STATIC APPLICATION SECURITY TESTING

Develop secure code with SAST

SAST reduces the risk of security breaches by scanning and analyzing the source code files to identify issues such as security vulnerabilities, bugs, code smells and other flaws to ensure code quality and security.


Code Security

Benefits of deeper SAST

Find deeply hidden security issues

99% of software applications use and interact with code in third-party libraries (dependencies). Today, most SAST tools analyze only application code; library code is largely a black box to them. Deeper SAST from Sonar extends code analysis and scanning to the unknown parts of the code that live in open-source dependencies. Scanning those dependencies lets Sonar SAST extend its dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube Server and SonarQube Cloud. It supports thousands of the most commonly used open-source libraries, including their transitive dependencies. It scales automatically and will be expanded to cover more languages and libraries in the future. Machine learning (ML) is used for optimization.
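As an added illustration (not Sonar's engine or its internal representation), the toy taint analysis below runs the same dataflow over a constructed request handler twice: once with summaries describing how a hypothetical query-building library propagates its arguments, and once treating that library as a black box, which is where the flow into the SQL sink gets lost.

```python
# Toy interprocedural taint analysis over a constructed mini-IR (added example,
# not Sonar's representation). Statement forms:
#   ("source", var)            var receives untrusted input
#   ("assign", dst, src)       dst = src
#   ("call", dst, func, args)  dst = func(*args)
#   ("sink", var, kind)        var reaches a dangerous operation of that kind

# Library summaries: which argument positions of a library function flow into
# its result. An empty set marks a sanitiser. Both functions are hypothetical.
LIBRARY_SUMMARIES = {
    "querylib.concat_where": {0, 1},  # builds SQL text from both arguments
    "querylib.escape": set(),         # returns an escaped copy: breaks the flow
}

def analyse(body, summaries):
    """Return (kind, var) findings. A call with no summary is a black box and its
    result is treated as clean, which is exactly where a black-box tool loses the flow."""
    tainted = set()
    findings = []
    for stmt in body:
        if stmt[0] == "source":
            tainted.add(stmt[1])
        elif stmt[0] == "assign":
            _, dst, src = stmt
            (tainted.add if src in tainted else tainted.discard)(dst)
        elif stmt[0] == "call":
            _, dst, func, args = stmt
            flows = summaries.get(func, set())
            propagated = any(args[i] in tainted for i in flows if i < len(args))
            (tainted.add if propagated else tainted.discard)(dst)
        elif stmt[0] == "sink":
            _, var, kind = stmt
            if var in tainted:
                findings.append((kind, var))
    return findings

# Constructed request handler: a user-supplied name is concatenated into a WHERE
# clause by the library and used directly; a second path escapes it first.
HANDLER = [
    ("source", "name"),
    ("call", "clause", "querylib.concat_where", ["name", "table"]),
    ("sink", "clause", "sql-injection"),            # real issue
    ("call", "safe", "querylib.escape", ["name"]),
    ("call", "clause2", "querylib.concat_where", ["safe", "table"]),
    ("sink", "clause2", "sql-injection"),           # sanitised: no issue
]

def with_library_summaries():
    return analyse(HANDLER, LIBRARY_SUMMARIES)   # [("sql-injection", "clause")]

def library_as_black_box():
    return analyse(HANDLER, {})                  # []
```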


Accelerate secure development

SAST can be performed early in the software development lifecycle (SDLC), before code is deployed and released into production. Using SAST during development allows security vulnerabilities and bugs to be identified and remediated quickly, before they can be exploited by attackers. SAST analysis of pull requests shifts security left and presents vulnerabilities as early as possible in the process, when the code is fresh in mind and the fix is still easy. SAST is available by default with SonarQube Server and SonarQube Cloud; it runs as part of a normal code analysis and integrates seamlessly with the DevSecOps pipeline.


Reduce the risk of security breaches

By adopting secure code development practices that strengthen the quality of the codebase, organizations can prevent malicious actors from exploiting vulnerabilities and stealing sensitive information. Sonar analyzers raise issues (including bugs and vulnerabilities) and security hotspots as they scan the code. A vulnerability is reported when Sonar finds a point in the code that is open to attack and a fix is needed to address the security problem. Security-sensitive pieces of code that need developer review and evaluation are categorized as 'security hotspots'. Sonar security rules also detect hard-coded credentials (passwords) and hard-coded secrets in your code. This cloud secret detection capability includes rules that discover unintended hard-coded passwords, credentials, tokens, API keys, and cloud account access keys for the most popular cloud providers: AWS, GCP, Microsoft Azure, IBM, and Alibaba Cloud.
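To show the shape of the hard-coded secret detection described above, here is an added example (constructed rules, not Sonar's rule set) that scans a few constructed source lines for credential literals and key-shaped values, suppresses placeholders and template references, and reports line and rule without echoing the matched value.

```python
import re

# Constructed detection rules for hard-coded secrets (added example, not Sonar's
# rule set). Each regex captures the candidate value in the "secret" group.
RULES = [
    # AWS access key IDs have a fixed "AKIA" prefix followed by 16 upper-case
    # alphanumerics, so they can be matched structurally.
    ("aws-access-key-id", re.compile(r"(?P<secret>\bAKIA[0-9A-Z]{16}\b)")),
    # Credential-looking identifiers assigned a string literal.
    ("hardcoded-credential", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"](?P<secret>[^'\"]{4,})['\"]")),
]

PLACEHOLDERS = {"changeme", "example", "your_password_here", "redacted"}

def is_placeholder(value):
    """Suppress obvious dummies and template/env references, which are not secrets."""
    v = value.strip()
    return (v.lower() in PLACEHOLDERS
            or v.startswith(("${", "{{", "%(", "<"))
            or re.fullmatch(r"[x*]+", v, re.I) is not None)

def scan(source):
    """Return (line_number, rule_name) findings. The matched value is deliberately
    not echoed, so a report never re-leaks the secret it found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m and not is_placeholder(m.group("secret")):
                findings.append((lineno, name))
                break
    return findings

# Constructed sample source; the AKIA value is AWS's published documentation
# example key, not a live credential.
SAMPLE = """\
db_password = "s3cr3t-Pa55"           # literal credential: finding
aws_key = "AKIAIOSFODNN7EXAMPLE"      # key-shaped literal: finding
password = os.environ["DB_PASSWORD"]  # read at runtime: no finding
api_key = "changeme"                  # placeholder: suppressed
token = "${VAULT_TOKEN}"              # template reference: suppressed
"""

def sample_findings():
    return scan(SAMPLE)   # [(1, "hardcoded-credential"), (2, "aws-access-key-id")]
```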


Automate code scanning

Sonar SAST can scan large amounts of code quickly, saving time and money across the software development life cycle. Automating code scanning with SAST improves the overall security posture of an application and reduces reliance on manual code reviews, allowing developers to focus on remediation while maintaining an efficient and secure development lifecycle. Developers can identify and address code quality and security issues early in the development lifecycle, and the actionable insights, security reports, and metrics Sonar provides help teams track and improve the overall code quality of their applications.


Code security and compliance

Sonar provides comprehensive application security tracking and governance for the most complex projects with SAST. It allows security auditors to track code security compliance and evaluate the risks to their software assets at an enterprise level with detailed reports. Security reports, executive aggregation, and PDF reports provide the oversight larger organizations need to evaluate risks to their software assets. Sonar SAST quickly gives security champions the big picture of their application's security posture. Dedicated reports track the application's code security against standards such as OWASP Top 10, OWASP ASVS, CWE Top 25 (2021, 2020, and 2019), and PCI DSS. The SonarSource report helps security professionals translate security problems into language developers understand.


Comprehensive detection engine and coverage

Sonar provides code quality and security analysis for 30+ languages (and frameworks), with more than 5,100 out-of-the-box Clean Code rules, and continuously extends the set of languages covered. Sonar detects bugs and security flaws at the code level, across source code, support code (including config code, infrastructure code, scripting, and test code), and third-party code such as external dependencies and libraries, often exceeding a true positive rate (TPR) of 90%. Security coverage includes cross-site scripting, SQL injection, path injection, hard-coded secrets, IaC misconfigurations, phishing, and a variety of others.


Security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues, such as SQL injection vulnerabilities, cross-site scripting (XSS), code injection, buffer overflows, authentication issues, cloud secrets, and much more. In SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise Plan, our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, OWASP ASVS, OWASP Top 10, STIG, and CASA.


Security hotspots > code review

Security hotspots are instances of security-sensitive code that require human review. Developers can learn to evaluate security risks and improve their understanding of secure coding practices by working with security hotspots.

Security vulnerabilities > code change/fix

Security vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix, and secure your application.

Security Analysis

OWASP top 10

The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube Server offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.


Your end-to-end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis becomes an integral part of the development process, and developers receive early, real-time feedback as they commit code changes. Sonar integrations are supported for popular DevOps and CI/CD platforms including GitHub, GitLab, Azure DevOps, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs, including Git and Subversion, and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, and TFVC.


Pull request decoration

Get instant code review directly inside your pull request and development branches. Fix issues before they become problems.

  • Implement a Go/No-Go quality gate to automatically fail CI/CD pipelines if code doesn't meet your standards
  • Review and prioritize code fixes directly within the DevOps Platform interface
  • Set up multiple quality gates for your monorepo with different projects to receive specific feedback messages for each project

IDE Integration with SonarQube for IDE

  • Superior code quality tool capabilities delivered right into developers' code environments
  • Real-time analytical feedback
  • Code issue highlighting
  • Strict code quality standards, along with vulnerability issue details and remediation guidance
  • Customizable rules allow developers to code based on their specific requirements
  • Advanced flexibility allows developer adaptation and adoption across multiple supported languages