Software Composition Analysis

SonarQube is the only integrated code quality and code security platform that delivers actionable code intelligence for first-party code, AI-generated code, and open source code—all in a single, integrated solution. No matter the source, you get a holistic view of your code’s health and security.

SonarQube delivers an integrated solution for code quality, SAST, taint analysis, SCA, secrets detection, and IaC scanning. It provides comprehensive insights into bugs, vulnerabilities, CVEs, SBOMs, and licenses, streamlining your workflow and eliminating tool sprawl.

See open source vulnerabilities and license issues directly in your PRs, CI/CD, and soon IDE. This direct feedback minimizes context switching, speeds up fixes, ensures secure dependencies, and clear risk policies keep your development pipeline unblocked.

Review the trend and severity of your security issues across single projects or entire application portfolios and generate compliance reports for industry standards such as PCI DSS, OWASP Top 10, CWE, STIG, and more. Scheduled reports allow convenient daily, weekly, or monthly delivery. 

SonarQube detects known vulnerabilities in your dependencies. Maintainer insights as well as severity and exploitability scores help you to easily prioritize and fix critical issues.

Choose from a predefined set of prohibited or allowed software licenses or define your own policies. Automated checks flag incompatible or risky licenses before they become a problem.

Gain complete visibility into your software supply chain. Generate and maintain a detailed SBOM for your applications, making audits and regulatory compliance straightforward.

Sonar takes a proactive approach by paying the maintainers of open source projects to follow and document secure software development practices, and to provide unique insights.