Sonar's latest blog posts

Featured Post

Announcing SonarSweep: Improving training data quality for coding LLMs

Recent research from Anthropic has shown that even a small amount of malicious or poor quality training data can have a massively negative impact on a model’s performance, exposing users to significant security and quality issues.

Blog post

Zombie Workflows: A GitHub Actions horror story

Our research team recently discovered an exploitable pattern in GitHub Actions that lets attackers exploit seemingly fixed vulnerabilities.

Blog post

The Cloudflare outage and why code quality matters more than ever

This blog post looks at how seemingly small decisions can have massive effects, and the importance of prioritizing code quality to build reliable software.

Blog post

A technical look at SonarSweep for GPT-OSS-20B

This release is not intended to compete with state-of-the-art (SOTA) reasoning models. Instead, it serves as a technical demonstration of how training data quality impacts the quality of a model’s code generation output.

Blog post

Why prioritizing code quality is the fastest way to reduce security risks

The common perception is that a security vulnerability is a rare, complex attack pattern. In reality, the journey of most flaws begins much earlier and much more simply: as a code quality issue. For both developers and security practitioners, understanding this lifecycle is crucial to building secure, reliable, and maintainable software.

Blog post

Introducing Sonar Foundation Agent

Sonar Foundation Agent is a coding agent for general software issues, developed at Sonar by the former AutoCodeRover team. As of November 3, 2025, Sonar Foundation Agent scores 75% on SWE-bench Verified, while maintaining a low average cost of $1.26 and a high efficiency of 10.5 min per issue.

Blog post

Seventeen years later, code quality is more relevant than ever

What started as a free and open source tool to solve our own problem has grown to become SonarQube, a product now used by more than 7 million developers around the world to review and improve the quality and security of over 750 billion lines of code every day.

Blog post

The inevitable rise of poor code quality in AI-accelerated codebases

The adoption of Large Language Models (LLMs) and AI coding assistants has radically accelerated the development lifecycle, offering the potential for developers to achieve up to a 55% increase in productivity and complete tasks twice as fast.

Blog post

Ollama Remote Code Execution: Securing the Code That Runs LLMs

Our Vulnerability Researchers uncovered vulnerabilities in the code of Ollama, a popular tool to run LLMs locally. Dive into the details of how LLMs are implemented and what can go wrong.

Blog post

Vibe, then verify: How to navigate the risks of AI-generated code

AI is rewriting the traditional software development playbook. Developers are adopting AI on the ground, output is exploding, and leaders are being asked to convert promise into predictable velocity.

Blog post

Beyond cybersecurity awareness: Make a strategic shift to code security

October is Cybersecurity Awareness Month, a time when every organization is reminded that security is everyone’s responsibility. It's a time to reflect on how organizations approach security not as a campaign or compliance task, but as a mindset.

Blog post

PyTorch tensors, neural networks and Autograd: an introduction

This guide is designed to demystify PyTorch's core components, providing you with a solid understanding of how it empowers the creation and training of sophisticated machine learning models.

© 2025 SonarSource Sàrl. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD and CLEAN AS YOU CODE are registered trademarks of SonarSource Sàrl.