
sonar_get_security_hotspot_details

Get detailed information about a specific security hotspot with fix recommendations and context.

Description

Retrieves comprehensive security hotspot information including code context, security guidelines, and remediation advice. Essential for making informed review decisions.

Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| hotspotKey | string | Yes | - | Security hotspot key from SonarQube |
| includeRuleDetails | boolean | No | true | Include security recommendations |
| includeFilePath | boolean | No | true | Include absolute file path |
| contextLines | number | No | 10 | Lines of code context |

Usage

Basic Usage

Show me details for security hotspot AHx123abc456

Tool call:

{
  "hotspotKey": "AHx123abc456"
}

Extended Context

I need more code context for this security issue

Tool call:

{
  "hotspotKey": "AHx123abc456",
  "contextLines": 25
}

Response Format

🔒 SECURITY HOTSPOT DETAILS
━━━━━━━━━━━━━━━━━━━━━━━━━━━

Hotspot Key: AHx123abc456
Status: TO_REVIEW
Vulnerability Probability: HIGH
Category: Credentials

📍 LOCATION:
File: /Users/dev/my-project/src/config/database.ts
Line: 15

📝 MESSAGE:
Make sure this password is not disclosed.

📍 CODE CONTEXT:
──────────────────────────────────────────────────────
  12 │ export const dbConfig = {
  13 │   host: 'localhost',
  14 │   port: 5432,
> 15 │   password: 'super_secret_password_123',
  16 │   database: 'myapp',
  17 │   user: 'admin'
  18 │ };
──────────────────────────────────────────────────────

🔐 SECURITY RULE: typescript:S2068
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Hard-coded credentials are security-sensitive

Credentials should not be stored directly in code.
This makes the application vulnerable if the code
is ever exposed, and makes credential rotation difficult.

⚠️ RISK:
- Exposed credentials in version control
- Cannot rotate without code changes
- Shared across all environments

✅ SECURE ALTERNATIVES:
──────────────────────────────────────────────────────
// Use environment variables
password: process.env.DB_PASSWORD,

// Use a secrets manager
password: await secretsManager.getSecret('db-password'),

// Use a configuration service
password: config.get('database.password'),
──────────────────────────────────────────────────────

📋 REVIEW CHECKLIST:
□ Is this actually a secret/credential?
□ Is it used in production code?
□ Can it be moved to environment variables?
□ Is the repository public or could become public?

🎯 RECOMMENDATION:
Move credentials to environment variables and use
.env files (gitignored) for local development.
Mark as SAFE only if this is test/mock data.
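The recommendation above says to move the credential out of the source and into the environment. As an added example that is not part of the original page or of SonarQube's own code, this is the flagged dbConfig rewritten that way, with a fail-fast check so a missing DB_PASSWORD aborts startup instead of silently becoming an empty password, and a redacting formatter so the secret does not reappear in log output. The DB_* variable names and the loader signature are assumptions for the example.

```typescript
// Added example, not from the page: hardened form of the flagged dbConfig.
// The password is read from the environment instead of being hard-coded.

interface DbConfig {
  host: string;
  port: number;
  password: string;
  database: string;
  user: string;
}

type EnvMap = Record<string, string | undefined>;

// Read process.env without depending on Node type definitions being installed.
const defaultEnv: EnvMap = ((globalThis as any).process?.env as EnvMap) ?? {};

// Builds the database config from an environment-like map (defaults to
// process.env). Passing a map makes the loader testable without touching the
// real environment. Variable names DB_* are an assumption for this example.
function loadDbConfig(env: EnvMap = defaultEnv): DbConfig {
  const password = env.DB_PASSWORD;
  if (!password) {
    // Fail fast: an unset or empty password is a deployment error, not a fallback.
    throw new Error("DB_PASSWORD is not set; refusing to start without a database password");
  }

  const port = Number(env.DB_PORT ?? "5432");
  if (!Number.isInteger(port) || port <= 0 || port > 65535) {
    throw new Error(`DB_PORT is not a valid TCP port: ${String(env.DB_PORT)}`);
  }

  return {
    host: env.DB_HOST ?? "localhost",
    port,
    password,
    database: env.DB_NAME ?? "myapp",
    user: env.DB_USER ?? "admin",
  };
}

// Formats the config for logs with the password redacted; the hotspot rule is
// about disclosure, so the value moved out of the source must not leak back
// in via a config dump.
function describeDbConfig(cfg: DbConfig): string {
  return `${cfg.user}@${cfg.host}:${cfg.port}/${cfg.database} (password: ********)`;
}

// Usage with a constructed environment, so the example runs offline:
const demo = loadDbConfig({ DB_PASSWORD: "constructed-test-secret", DB_PORT: "5433" });
console.log(describeDbConfig(demo));
```

For local development, the DB_PASSWORD value lives in a gitignored .env file, as the recommendation describes; in deployed environments it is injected by the platform or a secrets manager, and the source file no longer contains anything the hotspot rule would flag.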

Examples

Example 1: Review Hardcoded Password

Prompt:

Tell me more about this hardcoded password issue

Tool Call:

{
  "hotspotKey": "AHx123abc456"
}

Example 2: Crypto Algorithm Review

Prompt:

Is this encryption algorithm really weak?

Tool Call:

{
  "hotspotKey": "AHx789def012",
  "contextLines": 30
}

Review Decision Guide

| Scenario | Decision | Action |
|---|---|---|
| Real hardcoded secret | Fix | Move to env vars |
| Test/mock data | Safe | Mark as SAFE |
| False positive | Safe | Mark as SAFE with reason |
| Accepted risk | Acknowledged | Document in SonarQube |

Vulnerability Probability Levels

| Level | Meaning | Action |
|---|---|---|
| HIGH | Likely exploitable | Review immediately |
| MEDIUM | Potentially exploitable | Review soon |
| LOW | Unlikely to be exploited | Review when possible |

Best Practices

  1. Don't rush decisions - Security requires careful review
  2. Check all code paths - The flagged line may be part of a larger issue
  3. Consider context - Test code differs from production code
  4. Document decisions - Future developers need to understand why

Common Issues

"Hotspot not found"

Cause: Invalid key, or the hotspot has already been resolved.

Solution: Run sonar_get_security_hotspots for current keys.

"This looks like a false positive"

Review carefully before marking as SAFE:

  1. Is the value actually sensitive?
  2. Could the code path be reached with real data?
  3. Could the code be copy-pasted to production?