Welcoming Gitar to Sonar


Tariq Shaukat

CEO

I have a saying I use with customers when I talk about AI coding tools: the models are extraordinarily intelligent…and they can also be surprisingly stupid. They always create plausible answers, but those answers often contain mistakes. Sometimes those mistakes are easy to spot and fix. Other times, they're deeply buried and complex. Regardless, every one of them can be catastrophic.

Today, Sonar has acquired Gitar, adding a new, critical layer to its multilayer, zero-trust code verification platform. Gitar is an AI code review solution, and it doesn’t just flag issues; it also generates the fix, validates it against the CI, and commits to the branch. While the tools that write code have never been more powerful, the tools that ensure code can be trusted have never been more important. 

Led by Ali-Reza Adl-Tabatabai and Gautam Korlam, Gitar was built to solve a specific, hard problem: the bottleneck in software development is moving from writing code to ensuring its reliability and safety in production environments. The result is a platform that lives in your pull requests, reviews code, diagnoses CI failures, identifies root causes, and commits fixes, without waiting for a human to intervene.

I've been watching Gitar closely for a while. What impressed me most wasn't just the product; it was the thinking behind it. They've seen what happens at enormous scale when development velocity runs ahead of validation capacity. They understand this problem at the systems level, not just the feature level. 

Why Gitar is critical to the SonarQube verification platform

Let me explain how this fits into what we've been building at Sonar.

Our framework for the agentic era, the Agent Centric Development Cycle (AC/DC), holds that building trusted, secure, reliable software with AI requires you to Guide the agents with the right context and constraints; Verify that the output is high quality, maintainable, and secure; and Solve problems as they occur.

Of these three pillars, Verify has always been the most critical. Verification is mandatory in AC/DC, not optional. Verification must be thorough, transparent, and consistent. The best verification is multilayered and zero trust.

SonarQube provides deep mathematical reasoning across syntax, data flows, control flows, architectures, and dependencies. It's explainable, auditable, and idempotent. This code analysis, covering reliability, maintainability, complexity, and security, is one vital component of a comprehensive verification platform; AI code review is another.

That second layer is exactly what Gitar provides, and it’s what we are now adding to our platform. From the moment an agent starts writing, to the moment code lands in your codebase, you have a verification platform that is both deterministic and agentic, both comprehensive and auditable. That's what enterprises need. That's what "zero trust, multilayered verification" actually means in practice.

Gitar operates as an agent rather than a tool. It understands code context, generates a remediation, and validates that remediation against the CI pipeline before presenting it to the human developer. Rather than surfacing alerts, Gitar works the problem until it's solved.

For current Gitar customers, things will be business as usual. No change to your product, services, or support. Gitar will continue to be available for purchase as a standalone product. Over time, Sonar will deepen the integration between Gitar and SonarQube, giving you a more complete view of code quality, security, and review status in one place. 

Please join me in welcoming Ali, Gautam, and the entire Gitar team to Sonar. You built something we're proud to bring into the SonarQube platform—and excited to build on together.
