# Reviewing security hotspots

Hotspots with a high review priority are the most likely to contain code that needs to be secured and require your attention first.

Follow this workflow to review security hotspots and apply any fixes needed to secure your code. For more information about security hotspots, see [Security hotspot rules](/sonarqube-cloud/standards/managing-rules/security-hotspots.md).

## Reviewing hotspots in SonarQube Cloud <a href="#reviewing-hotspots" id="reviewing-hotspots"></a>

To make status changes, you need the **Administer Security Hotspots** permission, which is enabled by default. Users with the **Browse** permission can comment on or change the user assigned to a security hotspot.

When reviewing a hotspot, you should:

1. Review the **What’s the risk** tab to understand why the security hotspot was raised.
2. From the **Are you at risk** tab, read the **Ask Yourself Whether** section to determine if you need to apply a fix to secure the code highlighted in the hotspot.
3. From the **How can you fix it** tab, follow the **Recommended Secure Coding Practices** to fix your code if you’ve determined it’s unsafe.

After following these steps, set the security hotspot to one of the following statuses:

* **To Review**: if the hotspot still needs to be reviewed.
* **Fixed**: if you have applied a fix to secure the code highlighted by the hotspot.
* **Safe**: if the code is already secure and doesn’t need to be fixed (for example, because other, more relevant protections are already in place).

{% hint style="info" %}
The **Review history** tab shows the history of the security hotspot, including each status it has been assigned and any comments reviewers have left about it.
{% endhint %}

## Reviewing hotspots in your IDE <a href="#reviewing-hotspots-in-your-ide" id="reviewing-hotspots-in-your-ide"></a>

Seeing a security hotspot directly in the IDE can help you better understand its context and decide whether it is safe or not. Unfortunately, the SonarQube Cloud Open in IDE feature is not available for security hotspots at this time. See the [Fixing issues](/sonarqube-cloud/managing-your-projects/issues/fixing.md#opening-in-ide) article for details.

The methods for finding and fixing security hotspots vary by IDE. See the SonarQube for IDE documentation for your IDE:

* [Security hotspots](/sonarqube-for-vs-code/using/security-hotspots.md) in SonarQube for VS Code
* [Security hotspots](/sonarqube-for-intellij/using/security-hotspots.md) in SonarQube for IntelliJ
* [Security hotspots](/sonarqube-for-visual-studio/using/security-hotspots.md) in SonarQube for Visual Studio
* [Security hotspots](/sonarqube-for-eclipse/using/security-hotspots.md) in SonarQube for Eclipse
