Skip to content
Latchkey

How to Review and Gate on Security Hotspots

Hotspots are code needing manual security review; a gate on "hotspots reviewed" forces triage before the PR merges.

Add the gate condition "Security Hotspots Reviewed on new code is less than 100%" so any unreviewed new hotspot fails the gate. Reviewers mark hotspots safe or fixed in the Sonar UI.

Steps

  • Add "Security Hotspots Reviewed (new code) is less than 100%" to the gate.
  • Run the scan on PRs so new hotspots are attributed to the diff.
  • Reviewers resolve each hotspot as safe, fixed, or acknowledged.

sonar-project.properties

sonar-project.properties
sonar.projectKey=my-org_my-repo
sonar.sources=src
sonar.security.hotspots.inheritFromParent=true
sonar.qualitygate.wait=true

Gotchas

  • Hotspots are not the same as vulnerabilities; they require human judgment, not an automatic fix.
  • A 100%-reviewed gate blocks merges until someone triages, so keep the reviewer group staffed.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →