SonarCloud Community: we’ve elevated Security Hotspots to first-class citizen status

(Alexandre Gigleux) #1

Hello SonarCloud Community,

We’ve made some changes to SonarCloud pertaining to features in the security domain. Here’s an update on these changes to help you understand them and quickly integrate them into your organization.

First, we’ve elevated Security Hotspots to first-class citizen status. They now belong to the Security domain alongside vulnerabilities. For vulnerabilities, there is no change, they are proper issues and require a fix. On the other hand, Security Hotspots, require a different action set. They need a careful review to properly categorize them - either they fall into the issue bucket (and become true vulnerabilities) or they can be safely ignored. To assist with this triage, we highlight Security Hotspots in your PR analysis so you know where to focus your attention. They’re also visible on the Overview Page of your project.

On the Issues page, we’ve added a reminder to explain the action needed for Security Hotspots:


We were careful to display Security Hotspots differently so it’s clear that they require a different action from ‘normal’ issues. A proper Security Hotspot workflow involves review and a bit of inspection along with probing questions to ensure your code isn’t linking to a known security attack or weakness.

We also break things down into Security Categories (SonarSource, OWASP Top 10 and SANS Top 25) so it’s easier to understand the effort (code fixes vs. code review/fix) involved in order to resolve all items.


Finally, we removed the “Security Reports” feature. As a developer, reports are not as useful as an actionable list of issues and this is provided by the Issues Page and its new Security Category filter.

Soon, we’ll add a bit more clarity to the Security Hotspot workflow by incorporating a clear action status: To Review > In Review > Reviewed.

As always, we love your feedback! Please reach out on this forum if you have questions or comments! Happy coding!