SonarCloud integrates with GitHub Security

Hi GitHub users,
Starting today, you will find all SonarCloud security vulnerabilities displayed under the GitHub Security tab as GitHub Code Scanning alerts.

This will allow you to review your vulnerabilities inside your favorite DevOps platform.

Please note that this feature is already included in your SonarCloud plan with no additional fee :slight_smile:

(On the GitHub side, the Code Scanning feature is available for free for public projects and at a charge for Enterprise plans.)

Good to know: GitHub organisation admins will be prompted for a SonarCloud app permissions update. It will allow SonarCloud to push security issues directly into GitHub’s Security tab. Whether or not you accept this change, this has no impact on other permissions or on your existing plan :wink:

Have fun!




Will this feature also work with SonarQube Enterprise Edition?


Hi @mazlan,
this feature is not available yet for SonarQube and is planned to be released during the 9.X cycle :slight_smile:
You can track the feature’s progress on the SonarQube Portal :wink:



I love getting all notifications in one place, so this sounds like a great feature, and it makes sense that you would need write access to ‘Security Events’ based on what I’m reading (presumably for POST /repos/:owner/:repo/code-scanning/sarifs). Why the read access though?

Hey @sjcjoosten

GitHub has only three possible permission sets to grant:

  • No access
  • Read-only
  • Read & write

We have updated the permissions and we have completed several runs of our CI pipelines in our main branch (checked 2 repositories) and there is nothing new showing up under the security tab of each repository on the GH side.

This is for private, paid, repositories.

@sodul have you checked that you even have any vulnerabilities to report?
Also, you need to have at least Write permission on the repo to be able to see the Code Scanning issues.
Otherwise I don’t see any reason for not having them displayed. If the problem persists please come back to us :wink:

@Christophe_Havard I have full admin permissions both on the SonarCloud and on the GitHub side. I can see DependaBot alerts, but nothing from sonar. I will send you details in private since this is a private repository.


Following up on the previous message from @sodul: the reason why you may not see the Code Scanning Alerts link is because this is a paid option for private projects on

The announcement text has been updated for more clarity :wink:

I still find the text confusing, as private repos on do not fall into the categories mentioned.

After reading the announcement, I expected to see SonarCloud alerts listed under Code scanning alerts on my (private) GitHub repo’s security page, but instead I see a link to Contact GitHub Sales.

You do realize that ‘paid option for private projects’ excludes like 90% of your customer base, right? It’s a very expensive add-on to the default GitHub plans.

I don’t understand why you are not doing the sensible thing and integrating this with the Annotations from Checks?