**SonarQube**

| | |
|---|---|
| *A SonarQube project homepage* (screenshot) | |
| Developer(s) | Sonar |
| Initial release | 2006–2007 [1] |
| Stable release | SonarQube Server Release 2025.1 / Jan 2025 |
| Repository | |
| Written in | Java |
| Operating system | Cross-platform |
| Type | Static code analysis |
| License | GNU Lesser General Public License |
| Website | Official website |
SonarQube is an open-source platform developed by Sonar that integrates into software development workflows to provide continuous code quality and code security. [2] It performs continuous inspection of code quality, automating reviews through static analysis to detect bugs, vulnerabilities, security hotspots, and code smells in over 35 programming languages as well as frameworks and infrastructure technologies, using over 6,500 rules, including industry-leading taint analysis for security. [3] [4] SonarQube reports on duplicated code, coding standards, unit tests, code coverage, technical debt, code complexity, comments, bugs, software bills of materials (SBOMs), and security recommendations. [5] [6]
The SonarQube offerings (SonarQube Server, SonarQube Cloud, SonarQube for IDE) analyze all code, whether first-party, produced by generative AI, or third-party open source, to help produce secure, reliable, and maintainable software. [2] They integrate with DevOps platforms, including GitHub, Bitbucket, Azure, and GitLab. [7] The commercial offerings of SonarQube support programming languages such as Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML. [8]
SonarQube is an open-source-based, self-hosted code quality and security solution for development teams that integrates into their development environment. [9] The solution helps developers fix and avoid coding errors early in the development process, addressing problems at the source before they can grow into larger issues. SonarQube Server allows developers to use AI while minimizing risk, providing automatic, efficient real-time code analysis that flags and explains issues as they are detected. [10]
SonarQube Cloud is a fully managed SaaS solution that enhances the quality and security of both human-developed and AI-assisted code. [11] Integrating into cloud DevOps platforms and extending the CI/CD workflow, it identifies and remediates code-level issues, ultimately increasing productivity while negating business risk and technical debt. [12] [13]
SonarQube can be extended with IDE plug-ins. Through SonarQube for IDE it integrates with the Eclipse, Visual Studio, Visual Studio Code, Cursor, Windsurf, and IntelliJ IDEA development environments. [14] SonarQube for IDE is an integrated development environment extension for advanced linting and code analysis that lets organizations find and fix issues in real time, with context on why an issue matters and its potential implications if left unresolved. [15] [16]
SonarQube Advanced Security is a license available on top of SonarQube Enterprise plans that extends the code security capabilities to cover third-party open source code. It includes advanced SAST and SCA capabilities to help secure dependencies and the software supply chain. [17]
Advanced SAST, included in the SonarQube Advanced Security offering, improves the detection of hidden vulnerabilities arising from interactions between first-party code and third-party open source dependencies. [18] It supports Java, C#, and JavaScript/TypeScript, along with other open source libraries and their dependencies. [19] [3]
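As an added illustration of what the taint analysis referred to in this article does (this is example code written for this page, not SonarQube's engine or rule set), the following Python script runs a toy intra-procedural taint analysis over Python source. Values returned by assumed "source" calls such as `request.args.get` are marked untrusted, the mark propagates through assignments and string concatenation, assumed "sanitizer" calls such as `shlex.quote` or `int` clear it, and a finding is raised when an untrusted value reaches an assumed "sink" such as `os.system`. The program it scans is constructed for the example.

```python
"""Toy intra-procedural taint analysis over a Python AST.

Added example for illustration only; not SonarQube's engine. The SOURCES,
SINKS and SANITIZERS sets are assumptions made for this sample, not a real
rule set, and SAMPLE_PROGRAM is a constructed input.
"""
import ast

SOURCES = {"input", "request.args.get"}             # untrusted data enters here
SINKS = {"os.system", "cursor.execute", "eval"}      # unsafe with untrusted input
SANITIZERS = {"int", "shlex.quote", "html.escape"}   # neutralise untrusted input


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """True if expr may carry untrusted data, given the set of tainted names."""
    if isinstance(expr, ast.Call):
        fn = dotted_name(expr.func)
        if fn in SANITIZERS:          # sanitizer output is considered clean
            return False
        if fn in SOURCES:             # source output is untrusted by definition
            return True
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Concatenation, f-strings, % formatting: tainted if any operand is.
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def find_taint_flows(source_code):
    """Return [(line, sink_name)] for every sink call fed untrusted data."""
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()                 # names currently holding untrusted data
        for stmt in func.body:
            # Simple assignments propagate (or clear) taint on the target name.
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                name = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)
            # Any sink call in this statement with a tainted argument is a flow.
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in node.args):
                        findings.append((node.lineno, dotted_name(node.func)))
    return findings


# Constructed sample program: one unsanitised flow, one sanitised, one re-typed.
SAMPLE_PROGRAM = '''
import os, shlex
def vulnerable(request):
    user = request.args.get("name")
    cmd = "ls " + user
    os.system(cmd)

def safe(request):
    user = request.args.get("name")
    cmd = "ls " + shlex.quote(user)
    os.system(cmd)

def retyped(request):
    user = request.args.get("id")
    user = int(user)
    cursor.execute("SELECT * FROM t WHERE id = %d" % user)
'''

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE_PROGRAM):
        print(f"line {line}: untrusted data reaches {sink}")
```

Only the `vulnerable` function is reported: `safe` passes the value through a sanitizer before the sink, and `retyped` reassigns the variable to a sanitizer's output, which clears its taint. A production engine additionally follows data across function calls, fields and containers, and distinguishes sanitizers per sink type (a shell quote does not make a value safe for SQL), which this toy deliberately omits.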
SCA, available in the SonarQube Advanced Security offering, streamlines the tracking, management and mitigation of known vulnerabilities (CVEs) in third-party dependencies, and allows organizations to manage open source license policies. [18] [20] It also ensures compliance with organizations' software license policies and generates detailed software bills of materials (SBOMs) that give greater insight into code composition. [18]
AI Code Assurance inspects code created by generative AI copilots to ensure it meets a business's quality and security standards. [21] [22] AI Code Assurance makes use of an optimized quality gate for AI-generated code and ensures that only code meeting strict quality and security standards is approved for production. Those standards are configurable to meet the requirements of different organizations. Projects that pass the quality gate receive a badge signaling that the code is acceptable. [21]
For AI-generated code in GitHub projects that use GitHub Copilot, SonarQube Server is able to automatically detect the presence of the AI-generated code, which users can then run through the AI Code Assurance workflow. [22]
AI CodeFix automatically generates suggestions to improve code quality and code security. Developers are able to correct issues discovered by SonarQube within the SonarQube for IDE or in SonarQube Cloud and Server. [21]
Secrets detection in SonarQube is designed both for finding secrets in existing code repositories and for use as code is being written in an integrated development environment (IDE), enabling enterprises to detect secrets in code before they become a major threat. [23] With SonarQube for IDE, this capability can also detect secrets in the IDE, preventing them from reaching source control management (SCM) and reducing the cost of remediation. [18] It can identify, for example, passwords, application programming interface (API) keys, encryption keys, tokens, database credentials and other private information. [23]
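To show the kind of logic a secrets detector applies, here is an added Python example (written for this page, not SonarQube's detector or its rules). It combines patterns for a few well-known credential formats (the `AKIA…` AWS access key id prefix, the `ghp_` GitHub token prefix, a PEM private key header) with a generic check for credential-like assignments, where a string literal is only reported if its Shannon entropy is high enough to look random and it is not an obvious placeholder. The entropy threshold and the placeholder word list are assumptions chosen for the example, and the scanned source is constructed.

```python
"""Minimal secrets scanner for source text.

Added example for illustration only; not SonarQube's detector. It combines
known-format patterns (AWS access key id, GitHub token, PEM private key
header) with a generic credential-assignment pattern filtered by Shannon
entropy and a placeholder check. SAMPLE_SOURCE is a constructed input.
"""
import math
import re
from collections import Counter

# Well-known token formats; a match is reported regardless of entropy.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "<credential-ish name> = '<literal>'" assignment with a value of 8+ chars.
GENERIC = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]([^'"]{8,})['"]"""
)
# Obvious placeholders that should not be reported even if they look random.
PLACEHOLDER = re.compile(r"(?i)<|>|example|your|changeme|xxx|todo")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off for this example


def shannon_entropy(value):
    """Shannon entropy in bits per character; random-looking strings score high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_source(text):
    """Return [(line_number, finding_type)] for lines that appear to hold a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break
        else:
            match = GENERIC.search(line)
            if match:
                value = match.group(2)
                if shannon_entropy(value) >= ENTROPY_THRESHOLD and not PLACEHOLDER.search(value):
                    findings.append((lineno, "high-entropy-credential"))
    return findings


# Constructed sample: a known key format (AWS's documented example id), a weak
# placeholder, a random-looking literal, a value read from the environment
# (not a finding), an angle-bracket placeholder, and a PEM header.
SAMPLE_SOURCE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
db_password = "Xk9#vQ2mLp8$nR4tZw"
token = os.environ["API_TOKEN"]
api_key = "<your-api-key>"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Lines 2, 4 and 7 of the sample are reported; `changeme` is rejected by its low entropy, the environment lookup is not a literal, and `<your-api-key>` is filtered as a placeholder despite scoring above the threshold. The false-positive filters matter in practice: a scanner that blocks commits on every credential-like name trains developers to ignore it, which is why real detectors pair format rules with entropy and placeholder heuristics.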