# Security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you’ll either find there is no threat or you need to apply a fix to secure the code. For more information about what security hotspots are and why they're different from other security issues, take a look at the server documentation:

* [Managing Security Hotspots](https://app.gitbook.com/s/LWhbesChsC4Yd1BbhHhS/user-guide/security-hotspots "mention") in SonarQube Server
* [Security hotspot rules](https://app.gitbook.com/s/B4UT2GNiZKjtxFtcFAL7/standards/managing-rules/security-hotspots "mention") in SonarQube Cloud
* [Managing Security Hotspots](https://app.gitbook.com/s/bqrfLGeD0Y9vE5l9Le42/user-guide/security-hotspots "mention") in SonarQube Community Build

## Hotspot analysis <a href="#hotspot-analysis" id="hotspot-analysis"></a>

It is possible to locally detect and report hotspots in SonarQube for Visual Studio for all supported languages. The full list is available on the [rules](https://docs.sonarsource.com/sonarqube-for-visual-studio/using/rules "mention") page.

Requirements include running SonarQube for Visual Studio in [connected-mode](https://docs.sonarsource.com/sonarqube-for-visual-studio/connect-your-ide/connected-mode "mention") and being bound to a project in SonarQube 2025.1 or newer, or to a project on SonarQube Cloud. Security hotspot analysis rules are run each time a local analysis is triggered.

Security hotspots are displayed in the [SonarQube issue visualization tool window](https://docs.sonarsource.com/sonarqube-for-visual-studio/investigating-issues#sonarqube-issue-visualization-tool-window "mention"). If it's not already visible, open it from its default location in the Visual Studio main menu: **Extensions** > **SonarQube** > **View SonarQube Report**.

In the SonarQube Security Hotspots view, locally detected hotspots are distinguished from those already known on the server by the option to open the hotspot on the server: only a local hotspot that matches a server-side hotspot offers that option.

<div><figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fgit-blob-87e40b886b4de89adf03a1f6561ad55d7f40ed1a%2Fsq-visual-studio-hotspot-newly-detected.png?alt=media" alt="When your locally detected hotspot does not match one found on the server, SonarQube for Visual Studio will not provide the option to open the issue on the server."><figcaption><p>Newly detected security hotspot</p></figcaption></figure> <figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fgit-blob-e41035e8d16213fb1ac5f038bdc94b6be988f57d%2Fsq-visual-studio-hotspot-on-server.png?alt=media" alt="When your locally detected hotspot matches one found on the server, SonarQube for Visual Studio provides the option to open the issue on the server."><figcaption><p>Matching security hotspot</p></figcaption></figure></div>

In addition, hotspots can be filtered by **Current Document** or **Open Documents**, and sorted by the issue's **Status** if desired; see the [Issues with secondary locations](https://docs.sonarsource.com/sonarqube-for-visual-studio/investigating-issues#issues-with-secondary-locations "mention") article for more information.

### Newly detected Hotspots <a href="#newly-detected-hotspots" id="newly-detected-hotspots"></a>

Locally found hotspots are highlighted in the editor using the characteristic SonarQube for Visual Studio squiggles. In addition, a list of all locally found hotspots appears in the [SonarQube issue visualization tool window](https://docs.sonarsource.com/sonarqube-for-visual-studio/investigating-issues#sonarqube-issue-visualization-tool-window "mention"). Selecting the rule key opens the [Sonar rule descriptions](https://docs.sonarsource.com/sonarqube-for-visual-studio/rules#sonar-rule-descriptions "mention") window, where you can review the descriptive and educational content associated with the hotspot.

### Already known hotspots <a href="#already-known-hotspots" id="already-known-hotspots"></a>

Hotspots already detected by SonarQube Server, SonarQube Cloud, or SonarQube Community Build are identified by an additional icon in the same **SonarQube Report** tool window.

Security hotspots that are marked as Fixed or Safe on the server can be viewed by selecting the **Resolved** or **Any** filter; see the [Issues with secondary locations](https://docs.sonarsource.com/sonarqube-for-visual-studio/investigating-issues#issues-with-secondary-locations "mention") article for instructions.

<figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fgit-blob-a32672897c9548753b8bd26498bfbd9ce2b17f45%2Fsq-visual-studio-hotspot-select-filter.png?alt=media" alt="In the SonarQube Report tool window, be sure to select the Security Hotspots filter then choose the issue statuses you would like to see in the list."><figcaption></figcaption></figure>

It’s possible to open a security hotspot found on SonarQube Server or SonarQube Cloud directly from your IDE. Simply right-click on the hotspot and select **View in SonarQube (Server, Cloud)** when available.

## Open in IDE from SonarQube <a href="#open-in-ide-from-sonarqube" id="open-in-ide-from-sonarqube"></a>

SonarQube for Visual Studio provides a way to investigate security hotspots found on the server. This is an integration feature: when viewing a hotspot on SonarQube Server, you will notice a button named **Open in IDE**; selecting that button while Visual Studio is running will open the hotspot’s code file in the IDE.

See the [Opening issues in the IDE](https://docs.sonarsource.com/sonarqube-for-visual-studio/investigating-issues#opening-issues-in-the-ide "mention") article to see how it looks in SonarQube Server. The SonarQube Cloud **Open in IDE** feature is not available for security hotspots at this time; more information can be found on the [Managing Security Hotspots](https://app.gitbook.com/s/LWhbesChsC4Yd1BbhHhS/user-guide/security-hotspots "mention") page in the SonarQube Server docs.

### Feature requirements <a href="#feature-requirements" id="feature-requirements"></a>

* The correct solution must be open in Visual Studio and you must be running SonarQube for Visual Studio in [connected-mode](https://docs.sonarsource.com/sonarqube-for-visual-studio/connect-your-ide/connected-mode "mention"). SonarQube Server will not open Visual Studio if it is closed.
* **Open in IDE** is not yet supported in SonarQube Cloud with SonarQube for Visual Studio.

### Feature overview <a href="#feature-overview" id="feature-overview"></a>

When SonarQube for Visual Studio receives an **Open in IDE** request from the browser, it verifies that the correct solution is open in connected mode. If not, a gold bar is displayed asking you to check that the correct solution is open, or to configure the binding manually:

<div align="left"><figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fgit-blob-85490f1f145bfca770103e2fcaf386ebf576a02c%2Fc7815994efe5b7e3db4eeef5f8b1338f669c3130.png?alt=media" alt="SonarQube for Visual Studio shows a gold bar if your Open in IDE request fails. Check which solution you have open or use the Configure Binding link to set up connected mode."><figcaption></figcaption></figure></div>

If the correct solution is open and the hotspot’s code location can be found in the solution, SonarQube for Visual Studio opens the file and navigates to the relevant code. In addition, the hotspot is added to the **SonarQube Report** tool window, where additional information about it is shown.

It is possible that the code on the server does not match your local code version. For example:

* if code changes have been made since the last analysis
* if the relevant code project is not included in the solution

In this case, only the hotspots that are found during the local analysis are shown.

### Security Hotspots list functionality <a href="#security-hotspots-list-functionality" id="security-hotspots-list-functionality"></a>

Once a hotspot has been added to the list, you can navigate to it with a double-click or the Enter key. In addition, your list of **Security Hotspots** can be filtered by **Current Document** or **Open Documents**, **Severity**, and **Status**, alongside **Taint Vulnerabilities** and **Dependency Risks**.

<figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fgit-blob-743bc64a298e7b16d8b35fb96955d2bd49652793%2Fsq-visual-studio-hotspot-all-filters.png?alt=media" alt="Hotspots can be filtered in the SonarQube for Visual Studio UI according to the current or open document, severity, and status."><figcaption></figcaption></figure>

### Implementation notes <a href="#implementation-notes" id="implementation-notes"></a>

When Visual Studio starts, SonarQube for Visual Studio starts listening in the background for *Open in IDE* requests originating from your local browser. This listener requires few resources and should not affect your machine’s performance or memory consumption, nor should it interfere with your work.

SonarQube for Visual Studio will try to find an available port in the range 64120-64130 inclusive. Information about the port selection will be logged in the SonarQube for Visual Studio pane in the Output Window. If a port cannot be found, *Open in IDE* will not be handled. The port range is not configurable.
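A quick way to confirm that the listener is up, and which process and address it is bound to, is to enumerate listening TCP ports in that range. This is an added check, not part of the SonarQube documentation or product; it assumes Windows PowerShell with the NetTCPIP module (`Get-NetTCPConnection`), and the port bounds are taken from the paragraph above.

```powershell
# Added example (not from the SonarQube docs): report which of the Open in IDE
# listener ports 64120-64130 are in the LISTEN state, which process owns them,
# and whether they are bound to a loopback address only.
# Assumes Windows PowerShell with the NetTCPIP module available.
$firstPort = 64120
$lastPort  = 64130

$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -ge $firstPort -and $_.LocalPort -le $lastPort }

if (-not $listeners) {
    Write-Output "No listener on ports $firstPort-$lastPort; Open in IDE requests will not be handled."
    Write-Output "Check that Visual Studio is running and that SonarQube for Visual Studio is in connected mode."
    return
}

foreach ($conn in $listeners) {
    # Resolve the owning process; a port in this range held by something other than
    # Visual Studio is a candidate reason for the extension failing to pick a port.
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }

    # For a listener meant only for the local browser, a loopback-only binding is
    # what a reviewer would expect; anything wider deserves a closer look.
    $loopbackOnly = $conn.LocalAddress -in @('127.0.0.1', '::1')

    [pscustomobject]@{
        Port         = $conn.LocalPort
        Address      = $conn.LocalAddress
        PID          = $conn.OwningProcess
        Process      = $procName
        LoopbackOnly = $loopbackOnly
    }
}
```

Compare the port reported here with the port selection logged in the SonarQube for Visual Studio pane of the Output Window; if they differ, another program has taken the port the extension would otherwise have used.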
