Issues reported in GitHub

SonarQube Cloud reports issues on your GitHub pull requests and can display security issues as code scanning alerts in the GitHub interface.

Pull request decoration

SonarQube Cloud provides issue reporting for GitHub pull requests. Besides the pull request analysis summary found in the Checks and Conversation tabs, you will also see issues reported as inline annotations directly within the Files changed tab as illustrated below.

Issues are reported as inline annotations in the Files changed tab.

From an inline annotation, you can:

  • View the corresponding issue in SonarQube Cloud: copy the See more on link and open it in your browser.

  • View the pull request analysis summary in SonarQube Cloud: select the View details button. If this button is not available, select the Try the new experience link in the top right corner of your pull request page as illustrated below.

Select the Try the new experience link to enable the View details button in SonarQube's inline annotations.

Using the Remediation agent on your pull requests

The SonarQube Remediation Agent runs an independent review and analysis to help you fix reliability and maintainability issues found in your latest code. It focuses on new issues discovered in your latest GitHub pull request (PR). These issues, picked up by the agent, would otherwise fail the new code conditions of your quality gate and block the merge of your PR. Fix suggestions are generated in the background, and the suggested code does not introduce new issues.

To enable and install the agent, see the SonarQube Remediation Agent page. To understand the agent's behavior and learn how to engage with the agent in your pull request, see the Agents in your GitHub pull request page.

Code scanning alerts

With the Enterprise plan, when you analyze a project in SonarQube Cloud, the detected security issues are displayed in the GitHub interface as code scanning alerts. When you change the status of a security issue in the SonarQube interface, that status change is immediately reflected in the GitHub interface. Similarly, if you change the status of a code scanning alert in GitHub, that change is reflected in SonarQube.

To view and manage your code scanning alerts:

1. In GitHub, go to your repository’s Security > Code scanning alerts tab.

2. Select View alerts to see the full list.

3. When you change the status of a security vulnerability in the SonarQube Cloud interface, that status change is immediately reflected in the GitHub interface, and vice versa.
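Because alert status is kept in sync in both directions, a useful check on the GitHub side is to pull the repository's code scanning alerts and summarize what is still open versus what was dismissed, so nobody closes an alert in one tool without that decision being visible in the other. The script below is an added example and is not SonarQube's or GitHub's own code. It assumes the response shape of GitHub's REST API endpoint for listing a repository's code scanning alerts (fields such as `state`, `dismissed_reason`, `rule.security_severity_level`, `tool.name`); the alert contents themselves, including the tool name `ExampleScanner`, are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample response. The field layout follows GitHub's
# "list code scanning alerts for a repository" API; every value below
# (tool name, rule ids, paths, line numbers) is made up for this example.
SAMPLE_ALERTS_JSON = """
[
  {"number": 12, "state": "open", "dismissed_reason": null,
   "rule": {"id": "EXAMPLE:S0001", "severity": "error",
            "security_severity_level": "high",
            "description": "Constructed rule: untrusted input reaches a command"},
   "tool": {"name": "ExampleScanner"},
   "most_recent_instance": {"location": {"path": "src/app.py", "start_line": 42}}},
  {"number": 13, "state": "open", "dismissed_reason": null,
   "rule": {"id": "EXAMPLE:S0002", "severity": "warning",
            "security_severity_level": "medium",
            "description": "Constructed rule: weak hash used for password storage"},
   "tool": {"name": "ExampleScanner"},
   "most_recent_instance": {"location": {"path": "src/auth.py", "start_line": 17}}},
  {"number": 14, "state": "dismissed", "dismissed_reason": "false positive",
   "rule": {"id": "EXAMPLE:S0001", "severity": "error",
            "security_severity_level": "high",
            "description": "Constructed rule: untrusted input reaches a command"},
   "tool": {"name": "ExampleScanner"},
   "most_recent_instance": {"location": {"path": "tests/test_app.py", "start_line": 9}}},
  {"number": 15, "state": "fixed", "dismissed_reason": null,
   "rule": {"id": "EXAMPLE:S0003", "severity": "warning",
            "security_severity_level": "low",
            "description": "Constructed rule: verbose error page enabled"},
   "tool": {"name": "ExampleScanner"},
   "most_recent_instance": {"location": {"path": "src/settings.py", "start_line": 3}}}
]
"""

# Ordering of GitHub's security severity levels, lowest to highest.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def load_alerts(text):
    """Parse the JSON array returned by the alerts endpoint."""
    return json.loads(text)


def open_alerts_by_severity(alerts):
    """Count alerts still in state 'open', keyed by security severity level."""
    return Counter(
        a["rule"].get("security_severity_level", "unknown")
        for a in alerts
        if a["state"] == "open"
    )


def dismissed_alerts(alerts):
    """Return (alert number, dismissed_reason) for every dismissed alert.

    These are the decisions that should also be visible in SonarQube,
    since the status is synchronized in both directions.
    """
    return [(a["number"], a["dismissed_reason"]) for a in alerts if a["state"] == "dismissed"]


def alerts_at_or_above(alerts, min_level):
    """Open alerts whose severity is at least min_level, for triage ordering."""
    threshold = SEVERITY_ORDER.index(min_level)
    selected = []
    for a in alerts:
        level = a["rule"].get("security_severity_level")
        if a["state"] == "open" and level in SEVERITY_ORDER and SEVERITY_ORDER.index(level) >= threshold:
            loc = a["most_recent_instance"]["location"]
            selected.append((a["number"], level, f'{loc["path"]}:{loc["start_line"]}'))
    # Highest severity first so the most urgent alert is at the top.
    selected.sort(key=lambda t: -SEVERITY_ORDER.index(t[1]))
    return selected


def summarize(alerts):
    """Overall counts by state, one line per tool."""
    by_tool = {}
    for a in alerts:
        tool = a["tool"]["name"]
        by_tool.setdefault(tool, Counter())[a["state"]] += 1
    return by_tool


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print("open by severity:", dict(open_alerts_by_severity(alerts)))
    print("dismissed:", dismissed_alerts(alerts))
    print("needs attention (high+):", alerts_at_or_above(alerts, "high"))
    print("per tool:", {k: dict(v) for k, v in summarize(alerts).items()})
```

To run this against a real repository, replace `SAMPLE_ALERTS_JSON` with the output of `gh api repos/OWNER/REPO/code-scanning/alerts` (the GitHub CLI handles authentication); the functions only depend on the documented response fields, not on the constructed sample values.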
