What’s new

SonarQube Cloud has launched the automatic provisioning and analysis of new GitHub repositories.

This feature is designed to eliminate the manual steps previously required to onboard new projects, ensuring consistent analysis coverage from the moment a repository is created.

Key Functional Benefits:

• Zero-touch setup: When a new repository is created in your GitHub organization, a corresponding SonarQube Cloud project is provisioned automatically.
• Day 1 analysis: The initial analysis is triggered upon repository creation, providing instant feedback on the first commit.
• Improved governance: Admins no longer need to manually track or "find" new projects created by development teams; all new projects, and code, are captured by default.

Note: This is enabled by default for all new organizations. To enable it for existing Organizations: navigate to Administration > Organization Settings > Organization Binding and toggle on Auto-import new repositories.

For further details, please see the documentation, video and Community post.

We have expanded our accessibility (a11y) ruleset to move compliance from a late-stage bottleneck to early-stage detection. 

With 114 total rules for HTML, CSS, and JSX, SonarQube Cloud now provides:

• WCAG 2.1 A: 60% coverage (18 of 30 requirements).
• WCAG 2.1 AA: 52% coverage (26 of 50 requirements).
• WCAG 2.1 AAA: 38% coverage (30 of 78 requirements). 

This expanded coverage helps organizations proactively manage legal risk, and build inclusive products with less friction and lower costs.

Community post

You can now safely adopt the latest Microsoft language advancements with version 10.18 of our .NET analyzer.

• New language features: Full analysis for the field keyword, null-conditional assignments, expression blocks, and partial events.
• Actionable intelligence: We updated over 300 rules to eliminate false positives, ensuring your quality findings are accurate even when using new language constructs.
• Quality improvements: This update reduces the noise of incorrect alerts, making it easier to migrate your codebase to the newest runtime.

Community post

Major internal improvements to our JavaScript and TypeScript analyzers have reduced I/O overhead, significantly increasing analysis speed across projects of all sizes:

• Scalable performance: While smaller projects see immediate gains, the largest codebases benefit most, with projects of 1 million lines of code seeing analysis times drop by 40%.
• Optimized detection: A next-generation taint analysis engine improves both accuracy and speed when identifying security issues for Angular and accessibility standards.
• Consistent gains: Projects ranging from 10k to 500k lines of code see speed improvements between 17% and 22%.

Community post

We have released 14 new FastAPI rules and expanded our Flask support with 8 rules to help developers reduce their attack surface, and prevent "silent" logic errors.

• Vulnerability prevention: New rules prevent sensitive data leaks by moving credentials out of URL logs and into request bodies.
• Infrastructure hardening: Rules ensure apps are not accidentally exposed to the public internet, and that CORS headers are correctly configured.
• Reliability: Catch signature mismatches early, and ensure worker processes or route registrations do not fail silently in production.

Check out these Community posts to learn more: Fast API rules | Flask rules

Stay current with the latest Java LTS using our new dedicated rules for Java 25, covering:

• Modernized concurrency: New rules for scoped values help prevent logic errors in concurrent contexts.
• Enhanced object integrity: Rules for flexible constructor bodies ensure validation logic is handled safely before object initialization.
• Cleaner modularity: Support for module import declarations promotes more readable and maintainable code in modular applications.

Discover more in this Community post