What is a SonarQube hotspot, and how is it different from a vulnerability? [Basic]
Answer
A SonarQube security hotspot is security-sensitive code that the analyser cannot judge on its own: the same construct may be perfectly safe or a real flaw depending on how and where it is used, so SonarQube queues it for a human to review rather than reporting it as an issue. A vulnerability is a finding where the rule has matched a pattern SonarQube treats as an actual security flaw; it is reported as an issue that must be fixed (or explicitly accepted), whereas a hotspot is closed by a documented review decision.
Technical explanation
Hotspots are review workflows, not automatically confirmed vulnerabilities.
Examples include use of cryptography, CORS settings, file handling, or authentication-related code that may be safe or unsafe depending on context.
A hotspot should be marked reviewed (as Safe or Fixed) only after the reviewer has verified the actual implementation in context and recorded the reasoning in the review comment, so that the next person to see it does not have to repeat the investigation.
Hands-on example
Example: SonarQube flags a Security Hotspot for a permissive CORS configuration. The reviewer checks whether the endpoint only serves public, non-sensitive data and whether the permissive origin is ever combined with credentialed responses (cookies or Authorization headers). If unsafe, they restrict origins to an explicit allowlist and resolve the hotspot as Fixed; if safe, they mark it reviewed as Safe with the justification written down.
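The following is an added example, not code from the original page or from SonarQube itself. It shows the kind of code the reviewer would be looking at in the CORS hotspot above: the permissive pattern kept as the "before" state, and the hardened version that only echoes an Origin that exactly matches an allowlist. The function names, the allowlist entries and the sample origins are assumptions made for illustration.

```python
"""Added example (not from the original page): the permissive CORS pattern that
raises a SonarQube Security Hotspot, next to the restricted form a reviewer
would accept. Helper names and the allowlist are illustrative assumptions."""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed allowlist of first-party origins; a real service loads this from config.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_permissive(request_origin: Optional[str]) -> Dict[str, str]:
    """The pattern that triggers the hotspot: every origin is allowed.

    Kept as the 'before' state for comparison. On a public, read-only endpoint
    this may be acceptable; on anything that returns per-user data it is not,
    because any site can read the response cross-origin."""
    return {"Access-Control-Allow-Origin": "*"}


def _normalise_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header value to 'https://host[:port]' in lower case.

    Returns None for anything malformed, non-HTTPS, or carrying a path, so the
    caller treats it as unknown. The literal 'null' origin also ends up here."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_restricted(
    request_origin: Optional[str],
    allowlist: FrozenSet[str] = ALLOWED_ORIGINS,
) -> Dict[str, str]:
    """The hardened form: emit CORS headers only for an exact allowlist match.

    Exact matching is deliberate: a substring or prefix check would accept
    'https://app.example.com.evil.net'. An empty dict means no CORS headers at
    all, so the browser refuses the cross-origin read by default."""
    if not request_origin:
        return {}
    origin = _normalise_origin(request_origin)
    if origin is None or origin not in allowlist:
        return {}
    return {
        # Echo the single matched origin rather than the allowlist or '*'.
        "Access-Control-Allow-Origin": origin,
        # Credentials are only safe because the origin above is allowlisted.
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per Origin, so caches must key on it.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample origins a reviewer would try against both variants.
    for sample in ("https://app.example.com", "https://app.example.com.evil.net", "null", None):
        print(repr(sample), cors_headers_permissive(sample), cors_headers_restricted(sample))
```

When walking through the hotspot, the reviewer's question is which of these two functions the endpoint actually calls and what the response contains; the wildcard variant is only defensible when the answer to the second question is "nothing that depends on who is asking".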