Blog post

Announcing SonarQube Advanced Security

Johannes Dahse

Head of R&D

For over a decade, SonarQube has been a trusted name in the developer community, renowned for its industry-leading code quality analysis. But did you know that SonarQube has also been simultaneously investing in providing developers and security professionals with robust security analysis? From Static Application Security Testing (SAST) and taint analysis to Infrastructure as Code (IaC) scanning and secrets detection, SonarQube has added a broad portfolio of code security capabilities to help teams secure their first-party and AI-generated code.


Today, we’re excited to announce SonarQube Advanced Security, a major enhancement to SonarQube’s existing code quality and code security capabilities. SonarQube Advanced Security will include Software Composition Analysis (SCA) and advanced Static Application Security Testing (SAST) and will be available to all SonarQube customers. This new offering not only builds on SonarQube’s existing core security capability but also extends its reach to include analysis of first-party, third-party open source, and AI-generated code. With SonarQube Advanced Security, Sonar now provides one integrated code quality and code security analysis solution for all your code, based on the same developer-first philosophy we’ve always had.


Security in a Rapid Development World

Modern software development moves fast, often driven by generating code with AI and building on top of third-party open source libraries. Unfortunately, this speed can leave security as an afterthought. Vulnerabilities are often discovered too late—right before release or even after deployment—leading to costly rework, production delays, and increased risks.


Traditional security tools exacerbate the problem by overwhelming teams with false positives, missing hidden risks in third-party open source code, and making compliance a tedious process. To address these challenges, development teams need a proactive, developer-first approach to security—one that integrates seamlessly into their workflows and ensures that all parts of their software’s code are secure.


Our Security Solution for Developers

SonarQube integrates into the developer workflow, from IDE to CI/CD, delivering integrated code quality and code security. It already provides robust core security features, including:

  • Static Application Security Testing (SAST): Identifies vulnerabilities in first-party and AI-generated code
  • Taint Analysis: Tracks untrusted data flows cross-file to detect potential security risks
  • Secrets Detection: Prevents sensitive information, like API keys, from being exposed in code
  • Infrastructure as Code (IaC) Scanning: Secures cloud infrastructure configurations
  • Security reporting: Report on code compliance for standards like OWASP Top 10, PCI DSS, STIG, CASA, and CWE Top 25


These capabilities focus on protecting first-party and AI-generated code, helping teams identify vulnerabilities early in the development process.


SonarQube Advanced Security extends this protection to third-party open source code, providing comprehensive security coverage for modern codebases.


Key features of Advanced Security include:

Software Composition Analysis (SCA)

  • Vulnerability Identification: Detect, prioritize, and mitigate vulnerabilities (including CVEs) in third-party open source dependencies
  • License Compliance: Ensure all third-party components meet your organization’s licensing policies
  • SBOM (Software Bill of Materials): Generate detailed inventories of software components to understand, manage, and report on your code’s composition


Advanced SAST

  • While SonarQube has long offered SAST and taint analysis for first-party code, advanced SAST (formerly known as deeper SAST) extends this analysis to include interactions between first-party and third-party code, uncovering deeper and more complex vulnerabilities


With Advanced Security, SonarQube addresses these challenges head-on, offering a unified solution for:

  • Proactive vulnerability and supply chain management across all code sources
  • Comprehensive security and quality analysis that spans first-party, third-party open source, and AI-generated code
  • Streamlined compliance with SBOM generation and license tracking


SonarQube Advanced Security is the first step in integrating Sonar’s recent acquisition of Tidelift and its unique, proactive approach to improving third-party code quality and code security by working directly with open source maintainers. This allows teams to get verified insights about false positives, exploitability, and available workarounds for dependency risks.


Benefits of SonarQube

Created by developers for developers, SonarQube helps teams supercharge their work with:

  • Comprehensive Code Coverage: SonarQube provides code quality and security analysis for 30+ programming languages and frameworks, using more than 6,000 rules. It ensures security (SAST, taint analysis, SCA, Secrets Detection, IaC scanning), reliability, and maintainability across all types of code.
  • Broad Detection and Remediation: Find and remediate a wide range of security issues, including SQL injection, cross-site scripting (XSS), buffer overflows, security misconfigurations, secret leaks, and more.
  • Unmatched Accuracy and Speed: With an industry-leading >90% True Positive Rate (TPR) and <10% False Positive Rate (FPR), SonarQube detects and remediates code quality and security issues in real time, even across multiple files and libraries.
  • Enforce Coding Standards: Developers can catch real issues as they write code, minimizing rework and ensuring security is built in from the start. Organizations can set clear standards for downstream security reviews and production, empowering both developers and AppSec teams to truly "shift left."
  • Meet Compliance and Regulatory Needs: Simplify compliance with essential coding standards. Built-in reports track and manage code security against OWASP Top 10, OWASP ASVS, PCI DSS, STIG, CASA, and CWE Top 25 standards. SonarQube is also aligned with the NIST Secure Software Development Framework (SSDF), making it easier to meet regulatory requirements.


SonarQube ensures your entire codebase is secure, reliable, and maintainable—helping you build better, safer applications faster.


Availability

The General Availability (GA) of SonarQube Advanced Security is planned for the end of May 2025. It will be available as a new purchasable license for SonarQube Server Enterprise Edition 2025 Release 3 and shortly after that for SonarQube Cloud Enterprise.


Learn more about our security solution.