Reviewing security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. SonarQube Cloud helps you find security hotspots in your code when running analyses.

Hotspots with a high review priority are the most likely to contain code that needs to be secured and require your attention first.

Follow this workflow to review security hotspots and apply any fixes needed to secure your code. For more information about security hotspots, see Security hotspot rules.

Reviewing hotspots in SonarQube Cloud

To make status changes, you need the Administer Security Hotspots permission, which is enabled by default. Users with the Browse permission can comment on or change the user assigned to a security hotspot.

When reviewing a hotspot, you should:

  1. Review the What’s the risk tab to understand why the security hotspot was raised.

  2. From the Are you at risk tab, read the Ask Yourself Whether section to determine if you need to apply a fix to secure the code highlighted in the hotspot.

  3. From the How can you fix it tab, follow the Recommended Secure Coding Practices to fix your code if you’ve determined it’s unsafe.

After following these steps, assign one of the following status updates to the security hotspot:

  • To Review: if the issue needs to be reviewed.

  • Fixed: if you have applied a fix to secure the code highlighted by the hotspot.

  • Safe: if the code is already secure and doesn’t need to be fixed (for example, other more relevant protections are already in place).
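The review outcomes above map onto the status and resolution values that SonarQube's Web API uses for hotspots. The following helper, an added example rather than Sonar's own code or anything from this page, shows how a team could triage a hotspot queue in priority order and turn each decision into a status change. It assumes the `api/hotspots/search` and `api/hotspots/change_status` endpoints and their field names (`vulnerabilityProbability`, `status`, `resolution`, `comment`) as found in SonarQube's Web API; the page itself does not document the API, and the sample search response is constructed.

```python
"""Hotspot triage helper (added example; not SonarQube code).

Assumptions not stated on the page: the Web API endpoints
  GET  api/hotspots/search        -> {"hotspots": [{key, vulnerabilityProbability, ...}]}
  POST api/hotspots/change_status <- hotspot, status, resolution, comment
and the enum values TO_REVIEW / REVIEWED and FIXED / SAFE.
"""
import base64
import json
import urllib.parse
import urllib.request

# Review priority: HIGH hotspots are the most likely to need securing, so they
# are handled first (lower number sorts first).
PRIORITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Page outcomes -> API status/resolution pairs (assumed field names/values).
OUTCOMES = {
    "To Review": {"status": "TO_REVIEW", "resolution": None},
    "Fixed": {"status": "REVIEWED", "resolution": "FIXED"},
    "Safe": {"status": "REVIEWED", "resolution": "SAFE"},
}

# Constructed sample of an api/hotspots/search response (keys are made up).
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "hotspots": [
        {"key": "HS-LOW-1", "vulnerabilityProbability": "LOW",
         "securityCategory": "others", "message": "Make sure this debug feature is deactivated",
         "component": "demo:src/app.py", "line": 12},
        {"key": "HS-HIGH-1", "vulnerabilityProbability": "HIGH",
         "securityCategory": "sql-injection", "message": "Make sure using a dynamically formatted SQL query is safe here",
         "component": "demo:src/db.py", "line": 40},
        {"key": "HS-MED-1", "vulnerabilityProbability": "MEDIUM",
         "securityCategory": "weak-cryptography", "message": "Make sure this weak hash algorithm is not used in a sensitive context",
         "component": "demo:src/hash.py", "line": 7},
    ],
})


def parse_hotspots(raw: str) -> list:
    """Parse a search response and order hotspots by review priority."""
    hotspots = json.loads(raw).get("hotspots", [])
    # Unknown priorities sort last rather than crashing the triage run.
    return sorted(hotspots,
                  key=lambda h: PRIORITY_ORDER.get(h.get("vulnerabilityProbability"), 3))


def build_status_change(hotspot_key: str, outcome: str, comment: str = "") -> dict:
    """Translate a reviewer's outcome into a change_status form payload.

    Marking a hotspot Safe without saying which protection makes it safe
    leaves no audit trail, so a comment is required for that outcome
    (a convention of this example, not a SonarQube rule).
    """
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown outcome {outcome!r}; expected one of {sorted(OUTCOMES)}")
    if outcome == "Safe" and not comment.strip():
        raise ValueError("a Safe decision needs a comment explaining why the code is secure")
    mapping = OUTCOMES[outcome]
    payload = {"hotspot": hotspot_key, "status": mapping["status"]}
    if mapping["resolution"]:
        payload["resolution"] = mapping["resolution"]
    if comment.strip():
        payload["comment"] = comment.strip()
    return payload


def triage(raw: str, decisions: dict) -> list:
    """Walk the queue in priority order and build one payload per decided hotspot.

    `decisions` maps hotspot key -> (outcome, comment); undecided hotspots are
    skipped so they stay in To Review.
    """
    payloads = []
    for hotspot in parse_hotspots(raw):
        decision = decisions.get(hotspot["key"])
        if decision is None:
            continue
        outcome, comment = decision
        payloads.append(build_status_change(hotspot["key"], outcome, comment))
    return payloads


def send_status_change(base_url: str, token: str, payload: dict) -> bytes:
    """POST one change (not called here; assumes token-as-username basic auth)."""
    body = urllib.parse.urlencode(payload).encode()
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/hotspots/change_status",
                                 data=body, method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    sample_decisions = {
        "HS-HIGH-1": ("Fixed", "Switched to a parameterised query"),
        "HS-MED-1": ("Safe", "Hash is only used as a cache key, not for credentials"),
    }
    for p in triage(SAMPLE_SEARCH_RESPONSE, sample_decisions):
        print(p)
```

The example only builds the payloads; `send_status_change` is provided for completeness and would need the Administer Security Hotspots permission mentioned above to succeed. Ordering by `vulnerabilityProbability` mirrors the page's advice to handle high-priority hotspots first, and the mandatory comment on Safe decisions is an added convention so that the Review history tab records why a hotspot was closed without a fix.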


The Review history tab shows the history of the security hotspot, including the status that it’s been assigned, and any comments the reviewer had regarding the hotspot.

Reviewing hotspots in your IDE

Seeing a security hotspot directly in the IDE can help you better understand its context and decide whether it is safe or not. Unfortunately, the SonarQube Cloud Open in IDE feature is not available for security hotspots at this time. See the Opening issues in your IDE article for details.

The methods to find and fix security hotspots vary by IDE. Please check out the respective SonarQube for IDE documentation pages for these details:
