Security Analysis

Code Security, for Developers

Detect security issues in code review with Static Application Security Testing (SAST)

Static Application Security Testing (SAST) for everyone

Early security feedback, empowered developers

Code Security is no longer the realm of security teams.

Beyond the buzzwords (DevSecOps, SDLC, etc.), the real opportunity is developers writing more secure code, with SonarQube detecting Vulnerabilities and Security Hotspots, explaining them, and giving appropriate next steps.


Take ownership

Getting security feedback during code review is your opportunity to learn more and take ownership of Code Security.

Security feedback during code review

Clear security issues, clear actions

Tackle security issues with a sensible pattern led by the development team


Hotspots: Code review

Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure.

As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.

Available for: Java, C#, Python, PHP, JavaScript, TypeScript, C, C++, VB
Example Security Hotspot (severity Medium): "Hashing data is security-sensitive."

Video: Reviewing a Security Hotspot with Bitbucket.


Vulnerabilities: Code change/fix

Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk.

Just follow the guidance, check in a fix and secure your application.

Available for: Java, C#, Python, PHP, JavaScript, TypeScript, C, C++
Security Vulnerabilities require an immediate code change/fix. Example Security Vulnerability (severity Blocker): "Use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm it should be at least 2048 bits long."
OWASP Top 10

The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.


Maximum protection with taint analysis

Don’t let untrusted user input compromise your Code Security

Chase down the bad actors

Making sure user-provided data is sanitized before it reaches critical systems (database, file system, OS, etc.) helps keep your code secure. Taint analysis tracks untrusted user input throughout the execution flow, across not just methods but also from file to file.
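To make the cross-method tracking concrete, here is an added toy example (not SonarQube's engine or any code from this page): a minimal interprocedural taint tracker built on Python's ast module that follows assignments, string concatenation and calls across function boundaries. The names get_param, sanitize and execute are assumed source, sanitizer and sink; the sample program is constructed, and the tracker assumes non-recursive code.

```python
import ast

# Assumed names for this toy model: untrusted-input sources, sanitizers and sinks.
SOURCES, SANITIZERS, SINKS = {"get_param"}, {"sanitize"}, {"execute"}
# Constructed sample: taint enters in read_param(), crosses build_query() and hits execute() on line 7 only.
SAMPLE = '''def read_param(req):
    return get_param(req, "id")
def build_query(v):
    return "SELECT * FROM users WHERE id = " + v
def handler(req):
    user = read_param(req)
    execute(build_query(user))
    execute(build_query(sanitize(user)))
'''

def is_tainted(node, env, funcs, findings):  # may this expression carry untrusted data under env?
    if isinstance(node, ast.Name):
        return env.get(node.id, False)
    if isinstance(node, ast.BinOp):  # string concatenation keeps taint
        return is_tainted(node.left, env, funcs, findings) or is_tainted(node.right, env, funcs, findings)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        name, args = node.func.id, [is_tainted(a, env, funcs, findings) for a in node.args]
        if name in SOURCES or name in SANITIZERS:
            return name in SOURCES
        if name in SINKS:  # tainted data reaching a sink is a finding
            if any(args):
                findings.append((name, node.lineno))
            return False
        if name in funcs:  # user-defined callee: follow the call with the arguments' taint
            return run_func(funcs[name], args, funcs, findings)
        return any(args)  # unknown callee: assume taint passes through
    return False  # literals and anything else are clean

def run_func(fn, arg_taint, funcs, findings):  # bind params to the caller's taint, return result taint
    env, result = {p.arg: t for p, t in zip(fn.args.args, arg_taint)}, False
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign):  # taint flows through assignment
            t = is_tainted(stmt.value, env, funcs, findings)
            env.update({tgt.id: t for tgt in stmt.targets if isinstance(tgt, ast.Name)})
        elif isinstance(stmt, ast.Expr):
            is_tainted(stmt.value, env, funcs, findings)
        elif isinstance(stmt, ast.Return) and stmt.value is not None:
            result = result or is_tainted(stmt.value, env, funcs, findings)
    return result

def analyze(src=SAMPLE, entry="handler"):  # entry params start clean: every finding traces to a SOURCE
    funcs = {n.name: n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)}
    findings = []  # (sink name, line number) pairs
    run_func(funcs[entry], [False] * len(funcs[entry].args.args), funcs, findings)
    return findings
```

Running analyze() on the sample reports only the unsanitized execute() call; the path through sanitize() is cleared, which is exactly the source-to-sink distinction a taint engine has to make.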

Dedicated UI navigation from the vulnerability source to the code location
  • Java
  • PHP
  • C#
  • C
  • C++
  • Python
  • JS/TS

Critical security rules for vital languages

Get highly relevant rules for critical languages to help keep your code secure.

Track Security Compliance at an enterprise level

Comprehensive application security tracking for your most complex projects

OWASP / CWE security reports

Dedicated reports let you track Code Security against OWASP Top 10 and CWE Top 25 (all three versions: 2021, 2020, and 2019). The SonarSource report helps security professionals translate security problems into language developers understand.

PDF download

The security reports' PDF export includes the project security overview and the top security reports.

Using proprietary frameworks? Feed them into the SonarQube engine

Enterprise Edition lets you declare custom frameworks you use to capture user input and/or persist it. Our injection flaw detection engine then tracks the non-sanitized user input.


Ready to detect security issues? Get SonarQube