SCA
Comprehensive open source risk & compliance management
- Vulnerability detection
- Malicious package detection
- License management
- SBOM (Software Bill of Materials)
Advanced Security
Developer-first security for your first-party, AI-generated, and open source code, powered by advanced SAST and integrated SCA
TRUSTED BY OVER 7M DEVELOPERS WORLDWIDE
SonarQube core security
SAST
Detect code vulnerabilities, early in development
Taint analysis
Cross-file data flow analysis to prevent injection attacks
IaC scanning
Secure cloud infrastructure configurations
Secrets detection
Prevent exposure of credentials, tokens, and keys
Advanced Security
Requires SonarQube Cloud Enterprise or Server 2025 Release 3 Enterprise or higher
CVE detection
License management
SBOM
Malicious package detection
Deeper taint analysis
CVE detection
Fix known vulnerabilities (CVEs)
- Detect known vulnerabilities in open source code (such as CVE)
- Prioritize issues by severity (CVSS) and exploitability (EPSS, KEV)
- Get additional vulnerability insights directly from the maintainer
- Understand which versions of the dependency are safe to use
Customer story
Global luxury car manufacturer
How a global luxury car manufacturer manages code risks with SonarQube Advanced Security
Key results
- Faster signal and reduced overhead across 550+ projects
- Predictable software delivery
- Accelerated response to weaponized vulnerabilities
Ecosystem support
SonarQube security reports
Comprehensive reporting for all security issues in all code
Actionable insights
Detailed code security findings with severity, trends, and remediation guidance
Rich dashboards
Visualize quality and security trends, and KPIs in unified dashboards
Compliance reports
Generate security reports for OWASP Top 10, CWE, PCI DSS, STIG, and more
Scheduled reports
Automate report delivery on daily, weekly, or monthly schedules
Integrated code quality and code security
SonarQube is an integrated code quality and security analysis platform that provides actionable intelligence to help build better software, faster.
Elevate code quality standards
Deliver robust, reliable, and maintainable code with fast, accurate analysis across all code
Core security: foundation for secure code
Includes SAST, taint analysis, secrets detection, IaC scanning for first-party and AI-generated code
Advanced Security
Advanced Security extends to open source code with advanced SAST and Software Composition Analysis (SCA)
Additional resources
Blog post
Stop malicious packages in your CI/CD pipeline with SonarQube
The key remediation suggested during the early days of malware was “don’t install or execute code that isn’t from someone you trust.” Well, about that…
Read more >
Learn article
Software Composition Analysis (SCA)
Software Composition Analysis (SCA) is an automated process in software development that identifies, analyzes, and manages open-source components within applications to mitigate security risks and ensure compliance.
Learn more >
Guide
Securing the software supply chain with SonarQube Advanced Security
With SonarQube, you've already made an investment in code quality and code security. Your teams benefit from core capabilities essential for securing the code they write.
Download >