The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Sandboxing Issue Triage

This page explains the Issue Sandboxing behavior you will see after the upgrade. This page is designed to help you prepare for the upgrade.

SonarQube 2026.1 LTA — What new to expect

We are upgrading from SonarQube 2025.1 LTA → 2026.1 LTA.

TL;DR

A major LTA-to-LTA upgrade brings a significant number of new and improved rules across all languages.

New issues can appear on code you haven’t touched — either because the analyzers got smarter or because new rules were added to the quality profile.

The Sandbox feature is here to make this upgrade smooth: those issues are isolated automatically, they are visible in the UI, but they do not block your pipeline or fail your quality gate.

The goal is not to hide issues, it is to give your team time to triage them deliberately, without being caught off guard on release day.

Why does SonarQube find new issues on unchanged code?

Between 2025.1 LTA and 2026.1 LTA, Sonar shipped improvements in two categories:

1. Improved analyzers — existing rules now detect more cases, with fewer false positives. Code that previously passed can now correctly raise an issue because the engine understands the code more deeply.

2. New rules — new rules were added to the default Sonar way quality profile. These rules cover patterns that simply weren’t checked before.

Both are legitimate quality improvements. The Sandbox gives you time to assess them without pressure.

What happens on your project after the upgrade

Here is the sequence you will go through, based on a test run on projects analyzed under SonarQube 2025.1:

2025

Step 1 — Check the Sandbox configuration on your project

Immeediatly after the upgrade, before any scan.

Go to: General Settings > General then Section: Sandbox specific issue categories after SonarQube update

You will see the instance-level default configuration. From here, you can:

  • Keep the default — the sandbox conditions defined at instance level apply as-is
  • Override — adjust the sandbox conditions specifically for your project (see section below on project-level override)

config

Step 2 — Re-run the analysis

Trigger a new analysis (push, manual scan, or CI). SonarQube applies the sandbox rules: matching issues are automatically flagged “In sandbox”.

Step 3 — Check your dashboard

Your existing metrics are unchanged. Quality gate: still passing.

A new widget appears on the project overview showing the count of sandboxed issues separately from open issues.

project-with-sandbox

Step 4 — Find sandboxed issues in the Issues tab

Go to the Issues tab and filter by:
Status = In Sandbox

You will see the full list of issues that were isolated, with their rule, location, severity and explanation — exactly like any other issue.

Warning

Note that Sandboxed issues generate no notification.

There is no alert, no badge everything looks normal when issues are placed in sandbox. This means your team could be unaware that new issues could have been detected.

Working with sandboxed issues

Once the upgrade to SonarQube 2026.1 is complete and the first analysis has run, you will start seeing sandboxed issues in your project.

What you will see in the UI

A sandboxed issue:

  • ✅ Is visible in the Issues tab (filter: Status = In Sandbox)
  • ✅ Shows the rule, location, and full explanation as usual
  • ✅ Appears in a dedicated sandbox widget on the project overview
  • ❌ Does not count toward your quality gate
  • ❌ Does not affect your ratings or metrics
  • ❌ Does not block your CI/CD pipeline

What you need to do — triage

Sandboxed issues don’t disappear on their own. Each issue gives you three options:

ActionWhen to use itQuality gate impact
OpenThe issue is legitimate and should be fixed⚠️ Will count once opened
AcceptKnown issue, won’t fix now (tracked as debt)✅ No impact
False positiveThe rule fired incorrectly on your code✅ No impact
Note

Start with a bulk review. Most sandbox issues from a version upgrade are Minor or Info code smells. Batch-accept those that don’t align with your current quality policy, then schedule proper fixes in a future sprint.

Project-level override

By default, all projects inherit the instance-level sandbox configuration.

If your project has specific needs, you can override the sandbox conditions directly in your project settings, only Before first analysis on the new version

Project Settings > General Settings > General > Sandbox specific issue categories

From there you can tighten or loosen the conditions (e.g. sandbox fewer or more severity levels) based on your project’s risk profile.

Note

This part is under your reponsability.

This is per-project configuration — there is no automated rollout after the upgrade.

What is sandboxed — instance default configuration

Issue TypeProposed sandboxed severitiesRationale
Code SmellsALLMaintainability issues are usually low-risk for releases. Sandboxing them avoids noisy gate breaks.
BugsALLprevent unexpected gate failures after the upgrade, while remaining visible for inspection.
VulnerabilitiesNone — never sandboxedSecurity issues always count in the quality gate; they must be addressed or explicitly accepted.

Sandbox is temporary

Sandboxed issues are not resolved issues. They are deferred, not dismissed.

If left untriaged, they accumulate as hidden technical debt and undermine the value of the upgrade.

We recommend:

  • Triaging sandbox issues within the sprint following the upgrade
  • Using Accept as a deliberate per-issue choice, not a systematic way to skip analysis
  • Scheduling fixes for Open issues in the backlog, not indefinitely

The Sandbox is a buffer — should not become a permanent state.

FAQ

Q: Will my current quality gate fail after the upgrade?
No. Sandboxed issues do not affect the quality gate. Your pipelines continue to pass as before, provided no new issues appear on your new code.

Q: How do I find sandboxed issues?
Issues tab → filter Status = In Sandbox. You can also filter by rule, file, or author.

Q: What if a rule fires incorrectly on my code?
Mark the issue as False positive and add a comment. This can feed into a shared quality profile review if the same false positive affects multiple projects.

Q: How long do issues stay in sandbox?
Until you triage them. There is no automatic expiry. They remain sandboxed across subsequent analyses as long as the underlying code hasn’t changed.

Q: What if I don’t override the instance config — is that safe?
Yes. The instance default applies automatically. You only need to act if your project needs different conditions.