Security hotspots
How to fix security hotspots using SonarQube for VS Code.
A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find that there is no threat or you will need to apply a fix to secure the code. For more information about what security hotspots are and why they are different from other security issues, take a look at the server documentation:
Managing Security Hotspots in SonarQube Server
Security hotspots in SonarQube Cloud
Managing Security Hotspots in SonarQube Community Build
Hotspot analysis
In SonarQube for VS Code, local detection of security hotspots is enabled if you are using Connected Mode with a project on SonarQube Server or SonarQube Community Build; from version 3.18 onward, security hotspots are also found when bound to a project in SonarQube Cloud. These issue types are shown under the SONARQUBE panel and are grouped by file. See the relevant pages in the server documentation for information about managing these types of issues:
Managing Security Hotspots in SonarQube Server
Security hotspots in SonarQube Cloud
Managing Security Hotspots in SonarQube Community Build
Reviewing hotspots
First, open a file while your project is running in Connected Mode with SonarQube (Server, Cloud) or SonarQube Community Build. SonarQube for VS Code will automatically run an analysis to look for security hotspots and then compare the local results against those found on SonarQube (Server, Cloud) or SonarQube Community Build. The security hotspot results are automatically grouped by file, and the tooltip labels each one as existing only locally or as already known on the remote project.
Selecting an issue in either category highlights the code in the explorer window. You can change a hotspot's status either in SonarQube for VS Code or directly in SonarQube (Server, Cloud) or SonarQube Community Build. See the Fixing hotspots section below for more information.
Newly detected hotspots
Security hotspots that only exist locally are those found during the local analysis but not found on SonarQube Server or Cloud. They can be fixed by modifying your code, or by submitting your code to trigger a new analysis on the server, where you can then mark them as Fixed or Safe.
Right-clicking on a security hotspot that only exists locally reveals two options to select:
Clear Highlighting to remove the highlight over your code in the explorer window.
Show Rule Description to open the rule in the SonarQube for VS Code view window.
Already known hotspots
Already known security hotspots are those that exist both locally and in SonarQube (Server, Cloud) or SonarQube Community Build. Once the security hotspot analysis is complete, SonarQube for VS Code compares the local results against those found on the server and sorts them accordingly. Hotspots that already exist in your remote project can be fixed by modifying your code in the IDE, or you can mark them as Fixed or Safe from either the IDE or the server.
Right-clicking on an Already known hotspot gives you these four options to select:
Change Status to modify the status of a known hotspot.
Clear Highlighting to remove the highlight over your code in the explorer window.
Review on Server to open the hotspot in SonarQube Server, Cloud, or in SonarQube Community Build where you can mark it as Fixed or Safe.
Show Hotspot Details will open the details view and provide information about the rule and the current status of the hotspot.

Reporting security hotspots in the whole folder
By default, SonarQube for VS Code searches for security hotspots only in open files each time an analysis is triggered; Connected Mode is required. To run a security hotspot analysis across your entire project, run SonarQube: Scan for Hotspots in Folder from the command palette (Ctrl + Shift + P on Windows/Linux or Command + Shift + P on macOS).
Each time you run Scan for Hotspots in Folder, a new analysis is triggered on the entire project.
Using the Scan for Hotspots in Folder feature may consume excessive resources depending on the size of your project. If your project is too large, a notice will appear asking you to confirm the action. It is therefore recommended that you define a set of file exclusions when analyzing large projects with the Scan for Hotspots in Folder feature.
However, SonarQube for IDE applies these file exclusions automatically:
File extension: SonarQube for IDE knows the primary language of your project and restricts the scope of the analysis to files matching that language's set of extensions.
File size: Files larger than 0.5 Mb will be ignored…
.gitignore: Files matched by the patterns in your .gitignore file are excluded.
Fixing hotspots
How you fix a security hotspot depends on your assessment of the risk. Check the Rule Description's How can I fix it? tab to find recommended secure coding practices and compliant solutions (when available). More information can be found in the security hotspot workflow articles in the server documentation:
Managing Security Hotspots in SonarQube Server
Security hotspots in SonarQube Cloud
Managing Security Hotspots in SonarQube Community Build
Once you have determined the risk, you can either update your code locally or, if the hotspot matches one found on the server, change the hotspot's review status in the IDE. Your action is then propagated to the server. The prerequisites for changing the review status in the IDE are:
The security hotspot detected locally is already known by SonarQube (Server, Cloud) or SonarQube Community Build.
You are granted the Administer Security Hotspot permission level by a project administrator.
In SonarQube for VS Code v3.21 or newer running in Connected Mode with SonarQube Server 10.2 or newer, it is possible to mark issues locally before submitting a PR for analysis. Note that it is not possible to mark security hotspots found locally. Please see the Marking issues article on the Fixing issues page for more details.
Simply right-click the hotspot in the SONARQUBE panel and select Change Status; a wizard then opens in the IDE to help you choose FIXED or SAFE. The next time your project binding syncs with the server, your status update is reflected in SonarQube (Server, Cloud) or SonarQube Community Build.