What’s new

We have released 14 new FastAPI rules and expanded our Flask support with 8 rules to help developers reduce their attack surface, and prevent "silent" logic errors.

• Vulnerability prevention: New rules prevent sensitive data leaks by moving credentials out of URL logs and into request bodies.
• Infrastructure hardening: Rules ensure apps are not accidentally exposed to the public internet, and that CORS headers are correctly configured.
• Reliability: Catch signature mismatches early, and ensure worker processes or route registrations do not fail silently in production.

Check out these Community posts to learn more: Fast API rules | Flask rules

Stay current with the latest Java LTS using our new dedicated rules for Java 25, covering:

• Modernized concurrency: New rules for scoped values help prevent logic errors in concurrent contexts.
• Enhanced object integrity: Rules for flexible constructor bodies ensure validation logic is handled safely before object initialization.
• Cleaner modularity: Support for module import declarations promotes more readable and maintainable code in modular applications.

Discover more in this Community post

We’ve renamed the legacy Free plan in SonarQube Cloud to SonarQube for OSS. This change is now effective for all existing users currently on this plan.

This update better reflects our commitment to supporting open source projects. Users will see this new plan name reflected immediately in the Billing and upgrade tab within their organization settings.

Note: This is a naming update only. Users will see no change to their existing features, project access, or analysis capabilities.

See here for details on all our plan offerings, plus the supporting Community announcement.

SonarQube Cloud has introduced a dedicated security contact email field to streamline communication during critical events. 

This feature ensures that critical incident alerts or service-level vulnerability disclosures are routed directly to security operations teams, decoupling security oversight from the organization's initial administrative creator.

• Targeted communication: This field is specifically reserved for urgent, SonarQube Cloud service-level security notifications and critical incident response.
• Operational continuity: Users are encouraged to provide a distribution list (e.g., security-ops@yourcompany.com) to ensure the organization remains reachable despite individual team transitions.
• Internal auditing: To support transparency, we display the identity of the person who last updated the contact information, and the timestamp of the change. Only Organization Admins can access this page.
• Data privacy: This contact address is stored strictly for administrative security purposes and is excluded from marketing, sales, or routine newsletter distributions.

To update your contact information, navigate to your Organization page and follow Administration > Organization Settings > Security contact

Community post

We are introducing a redesigned interface built to align with your development flow. This update brings the SonarQube Cloud experience closer to modern IDEs, as we move from a product-specific navigation to a unified platform with a seamless, consistent experience. 

• Maximized Screen Real Estate: A new vertical, collapsible sidebar lets you reclaim 100% of your screen width, giving you more space for deep code analysis.
• Seamless Context Switching: Branch and Pull Request switching is now embedded directly within the analysis view. You no longer need to jump back to the project root to change contexts.
• Faster Navigation: Instantly toggle between Organizations and Projects with a streamlined quick-switcher.

We are rolling this out progressively. Selected users will see an option to opt in directly within the product.

To learn more about these changes visit our Community post here.

We are pleased to announce that the IP allowlist feature has graduated from beta and is now officially in GA. This transition signifies that the feature is fully hardened, supported, and ready for critical production workflows for all customers on the Enterprise plan.

By restricting access to your SonarQube Cloud enterprise based on approved source IP addresses, you can significantly improve your security posture and meet strict compliance requirements.

With IP allowlists, you can enforce network-level control to prevent unauthorized entry and secure access for:

• SAML SSO authentication.
• Personal Access Tokens (PATs) for SAML SSO user operations.
• Scoped Organization Tokens (SOTs) for CI/CD pipeline automation.

Enterprise administrators can configure this by navigating to Administration > IP Allow List.

For detailed examples and setup instructions, refer to our documentation here, as well as this Community post.