Welcome to 2026.
As we look back at the year we just closed, one thing is clear: 2025 was the year of acceleration. Development teams moved faster than ever. Today, an average of 42% of all committed code is AI-generated or assisted—a volume driven by tools like Cursor, which now writes nearly a billion lines of accepted code daily. While code is being generated at breakneck speeds, organizations are discovering that speed doesn't always equal value.
This is the "engineering productivity paradox". Despite the massive volume of AI-generated code, real engineering velocity often increases by only a fraction because of a new bottleneck—verification. Whether you call it "vibe coding" or AI-assisted development, the shift to high-velocity creation makes it mission-critical to ensure all code—developer-written and AI-generated—is high-quality, secure, and production-ready.
At Sonar, our mission in 2025 was to close this verification gap. We didn't just add AI features; we expanded our platform to ensure that increased velocity never comes at the cost of code health—redefining software quality through a focus on AI trust, agentic remediation, LLM research, supply chain security, architecture management, and integrated SDLC governance.
We’ve also learned that SonarQube users are already reaping the benefits from our investments in these areas. SonarQube users are 24% more likely to report lower vulnerability rates, 20% more likely to report lower defect rates, and 16% more likely to report lower technical debt impacts from AI-generated or assisted code.
Throughout the year, we delivered on this mission by:
1. Addressing the AI productivity paradox
Last year, we recognized that securing AI code requires more than just a final scan. You need to secure the entire lifecycle—from the point of creation by LLMs to the PR push.
- Better data, better models (SonarSweep): We announced SonarSweep (currently in early access) to tackle the root cause of AI hallucinations and bugs: the training data. To prove it, we released SonarSweep-java-gpt-oss-20b on Hugging Face, a fine-tuned version of OpenAI’s gpt-oss-20b. By training on just 70k Java examples processed by SonarSweep, we achieved a ~41% reduction in bugs and security vulnerabilities compared to the base model, without sacrificing functional correctness.
- Empowering the agents (SonarQube MCP Server): We introduced the SonarQube MCP Server, a critical bridge connecting our analysis engine directly to AI agents. Now, tools like Claude Code, Cursor, and Windsurf can "consult" SonarQube to verify code safety in real time, before a human ever reviews it.
- Verifying the output (AI Code Assurance): We brought AI Code Assurance to our platform to provide the necessary guardrails for AI coding assistants in every PR. This ensures that increased velocity does not come at the cost of code health.
2. Powering the agentic future
We aren’t just watching the rise of autonomous agents—we are building the platform to power them.
- SonarQube Remediation Agent: Our acquisition of AutoCodeRover was a strategic leap toward the next frontier of software quality. This technology is the core engine behind our SonarQube Remediation Agent (currently in beta), which will move beyond simply finding issues to actively fixing them—autonomously and securely.
- Sonar Foundation Agent: We announced the Sonar Foundation Agent, a tool-calling coding agent built on the LlamaIndex framework by the former AutoCodeRover team to resolve software issues iteratively. By adopting an autonomous, test-driven "free workflow" rather than prescriptive prompts, we boosted its efficacy from 58% to 75% on SWE-bench Verified.
3. Understanding code and LLMs
As AI models become permanent members of the development team, we need to understand how they learn from and affect the strengths and weaknesses of our code.
Our ongoing LLM research provides the industry with its first independent analysis of code reliability, maintainability, complexity, and security, based on over 4,400 distinct Java coding assignments. The results are eye-opening:
- LLM leaderboard: To help teams choose the right partner for their code, we launched the Sonar LLM leaderboard. This resource provides an independent analysis of code reliability, maintainability, complexity, and security across leading models—including GPT-5.2 High, GPT-5.1 High, Gemini 3.0 Pro, Opus 4.5 Thinking, and Claude Sonnet 4.5. By uncovering the unique "personalities" and specific security blind spots of these LLMs, we provide the actionable code intelligence you need to verify AI output effectively and maintain high code quality.
- State of Code reports: We launched the State of Code, a new report series sharing data-driven insights from our unique understanding of code. This research explores the most common issues lurking in codebases and helps teams understand why critical bugs and vulnerabilities are often missed.
4. Securing the total supply chain
Modern applications are a complex mix of proprietary logic and open-source components. In 2025, we made strategic moves to secure every piece of that puzzle.
- SonarQube Advanced Security: We launched SonarQube Advanced Security as a developer-first solution to protect your entire software supply chain. It provides integrated security for first-party, AI-generated, and third-party open source code by combining advanced SAST with Software Composition Analysis (SCA).
- Unified SAST, IaC scanning, and SCA: These capabilities are fully integrated into SonarQube Cloud Enterprise, as well as SonarQube Server Enterprise and Data Center Edition 2025.3 and later. This unified approach gives teams a single view of their security posture and eliminates blind spots between different code sources.
- Expanded secrets detection: Preventing the accidental exposure of sensitive credentials is a critical part of supply chain security. Our secrets detection engine now includes an expanded library of over 400 secret patterns to identify API keys, passwords, and security tokens across your codebase. By integrating these checks directly into SonarQube for IDE and your CI/CD pipeline, we prevent leaked secrets from ever reaching your repository and causing a serious security breach.
5. Managing code architecture
Software architecture is the modular foundation of maintainable code, yet it is under significant pressure in the AI era. High-velocity code production increases the risk of architectural drift—where the gap between your intended design and the actual implementation grows, making the codebase harder to navigate and maintain.
We launched new architecture management capabilities in beta to help teams maintain structural control. Both human developers and AI agents require architectural context to ensure they are building for long-term health rather than solving isolated, immediate tasks.
- Formalizing the blueprint: SonarQube allows teams to define an intended architectural blueprint, specifying how components should be layered and which dependencies are permitted.
- Continuous verification: Our engine analyzes the actual state of your project from the code, continuously verifying implementation against your blueprint.
- Actionable architectural intelligence: Rather than relying on static diagrams, SonarQube surfaces architectural violations as code-level issues. By integrating these checks into developer workflows and quality gates, we ensure architectural standards are maintained with every pull request.
By treating architecture as a living part of the development lifecycle, we empower your teams to turn high-volume AI output into a sustainable advantage without accumulating architectural debt.
6. Scaling trust through integrated SDLC governance
Governance and integration within the SDLC should not be a roadblock—they should be the foundation. In October, we launched the Sonar Integration Program to embed code quality and security directly into the tools that drive your business.
We are now deeply integrated into the enterprise ecosystem of the following:
- AI development & modern IDEs: Empowering the next generation of development with real-time feedback in tools like Google Gemini, Cursor, Windsurf, Claude, Codex CLI, Amazon Q, and GitHub Copilot.
- Atlassian Jira: Transforming technical debt from invisible risks into trackable backlog items with Jira integration.
- JFrog: Enabling "DevGovOps" by using signed evidence to block non-compliant builds from production.
- Port & Jellyfish: Surfacing code health metrics directly in Internal Developer Portals (IDPs) such as Port and in engineering management platforms such as Jellyfish.
Ready for 2026
2025 was the year we accelerated together. We experienced this momentum alongside our customers, witnessing massive adoption and growth driven by continuous product innovation. Through strategic acquisitions, the appointment of our new CPO Ori Yitzhaki, and a broadened platform, Sonar evolved to meet the demands of an AI-driven world. We didn't just keep pace with the industry—we are at the forefront, building the guardrails and platform that enable you to turn the explosion of AI-generated volume into a sustainable competitive advantage.
This year also marked an accelerated shift toward a single, integrated SonarQube platform for code quality and code security that is engineered to support both human developers and AI tools as they work in synergy. To solve the engineering productivity paradox, we must grant our teams the freedom to vibe—to experiment with AI and create at an unprecedented pace—while maintaining the accountability to verify. This isn’t about adding more manual checkpoints; it’s about building automated guardrails directly into the workflow.
Now, as we step into 2026, our focus remains clear: enabling you to innovate with speed, and release with confidence. Whether your code is written by a developer, generated by an agent, or imported from the open-source community, Sonar is here to ensure it is high quality, secure, and production ready.
Ready to modernize your verification strategy? Explore SonarQube or try the new MCP Server today.