Hi Mark,
Advanced vulnerabilities based on our taint analysis engine (rule keys starting by xxxsecurity:) are not detected directly in SonarLint. For the moment, the engine requires to analyze the entire project, that would not suit well in SonarLint.
If you are using SonarQube or SonarCloud, and if SonarLint is connected to the server, SonarLint should display the taint vulnerabilities found on the server. Is it not the case?