What’s new

Automatic analysis for Azure DevOps repositories delivers zero config code verification, without setting up CI pipelines.

• Instant results: The platform automatically checks eligibility and triggers the first analysis upon project import, ensuring systematic code analysis, and immediate code quality and security insights.
• Continuous analysis: Analysis re-runs automatically on every push to the default branch and every pull request, verifying your code.

To learn more about connecting your ADO repos check out the how to guide, and Community post.

Automate your user lifecycle management by connecting your Identity Provider (IdP) to SonarQube Cloud via SCIM. This release completes the SCIM integration, adding automated onboarding to our existing de-provisioning capabilities.

With SCIM enabled, you can manage access centrally from your IdP without manual intervention in SonarQube Cloud.

Key capabilities:

• Automated Onboarding: New users assigned to the SonarQube Cloud app in your IdP are automatically created with the correct group memberships.
• Automated Offboarding: Access is automatically revoked when users are removed or disabled in your IdP, ensuring immediate security compliance.
• Group Synchronization: Sync groups directly from your IdP to SonarQube Cloud to manage permissions at scale.

Setup: Refer to the SCIM documentation for configuration steps, and this Community post for more details.

SonarQube Cloud now supports bulk repository onboarding for GitHub organizations. Combined with the existing auto-import for new repositories, this feature allows admins to import all existing repositories with a single click, ensuring comprehensive coverage across the entire portfolio.

• 1-click repository onboarding at scale: admins can bulk-import all existing repositories in a GitHub organization, eliminating the need for manual repository setup.
• Automatic project provisioning: imported repositories are automatically bound and provisioned for scanning, ensuring immediate compliance.
• Consolidated import summary: a review page provides the status of all imports and allows for selective triggers for any skipped repositories.

Additional details can be found in the Community post, along with instructions here.

Security Reports for SonarQube Cloud Enterprise now cover five new and updated standards, giving security teams and compliance auditors a broader, more accurate view of risk across Projects and Portfolios — including dedicated coverage for AI and mobile application security.

• OWASP Top 10 2025: Updated guidance on the most critical web application risks, including software supply chain integrity and broken access control.
• OWASP Top 10 for LLM (New!): Purpose-built for AI-era risk. Surfaces vulnerabilities specific to Large Language Models, including prompt injection and insecure output handling.
• OWASP MASVS (New!): The Mobile Application Security Verification Standard. A dedicated view for iOS and Android security, aligned with industry-standard mobile requirements.
• OWASP ASVS 5.0: The latest iteration of the Application Security Verification Standard, providing a rigorous technical framework for security testing and verification.
• STIG ASD V6: Updated DISA Application Security and Development STIG support for organizations with government and defense compliance requirements.

All five standards are available at both the Project and Portfolio level. Navigate to the Security Reports tab, select a standard from the left-hand panel, or export directly to PDF for audit and reporting workflows.

For more details, see the Community post.

SonarQube Cloud now includes an embedded version of our Model Context Protocol (MCP) server, allowing you to connect your AI assistants to deep code insights without any local setup.

This delivers a centralized and secure way for your team to leverage AI-driven code quality and security data.

Key Functional Benefits:

• Centralized access: Enable MCP-powered insights for your entire development team through a single, managed cloud entry point. This ensures a consistent experience across the organization without per-user configuration.
• Docker-free deployment: Eliminate the friction of local software requirements. The embedded server is the ideal solution for secure enterprise environments where corporate policies or hardware constraints prevent developers from running Docker locally.
• Seamless AI connectivity: Securely bridge your preferred AI tools—such as GitHub Copilot, Claude, or other LLMs—to SonarQube insights with zero local overhead.

For further details, please see the documentation and blog post.

Architecture management in SonarQube Cloud automatically discovers your current structure, allowing your team to define intended designs and resolve deviations directly within your existing workflow.

It provides a living structural map that governs both developer and AI development, enforcing architectural integrity directly within your workflow with:

Evergreen visual maps: Automatically create a real-time visual structure map of your project's actual architecture that updates with every scan.

Prevent architectural drift: Define your intended architecture and receive immediate feedback in Quality Gates when code violates structural design.

Accelerate onboarding: Provide new developers with an instant, navigable view of the system.

In-workflow resolution: Empower developers to fix structural debt as they code, avoiding costly future rewrites and keeping innovation on track.

How to activate: Visit the Architecture tab within your project settings to begin the four-stage process: discover, formalize, prioritize, and fix.

Check out this Community post and documentation for more information.