SonarQube

Developer(s): Sonar
Initial release: 2006–2007 [1]
Stable release: SonarQube Server Release 2025.1 / January 2025
Written in: Java
Operating system: Cross-platform
Type: Static code analysis
License: GNU Lesser General Public License

SonarQube is an open-source platform developed by Sonar that integrates into software development workflows to provide continuous code quality and code security. [2] It continuously inspects code quality, performing automatic reviews with static analysis to detect bugs, vulnerabilities, security hotspots, and code smells in over 35 programming languages as well as frameworks and infrastructure technologies, using over 6,500 rules, including industry-leading taint analysis for security. [3] [4] SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, technical debt, code complexity, comments, bugs, software bills of materials (SBOMs), and security recommendations. [5] [6]

Overview

The SonarQube offerings (SonarQube Server, SonarQube Cloud, SonarQube for IDE) analyze all code, whether first-party, generated by AI, or third-party open source, to help produce secure, reliable, and maintainable software. [2] They integrate with DevOps platforms, including GitHub, Bitbucket, Azure, and GitLab. [7] The commercial offerings of SonarQube support programming languages such as Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML. [8]

SonarQube Server (formerly SonarQube)

SonarQube Server is an open-source-based, self-hosted code quality and security solution for development teams that integrates into their development environment. [9] It helps developers fix and avoid coding errors at the start of the development process, catching issues at the source before they propagate. SonarQube Server allows developers to use AI while minimizing risk, with automatic and efficient real-time code analysis that flags and explains issues as they are detected. [10]

SonarQube Cloud (formerly SonarCloud)

SonarQube Cloud is a fully managed SaaS solution that enhances the quality and security of both human-written and AI-assisted code. [11] Integrating into cloud DevOps platforms and extending the CI/CD workflow, it identifies and remediates code-level issues, increasing productivity while negating business risk and technical debt. [12] [13]

SonarQube for IDE (formerly SonarLint)

SonarQube extends into the editor through IDE plug-ins: SonarQube for IDE integrates with the Eclipse, Visual Studio, Visual Studio Code, Cursor, Windsurf, and IntelliJ IDEA development environments. [14] An integrated development environment extension for advanced linting and code analysis, SonarQube for IDE lets organizations find and fix issues in real time, with context on why an issue matters and its potential implications if left unresolved. [15] [16]

SonarQube Advanced Security

SonarQube Advanced Security is a license available on top of SonarQube Enterprise plans that extends the code security capabilities to include support for third-party open source code. It includes advanced SAST and SCA capabilities to help secure dependencies and the software supply chain. [17]

Features

Advanced Static Application Security Testing (SAST)

Advanced SAST, included in the SonarQube Advanced Security offering, improves the detection of vulnerabilities hidden in the interactions between first-party code and third-party open source dependencies. [18] It supports Java, C#, and JavaScript/TypeScript, along with other open source libraries and their dependencies. [19] [3]

Software Composition Analysis (SCA)

SCA, available in the SonarQube Advanced Security offering, streamlines the tracking, management and mitigation of known vulnerabilities (CVEs) in third-party dependencies, and allows organizations to manage open source license policies. [18] [20] It also ensures compliance with organizations' software license policies and generates detailed software bills of materials (SBOMs) that give greater insight into code composition. [18]

AI Code Assurance

AI Code Assurance inspects code created by generative AI copilots to ensure it meets a business's quality and security standards. [21] [22] AI Code Assurance makes use of an optimized quality gate for AI-generated code and ensures that only code meeting strict quality and security standards is approved for production. Those standards are configurable to meet the requirements of different organizations. Projects that pass the quality gate receive a badge signaling that the code is acceptable. [21]

For AI-generated code in GitHub projects that use GitHub Copilot, SonarQube Server is able to automatically detect the presence of the AI-generated code, which users can then run through the AI Code Assurance workflow. [22]

AI CodeFix

AI CodeFix automatically generates suggestions to improve code quality and code security. Developers can correct issues discovered by SonarQube within SonarQube for IDE or in SonarQube Cloud and SonarQube Server. [21]

Secrets Detection

Secrets detection in SonarQube is designed both to find secrets already present in code repositories and to catch them as code is being written in an integrated development environment (IDE), so that enterprises can detect secrets in the code before they become a major threat. [23] With SonarQube for IDE, this capability also detects secrets in the editor, preventing them from ever reaching source control management (SCM) and reducing the cost of remediation. [18] It can identify, for example, passwords, application programming interface (API) keys, encryption keys, tokens, database credentials and other private information. [23]
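To illustrate the kind of check a secrets scanner of this type performs, the following Python scanner is an added example written for this article; it is not Sonar's implementation or rule set. It combines two approaches that such tools commonly layer: fixed-format patterns for well-known token shapes (an AWS access key ID, a GitHub personal access token) and a generic "credential-looking assignment" rule whose confidence is graded by the Shannon entropy of the assigned value, so that placeholder strings such as "changeme" are reported at low confidence rather than silently dropped. The sample file, the rule names and every credential value in it are constructed for this example (the AWS key is the public placeholder from AWS documentation), and reported values are masked so the scanner's own output does not re-expose a secret.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample "source file" with deliberately fake credentials.
# Line numbers matter for the findings below.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-but-longer-pw!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder, not live
github_token = "ghp_0123456789abcdef0123456789abcdef0123"
api_token = os.environ["API_TOKEN"]  # read from the environment: fine
secret = "changeme"
greeting = "hello, world!"
"""


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number in the scanned text
    rule: str          # hypothetical rule identifier used by this example
    confidence: str    # "high" or "low"
    masked: str        # first characters of the value, remainder hidden


# Fixed-format rules: these token shapes are distinctive enough to be high confidence.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a credential-like identifier assigned a quoted literal of 8+ chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

ENTROPY_THRESHOLD = 3.0  # bits per character; tuned for this example, not a universal constant


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values suggest placeholders or dictionary words."""
    counts = Counter(value)
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix so a finding is recognisable without reprinting the secret."""
    return value[:4] + "***" if len(value) > 4 else "***"


def scan(text: str) -> list[Finding]:
    """Scan a file's contents line by line and return the secrets findings in order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit_specific = False
        for rule, pattern in SPECIFIC_RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(lineno, rule, "high", mask(match.group(0))))
                hit_specific = True
        if hit_specific:
            # A specific rule already explains this line; skip the generic one to avoid duplicates.
            continue
        for match in GENERIC_ASSIGNMENT.finditer(line):
            value = match.group(1)
            confidence = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(lineno, "generic-credential-assignment", confidence, mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.confidence} confidence) value={f.masked}")
```

Running the module prints one line per finding: the high-entropy database password on line 2, the AWS key ID on line 3, the GitHub token on line 4, and the low-confidence "changeme" on line 6, while the value read from the environment on line 5 produces nothing. In a CI or IDE integration, the useful policy split is usually that high-confidence findings block the commit or build while low-confidence ones are surfaced for review.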

References

  1. "History | SonarSource". www.sonarsource.com.
  2. "Sonar Bets On AI Code Automation With AutoCodeRover Acquisition". Forbes. February 24, 2025.
  3. Barron, Jenna (August 2, 2023). "Sonar's new SAST tool includes support for thousands of open-source libraries". SD Times.
  4. Parama, Jerecho (January 6, 2025). "Top 5 Best Static Code Analysis Tools in 2025". Tech Times.
  5. "Sonar" (PDF). Methods and Tools. Vol. 18, no. 1. 2010-03-01. pp. 40–46. ISSN 1661-402X. Retrieved 2017-08-29.
  6. Campbell, Ann; Papapetrou, Patroklos (2013). Sonar (SonarQube) in Action. Greenwich, Connecticut, USA: Manning Publications. p. 350. ISBN 978-1617290954.
  7. Parama, Jerecho (January 6, 2025). "Top 5 Best Static Code Analysis Tools in 2025". Tech Times.
  8. "Multi-Language - SonarQube". Retrieved 2021-01-25.
  9. "A guide to security testing tools". SD Times. January 4, 2024.
  10. "InfoWorld's 2024 Technology of the Year Award winners". InfoWorld. December 12, 2024.
  11. Ko, Mark (August 5, 2024). "Sonar Launches New SonarCloud Plans to Empower Developers with Clean Code Solutions". TechCoffeeHouse.
  12. Rubinstein, David (January 4, 2024). "A guide to security testing tools". SD Times.
  13. Blanchard, Sydney (September 22, 2023). "SonarCloud Debuts Open Source, Zero-Configuration, Automatic Analysis for C and C++ Projects". Database Trends and Applications.
  14. "Sonar Streamlines Product Naming to Reflect Core Mission of Code Quality and Security". Retrieved 2024-12-14.
  15. Wiggers, Kyle (April 26, 2022). "SonarSource raises $412M to scan codebases for bugs". TechCrunch.
  16. Rubinstein, David (January 4, 2024). "A guide to security testing tools". SD Times.
  17. Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
  18. Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
  19. Tan, Aaron (September 11, 2024). "How Sonar is elevating code quality in the age of AI". Computer Weekly.
  20. Vizard, Mike (March 11, 2025). "Sonar Combines SAST and SCA Tools in Single Offer". DevOps.com.
  21. Gillin, Paul (October 3, 2024). "Sonar now inspects AI-generated code for glitches". SiliconANGLE.
  22. Simone, Stephanie (January 27, 2025). "Sonar Empowers Developers with SonarQube Server LTA Release to Integrate AI in the Software Development Lifecycle". Database Trends and Applications.
  23. Vizard, Mike (December 18, 2023). "Sonar Adds Secrets Detection to Code Analysis Portfolio". DevOps.com.