New SonarQube security report for Visual Studio: Find & manage security risks in your IDE
Discover the new SonarQube security report for Visual Studio, which surfaces taint analysis findings, vulnerability hotspots, and security risk prioritization without leaving your IDE.
SonarQube has introduced a new security report window for Visual Studio that consolidates security findings directly within the integrated development environment. This feature displays security hotspots, vulnerabilities, and dependency risks identified by SonarQube, enabling developers to visualize and address security issues without leaving their coding workspace. The security report window represents a significant step toward making security analysis more accessible and integrated into the development workflow.
Prerequisites and Setup
To access the new security report window, developers must first establish a connected mode connection between Visual Studio and either SonarQube Cloud or SonarQube Server. Additionally, viewing dependency risks requires an advanced security subscription. Once properly configured with a project bound to a SonarQube server, users can access the security report by navigating to Extensions in Visual Studio and selecting "SonarQube Connected Mode View Security Report," which opens the dedicated security report pane.
Key Features and Functionality
The security report window provides comprehensive filtering and analysis capabilities. By default, it displays all security issues surfaced for the project. Users can click on individual issues to access detailed SonarQube rule help panels, which explain why an issue exists, how to fix it, and its potential impact. The interface also allows developers to visualize issue flows for better understanding. The report supports flexible viewing options, allowing users to focus on security issues in open documents or the current document only.
Advanced Filtering and Dependency Management
The security report includes sophisticated filtering options, enabling developers to narrow results by severity and status. For instance, users can filter to display only blocker-level issues that have been resolved. The dependency risks tab—available with an advanced security subscription—allows developers to manage vulnerabilities in project dependencies. From this interface, developers can change issue status, add comments visible to their team within SonarQube, and open issues directly in SonarQube for more detailed information and resolution guidance.
SonarQube's Commitment to Open-Source Security
Beyond vulnerability identification, SonarQube demonstrates a proactive commitment to improving open-source security by compensating maintainers to follow and document secure practices. These insights are accessible within the security report, providing developers with valuable context about the security practices behind the dependencies they use.
Key Takeaways
- The security report window consolidates security hotspots, vulnerabilities, and dependency risks in a single IDE interface, eliminating context-switching for security analysis
- Connected mode to SonarQube Cloud or Server is required, with advanced security subscription needed for dependency risk visibility
- Developers can filter issues by severity and status, and access detailed rule help panels explaining vulnerabilities and remediation strategies
- The tool enables team collaboration through status changes and inline commenting that syncs with SonarQube
- SonarQube supports open-source security by funding maintainer documentation of secure practices