SAST gaps cost you. SonarQube closes them.
Advanced SAST and SCA that covers AI code, first-party code, and open-source dependencies — all in the workflow your developers already use.
- log4j-core 2.14.1 · CVE-2021-44228
- spring-web 5.3.0 · CVE-2022-22965
- commons-text 1.9 · CVE-2022-42889
- jackson-databind 2.13.0 · 1 advisory
Built-in security for every line of code
Advanced Security is built on SonarQube's core security foundation — extended with SCA and advanced taint analysis for open source dependencies.
SAST
Detect code vulnerabilities early in development — directly in the IDE and as part of every CI/CD build.
Taint analysis
Cross-file data flow analysis that traces user-controlled input to prevent injection attacks before they reach production.
IaC scanning
Secure cloud infrastructure configurations across Terraform, CloudFormation, Kubernetes, and more.
Secrets detection
Prevent exposure of credentials, API tokens, and private keys across all your code types and repositories.
Comprehensive open source risk & compliance management
Identify vulnerabilities in direct and transitive dependencies, block malicious packages, manage licenses, and generate SBOMs — all without leaving your existing workflow.
- CVE detection prioritized by CVSS severity and EPSS exploitability
- Real-time blocking of malicious and backdoored packages
- License policy enforcement with automated compliance reports
- Full SBOM generation in CycloneDX and SPDX formats
Uncover cross-boundary vulnerabilities others miss
Standard SAST stops at your code. Advanced SAST traces taint paths across the boundary between your code and third-party libraries — exposing hidden vulnerabilities that standard tools cannot see.
- Dependency-aware data flow analysis across code boundaries
- Catches SQL injection and XSS via external library internals
- Fast and accurate — minimizes false positives
- Complements, not replaces, core SAST
Global luxury car manufacturer secures code at scale
After deploying SonarQube Advanced Security, the team achieved faster vulnerability signal, predictable delivery timelines, and dramatically reduced time-to-remediation when critical CVEs were weaponized.
- Projects secured: faster signal, reduced overhead across all repos
- Faster CVE response: accelerated reaction to weaponized vulnerabilities
- Unified platform: replaced siloed tools with a single source of truth
Audit-ready security reports
Comprehensive reporting for all security issues in all code — with rich dashboards and automated scheduled delivery.
Actionable insights
Findings with severity, trends, and step-by-step remediation guidance.
Rich dashboards
Visualize security KPIs and quality trends in unified real-time dashboards.
Compliance reports
OWASP Top 10, CWE, PCI DSS, STIG, and more — audit-ready at any time.
Scheduled delivery
Automate report delivery daily, weekly, or monthly to any stakeholder.
Ready to secure your code?
Start your 14-day free trial today — no credit card required. Requires SonarQube Enterprise.
Frequently asked questions
What is SonarQube Advanced Security?
SonarQube Advanced Security is an enterprise-grade extension of SonarQube that adds advanced SAST and SCA to SonarQube's core quality and security analysis, giving organizations a unified approach to Code Security across first-party, AI-generated, and third-party code.
How does SonarQube improve Code Security in developer workflows?
SonarQube improves Code Security by integrating analysis directly into the developer workflow, from the IDE to CI/CD, so teams can detect issues earlier, support shift-left practices, and prevent insecure code from moving further down the delivery pipeline.
What is SAST, and how does SonarQube use it?
SAST analyzes source code without executing it, and SonarQube uses it to detect vulnerabilities, security hotspots, flaws, and misconfigurations during development while also providing remediation guidance and AI-powered CodeFix to help developers resolve issues faster.
What is Taint Analysis in SonarQube?
Taint Analysis in SonarQube tracks untrusted data paths across the codebase so teams can identify deeper vulnerabilities that emerge through real data flow; Sonar says its advanced data flow and semantic analysis reduces noise by focusing attention on meaningful issues.
How does SonarQube support SCA?
SonarQube Advanced Security adds SCA to help teams identify risks in third-party and open source dependencies, including vulnerability and license-related issues, while improving dependency visibility through SBOM-related capabilities.
How does SonarQube support software supply chain security?
SonarQube supports software supply chain security by extending governance beyond first-party code to third-party and open source components, helping organizations identify dependency risk earlier and apply security and compliance controls across the broader application stack.
How does Secrets Detection work in SonarQube?
Secrets Detection in SonarQube is designed to catch exposed API keys, passwords, tokens, and other sensitive values in code, and those checks run both in SonarQube for IDE and in CI/CD with broad pattern coverage and support for custom patterns for organization-specific secrets.
Can SonarQube secure AI-generated and open source code?
Yes. Sonar positions SonarQube Advanced Security as covering first-party, AI-generated, and third-party open source code, making it relevant for teams that want one Code Security workflow across developer-written code, generated code, and dependency risk.
What types of vulnerabilities can SonarQube detect?
The security page highlights coverage for a broad range of vulnerabilities, including SQL injection, cross-site scripting, server-side request forgery, deserialization flaws, command injection, log injection, sensitive information leaks, and dependency-related risk identified through SCA.
Why use SonarQube instead of disconnected security point tools?
Sonar's positioning emphasizes that SonarQube brings code quality, Code Security, pipeline integrity, advanced SAST, Taint Analysis, Secrets Detection, and SCA together in a single developer-first workflow, which reduces tool fragmentation and gives teams one place to manage security across the application stack.
How does SonarQube help with compliance and governance?
SonarQube Advanced Security supports compliance and governance by helping organizations apply standards beyond first-party code, extending policy coverage to the software supply chain, and supporting use cases such as license compliance, SBOM visibility, and alignment with requirements like GDPR, SOC2, PCI DSS, and OWASP-focused reporting and verification.