SonarCloud integrates with GitHub Security

Hi GitHub users,
Starting today, you will find all SonarCloud security vulnerabilities displayed under the GitHub Security tab as GitHub Code Scanning alerts.

This will allow you to review your vulnerabilities inside your favorite DevOps platform.

Please note that this feature is already included in your SonarCloud’s plan with no additional fee :slight_smile:

(On GitHub side, the Code Scanning feature is available for free for public project and with charge for Enterprise plans.)

Good to know : GitHub organisations admins will be prompted for a SonarCloud app permissions update. It will allow SonarCloud to push security issues directly into GitHub’s Security tab. Whether or not you accept this change, this has no impact on other permissions or on your existing plan :wink:

Have fun!

Christophe

6 Likes

Hi,

Will this feature also work with SonarQube Enterprise Edition?

Hi @mazlan ,
this feature is not available yet for SonarQube and is planned to be released during the 9.X cycle :slight_smile:
You can track the feature’s progress on the SonarQube Portal :wink:

Christophe

2 Likes

I love getting all notifications in one place, so this sounds like a great feature, and it makes sense that you would need write access to ‘Security Events’ based on what I’m reading (presumably for POST /repos/:owner/:repo/code-scanning/sarifs). Why the read access though?

Hey @sjcjoosten

GitHub has only three possible permission sets to grant:

  • No access
  • Read-only
  • Read & write
1 Like

We have updated the permissions and we have completed several runs of our CI pipelines in our main branch (checked 2 repositories) and there is nothing new showing up under the security tab of each repository on the GH side.

This is for private, paid, repositories.

@sodul have you checked that you even have any vulnerabilities to report?
Also, you need to have at least Write permission on the repo to be able to see the Code Scanning issues.
Otherwise I don’t see any reason for not having them displayed. If the problem persists please come back to us :wink:

@Christophe_Havard I have full admin permissions both on the SonarCloud and on the GitHub side. I can see DependaBot alerts, but nothing from sonar. I will send you details in private since this is a private repository.

following-up the previous message from @sodul : the reason why you may not see the Code Scanning Alerts link is because this is a paid option for private projects on GitHub.com.

The announcement text has been updated for more clarity :wink: