In the fast-paced world of modern software delivery, engineering leaders and platform engineers face a growing dilemma: the "Engineering Productivity Paradox." While automated tools and AI assistants allow teams to ship code faster than ever, they also introduce a higher volume of security vulnerabilities and bugs. Tracking these risks often feels like a game of whack-a-mole, with security findings scattered across disparate tools and development cycles.
As the industry prepares to gather in San Francisco next week for the RSA Conference, the conversation has shifted from simply "finding" bugs to "unifying" the defense. Today, we are thrilled to announce a new integration between Sonar and Wiz. By bringing SonarQube’s Static Application Security Testing (SAST) findings directly into the Wiz platform, we are giving organizations the unified visibility they need to secure their software from the first line of code to the production environment. If you plan to attend RSAC, then you can see the integration in action at the Sonar booth (#S-1727) and at the Wiz House (661 Howard St).
Why this integration matters
The "before" state for most organizations is defined by silos. Developers live in their CI/CD pipelines and IDEs, focused on code quality and immediate bug fixes, while security teams operate across multiple tools to monitor risks across code, cloud, and runtime.
Without a bridge between these worlds, it is incredibly difficult to track code health at scale in a microservices environment. A critical vulnerability found in a code scan might lack the cloud context to be properly prioritized, and a runtime risk might be hard to trace back to the specific source code repository or owner.
SonarQube insights in your cloud security inventory
The integration between Sonar and Wiz eliminates these silos by creating a "code-to-cloud" feedback loop. Using the new connector, SonarQube metrics and findings are ingested and displayed within the Inventory > SAST Findings page on the Wiz platform.
This technical flow is designed to be seamless. SonarQube performs automated systematic code analysis during your CI/CD pipeline, conducting both Pull Request (PR) analysis (on new code) and branch analysis (on regular, long-lived branches). Wiz pulls in these branch analysis results—supporting any branch, not just the default—and maps them to the corresponding assets in your cloud inventory.
By enriching Wiz’s Security Graph with SonarQube’s specialized SAST data, security teams can see a high-fidelity view of risk that combines code-level flaws with real-world cloud context, such as network exposure and identity permissions.
Key benefits for users
- Centralized visibility: Consolidate your application-level findings from SonarQube alongside other cloud risks within a single pane of glass in Wiz, ensuring nothing falls through the cracks.
- Prioritized remediation: By enriching existing cloud assets with SonarQube’s SAST findings, teams can identify "toxic combinations"—where a code-level vulnerability exists on a publicly exposed or highly privileged container.
- Streamlined developer workflows: SonarQube automatically tracks findings across multiple project branches, and this integration ensures that the right data reaches the right people without requiring developers to leave their existing CI/CD environments.
- Unified security posture: Strengthen your overall security governance by aligning code-level evidence with infrastructure risk, helping engineering leaders meet compliance requirements and maintain high standards across the SDLC.
The partnership between Sonar and Wiz is a significant step toward a future where code quality and cloud security are no longer separate concerns. By interweaving Sonar’s deep code analysis into the Wiz platform, we are empowering development and security teams to collaborate more effectively and build software that is secure by design. We share a vision of reducing developer toil and providing the actionable insights needed to innovate with confidence in an increasingly complex cloud landscape.
Want to see this integration in action? If you’re attending RSAC, find us at booth #S-1727 and at the Wiz House all week long to learn more. Book a meeting with the team!

