Sonar Cloud and GitHub Advanced Security integration

Hello Sonar Community,

Our organization has been leveraging the integration between Sonar and GitHub Advanced Security to enhance the security posture of our projects. However, we’ve encountered a limitation that we’re hoping to overcome with your assistance.

At present, the integration is configured to report only ‘vulnerabilities’ to GitHub’s code scanning alerts. While this is highly valuable, our goal is to obtain a more comprehensive overview of code quality and security issues directly within GitHub. In particular, we wish to include all types of Sonar issues, such as bugs, code smells, hotspots and vulnerabilities of various severities, in GitHub’s alerts.

We are seeking guidance on two main points:

  1. Is it possible to adjust the integration settings to report all kinds of Sonar issues (beyond just vulnerabilities) to GitHub’s code scanning alerts?
  2. If so, how can I customize which types of issues and what severity levels are reported to GitHub?

We believe that having more detailed insights directly on GitHub would significantly streamline our workflow and enable us to address issues more effectively.

Thank you in advance for your time and assistance. Any advice, links to documentation, or tips on how to achieve this would be greatly appreciated by our team.


Hey there.

I think it’s a tough sell that anything other than security issues should show up in the space that GitHub dedicates to security issues (and not reliability, or maintainability). There’s no adjustment you can do to bring other types of issues in.

Hello,

Thanks for your response! I appreciate the perspective on keeping GitHub’s security space focused. However, I’d like to highlight a couple of key points on why integrating more types of Sonar issues into GHAS could be beneficial:

  1. GHAS’s ‘Security-and-Quality’ Pack: GitHub itself offers a ‘security-and-quality’ query pack, suggesting a blend of security and quality issues (reliability and maintainability) is valuable for comprehensive code health. This shows there’s room to consider beyond just security vulnerabilities.
  2. Centralized Overview: GHAS provides a centralized overview for security issues across all tools (CodeQL + 3rd party) and repositories. Since Sonar operates at the project level and lacks an org-wide view, including Sonar’s broader issues in GHAS would greatly aid in managing and prioritizing issues across many repositories in one place.

For large organizations with numerous repositories, a unified dashboard that includes both security and quality issues would streamline processes and decision-making, improving our overall code health and security.

I believe this integration aligns with the goal of enhancing code quality alongside security, offering a more holistic view of our projects.