GitHub Code Scanning Alerts For Security Vulnerabilities

SonarCloud automatically provides feedback about security vulnerabilities inside the GitHub interface itself. Security vulnerabilities found by SonarCloud appear both as part of the analysis results displayed in the SonarCloud interface and as GitHub code scanning alerts under the Security tab in the GitHub interface.

Security vulnerabilities surfaced as code scanning alerts

When you perform an analysis on a project, the security vulnerabilities found are displayed in the SonarCloud interface. You can click on the counter to display a list of the detected security vulnerabilities.

If your project is in GitHub, you will also find the same vulnerabilities displayed within the GitHub interface under the Security tab. Select View alerts to see the full list.

Bi-directional synchronized status changes

When you change the status of a security vulnerability in the SonarCloud interface, that status change is immediately reflected in the GitHub interface, and vice versa.

For example, if you change an issue from Open to Resolve as false positive in SonarCloud, that change is reflected in the code scanning alerts in GitHub. Similarly, if you change an issue from Open to Dismiss: Won't Fix in GitHub, that change is reflected in SonarCloud.

Correspondence of statuses

Initially, all issues marked Open on SonarCloud are marked Open on GitHub. Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions.

On SonarCloud, a transition to ...        results in this on GitHub
Resolve (Fixed)                           Open
Resolve (Won't Fix)                       Dismiss: Won't fix
Resolve (False Positive)                  Dismiss: False positive

On GitHub, a transition to ...            results in this on SonarCloud
Dismiss: False positive                   Resolve (False Positive)
Dismiss: Used in tests                    Resolve (Won't Fix)
Dismiss: Won't fix                        Resolve (Won't Fix)
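The correspondence above is not one-to-one, so a dismissal can change meaning after a round trip (Used in tests becomes Won't fix), which matters when you audit why an alert was closed. The following is an added illustration written for this page, not SonarCloud or GitHub code; it encodes the two tables, shows the round trip, and checks a constructed set of issue records for sides that do not match under the mapping. The Open-to-Open correspondence is taken from the "Initially" sentence above.

```python
# Added illustration of the status correspondence; not SonarCloud or GitHub code.
# Status names are the labels used in the tables on this page.

# SonarCloud transition -> resulting GitHub code scanning alert state
SONAR_TO_GITHUB = {
    "Open": "Open",  # initial correspondence stated on the page
    "Resolve (Fixed)": "Open",
    "Resolve (Won't Fix)": "Dismiss: Won't fix",
    "Resolve (False Positive)": "Dismiss: False positive",
}

# GitHub dismissal -> resulting SonarCloud status
GITHUB_TO_SONAR = {
    "Open": "Open",  # initial correspondence stated on the page
    "Dismiss: False positive": "Resolve (False Positive)",
    "Dismiss: Used in tests": "Resolve (Won't Fix)",
    "Dismiss: Won't fix": "Resolve (Won't Fix)",
}


def round_trip_from_github(github_state):
    """Dismiss in GitHub, sync to SonarCloud, sync back to GitHub.
    Shows which dismissal reasons survive the round trip unchanged."""
    return SONAR_TO_GITHUB[GITHUB_TO_SONAR[github_state]]


def is_consistent(sonar_status, github_state):
    """A pair is consistent if either side could have produced the other."""
    return (SONAR_TO_GITHUB.get(sonar_status) == github_state
            or GITHUB_TO_SONAR.get(github_state) == sonar_status)


def find_inconsistent(records):
    """records: iterable of (issue_key, sonar_status, github_state).
    Returns keys whose two sides cannot be explained by the mapping,
    i.e. a sync failure or an unexpected manual change on one side."""
    return [key for key, s, g in records if not is_consistent(s, g)]


if __name__ == "__main__":
    # Constructed sample records, not real analysis output.
    sample = [
        ("ISSUE-1", "Resolve (Won't Fix)", "Dismiss: Used in tests"),  # ok
        ("ISSUE-2", "Resolve (Fixed)", "Open"),                         # ok
        ("ISSUE-3", "Resolve (False Positive)", "Dismiss: Won't fix"),  # mismatch
        ("ISSUE-4", "Open", "Dismiss: Won't fix"),                      # mismatch
    ]
    print(find_inconsistent(sample))                           # ['ISSUE-3', 'ISSUE-4']
    print(round_trip_from_github("Dismiss: Used in tests"))    # Dismiss: Won't fix
```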

No configuration needed

You might notice a button in the GitHub Security tab labeled Add more scanning tools. This is used to configure third-party plugins. To use scanning alerts from SonarCloud, however, you do not need to add any third-party plugins.

The GitHub Code Scanning Alerts for Security Vulnerabilities feature is enabled automatically and for free on all public GitHub repositories. You just have to make sure that your repository is bound to SonarCloud (in other words, you have to import it through the SonarCloud interface).

If your repository is private, you necessarily have a paid SonarCloud subscription. To enable scanning alerts on a private GitHub repository, you will need to pay for the GitHub Advanced Security feature. This is entirely on the GitHub side: SonarCloud does not charge anything extra (above the paid subscription for private repositories) to enable the scanning alerts feature.

© 2008-2022, SonarCloud by SonarSource SA. All rights reserved.