Security that works for you: Exploring the new enhancements in SonarQube

Satinder Khasriya

Product Marketing Manager, Code Security

6 min read

  • Code security


In the high-velocity era of AI-driven development, the "engineering productivity paradox" has revealed a sobering truth: while tools can now generate code at a blistering pace, they often create a verification bottleneck that slows teams down and introduces hidden risks. At Sonar, we believe security should never be a trade-off for speed. Our latest enhancements in SonarQube establish a non-negotiable code verification layer designed to bridge this trust gap, unifying the analysis of first-party, AI-generated, and third-party code. From malicious package detection that thwarts supply chain attacks to security-focused dashboards, we are empowering developers to write high-quality code with more precision and less noise than ever before.

Here is a look at the new security features available in SonarQube.

Stop malicious packages in your CI/CD pipeline 

In the modern software supply chain, public package managers like npm and PyPI are prime targets for malware. Attackers no longer just rely on typosquatting; they hijack trusted maintainer credentials to compromise official, widely used packages. This poses a massive risk in the AI era, where the pressure to build at speed often leads to a "vibe" approach—pulling in dependencies without rigorous verification. Unlike standard security vulnerabilities, a malicious package is a critical blocker that can immediately exfiltrate data and infect your entire development environment.

To stop these threats before they reach production, SonarQube now includes malicious package detection within SonarQube Advanced Security. This feature automatically checks third-party dependencies against a live database of known threats directly within your CI/CD pipeline. By setting quality gates to fail the moment a risky package is detected, your team can maintain high velocity while ensuring that every piece of code—whether human-written or AI-generated—remains production-ready and secure. This capability is available in SonarQube Cloud and in the SonarQube Server 2026.1 LTA release. Learn more here.

Bringing visibility to your supply chain with SBOM import (beta)

Modern software supply chain management faces a critical visibility gap, as third-party components now comprise up to 90% of most software applications. Furthermore, evolving regulatory mandates—such as NIST SSDF and Executive Order 14028—now require organizations to maintain a machine-readable Software Bill of Materials (SBOM). Without a way to operationalize this data, SBOMs remain static documents rather than active security assets, leaving platforms vulnerable to identification lag and compliance gaps.

To solve these challenges, SonarQube Server 2026.1 LTA introduced the ability to import an SBOM as part of SonarQube Advanced Security. This feature allows platform engineering teams to import CycloneDX or SPDX SBOMs, providing universal visibility into previously opaque applications. By automatically cross-referencing this inventory against live vulnerability databases and enforcing quality gates, Sonar transforms the SBOM into a real-time defense mechanism. This ensures that every component—whether human-written, AI-generated, or third-party—meets the high standards required for production-ready code. Learn more.
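To make the two ideas above concrete (failing a quality gate on a known-malicious dependency, and treating an imported SBOM as a live inventory rather than a static document), here is an added example that is not Sonar's code. It assumes a CycloneDX 1.x JSON document whose components carry a `purl`, and it stands in two small constructed advisory tables for the live threat and vulnerability databases the post describes; the gate policy (any malicious hit fails, vulnerable hits fail above a threshold) is also an assumption.

```python
"""Dependency quality gate over a CycloneDX SBOM (added example, not Sonar code).

Assumptions (not from the post): a CycloneDX JSON document with a "components"
list whose entries carry a "purl"; two constructed advisory tables standing in
for live threat/vulnerability databases; and a gate policy of "any malicious
package fails, vulnerable packages fail above a threshold".
"""
import json

# Constructed sample data: stand-ins for a live threat database (not real advisories).
KNOWN_MALICIOUS = {"pkg:npm/evil-left-pad@1.0.3"}                 # constructed
KNOWN_VULNERABLE = {"pkg:pypi/requests@2.19.1": "EXAMPLE-ADV-0001"}  # constructed

SAMPLE_SBOM = json.dumps({  # constructed CycloneDX-style document
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "evil-left-pad", "version": "1.0.3",
         "purl": "pkg:npm/evil-left-pad@1.0.3"},
        {"type": "library", "name": "requests", "version": "2.19.1",
         "purl": "pkg:pypi/requests@2.19.1"},
    ],
})

def component_purls(sbom_json):
    """Return the purl of every component in the SBOM; entries without one are skipped."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c["purl"] for c in doc.get("components", []) if c.get("purl")]

def evaluate_gate(sbom_json, max_vulnerable=0):
    """Cross-reference the inventory against the advisory tables and decide the gate.
    A malicious hit always fails; vulnerable hits fail only above the threshold."""
    purls = component_purls(sbom_json)
    malicious = sorted(p for p in purls if p in KNOWN_MALICIOUS)
    vulnerable = {p: KNOWN_VULNERABLE[p] for p in purls if p in KNOWN_VULNERABLE}
    passed = not malicious and len(vulnerable) <= max_vulnerable
    return {"passed": passed, "malicious": malicious,
            "vulnerable": vulnerable, "components": len(purls)}

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

Run as a CI step, the non-zero exit is what turns the SBOM into a blocking control; the same check re-run against refreshed advisory tables catches components that were clean at import time.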

Securing performance-critical C/C++ applications (beta)

Managing dependencies in C and C++ has historically been a fragmented and manual process, often leaving performance-critical applications with an "opaque" supply chain. Unlike modern ecosystems with centralized package managers, C/C++ projects frequently pull from diverse sources, making it incredibly difficult for teams to track security vulnerabilities without constant, time-consuming audits. This visibility gap is a major liability for organizations in regulated industries—like automotive, aerospace, and medical—where ensuring that every third-party component is production-ready is not just a best practice, but a mandate for safety and security.

To solve this, SonarQube Server 2026.1 LTA brings deep Software Composition Analysis (SCA) to C and C++ projects using the Conan and vcpkg package managers. This enhancement allows developers and platform engineering teams to automatically identify known security vulnerabilities and license risks within their Conan and vcpkg dependencies directly in the existing SonarQube workflow. By integrating this feedback into the CI/CD pipeline, Sonar empowers teams to manage their C/C++ codebases with the same rigor and velocity as their Java or Python stacks, ensuring that even the most complex, low-level applications remain secure from the first line of code to the final build. Learn more.

Prevent secrets from entering your Git repository

Hard-coded secrets like API keys and passwords remain a critical security failure because once they enter a Git repository, they are no longer just a code issue—they become an incident response. Even if a developer deletes the credential in a subsequent commit, the secret persists in the version control history, where it can be recovered by anyone with access to the repository. This leads to a high-friction cycle of rotating credentials and purging repository history, which creates significant developer toil and disrupts delivery.

The new SonarQube Secrets CLI (beta) solves this by bringing automated detection directly to the developer's command line, enabling fast local checks before code is ever committed. By connecting the CLI to a pre-commit Git hook, developers can automatically block sensitive data from leaving their laptops, ensuring that secrets never enter the Git history in the first place. This proactive approach helps teams avoid the costly, complex remediation and organizational compliance risks associated with repository leaks. Learn more.

The power of custom security dashboards

A significant challenge in the AI era is the verification bottleneck. While AI helps developers code faster, 96% of developers do not fully trust the accuracy of AI-produced code. This lack of trust often stems from inconsistent output, hallucinations, or the injection of hard-to-find security vulnerabilities. Dashboards are essential in the modern, data-driven landscape because they transform vast amounts of raw, complex information into a simplified, visual format that is easy to interpret at a glance.

Customizable dashboards are now available for SonarQube Cloud customers. This feature enables you to build tailored views that highlight the specific trends and indicators most relevant to your team’s security posture. These custom dashboards allow security champions and tech leads to create a dedicated security view that can surface critical risks—such as SQL injections, exposed secrets, or risky third-party dependencies—without the noise of unrelated metrics. This targeted visibility ensures that "looks correct but isn't reliable" code is caught before it ever reaches production. Learn more.

© 2025 SonarSource Sàrl. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD and CLEAN AS YOU CODE are registered trademarks of SonarSource Sàrl.