sonar_get_security_hotspots
Get all security hotspots for the project that require review.
Description
Lists security-sensitive code that needs manual review. Unlike vulnerabilities (confirmed issues), hotspots are potential security concerns that require human judgment.
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| statuses | array | No | ["TO_REVIEW"] | Filter by review status: TO_REVIEW, REVIEWED |
| resolutions | array | No | All | Filter by resolution: FIXED, SAFE, ACKNOWLEDGED. A resolution is only set once a hotspot is REVIEWED, so combine this filter with statuses: ["REVIEWED"] or it matches nothing |
| severities | array | No | All | Filter by vulnerability probability: HIGH, MEDIUM, LOW |
Hotspot vs Vulnerability
| Aspect | Hotspot | Vulnerability |
|---|---|---|
| Certainty | Needs review | Confirmed issue |
| Action | Review and decide | Fix immediately |
| Status flow | TO_REVIEW → REVIEWED | Open → Fixed |
Usage
List All Pending Hotspots
Show me security hotspots that need review
Tool call:
{}
High Priority Only
Show me high-severity security hotspots
Tool call:
{
"severities": ["HIGH"]
}
Include Reviewed
Show all security hotspots including reviewed ones
Tool call:
{
"statuses": ["TO_REVIEW", "REVIEWED"]
}
Response Format
SECURITY HOTSPOTS
━━━━━━━━━━━━━━━━━
Total: 5 hotspots requiring review
HIGH PROBABILITY (2):
1. Hardcoded Credentials
File: src/config/database.ts:15
Key: AHx123abc456
Category: Credentials
Status: TO_REVIEW
2. Weak Cryptographic Algorithm
File: src/utils/crypto.ts:42
Key: AHx123abc457
Category: Encryption
Status: TO_REVIEW
MEDIUM PROBABILITY (2):
3. Open Redirect
File: src/routes/auth.ts:89
Key: AHx123abc458
Category: Others
Status: TO_REVIEW
4. Insecure Cookie
File: src/middleware/session.ts:23
Key: AHx123abc459
Category: Others
Status: TO_REVIEW
LOW PROBABILITY (1):
5. HTTP Instead of HTTPS
File: src/api/client.ts:12
Key: AHx123abc460
Category: Others
Status: TO_REVIEW
RECOMMENDATION:
Start with HIGH probability hotspots.
Use sonar_get_security_hotspot_details for full context.
Security Categories
| Category | Examples |
|---|---|
| Credentials | Hardcoded passwords, API keys |
| Encryption | Weak algorithms, insecure random |
| Injection | SQL, LDAP, OS command |
| Authentication | Session handling, password storage |
| Authorization | Access control, privilege escalation |
| Others | CORS, redirects, logging |
Examples
Example 1: Security Audit
Prompt:
I need to do a security review of this project
Tool Call:
{
"severities": ["HIGH", "MEDIUM"]
}
Example 2: Check Resolved Items
Prompt:
Show me hotspots we've already reviewed
Tool Call:
{
"statuses": ["REVIEWED"],
"resolutions": ["SAFE", "FIXED"]
}
Example 3: Unresolved High Priority
Prompt:
What critical security items are still pending?
Tool Call:
{
"statuses": ["TO_REVIEW"],
"severities": ["HIGH"]
}
Hotspot Review Workflow
Best Practices
- Review HIGH first - These have the highest exploitation probability
- Get details - Use sonar_get_security_hotspot_details before deciding
- Document decisions - Mark safe items with reasoning; a SAFE or ACKNOWLEDGED resolution without a comment is hard to audit later
- Regular reviews - Security hotspots accumulate over time
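The filter semantics from the parameters table and the review workflow above, as an added Python example (not code from the tool or from SonarQube). It assumes the tool's output has been parsed into records with the fields shown in the response format (key, file, line, message, category, probability, status, resolution); the sample hotspots are constructed to mirror that format, and the `comment` field is an assumption standing in for the reviewer's documented reasoning.

```python
"""Triage helper for a parsed sonar_get_security_hotspots response.

Added example, not the tool's own code. Field names are an assumption
based on the page's response format.
"""
from dataclasses import dataclass, replace
from typing import Optional

STATUSES = ("TO_REVIEW", "REVIEWED")
RESOLUTIONS = ("FIXED", "SAFE", "ACKNOWLEDGED")
PROBABILITIES = ("HIGH", "MEDIUM", "LOW")  # what the tool's "severities" filter selects on


@dataclass(frozen=True)
class Hotspot:
    key: str
    file: str
    line: int
    message: str
    category: str
    probability: str
    status: str = "TO_REVIEW"
    resolution: Optional[str] = None  # only set once status is REVIEWED
    comment: str = ""                 # reviewer's reasoning (assumed field)


# Constructed sample data mirroring the page's response format, not real scan output.
SAMPLE = [
    Hotspot("AHx123abc456", "src/config/database.ts", 15, "Hardcoded Credentials", "Credentials", "HIGH"),
    Hotspot("AHx123abc457", "src/utils/crypto.ts", 42, "Weak Cryptographic Algorithm", "Encryption", "HIGH"),
    Hotspot("AHx123abc458", "src/routes/auth.ts", 89, "Open Redirect", "Others", "MEDIUM"),
    Hotspot("AHx123abc459", "src/middleware/session.ts", 23, "Insecure Cookie", "Others", "MEDIUM"),
    Hotspot("AHx123abc460", "src/api/client.ts", 12, "HTTP Instead of HTTPS", "Others", "LOW"),
    # one already-reviewed hotspot so the resolutions filter has something to match
    Hotspot("AHx123abc461", "src/utils/ids.ts", 7, "Insecure Random", "Encryption", "MEDIUM",
            status="REVIEWED", resolution="SAFE", comment="request id is not security-relevant"),
]


def filter_hotspots(hotspots, statuses=("TO_REVIEW",), resolutions=None, severities=None):
    """Apply the tool's three filters with its documented defaults.

    statuses defaults to ["TO_REVIEW"]; resolutions and severities default to "All"
    (None). A resolutions filter can only match REVIEWED hotspots, because a
    TO_REVIEW hotspot has no resolution yet. Unknown filter values are rejected
    rather than silently matching nothing.
    """
    for name, allowed, values in (("statuses", STATUSES, statuses),
                                  ("resolutions", RESOLUTIONS, resolutions),
                                  ("severities", PROBABILITIES, severities)):
        if values is not None and set(values) - set(allowed):
            raise ValueError(f"invalid {name} value(s): {sorted(set(values) - set(allowed))}")
    out = []
    for h in hotspots:
        if statuses is not None and h.status not in statuses:
            continue
        if resolutions is not None and h.resolution not in resolutions:
            continue
        if severities is not None and h.probability not in severities:
            continue
        out.append(h)
    return out


def review_queue(hotspots):
    """Pending hotspots ordered HIGH -> MEDIUM -> LOW, then by file and line (review HIGH first)."""
    rank = {p: i for i, p in enumerate(PROBABILITIES)}
    return sorted(filter_hotspots(hotspots), key=lambda h: (rank[h.probability], h.file, h.line))


def summarize(hotspots):
    """Pending counts per probability, like the header of the tool's response."""
    counts = {p: 0 for p in PROBABILITIES}
    for h in filter_hotspots(hotspots):
        counts[h.probability] += 1
    return counts


def mark_reviewed(hotspot, resolution, comment=""):
    """Move a hotspot TO_REVIEW -> REVIEWED, enforcing that the decision is documented.

    SAFE and ACKNOWLEDGED leave the flagged code unchanged, so they must carry
    the reviewer's reasoning; FIXED is self-explanatory once the code changes.
    """
    if resolution not in RESOLUTIONS:
        raise ValueError(f"resolution must be one of {RESOLUTIONS}, got {resolution!r}")
    if resolution in ("SAFE", "ACKNOWLEDGED") and not comment.strip():
        raise ValueError(f"{resolution} leaves the code as-is: record why that is acceptable")
    return replace(hotspot, status="REVIEWED", resolution=resolution, comment=comment)


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for h in review_queue(SAMPLE):
        print(f"{h.probability:6} {h.file}:{h.line}  {h.message} ({h.key})")
```

`filter_hotspots(SAMPLE, resolutions=["SAFE"])` returns nothing because the default status filter keeps only TO_REVIEW hotspots, which is the trap the parameters table warns about; pass `statuses=["REVIEWED"]` alongside a resolutions filter, as Example 2 below does.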
Common Issues
"No hotspots found"
Cause: Project hasn't been scanned, the quality profile has no hotspot rules enabled, or the code has no security-sensitive patterns the analyzer recognizes.
Solution: Run sonar_scan_project first, then check the quality profile if the result is still empty.
"All hotspots are LOW"
A good sign, but not a clean bill of health: LOW hotspots still need review, and hotspot rules only flag patterns the analyzer knows about. Work through them with sonar_get_security_hotspot_details and record a resolution for each.
Related Tools
- sonar_get_security_hotspot_details - Full hotspot details
- sonar_scan_project - Run security scan
- sonar_get_issue_details - For confirmed vulnerabilities