Deeper Analysis, Unmatched Security

14-day free trial

Select a country
Select # of Developers
I already use SonarQube Community Edition

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Deeper Analysis, Unmatched Security

Uncover Hidden Code Vulnerabilities with SonarQube Server SAST

  • Comprehensive detection engine for code quality and security
  • Over 5000 rules for 30+ languages and frameworks
  • Deeper SAST coverage for Java, C#, and JavaScript/TypeScript
  • Branch Analysis and Pull Request decoration
  • Powerful secrets detection
  • Security Reports including OWASP, CWE Top 25, and PCI DSS
  • Regulatory release reports
  • Security Engine customization
  • Detection of injection flaws, cross-site scripting, deserialization issues and more
CODE SECURITY

benefits of deeper SAST

  • Hidden security issues

  • Accelerate development

  • Reduce risk of security breaches

  • Automate code scanning

  • Code Security and compliance

  • Comprehensive Detection Engine and coverage

Find deeply hidden security issues

99% of software applications use and interact with the code in third-party libraries (dependencies). Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that are in the open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend the dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube Server and SonarQube Cloud.

Security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues, such as SQL injection vulnerabilities, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication issues, cloud secrets detection, and much more. In SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise Plan, our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, OWASP ASVS, OWASP Top 10, STIG, and CASA.

A table of types of security vulnerabilities Sonar detects and security standards we address.

Security hotspots > code review

Security hotspots are instances of security-sensitive code that require human review. Developers can learn to evaluate security risks and improve their understanding of secure coding practices by working with security hotspots.

Security vulnerabilities > code change/fix

Security vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix, and secure your application.

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

Visual Represents taint analysis

Sonar security reports

Security reports quickly give you the big picture of your code’s compliance with security standards. Available in SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise Plan, these security reports allow you to know where you stand compared to the most common security mistakes. Regulatory reports track the quality of each release and provide evidence that the code delivered meets the quality standards of the organization.

Reports include:

  • PCI DSS (versions 4.0 and 3.2.1) 
  • OWASP Top 10 (versions 2021 and 2017)
  • CWE Top 25 (versions 2022, 2021, and 2020)
  • OWASP ASVS (version 4.0 with level 1 to 3)
  • STIG
  • CASA
See OWASP Top 10
Image shows security hotspot vulnerabilities based off of the WASP top 10

Your end-to-end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis tools become an integral part of the development process and receive early real-time feedback as they commit code changes.  Sonar integrations are supported for popular DevOps and CI/CD Platforms including GitHub, GitLab, Azure Devops, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs including Git , Subversion and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, TFVC.

Two developers work together to build new clean code

Pull request decoration

Get instant code review directly inside your pull request and development branches. Fix issues before they become problems.

  • Implement a Go/No-Go quality gate to automatically fail CI/CD pipelines if code doesn't meet your standards
  • Review and prioritize code fixes directly within the DevOps Platform interface
  • Set up multiple quality gates for your monorepo with different projects to receive specific feedback messages for each project

IDE Integration with SonarQube for IDE

  • Superior code quality tool capabilities right into developers’ code environments
  • Real-time analytical feedback
  • Code issue highlighting
  • Strict code quality standards, along with vulnerability issue details and remediation guidance
  • Customizable rules allow developers to code based on their specific requirements
  • Advanced flexibility allows developer adaptation and adoption across multiple supported languages
Pacific Textiles Ltd

« Lors de la mise en œuvre de grands projets avec diverses parties externes, il est presque impossible de maintenir la qualité du code. SonarQube Server nous a permis d'améliorer la qualité de la base de code de ces grands projets, notamment en nous permettant de réduire considérablement la quantité de duplication de code. est devenue une tâche beaucoup plus facile. »

Hubert Tsang
Hubert Tsang, Directeur de l'Information @ Pacific Textiles Ltd

ready to secure your code?

Start Your Free Trial Now