Security analysis shield Security Analysis

Code Security,
for Everyone

Detect security issues in code review with Static Application Security Testing (SAST)

Download Now
Static Application Security Testing (SAST)
    for everyone

Early security feedback, empowered developers

Security issues should not be considered the de facto realm of security teams.

Beyond the words (DevSecOps, SDLC, etc.), the true opportunity lies in developers writing more secure code with SonarQube detecting vulnerabilities, explaining their nature and giving appropriate next steps.

  • Feel engaged
  • Keep it safe
  • Increase throughput
  • Elevate your game

Feel engaged

Getting security feedback during code review is your opportunity to learn and feel more engaged.

Security feedback during code review

Clear security issues, clear actions

Tackle security issues with a sensible pattern led by the development team

Security shield

Hotspots chevron Code review

Security Hotspots highlight suspicious code snippets that developers should review and triage as they may hide a vulnerability.

As you code and discover hotspots, you learn how to evaluate the security risk while becoming more acquainted with secure coding practices.

Available for:

java c-sharp python php javascript typescript c c++ vb
Hashing data is security-sensitive

Hashing data is security-sensitive.

Security HotspotsSecurity Hotspot Medium
Security lock

Vulnerabilities chevron Code change/fix

Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk.

Just follow the guidance, check in a fix and secure your application.

Available for:

java c-sharp php php javascript typescript c c++
Security Vulnerabilities require immediate code change/fix

Use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm it should be at least 2048 bits long.

Security VulnerabilitySecurity Vulnerabilities Blocker Blocker

You hate false-positives?

We hate them too. Distinguishing Hotspots from Vulnerabilities allows SonarQube to target always-actionable Security Vulnerabilities. Constant interaction with our open community allows us to continually live up to this promise.

Commercial Features  

Maximum protection with detection of injection flaws

Don’t let untrusted user input flow through your code and compromise your application

Chase down the bad actors

Sometimes called taint analysis - it's the ability to track non-trusted user input throughout the execution flow.

Application security comes from making sure that data is sanitized before hitting critical system parts (Database, File System, OS, etc.).

Taint Analysis tracks non-trusted user input throughout the execution flow for Java code
  • Java
  • PHP
  • C#
  • Python
Dedicated UI navigation from the vulnerability source to the code location

Dedicated UI to track untrusted user input

Quickly navigate any issue from the vulnerability source to the code location (‘sink’) where the compromise occurs.

Track Security Compliance at an enterprise level

Comprehensive application security tracking for your most complex projects

Custom framework in the code

Using proprietary frameworks?
Feed them into the SonarQube engine

Enterprise Edition lets you declare custom frameworks you use to capture user input and/or persist it. Our injection flaw detection engine then tracks the non-sanitized user input.

OWASP / SANS Security Reports

Dedicated reports let you track application security against known standard OWASP and SANS categories.

Dedicated security reports with standard OWASP and SANS categories
pull request Example of lines of code with an issue SonarQube's dashboard of continuous inspection

Ready to detect
security issues?

Get SonarQube