Reach the true speed of AI development

The 2026.1 LTA release unifies the analysis of human-written, AI-generated, and 3rd party code into a single, high-performance verification layer that integrates deeply into the modern developer workflow.

With enhanced security for the software supply chain, expanded compliance coverage for safe and secure systems, and groundbreaking analysis speed for popular languages like Python, Java and JavaScript/TypeScript, SonarQube Server 2026.1 LTA is designed to confidently drive engineering velocity without compromising code health.

Ready for the AI and agentic SDLC

AI and agentic coding assistants are powerful tools, but their output requires a verification layer to prevent the introduction of new code quality or code security risks.

• AI-native IDE integrations: SonarQube now works with Claude Code, Cursor, Windsurf, and Gemini solve the verification bottleneck by bringing deep code intelligence directly into the modern developer workflow.
• SonarQube MCP Server: AI agents can now query your SonarQube Server instance for code quality and security insights to ensure AI-generated code is production-ready.
• AI CodeFix (BYO LLM): Leverage the power of your own Azure OpenAI service to generate AI CodeFix suggestions. This "Bring Your Own Model" approach ensures your source code stays within your private, secure environment, meeting the strictest data privacy and intellectual property requirements.
• AI CodeFix in the IDE: Move from identification to remediation instantly. AI-generated fix suggestions are now available directly in VS Code and IntelliJ, allowing software developers to resolve code quality and security issues with a single click within their primary workspace.

Enhanced code security

Modern security requires moving beyond simple pattern matching. SonarQube provides deep, context-aware analysis that identifies how data flows through an application, uncovering security vulnerabilities that other tools miss.

Advanced supply chain protection

The software supply chain is the new frontier for cyberattacks. SonarQube now offers a comprehensive suite of static code analysis tools to secure every dependency.

• Advanced Security (SCA and SBOM): Proactively secure your software supply chain with Software Composition Analysis (SCA) and SBOM vulnerability detection. This is now available across a comprehensive range of languages, including Java, Python, C#, C, C++, JavaScript, TypeScript, Go, Rust, Ruby, and PHP.
• Malicious package detection: (New for the 2026.1 release, available in Advanced Security) Protect your organization from sophisticated supply chain attacks. The SCA capability in SonarQube Advanced Security now raises blocker-level alerts when it detects malicious upstream open-source packages from the OSSF dataset, preventing secret exfiltration and data breaches before they can impact your environment.
• GA of SCA for C/C++: (Now generally available for the 2026.1 release, available in Advanced Security) We have extended our deep SCA capabilities to C and C++ projects, allowing teams working in performance-critical environments to manage their dependency risks with the same rigor as other modern stacks. Developers using Conan and vcpkg now receive automated dependency risk feedback.
• SCA in the IDE: (available in Advanced Security) Eliminate context switching by bringing dependency risk visibility directly to the developer. Vulnerability and license information for open-source packages is now visible within Visual Studio, IntelliJ, and VS Code, enabling remediation as code is written.
• SBOM Import (beta): (available in Advanced Security) CycloneDX and SPDX SBOMs to report vulnerabilities for arbitrary apps, containers, and C/C++. This gives you universal dependency coverage, gaining visibility into vulnerabilities within containers and third-party components that were previously opaque.

Deep application security (SAST)

• Refreshed advanced SAST: (New for the 2026.1 release, available in Advanced Security) Our advanced SAST has been optimized for the libraries developers use most. Java and C# have been refreshed for the top 1,000 public libraries for each language. Python has been refreshed for the top 100 libraries. This ensures that security findings are highly relevant and accurate, based on the actual libraries used by most teams.
• Expanded language security: We have introduced full SAST with taint analysis for Go and Kotlin, plus taint analysis for VB.NET. Swift and Dart plus SAST coverage for mobile developers to identify complex data flow vulnerabilities.
• Pipeline and infrastructure security: Fortify your CI/CD pipeline environments with new analysis for GitHub Actions and Bash/Shell scripts. We identify misconfigurations, unsafe file permissions, and insecure commands in .sh files to ensure your delivery pipelines are as secure as your application code.
• Secrets detection: With over 450 distinct secret patterns and support for 60+ cloud applications, we provide best-in-class protection against credential leaks. This coverage now extends to YAML, JSON, and CLI files.

Reliable code quality and maintainability

Swipe away issues that cause code bugs and technical debt and boost developer productivity. The 2026.1 release includes smarter engines that understand the intent and structure of your code.

Language-specific optimizations

• Python: Maximize performance and readability by finding issues for coroutines, comprehensions, and AWS Lambda function optimization. Parallelized analysis now delivers a massive analysis speed boost for Python automated reviews, cutting feedback loops significantly.
• Java: Our advanced Dataflow Bug Detection (DBD) engine now handles complex bugs, such as null-dereferences and division-by-zero, across multiple function calls. SonarQube finds issues that help developers avoid common pitfalls and performance bottlenecks in the Spring framework.
• JS/TS: A next-generation taint analysis engine improves both accuracy and speed. Developers will benefit from finding issues for Angular and accessibility (a11y) standards, alongside up to a 40% speed improvement for large project analysis.
• Kotlin: We’ve added support for the new Kotlin 2.0 language and the K2 compiler including a 50% boost in Kotlin analysis speeds.
• Faster remediation: (New for the 2026.1 release) We have released over 80 new QuickFixes for core JavaScript and TypeScript rules in SonarQube for IDE to help you resolve issues with a single click. These automated suggestions allow you to remediate issues in real time, as you code using SonarQube IDE.

Expanded standards compliance

For organizations in highly regulated industries, manual compliance checks are a bottleneck. SonarQube automates the collection of evidence and provides reports for global safety and security standards.

Safety-critical systems

• MISRA C++:2023: SonarQube includes complete coverage for safety-critical systems. We now enforce all 179 guidelines for the C++17 standard, providing the necessary guardrails for automotive, aerospace, and medical device software.
• MISRA in the IDE: Shift compliance left by displaying MISRA detection results directly in VS Code, Visual Studio, and IntelliJ/CLion. This allows developers working on mission-critical code to catch violations in real-time, long before the code is committed.

Modern security benchmarks

• OWASP MASVS: (New for the 2026.1 release, Enterprise/Data Center only) Specifically designed for mobile developers, this feature assesses compliance against the OWASP Mobile Application Security Verification Standard, ensuring mobile apps are resilient against modern threats.
• OWASP Top 10 for LLM: (New for the 2026.1 release, Enterprise/Data Center only) Secure your AI-powered applications with dedicated reporting on the 10 most critical vulnerabilities specific to coding Large Language Models, including prompt injection and insecure output handling.
• Updated industry standards: Stay compliant with reports for the CWE Top 25 2024, OWASP Mobile Top 10, and the STIG V6R3 standard.
• WCAG: Transform accessibility (a11y) compliance from a late stage developer bottleneck into early stage detection with SonarQube’s coverage of the WCAG 2.1 AA and 2.2 AA standards. Organizations can proactively manage legal risk and build inclusive products from the start.

Broader language coverage

SonarQube continues to expand its language reach, ensuring that as your tech stack evolves, your code intelligence platform evolves with it.

• Rust support: We have introduced full analysis for Rust, including native integration with the Clippy linter. This allows teams to leverage Rust’s memory safety benefits while maintaining SonarQube’s rigorous quality standards.
• Latest language versions: Coverage is expanded to Java 22/23/24, Dart 3.8, Swift 5.9–6.1, and Python 3.14.
• Full support for C#14 and .NET 10: (New for the 2026.1 release) Safely adopt the latest language advancements like the field keyword and null-conditional assignments with confidence. Additionally, we’ve updated over 300 rules to eliminate false positives, so you get improved actionable code intelligence without the noise of incorrect alerts.
• AI/ML and data science assurance: Ensure the reliability of your data pipelines with support for PySpark and PyTorch. Data scientists can now analyze their code directly within Jupyter Notebooks in PyCharm.
• Apex and Ruby on Rails: Enhanced coverage for enterprise-scale Salesforce (Apex) and web applications (Ruby on Rails) ensures broad coverage across the organization.
• More new languages: Over the last year, we added support for YAML, Bash/Shell, JSON, and Github Actions, to help you get the best out of your code throughout the CI/CD pipeline.

Deeper DevOps integrations

Platform engineering teams need tools that go where developer teams work. Eliminate the copy-paste actions or custom scripting to push updates to common workplace tools.

• JFrog: (New for the 2026.1 release, Enterprise/Data Center only) Streamline your software package audit trail by automatically pushing SonarQube quality and security evidence directly to JFrog. This creates a single source of truth for software attestation, eliminating disruptions in the delivery pipeline as a result of auditing.
• Jira: Transition from code review to task management by pushing SonarQube issues directly into Jira as tickets.
• Slack: Stay aligned with real-time quality gate status notifications delivered directly to your team’s Slack channels.

Optimized platform operations

• Enterprise infrastructure: Operate SonarQube Server in IPv6-only environments to support massive-scale container and serverless workloads.
• In-app product news: Keep your teams informed with product news and update alerts displayed directly within the SonarQube Server interface, ensuring everyone is up to speed with the latest changes.
• Seamless updates (Sandbox): Many of you asked for it and now it’s here. Perform version updates of the SonarQube Server without the fear of your quality gates changing status. New issues found on existing code during an update due to rule changes are automatically "sandboxed," preventing them from immediately impacting your quality gates during the update.

NEW UPDATE STEP: Configuring the sandbox is a vital new step during the update to the new 2026.1 LTA. If you want to use the sandbox feature, an administrator must enable the sandbox before performing the first post-update analysis. This will ensure your quality gates aren’t impacted from the rule changes during the update.

Are you wondering, "what is an LTA?"

Are you still using an older version of SonarQube Server?

If you’re on a version older than 2025.1, update to SonarQube Server 2025.1 LTA before updating to the latest 2026.1 LTA. Check out our helpful update guide to plan a smooth and successful update.