GitHub Code Scanning Alerts For Security Vulnerabilities

SonarCloud automatically provides feedback about security vulnerabilities inside the GitHub interface itself. Security vulnerabilities found by SonarCloud will appear both as part of the analysis results displayed in the SonarCloud interface and as GitHub Scanning Alerts under the Security tab in the GitHub interface.

Security vulnerabilities surfaced as code scanning alerts

When you perform an analysis on a project, the security vulnerabilities found will be displayed in the SonarCloud interface:

Screenshot showing where the security vulnerabilities results are displayed in SonarCloud.

You can click on the counter to display a list of detected security vulnerabilities:

Screenshot of a list of security vulnerabilities in SonarCloud.

If your project is in GitHub you will also find the same vulnerabilities displayed within the GitHub interface under the Security tab:

Screenshot that shows where the Security tab is located in GitHub.
Screenshot that shows the code scanning alerts section in GitHub.

Select View alerts to see the full list:

Screenshot of the complete list of security vulnerabilities in GitHub.

Bi-directional synchronized status changes

When you change the status of a security vulnerability in the SonarCloud interface that status change will be immediately reflected in the GitHub interface and vice versa.

For example, if you change an issue from Open to Resolve as false positive here in SonarCloud:

Screenshot of how to resolve a vulnerability as false positive in SonarCloud.

That change will be reflected in the code scanning alerts in GitHub:

Screenshot of the synchronized vulnerability status update in GitHub.

Similarly, if you change an issue from Open to Dismiss: Won't Fix in GitHub: 

Screenshot of how to resolve a security alert as Won't fix in GitHub.

That change will be reflected in SonarCloud.

Correspondence of statuses

Initially, all issues marked Open on SonarCloud are marked Open on GitHub. But because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions. 

On SonarCloud, a transition to ...      results in this on GitHub
  Confirm                               Open
  Resolve (Fixed)                       Open
  Resolve (Won't Fix)                   Dismiss: Won't fix
  Resolve (False Positive)              Dismiss: False positive
  Reopened                              Open

On GitHub, a transition to ...          results in this on SonarCloud
  Dismiss: False positive               Resolve (False Positive)
  Dismiss: Used in tests                Resolve (Won't Fix)
  Dismiss: Won't fix                    Resolve (Won't Fix)

No configuration needed

You might notice a button in the GitHub Security tab labeled Add more scanning tools. This is used to configure third-party plugins. To use scanning alerts from SonarCloud, however, you do not need to add any third-party plugins. 

The GitHub Code Scanning Alerts for Security Vulnerabilities feature is enabled automatically and for free on all public GitHub repositories. You just have to make sure that your repository is bound to SonarCloud (in other words, you have to import it through the SonarCloud interface).

If your repository is private, you necessarily have a paid SonarCloud subscription. To enable scanning alerts on a private GitHub repository, you also need to pay for the GitHub Advanced Security feature. This cost is entirely on the GitHub side: SonarCloud does not charge anything extra (above the paid subscription for private repositories) to enable the scanning alerts feature.

© 2008-2022, SonarCloud by SonarSource SA. All rights reserved.