Press release

Sonar Delivers Enhanced Code Security Offering for the Agent Centric Development Cycle

AUSTIN — March 18, 2026 — Sonar, the global leader in code review and verification, today announced new capabilities to strengthen its SonarQube Advanced Security solution ahead of the 2026 RSA Conference. SonarQube Advanced Security will now include automated malicious package detection for pipeline integrity, while a new strategic partnership with Wiz integrates SonarQube’s Static Application Security Testing (SAST) findings directly into the Wiz platform. Along with the recently launched SonarQube CLI, which can be used to improve local agentic security, these enhancements establish a continuous security perimeter that protects the entire development lifecycle, from the first line of AI-generated code to production.

Sonar is deeply rooted in the core belief that code quality and code security are inherently linked, as high-quality, well-structured code is by nature more resilient to exploitation and allows for more effective response to emerging threats. Released in 2025, SonarQube Advanced Security combines sophisticated first-party code analysis with robust supply chain defense, providing a unified view of both code quality and code security. SonarQube Advanced Security eliminates the friction of siloed tools and ensures that security verification is a continuous part of the development lifecycle that covers the expanding threat landscape created by AI-driven development and complex agentic workflows.

Today, SonarQube is used by more than 7 million developers worldwide, including Snowflake, Deutsche Bank, AstraZeneca, and Ford Motor Company, and analyzes over 750 billion lines of code daily. Sonar’s massive scale enables SonarQube to deliver a uniquely accurate and measurable impact on security outcomes. SonarQube’s overall false positive rate in 2025 was 3.2%, substantially below the noise levels that cause alert fatigue and developer distrust in competing tools. Further, developers who verify their code with SonarQube are 44% less likely to report experiencing outages due to AI. 

SonarQube Advanced Security for the agentic development era

Sonar research shows that unchecked coding models produce verbose, buggy, and insecure code faster than humans can review it. Agentic development demands deliberate practices and purpose-built tools. The Agent Centric Development Cycle (AC/DC) is Sonar's framework for managing that risk. By treating AI agents as primary contributors subject to a Guide-Verify-Solve trust layer, engineering teams can move at AI speed without the technical debt and security exposure that come with unverified code. 

SonarQube has long been the de facto standard for code quality verification, with the most comprehensive range of analyses combined with strong quality assurance workflows that help guarantee that standards and compliance obligations are met. Its developer-centric SAST, taint analysis, and secrets detection also provide security verification, and its Infrastructure-as-Code (IaC) scanning adds cloud safety. SonarQube Advanced Security offers additional capabilities, including Software Composition Analysis (SCA) to manage open source risks, and advanced SAST, which uniquely tracks data flows across the boundaries of third-party open source libraries. With automated compliance reporting and prioritization intelligence based on real-world exploitability, SonarQube Advanced Security enables teams to focus their remediation efforts on the most critical vulnerabilities while maintaining high-velocity delivery.

Furthering Sonar’s verification capabilities, today’s announcement includes enhancements to SonarQube in three distinct areas:

Starting with local defense: SonarQube CLI (Beta)

As AI agents and automation pipelines reshape how software is built, Sonar announced the availability of SonarQube CLI, a unified, portable, automation-native command-line interface that brings SonarQube capabilities directly into the workflows where modern development happens. Purpose-built for the era of agentic development, SonarQube CLI scans every code snippet an AI agent produces in real time. From a code security standpoint, it automatically intercepts session tokens, API keys, and other sensitive credentials before they reach an LLM provider. This closes a critical security gap that manual scanning cannot address, as AI agents increasingly read and act on sensitive context such as config files, environment definitions, and credential stores. Available across local environments, CI/CD pipelines, and AI coding tools like Claude Code, SonarQube CLI gives engineering teams a single entry point to the Sonar ecosystem.

Ensuring pipeline integrity: SonarQube Advanced Security additions

The new malicious package detection capability available in SonarQube Advanced Security acts as a real-time circuit breaker when AI agents pull in unverified libraries. It cross-references dependencies against live threat databases and fails the quality gate the moment a malicious package is detected—with no manual intervention required. Combined with new GitHub Actions security rules and expanded SCA coverage, SonarQube now protects the pipeline infrastructure itself, not just the code running through it.

Extended cloud visibility: Strategic integration with Wiz

For the first time, technology leaders have a continuous, connected view from the first line of code to the production cloud environment. SonarQube SAST analysis findings are now surfaced directly within the Wiz platform, enabling security teams to trace a cloud-detected vulnerability back to the exact file and line of code in SonarQube. Sonar delivers code-level precision; Wiz brings cloud context. Together, they close the loop, combining detection, attribution, and remediation in a single workflow. Sonar and Wiz will showcase the joint solution at the Wiz House during RSA Conference 2026.

“The AC/DC framework was built for a world where AI agents are core contributors and speed without verification is a liability. In an era where AI agents never sleep, security cannot afford to wait for a pull request. Today’s enhancements close the loop between the agent’s first line of code and the production environment, giving teams real-time verification that stops a single AI-generated oversight from becoming a serious crisis,” said Ori Yitzhaki, Chief Product Officer, Sonar.

Meet Sonar at RSA Conference 2026

Sonar will be demonstrating its full security and code verification solution at the RSA Conference in San Francisco, March 23–26, 2026. Visit the team at booth #S-1727 or at the Wiz House to see how Sonar secures the Agent Centric Development Cycle end to end.

For more information on Sonar's presence at RSAC, visit: sonarsource.com/sonar-at-rsac

About Sonar

Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at Snowflake, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.

To learn more about Sonar, please visit: www.sonar.com

Cautionary note: forward-looking statements

This press release may contain forward-looking statements about future expectations, plans, and prospects. These statements are based on current beliefs and assumptions and are subject to risks and uncertainties. The information in this press release is provided as of this date, and we undertake no obligation to update any statements.


© 2026 SonarSource Sàrl. All rights reserved.