Sonarcloud stopped identifying vulnerabilities

I’ve just started using SC for a javascript/node.js/express API project. I know it contains numerous vulnerabilities, and initially, SC identified them. After a day or so (and after I patched a minority of them), they disappeared from the dashboard. I can still find them as “security hotspots”, but vulnerabilities are now a fat zero, sending the wrong messages.

Has anyone experienced anything similar, and is there any known workaround?


  • ALM used: GitHub
  • CI system used: system is automatically configured
  • Languages of the repository: Javascript
  • Error observed: vulnerabilities not detected anymore
  • Steps to reproduce: unknown
  • Potential workaround: none

Hi,

Welcome to the community!

You’ve said the system is automatically configured. To clarify, does that mean you’re using SonarCloud’s Autoscan for analysis?

Thx,
Ann

Yes, exactly. I added the project by linking GitHub, it worked for a day or so, then stopped.


Hi,

Thanks for the clarification. I’ve flagged this for the team.

Ann

Hello Marco,

To be able to investigate this issue, I have some questions:

  • Is this a PR analysis or the main branch analysis?
  • What are the associated Rules of these Security Hotspots? You can find this in the UI: when you click on any security hotspot, at the top of the screen you should see a link that follows the format javascript:ID (for example javascript:S2068).

Thanks

  • Is this a PR analysis or the main branch analysis?

main branch

  • What are the associated Rules of these Security Hotspots?

javascript:S2077

Thank you for the information.

The Rule javascript:S2077 is categorised as Security Hotspot, so it’s expected that you see the findings as Security Hotspots. Are all the findings related to this Rule?

I have only javascript:S2077, three times, but there are many more SQL injections that are not identified.

Hello,

Ok, and just to be sure, have you checked both New Code and Overall Code?

I’m not sure how to do that specifically

Assuming that you already set up a New Code Definition for your project, if you go to your project → Main Branch, on the right side you should see a switch (see screenshot)


Aha, gotcha.
It was on New Code. Overall Code still shows no sign of vulns, though.

I’ve looked at the security hotspots and it catches a whole bunch of javascript:S2077 hotspots, but a number of them were reported before as actual vulnerabilities.

Hello,

OK, I see. However, the expected behaviour is that issues under the javascript:S2077 rule are displayed as Security Hotspots. Also, as you can see, your Quality Gate fails when the Security Review has rating E, so in order to get your Quality Gate green you will still have to resolve them (the same as if they were Vulnerabilities).

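To make the rule discussed above concrete, here is an added example (not code from the thread, from the reporter's project, or from SonarSource) contrasting the query-building style that javascript:S2077 flags as a Security Hotspot with its parameterised counterpart. It assumes a node-postgres style client that takes a `{ text, values }` object; no database is needed, because each function only returns the object that would be handed to `client.query()`. The `isParameterised` helper and the sample name are constructed for this example.

```javascript
// Added example: the two query-building styles behind rule javascript:S2077.
// Assumption: a node-postgres style client accepting { text, values }.

// Pattern the hotspot flags: request data concatenated into the SQL text.
// The statement's grammar now depends on whatever the caller supplied.
function findUserUnsafe(username) {
  return {
    text: "SELECT id FROM users WHERE name = '" + username + "'",
    values: [],
  };
}

// Hardened form: the SQL text is a constant and the input is bound as a
// parameter, so the database never parses user data as part of the statement.
function findUserSafe(username) {
  return {
    text: "SELECT id FROM users WHERE name = $1",
    values: [username],
  };
}

// Review helper (constructed for this example): true when the SQL text
// carries no inline string literal and every $n placeholder has a bound
// value. Wiring this into unit tests catches a regression to concatenation
// in CI, independently of whether the scanner reports it as a Vulnerability
// or a Security Hotspot.
function isParameterised(query) {
  const placeholders = query.text.match(/\$\d+/g) || [];
  const hasInlineLiteral = /'[^']*'/.test(query.text);
  return !hasInlineLiteral && placeholders.length === query.values.length;
}

// Constructed sample containing a quote character: with concatenation the
// statement text changes shape (the quote becomes part of the SQL grammar);
// with a bound parameter the text is identical for every input.
const sample = "O'Brien";
console.log(findUserUnsafe(sample).text);
console.log(findUserSafe(sample).text);
console.log(isParameterised(findUserUnsafe(sample)), isParameterised(findUserSafe(sample)));
```

The helper is deliberately a coarse heuristic for a test suite, not a replacement for the analyser: a query with a legitimate constant literal would fail it, which is a reasonable trade in an API whose queries should all be parameterised.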
