Deeper Analysis, Unmatched Security

Uncover Hidden Code Vulnerabilities with SonarQube SAST

Start your free 14-day Enterprise Edition trial and get:

Comprehensive detection engine for code quality and security
Over 5000 rules for 30+ languages and frameworks
Deeper SAST coverage for Java, C#, and JavaScript/TypeScript
Branch Analysis and Pull Request decoration
Powerful secrets detection
Security Reports including OWASP, CWE Top 25, and PCI DSS
Regulatory release reports
Security Engine customization
Detection of injection flaws, cross-site scripting, deserialization issues and more

↓ Scroll down for more info ↓

CODE SECURITY

benefits of deeper SAST

Hidden security issues

Accelerate development
Reduce risk of security breaches
Automate code scanning
Code Security and compliance
Comprehensive Detection Engine and coverage

Find deeply hidden security issues

99% of software applications use and interact with the code in third-party libraries (dependencies). Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that are in the open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend the dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube and SonarCloud.

security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more. Our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, and OWASP Top 10.

Graphic shows issues types that are detected by sonar, such as SQL injection, cross-site scripting, deserialization, XXE, path injection, secret detection, crptop API misuse, regex patterns, authentication, IaC misconfigs, Performance, File Manipution and much more! The image also shows the standards addressed by Sonar as well. The standards addressed are PCI DSS, OWASP Top 10, CWE Top 25 and OWASP ASVS

Security Hotspots > Code Review

Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure. As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.

Security Vulnerabilities > Code Change/fix

Security Vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix and secure your application.

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

Sonar Security Reports

Security reports quickly give you the big picture of your code’s compliance with security standards. The reports allow you to know where you stand compared to the most common security mistakes. Regulatory reports track the quality of each release and provide evidence that the code delivered meets the quality standards of the organization.

Reports include:

PCI DSS (versions 4.0 and 3.2.1)
OWASP Top 10 (versions 2021 and 2017)
CWE Top 25 (versions 2022, 2021, and 2020)
OWASP ASVS (version 4.0 with level 1 to 3)

See OWASP Top 10

Image shows security hotspot vulnerabilities based off of the WASP top 10

your end to end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis tools become an integral part of the development process and receive early real-time feedback as they commit code changes. Sonar integrations are supported for popular DevOps and CI/CD Platforms including GitHub, GitLab, Azure Devops, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs including Git , Subversion and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, TFVC.

Two developers work together to build new clean code

pull request decoration and more

Get instant code feedback directly inside your pull request and development branches. Fix issues while the code is still fresh in mind.
Fail your CI/CD pipelines when the quality of code doesn’t meet your defined requirements with a Go/No Go quality gate. Prevent problems from being merged, or deployed.
Review and prioritize issue remediation directly from the DevOps Platform's interface. Works with GitHub, Bitbucket Cloud and Azure DevOps.
Configure several Quality Gates and receive project-labeled messages in your mono repository containing multiple projects. Works for GitHub, Bitbucket, and Azure DevOps Services.

IDE Integration with SonarLint

Superior code analysis tool capabilities right into developers’ code environments
Real-time analytical feedback
Code issue highlighting
Strict code standards, along with vulnerability issue details and remediation guidance.
Customizable rules allow developers to code based on their specific requirements
Advanced flexibility allows developer adaptation and adoption across multiple supported languages

“SonarQube is the leader for best performance/cost SAST tool. SonarQube analysis had a low false positive rate and found extensive legitimate security/code quality issues faster than certain other SAST services. SonarQube's bug and code smell detection has also reduced our technical debt and improved overall codebase quality.”
Verified Customer, SonarQube User @ Healthcare Industry