# Reviewing security hotspots

Hotspots with a high review priority are the most likely to contain code that needs to be secured and require your attention first.

Follow this workflow to review security hotspots and apply any fixes needed to secure your code. For more information about security hotspots, see the [Security hotspots](https://docs.sonarsource.com/sonarqube-cloud/standards/managing-rules/security-hotspots) page.

## Reviewing hotspots in SonarQube Cloud <a href="#reviewing-hotspots" id="reviewing-hotspots"></a>

To make status changes, you need the **Administer Security Hotspots** permission, which is enabled by default. Users with the **Browse** permission can comment on or change the user assigned to a security hotspot.

When reviewing a hotspot, you should:

1. Review the **What’s the risk** tab to understand why the security hotspot was raised.
2. From the **Are you at risk** tab, read the **Ask Yourself Whether** section to determine if you need to apply a fix to secure the code highlighted in the hotspot.
3. From the **How can you fix it** tab, follow the **Recommended Secure Coding Practices** to fix your code if you’ve determined it’s unsafe.

After following these steps, assign one of the following status updates to the security hotspot:

* **To Review**: if the issue needs to be reviewed.
* **Fixed**: if you have applied a fix to secure the code highlighted by the hotspot.
* **Safe**: if the code is already secure and doesn’t need to be fixed (for example, because other, more relevant protections are already in place).

{% hint style="info" %}
The **Review history** tab shows the history of the security hotspot, including the status that it’s been assigned, and any comments the reviewer had regarding the hotspot.
{% endhint %}

## Reviewing hotspots in your IDE <a href="#reviewing-hotspots-in-your-ide" id="reviewing-hotspots-in-your-ide"></a>

Seeing a security hotspot directly in the IDE can help you better understand its context and decide whether it is safe or not. Unfortunately, the SonarQube Cloud Open in IDE feature is not available for security hotspots at this time. See [Opening in IDE](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/fixing#opening-in-ide) for details.

The methods to find and fix security hotspots vary by IDE. Please check out the respective SonarQube for IDE documentation pages for these details:

* [Security hotspots](https://app.gitbook.com/s/6LPRABg3ubAJhpfR5K0Y/using/security-hotspots) in SonarQube for VS Code
* [Security hotspots](https://app.gitbook.com/s/NvI4wotPmITyM0mnsmtp/using/security-hotspots) in SonarQube for IntelliJ
* [Security hotspots](https://app.gitbook.com/s/5CSDwdOaYoOAGYNiRqgl/using/security-hotspots) in SonarQube for Visual Studio
* [Security hotspots](https://app.gitbook.com/s/kadXEH8HkykK7lKaDvVq/using/security-hotspots) in SonarQube for Eclipse
