Vulnerability Scanning

Hello - I ran a static code analyzer (Fortify) on our projects and there were several hundred vulnerabilities identified ranging from Low to Critical. However, those same projects show zero vulnerabilities in SonarCloud. Can you advise on why this might be? That is a significant difference, so I am questioning what vulnerabilities SonarCloud is actually scanning for.

Hey there.

There’s not much information to go off of here! What language(s) are you analyzing, and what kind of issues are being raised by Fortify that aren’t being raised by SonarCloud? Can you share some examples?

If you look at the Rules tab of your organization (and filter to Vulnerabilities/Security Hotspots), you can learn more about the issues SonarCloud is able to detect.