When performing pull request analysis, I have a rule that is reported in GitHub and in the SonarCloud branch analysis page. However, when I perform analysis locally via SonarLint, the issue is not reported.
Rule is java:S4502
Disabling CSRF protections is security-sensitive
One note of interest… when I go to the SonarLint Project Settings → Configure the connection and look at the Rules tab, java:S4502 is not in the list of rules even though it is active in this particular project's quality profile.
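For readers who do not know what java:S4502 looks for, the following is an added illustration (not code from the original post or from SonarSource) of the Spring Security configuration pattern the rule reports as a security hotspot, next to the default configuration that keeps CSRF protection enabled. The class and method names, and the Spring Security 5.x `http.csrf()` API, are assumptions made for the example; S4502 is a hotspot, so the flagged line is a prompt to review whether the disabling is justified rather than a confirmed vulnerability.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class used only for this illustration.
@Configuration
public class CsrfExampleConfig {

    // Pattern that java:S4502 reports as a security hotspot: CSRF protection
    // is switched off for every endpoint handled by this filter chain.
    // Reviewers should ask whether a stateless, token-authenticated API really
    // backs these routes, or whether browser sessions are in play.
    @Bean
    public SecurityFilterChain hotspotChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()          // flagged by java:S4502
            .authorizeRequests()
                .anyRequest().authenticated();
        return http.build();
    }

    // Counterpart that keeps Spring Security's default CSRF protection: the
    // framework issues a per-session token and rejects state-changing requests
    // (POST, PUT, DELETE, ...) that do not carry it. Nothing here is reported.
    @Bean
    public SecurityFilterChain protectedChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();
        return http.build();
    }
}
```

Because S4502 is a hotspot and not a bug or vulnerability rule, its findings go through the separate review workflow in SonarCloud ("Safe", "Fixed", "To review") rather than appearing alongside ordinary issues, which is relevant to the SonarLint behaviour asked about here.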
That’s correct. Security hotspots are not the same as “normal” issues, which is why SonarQube and now SonarCloud display them separately and why they have a separate review workflow (see the docs for more info).
We don’t have a way of displaying hotspots separately in SonarLint, so to avoid confusion with “normal” issues we don’t currently show them at all.
However, we are working on a new feature to enable reviewing hotspots in the IDE. The first version should be available in a few weeks' time.