What’s new

Architecture management in SonarQube Cloud now automatically discovers your current structure without automation in your CI/CD pipeline, allowing your team to define intended architecture and resolve structural deviations directly within your existing workflow.

It provides an interactive, living structural map that enforces architectural integrity natively as you code.

• Automatic scans: Connect directly to your repository and trigger automatic architecture analysis on every branch and PR, bypassing the need for automation configuration in your CI/CD pipeline.
• Interactive structural map: Generate a real-time visual representation of component relationships, coupling, and cohesion produced directly from your code, rather than relying on stale documentation.
• Continuous enforcement loop: Define your intended architecture, add constraints on relationships, and receive immediate feedback when code violates your intended design.
• Language support: Available out-of-the-box for repositories utilizing Java, JavaScript, TypeScript, Python, and C#.

How to activate: Available now on SonarQube Cloud in all plans for all projects using automatic analysis. Visit the Architecture tab within your project settings to view your interactive architecture map. No other configuration is necessary.

Check out the Community post for further information.

The development of safety-critical systems, such as ADAS and medical devices, increasingly requires the efficiency of modern C++17. To support this need, we have released complete support for the MISRA C++:2023 standard in SonarQube Cloud. 

SonarQube Enterprise plan now provides 100% coverage of all 179 MISRA C++:2023 guidelines, which define a safe subset of the C++17 language for building mission-critical apps.

Feature Details:

• Compliant C++17 adoption: Developers can safely use modern C++17 features, ensuring that syntax like structured bindings strictly conforms to all 179 MISRA C++:2023 guidelines.
• "Start left" IDE integration: SonarQube surfaces compliance checking directly within the developer's IDE. This provides immediate feedback on guideline violations, allowing developers to resolve non-compliant code locally prior to commit.
• Automated pipeline enforcement: MISRA compliance checks integrate directly into your CI/CD workflow. SonarQube automatically verifies every branch and pull request, guaranteeing that all code—including AI-generated implementations—meets the specified safety standards before merging.
• Unmatched Precision: Enjoy industry-leading, low false-positive rates so you can focus only on genuine safety concerns.

Availability: Support for MISRA C++:2023 compliance checking is available immediately for users with the SonarQube Cloud Enterprise plan.

Check out the Community post and this webpage for further details.

Introducing customizable portfolio dashboards in SonarQube Cloud, now rolling out in beta for Enterprise plan customers.

This feature provides engineering leaders with a high-level source of truth by aggregating health metrics across hundreds or thousands of projects, curated into a portfolio. Use these dashboards to:

• Aggregate health: Get a consolidated view of key metrics—reliability, security, maintainability, and coverage—across your entire portfolio.
• Visualize trends: Use a library of drag-and-drop widgets, including historical line graphs and donut charts, to track collective progress.
• Curate visibility: Build and save custom dashboards tailored to specific organizational goals or stakeholder needs.

Find the new dashboards item in your portfolio’s sidebar menu to see the built-in health view, or start creating your own.

This feature is in beta as we continue to expand our library of widgets and pre-built views.

For more information, please see the dashboards documentation and the Community post.

SonarQube Cloud now supports customer-managed keys (CMK), giving you ultimate control over how your source code is encrypted at rest. Available with the Enterprise plan, this feature allows you to integrate with your own AWS Key Management Service (KMS) and manage your encryption keys independently of Sonar.

This feature is designed for organizations with strict compliance mandates or those that require total data ownership. By using your own AWS KMS keys, you can:

• Retain full control: Manage the entire key lifecycle, including rotation and revocation, directly within your AWS account.
• Strengthen compliance: Easily meet internal and regulatory requirements (such as SOC2, ISO 27001, or HIPAA) that necessitate customer-owned encryption keys.
• Enable a "master switch": Instantly block access to your encrypted data by revoking key permissions in the event of a security incident or policy change.
• Simplify enterprise governance: Configure your key once at the enterprise level to ensure consistent protection across all your organizations and projects.

The integration follows a least-privilege model, ensuring SonarQube Cloud only has the specific permissions required to encrypt and decrypt your data.

To enable this feature, enterprise administrators can navigate to Enterprise administration > Code encryption.

For more details, please see the Community post.

Automate your user lifecycle management by connecting your Identity Provider (IdP) to SonarQube Cloud via SCIM. This release completes the SCIM integration, adding automated onboarding to our existing de-provisioning capabilities.

With SCIM enabled, you can manage access centrally from your IdP without manual intervention in SonarQube Cloud.

Key capabilities:

• Automated Onboarding: New users assigned to the SonarQube Cloud app in your IdP are automatically created with the correct group memberships.
• Automated Offboarding: Access is automatically revoked when users are removed or disabled in your IdP, ensuring immediate security compliance.
• Group Synchronization: Sync groups directly from your IdP to SonarQube Cloud to manage permissions at scale.

Setup: Refer to the SCIM documentation for configuration steps, and this Community post for more details.

Automatic analysis for Azure DevOps repositories delivers zero config code verification, without setting up CI pipelines.

• Instant results: The platform automatically checks eligibility and triggers the first analysis upon project import, ensuring systematic code analysis, and immediate code quality and security insights.
• Continuous analysis: Analysis re-runs automatically on every push to the default branch and every pull request, verifying your code.

To learn more about connecting your ADO repos check out the how to guide, and Community post.