Hey SonarQube and SonarCloud users! You now have a tool to own Code Security!
SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We're glad to say that today you have at your fingertips unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.
We've been working to bring you Code Security for a couple years now, and those efforts took a giant leap forward this spring when we acquired RIPS Technologies. RIPS initially caught our eye with the depth and precision of their PHP analysis. Seeing that, we knew their depth plus our breadth - analysis of 27 languages - would make a great combination. We joined forces in May and immediately started work to combine our two approaches. Since then, we've re-engineered our detection of injection vulnerabilities from the ground up to incorporate the best of RIPS' approach and ours.
I can say "unparalleled precision" because we've focused in this work on eliminating false positives. Old-school SAST tools aren't built for developers. They cast a very broad net, raising an issue for everything even remotely suspicious, and make an auditor sort it out. At SonarSource, we know developers don't have time for that. So we've made sure that when we raise an issue, you can be confident there's something to fix. At the same time, we haven't sacrificed performance; analysis is still extremely fast.
The best part is that you don't have to learn a new tool. These SAST advancements are part of what you already know and love: SonarCloud and SonarQube. Vulnerabilities and Security Hotspots start in SonarQube Community Edition and injection Vulnerabilities (taint analysis) is available in commercial editions. And they're available today. Getting started is as easy as making sure your Quality Profile (and your version!) is up to date.
By adding SAST to SonarCloud and SonarQube, we've put the power to own Code Security in your hands. That represents a fundamental shift, and there's a lot more to say on the topic. I'll save that for the New Year. For now, enjoy the holidays and your new toy: SAST analysis built for developers.