How to Review and Gate on Security Hotspots
Hotspots are code needing manual security review; a gate on "hotspots reviewed" forces triage before the PR merges.
Add the gate condition "Security Hotspots Reviewed on new code is less than 100%" so any unreviewed new hotspot fails the gate. Reviewers mark hotspots safe or fixed in the Sonar UI.
Steps
- Add "Security Hotspots Reviewed (new code) is less than 100%" to the gate.
- Run the scan on PRs so new hotspots are attributed to the diff.
- Reviewers resolve each hotspot as safe, fixed, or acknowledged.
sonar-project.properties
sonar-project.properties
sonar.projectKey=my-org_my-repo
sonar.sources=src
sonar.security.hotspots.inheritFromParent=true
sonar.qualitygate.wait=trueGotchas
- Hotspots are not the same as vulnerabilities; they require human judgment, not an automatic fix.
- A 100%-reviewed gate blocks merges until someone triages, so keep the reviewer group staffed.
Related guides
How to Aggregate SARIF Results in the GitHub Security TabUpload multiple SARIF files from different analyzers to GitHub code scanning with distinct categories so all…
How to Run Codacy Analysis in CIRun the Codacy Analysis CLI in GitHub Actions to scan for issues and upload SARIF results, using a project AP…