Sonar security alerts in Github

Hi sonar community!
I’m using sonar developer edition and trying to integrate it with my Github enterprise account. My end goal is to be able to see the security overview directly in the security tab of my Github repos.

I have created a Github application in accordance with your guide GitHub integration (sonarsource.com), specifically assigning Read and Write permissions to it in the Repository permissions > Code scanning alerts section of the app settings. I can see that the application has the permissions in question here:


Likewise, the repo for which I wish it to receive security alerts is set up in accordance with this section in the guide: GitHub integration (sonarsource.com)

The end result though, looking at the security overview of the repo in question on Github is that I am missing the Code Scanning section in Vulnerability Alerts, which I would have expected to see, at least when comparing it to the screenshot in the official guide here: GitHub integration (sonarsource.com)

My question is: do I need to have code scanning alerts enabled on Github’s side before I can consume these alerts (even when they’re coming from Sonar, via the Github app)? Or should I assume there is a misconfiguration someplace?

Yes.

Note: This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.

Sorry, I didn’t realise that. Thanks for the info.
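A quick way to confirm the answer above for a given repository is to ask GitHub's REST API for the repo's code scanning alerts: when GitHub Advanced Security / code scanning is not enabled on the GitHub side, the endpoint refuses with HTTP 403 regardless of what the Sonar GitHub App is allowed to do, which is the same state that leaves the Code Scanning section missing from the Security tab. The script below is an added example written for this thread, not code from Sonar or from the GitHub integration guide. It assumes a `GITHUB_TOKEN` environment variable holding a token with the Code scanning alerts read permission (for example an installation token of the app described in the question) and an optional `GITHUB_API_URL` pointing at the REST base URL, which on GitHub Enterprise Server is `https://HOSTNAME/api/v3` (hostname is a placeholder). The response interpretation is separated from the network call so it can be exercised with constructed responses.

```python
"""Diagnose whether a GitHub repository can receive code scanning alerts.

Added example for the Sonar community thread above; not Sonar's own code.
Assumptions (not from the thread):
  - GITHUB_TOKEN: token with "Code scanning alerts" read permission
  - GITHUB_API_URL: REST base URL; https://api.github.com for github.com,
    https://HOSTNAME/api/v3 on GitHub Enterprise Server (HOSTNAME is a placeholder)
"""
import json
import os
import sys
import urllib.error
import urllib.request

# REST endpoint that lists code scanning alerts for one repository.
ALERTS_PATH = "/repos/{owner}/{repo}/code-scanning/alerts"


def _message_from_body(body: str) -> str:
    """Extract GitHub's human-readable 'message' field from an error body, if any."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return ""
    if isinstance(parsed, dict):
        return str(parsed.get("message", ""))
    return ""


def interpret_alerts_response(status: int, body: str) -> str:
    """Map an HTTP status from the alerts endpoint to a diagnosis string.

    200 -> code scanning is enabled and the token can read alerts.
    403 -> GitHub documents this as the response when Advanced Security /
           code scanning is not enabled for the repository; it is also what
           a token without the Code scanning alerts permission receives.
    404 -> repository not visible to the token (or does not exist).
    """
    if status == 200:
        try:
            alerts = json.loads(body)
        except json.JSONDecodeError:
            return "code scanning enabled, but response body was not JSON"
        return f"code scanning enabled; {len(alerts)} alert(s) visible"
    detail = _message_from_body(body)
    suffix = f" (GitHub said: {detail})" if detail else ""
    if status == 403:
        return ("code scanning not enabled for this repository "
                "(GitHub Advanced Security is required for private repos and GHES), "
                "or the token lacks the Code scanning alerts permission" + suffix)
    if status == 404:
        return "repository not found, or the token cannot see it" + suffix
    return f"unexpected HTTP {status}" + suffix


def fetch_alerts_status(owner: str, repo: str, token: str,
                        api_url: str = "https://api.github.com") -> tuple[int, str]:
    """Call the alerts endpoint and return (http_status, response_body)."""
    url = api_url.rstrip("/") + ALERTS_PATH.format(owner=owner, repo=repo)
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # Non-2xx responses arrive as exceptions; keep the body for the message field.
        return exc.code, exc.read().decode("utf-8", errors="replace")


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} OWNER REPO", file=sys.stderr)
        return 2
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        print("GITHUB_TOKEN is not set", file=sys.stderr)
        return 2
    api_url = os.environ.get("GITHUB_API_URL", "https://api.github.com")
    status, body = fetch_alerts_status(argv[1], argv[2], token, api_url)
    print(interpret_alerts_response(status, body))
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `GITHUB_TOKEN=... python check_code_scanning.py OWNER REPO`; a 403 diagnosis with a message about Advanced Security means the fix is on the GitHub side (enable code scanning / Advanced Security for the repository), not in the Sonar app's permissions.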