GitHub code scanning alerts for security vulnerabilities
This feature is only available in the Enterprise plan.
SonarCloud automatically provides feedback about security vulnerabilities inside the GitHub interface itself. Security vulnerabilities found by SonarCloud will appear both as part of the analysis results displayed in the SonarCloud interface and as GitHub Scanning Alerts under the Security tab in the GitHub interface.
Security vulnerabilities surfaced as code scanning alerts
When you perform an analysis on a project, the security vulnerabilities found will be displayed in the SonarCloud interface:
You can click on the counter to display a list of detected security vulnerabilities:
If your project is in GitHub you will also find the same vulnerabilities displayed within the GitHub interface under the Security tab:
Select View alerts to see the full list:
Bi-directional synchronized status changes
When you change the status of a security vulnerability in the SonarCloud interface that status change will be immediately reflected in the GitHub interface and vice versa.
For example, if you change an issue from Open to Resolve as false positive here in SonarCloud:
That change will be reflected in the code scanning alerts in GitHub:
Similarly, if you change an issue from Open to Dismiss: Won't Fix in GitHub:
That change will be reflected in SonarCloud.
Correspondence of statuses
Initially, all issues marked Open on SonarCloud are marked Open on GitHub. But because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions.
| On SonarCloud, a transition to | results in this on GitHub |
|---|---|
| Confirm | Open |
| Resolve (Fixed) | Open |
| Resolve (Accept) | Dismiss: Won't fix |
| Resolve (False Positive) | Dismiss: False positive |
| Reopened | Open |
| On GitHub, a transition to | results in this on SonarCloud |
|---|---|
| Dismiss: False positive | Resolve (False Positive) |
| Dismiss: Used in tests | Resolve (Accept) |
| Dismiss: Won't fix | Resolve (Accept) |
No configuration needed
You might notice a button in the GitHub Security tab labeled Add more scanning tools. This is used to configure third-party plugins. To use scanning alerts from SonarCloud, however, you do not need to add any third-party plugins.
The GitHub Code Scanning Alerts for Security Vulnerabilities feature is enabled automatically and for free on all public GitHub Repositories. You just have to make sure that your repository is bound to SonarCloud (in other words you have to import it through the SonarCloud interface).
If your repository is private then you will necessarily have a paid SonarCloud subscription. To enable scanning alerts on a private GitHub repository you will need to pay for the GitHub Advanced Security feature. This is entirely on the GitHub side. SonarCloud does not charge anything extra (above the paid subscription for private repositories) to enable the scanning alerts feature.
Managing access to security alerts
In GitHub, you can configure access to security alerts for your repository.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
