SonarQube Server 2025.5 release

Latest release announcement

SonarQube Server 2025.5 empowers you to fortify your software supply chain and gain more accurate findings, all while eliminating CI/CD pipeline disruptions during updates.

Out now! The SonarQube Server 2025.5 release is packed with new features and major enhancements designed to empower you to deliver higher quality, more secure code with greater speed and confidence. This release focuses on expanding security coverage to new frontiers, improving the developer and administrator experience, and boosting performance.

Boost your security & supply chain defense

Detect security misconfigurations and vulnerabilities in GitHub Actions

In today's landscape, preventing supply-chain attacks is paramount. SonarQube directly helps fortify the security of CI/CD pipelines by protecting your GitHub Actions, a common target for attackers. This release expands Static Application Security Testing (SAST) to specifically identify security misconfigurations and vulnerabilities within GitHub Actions workflows. SonarQube finds issues in critical areas such as checking out code from forks in privileged contexts, improper secrets handling, script injections, and using external actions without commit references.
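As an added illustration that is not part of the announcement, the fence below holds two workflow files separated by `---`: the first contains the four misconfiguration categories listed above (numbered in the comments), the second is the hardened equivalent a reviewer would expect. Repository, script, secret names and the commit SHA are placeholders.

```yaml
# Added example, not from the announcement: the four finding categories named
# above, shown as the workflow pattern that produces them (job "unsafe") next
# to a hardened equivalent (job "safe"). Script, secret names and the SHA are
# placeholders.
name: pr-checks-unsafe
# (1) pull_request_target runs with a write token and repository secrets...
on: pull_request_target
jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      # (4) floating tag: the action's code can change underneath you
      - uses: actions/checkout@v4
        with:
          # (1) ...so checking out the fork's head runs untrusted code with them
          ref: ${{ github.event.pull_request.head.sha }}
      # (3) the PR title is expanded into the script text before the shell runs it
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"
      # (2) a secret on the command line lands in argv and process listings
      - run: ./deploy.sh ${{ secrets.DEPLOY_TOKEN }}
---
name: pr-checks-safe
on: pull_request            # unprivileged event: read-only token, fork PRs get no secrets
permissions:
  contents: read            # least-privilege token for every job below
jobs:
  safe:
    runs-on: ubuntu-latest
    steps:
      # pinned to a full commit SHA (placeholder value), the tag kept as a comment
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Print title
        env:
          # event data reaches the shell as an environment variable, not as script
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $PR_TITLE"
      - name: Deploy
        # only for branches of this repository, never for a fork's code
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # the script reads it from its environment
        run: ./deploy.sh
```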

Benefits:

  • For GitHub users and developers: Write inherently safer GitHub Actions, drastically reducing the attack surface and vulnerability to supply-chain exploits.
  • For security and compliance teams: Automatically enforce critical security configuration policies for GitHub Actions, ensuring consistent security standards across all projects without manual oversight.
  • For the organization: Significantly enhances the overall security posture of your software supply chain, minimizing the risk of breaches, intellectual property theft, and reputational damage from compromised CI/CD pipelines.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Improved security for JavaScript and TypeScript

In this release, we are switching to using our next-gen taint analysis engine as the default security engine for JavaScript and TypeScript. This new engine delivers significant advancements in accuracy and speed in taint analysis. This means all new and existing JS/TS projects will seamlessly transition to leveraging our most advanced capabilities, while the legacy engine for JS/TS taint analysis is retired.

Benefits:

  • For JavaScript and TypeScript developers: Get more accurate and faster feedback on security vulnerabilities directly within your workflow.
  • For security teams: Achieve a higher level of confidence in your security posture with a more robust and extensible taint analysis engine.
  • For engineering managers & DevSecOps teams: Ensure consistent, high-quality security analysis across all your JS/TS projects in SonarQube (Developer Edition and above) and SonarCloud.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Enhance front-end application security for .NET WPF

As of this release, SonarQube Server officially supports the .NET Windows Presentation Foundation (WPF) framework. SonarQube identifies injection vulnerabilities originating from WPF-specific entry points such as UI controls (TextBox, PasswordBox), data bindings, and command parameters.

Benefits:

  • For developers: Build more secure WPF applications by catching vulnerabilities early. Our analyzer now tracks user input from WPF sources to sensitive sinks like database queries or file operations, preventing common injection attacks.
  • For technical leadership: Improve the security posture of your entire application portfolio. This helps secure your desktop applications, reduces organizational risk, and lowers the cost of remediation by finding and fixing flaws before they reach production.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Reduce developer toil and improve productivity

Non-disruptive updates with a clear view into what is changing

Say goodbye to unexpected Quality Gate failures after you update SonarQube Server. This groundbreaking feature provides proactive visibility into how updating to the latest version will impact your projects and offers a "cushion" to prevent new issues from immediately breaking your CI/CD pipelines. New issues found after an update can be placed in a "sandbox," visible to you but excluded from Quality Gate calculations. This addresses a major pain point of updating SonarQube Server. Now you can perform updates without disrupting your teams.

Benefits:

  • For developers and tech leads: Stay informed about new issues before they fail the quality gate, allowing you to understand the impact, prioritize fixes, and address them at your convenience. This means no more unexpected pipeline breaks.
  • For SonarQube Server administrators: Gain a clear understanding of issue changes and their expected impact on projects, allowing you to effectively manage and communicate updates to development teams, reducing support requests and operational overhead.
  • For the organization: Enables seamless adoption of the latest SonarQube Server versions and continuous improvements without disrupting CI/CD pipelines or development workflows. This leads to enhanced developer productivity, increased confidence, and higher overall software quality and security.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Find issues in AWS Lambda serverless Python functions

SonarQube Server now contains specialized code quality and maintainability rules for Python developers building serverless applications on AWS Lambda. They directly address inefficiencies and best practices for serverless functions, tackling issues such as increased cold starts, inefficient patterns, excessive execution times, and poorly managed dependencies. Inefficient Lambda functions significantly contribute to high latency and operational inefficiencies. By providing tailored rules, SonarQube helps organizations optimize performance and manage costs in their serverless architectures.

Benefits:

  • For Python developers: Avoid common pitfalls and write more efficient, reliable AWS Lambda functions, leading to faster execution, reduced application latency, better scalability, and easier maintainability.
  • For cloud architects: Enforce coding best practices across serverless applications, ensuring maintainable and scalable Lambda functions that development teams can manage effectively.
  • For DevOps & SRE teams: Gain critical insights to monitor and ensure the optimal performance and maintainability of your serverless functions, preventing costly issues.
  • For the business: Realize significant cost savings by reducing excessive memory usage and long execution times on AWS, while simultaneously boosting the robustness of cloud-native applications.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Boosted performance of Python analysis

Performance of analyzing Python projects is significantly boosted by enabling parallelization by default. Faster analysis means faster feedback on the health of your code, leading to more productive teams. The Python analyzer will utilize up to 90% of your available CPU cores (up to 6) to analyze your Python files concurrently, drastically reducing analysis time. You can customize the number of parallel jobs by setting the sonar.python.analysis.threads property. For those times when you need to dig deep into an analysis, you can simply disable parallel processing with the sonar.python.analysis.parallel property.

Benefits:

  • For developers & DevSecOps: Get analysis results for your Python code faster than ever before, accelerating your CI/CD pipelines and shortening your feedback loop. This improvement works with no configuration changes needed.
  • For technical leadership: Maximize your team's efficiency. Faster scan times mean developers spend less time waiting for pipeline feedback and more time focused on delivering innovative features.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Find more issues in Angular code

SonarQube now detects more of the most common problems found in Angular code outside of templates, ensuring you can catch crucial issues early and maintain a high-quality codebase. Streamline your workflow, improve code quality, and reduce maintenance overhead across your entire engineering organization that uses Angular to build front-end web UIs.

Benefits:

  • For software developers: Immediately benefit from detection of common Angular pitfalls, such as improper lifecycle method implementation and incorrect component input/output naming, together with encouragement of modern Angular patterns. SonarQube helps you write higher quality, more idiomatic Angular code, aligning your projects with the latest community-recommended standards.
  • For DevSecOps, engineering managers, and platform engineering teams: Reduce toolchain complexity. By integrating essential Angular analysis directly, we eliminate the need for your teams to manage external linters. This creates a less brittle and more maintainable analysis process, reducing the operational burden on your platform teams. Easily apply a recommended, high-value rule set across all Angular projects in your organization, ensuring a consistent bar for code quality and maintainability without complex configurations.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Enterprise-ready compliance & governance

Detect more issues to remain in compliance with MISRA C++:2023

MISRA C++:2023 is the de facto standard in safety-critical industries, particularly automotive. To achieve and claim compliance, organizations must support all automatically enforceable rules in the standard. This release continues to expand SonarQube's support for the latest MISRA C++:2023 coding guidelines, increasing the types of issues that are found to meet this stringent requirement. SonarQube provides early detection of compliance issues and clear visibility into code health, which is crucial for industries where compliance with these guidelines is a mandatory requirement for codebases.

Benefits:

  • For C++ developers in safety-critical industries: Easily and automatically identify and resolve MISRA-related issues early in the development cycle, ensuring your code adheres to the highest safety and reliability standards.
  • For development leads and managers: Gain unprecedented visibility into the compliance status of your C++ codebases against MISRA C++:2023, facilitating better decision-making and risk management.
  • For the business: Achieve and maintain critical industry compliance (e.g., in automotive, medical devices), avoiding costly audits and legal repercussions, and accelerating time-to-market for safety-critical systems.

Available in Enterprise Edition | Data Center Edition


Control your rollout of Software Composition Analysis (SCA)

It is now easier for large organizations to adopt our Software Composition Analysis (SCA) capabilities. Administrators can enable SCA at both the instance and individual project level, so teams can opt in when ready and the rollout can be more strategic and controlled.

Benefits:

  • For DevSecOps & technical leadership: Onboard SCA at your own pace. You can start with a pilot team or a small group of projects before rolling it out across your entire organization. This eliminates the "surprise" of enabling SCA for all projects at once and removes the burden of manually editing pipelines for projects you wish to exclude.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Global announcements guide teams to helpful resources

The global announcement banner has been enhanced to support hyperlinks and markdown formatting. This allows administrators to embed clickable links directly into the announcement messages that appear across the top of their instance, pointing users to important resources like internal documentation, maintenance schedules, or company-wide policy pages. This transforms the announcement banner from a simple notification mechanism into a powerful and actionable communication tool.

Benefits:

  • For DevSecOps teams & technical leadership: Streamline communication and drive action across your organization. You can now provide a direct, one-click path to critical information, improving the adoption of internal policies, increasing awareness of system maintenance, and reducing support overhead by directing users to self-service documentation. This makes it easier to govern your instance and communicate effectively with all users.
  • For developers: Get quick access to important information. Instead of just reading a notification about a new internal policy or upcoming downtime, you can click a link to get the full context immediately, saving time and reducing friction when important changes that affect your work are announced.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Details of the 2025.5 release can be found in the SonarQube Server release notes.


Ready to experience the power of SonarQube Server? Get it today and find out.

Get started with SonarQube Server 2025.5