Advanced SAST

Trace data flow across your dependencies to uncover deeply hidden vulnerabilities

SonarQube's Advanced SAST extends deep analysis (taint analysis) beyond your first-party code into third-party open source libraries. This unique capability traces data flow across code boundaries to uncover hidden, complex vulnerabilities that arise specifically from interacting with external libraries.


Go deeper with advanced SAST

Sonar’s advanced static application security testing (SAST) capability, included in SonarQube Advanced Security, empowers organizations to identify and resolve application code vulnerabilities and issues originating from interactions with third-party open-source libraries. This unique dependency-aware analysis enables developers to trace data flow in and out of libraries, effectively uncovering deeply concealed security vulnerabilities that other tools fail to detect. 

SonarQube’s powerful SAST already includes deep taint analysis and comprehensive security rules aligned with standards like OWASP Top 10 and CWE Top 25. Advanced SAST augments this foundation by addressing the security gap in modern software that relies on third-party dependencies. This capability extends the range of coverage by providing full visibility into the inner workings of the most popular open source libraries across major programming languages.

With SonarQube's advanced SAST, organizations can confidently tackle code security challenges, achieve robust application security, and enjoy the benefits of a reliable, high-quality, and fortified codebase. Augment your static code analysis with SCA to mitigate open-source risk and deliver a developer-first, defense-in-depth approach across the SDLC, all within one integrated platform.

Try advanced SAST with SonarQube
CODE SECURITY

Advanced SAST benefits

  • Eliminate blind spots in code interaction

  • Comprehensive third-party risk management

  • Simplified Integrated Workflow

  • Find deeply hidden security issues

  • Accelerate secure development

Eliminate blind spots in code interaction

Traditional static analysis cannot look inside a library, leaving a critical blind spot. Advanced SAST overcomes this by extending taint analysis to trace data flow into and out of third-party libraries. This enables it to uncover deeply hidden, complex vulnerabilities that arise from how your first-party code actually uses its dependencies. As a result, you gain actionable visibility into real application behavior, rather than relying on incomplete or surface-level insights.

Security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, SonarQube supports over 35 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues, such as SQL injection, cross-site scripting (XSS), code injection, buffer overflows, authentication issues, cloud secrets detection, and much more. In SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise Plan, our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, OWASP ASVS, OWASP Top 10, STIG, and CASA.


Security hotspots > code review

Security hotspots are instances of security-sensitive code that require human review. Developers can learn to evaluate security risks and improve their understanding of secure coding practices by working with security hotspots. Hotspots are surfaced in the IDE and pull requests with data flow context so teams can triage potential risks quickly.


Security vulnerabilities > code change/fix

Security vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix, and secure your application. Quality Gates and CI/CD feedback help teams prioritize severity, map issues to OWASP and CWE, and accelerate remediation with actionable fixes using AI CodeFix.

Maximum protection with SAST taint analysis

Enforce input sanitization in CI/CD with taint analysis

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow, not just across methods but also from file to file. It traces sources to sinks using control-flow and data-flow analysis to reduce false positives and accelerate remediation within DevSecOps workflows, with real-time feedback in the IDE and CI/CD.
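To make the source-to-sink tracing and the library blind spot concrete, here is an added example (not Sonar's code) of a toy taint tracker built on Python's `ast` module: a constructed handler passes request input through a constructed third-party `build()` helper into `cursor.execute`, and the flow is only reported when the helper's body is available to the analysis. The sample code, function names and the source/sink sets are all assumptions made for this example.

```python
import ast
# Constructed sample: a first-party request handler and the body of a "third-party" query helper.
FIRST_PARTY = '''
def handler(request, cursor):
    q = qb.build(request.args["name"])
    rows = cursor.execute(q)
'''
THIRD_PARTY = '''
def build(s):
    clause = "WHERE name = '" + s + "'"
    return "SELECT * FROM users " + clause
'''
SOURCES, SINKS = {"request.args"}, {"cursor.execute"}  # assumed source and sink for the example

def dotted(node):  # "a.b" for a Name/Attribute chain, "" for anything else
    if isinstance(node, ast.Attribute):
        return dotted(node.value) + "." + node.attr
    return node.id if isinstance(node, ast.Name) else ""
def expr_tainted(node, tainted, funcs, hits):  # does evaluating node yield tainted data?
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Subscript):
        return dotted(node.value) in SOURCES or expr_tainted(node.value, tainted, funcs, hits)
    if isinstance(node, ast.BinOp):  # concatenation propagates taint from either side
        return any(expr_tainted(n, tainted, funcs, hits) for n in (node.left, node.right))
    if isinstance(node, ast.Call):
        arg_taint = [expr_tainted(a, tainted, funcs, hits) for a in node.args]
        name = dotted(node.func)
        if name in SINKS and any(arg_taint):
            hits.append(f"{name} at line {node.lineno}")
        callee = funcs.get(name.rsplit(".", 1)[-1])
        if callee is None:  # callee body not analysed: taint is dropped here (the blind spot)
            return False
        params = {p.arg for p, t in zip(callee.args.args, arg_taint) if t}
        return walk(callee, params, funcs, hits)  # summary derived from the callee's own body
    return False
def walk(fn, tainted, funcs, hits):  # propagate taint through fn; is its return value tainted?
    ret = False
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign) and expr_tainted(stmt.value, tainted, funcs, hits):
            tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        elif isinstance(stmt, ast.Return) and stmt.value is not None:
            ret = expr_tainted(stmt.value, tainted, funcs, hits) or ret
    return ret
def analyze(dependency_aware):  # tainted sink calls in handler(); False = library body is opaque
    sources = [FIRST_PARTY, THIRD_PARTY] if dependency_aware else [FIRST_PARTY]
    funcs = {f.name: f for src in sources for f in ast.parse(src).body if isinstance(f, ast.FunctionDef)}
    hits = []
    walk(funcs["handler"], set(), funcs, hits)
    return hits
```

With the library body hidden the tracker reports nothing, because taint is dropped at the opaque `qb.build` call; with the body available it reports the tainted `cursor.execute` call.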

Explore more features

Critical code security rules for vital languages

Get highly relevant rules for critical languages to help keep your code secure with SAST tooling. These rules align with OWASP Top 10 and CWE Top 25 through static application security testing that combines static analysis with taint analysis and data flow.

Languages like Java, PHP, C#, C, C++, Python, JavaScript, TypeScript, and more spanning major programming languages and frameworks.

Explore all languages

CODE SECURITY

Early security feedback, empowered developers

TAKE OWNERSHIP

Real-time coding feedback

Getting security feedback during code review is your opportunity to learn more and take ownership of code security. Static application security testing (SAST) scans on pull requests provide real-time IDE and CI/CD pipeline feedback with PR decoration and quality gates, plus data flow and taint analysis aligned to OWASP Top 10 and CWE Top 25 to reduce false positives and shift-left in the SDLC.

IDE INTEGRATION

Connected mode with SonarQube for IDE

Find Vulnerabilities and Security Hotspots using Static Application Security Testing (SAST) with SonarQube Server or SonarQube Cloud, and fix them in your IDE with SonarQube for IDE as your guide. SAST scans analyze source code across major programming languages and frameworks with data flow and taint analysis (sources and sinks), and deliver real-time IDE and pull request feedback, CI/CD pipeline integration, and quality gates.

QUALITY GATE

Real-time quality gates in CI/CD for safe merges

Enforce Vulnerability standards and Security Hotspot review in your Quality Gate to make sure you only merge safe code, with static application security testing (SAST) integrated into the CI/CD pipeline and pull requests for real-time feedback. Configure risk thresholds by severity and type, require code owner approvals for unreviewed hotspots, and block merges on untriaged critical issues with branch‑specific policies (e.g., stricter rules on main).

KEEP IT SAFE

Security rules explained

A deep understanding of the issue and its implications leads to a better fix and a safer application. It also helps teams prioritize remediation based on real risk, not just noise. By learning the patterns behind each rule, developers can address root causes, reduce regressions, and improve maintainability over time. This shared clarity drives consistent decisions, shortens feedback loops, and builds confidence in both code quality and security posture.

Sonar security & compliance reports

Security reports quickly give you the big picture of your code’s compliance with security standards. Available in SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise Plan, these security reports allow you to know where you stand compared to the most common security mistakes. Regulatory reports track the quality of each release and provide evidence that the code delivered meets the quality standards of the organization.

Reports include:

  • PCI DSS (versions 4.0 and 3.2.1) 
  • OWASP Top 10 (versions 2021 and 2017)
  • OWASP Mobile Top 10 (2024)
  • CWE Top 25 (versions 2024, 2023, 2022, 2021)
  • OWASP ASVS (version 4.0 with level 1 to 3)
  • STIG
  • CASA
See OWASP Top 10

Your end-to-end SAST tool

Seamlessly integrate static analysis into your software development workflow. Use static application security testing (SAST) scans that analyze source code with data‑flow and taint analysis (sources and sinks).

DevOps and CI/CD tools

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the software development lifecycle. Code security analysis becomes an integral part of the development process, and developers receive early, real-time feedback as they commit code changes. SonarQube integrations are supported for popular DevOps and CI/CD platforms including GitHub, GitLab, Azure DevOps, TravisCI, CircleCI, and Bitbucket. SonarQube provides native support for the most popular SCMs, including Git and Subversion, and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, and TFVC.

Pull request decoration

Get instant code review directly inside your pull request and development branches. Fix issues before they become problems, by detecting vulnerabilities and fixing security issues early in the software development life cycle (SDLC).

  • Implement a go/no-go quality gate to automatically fail CI/CD pipelines if code doesn't meet your standards
  • Review and prioritize code fixes directly within the DevOps Platform interface
  • Set up multiple quality gates for your monorepo with different projects to receive specific feedback messages for each project
  • Receive contextual guidance and remediation steps directly in your workflow, helping developers quickly understand root causes and apply the right fix the first time.

IDE Integration with SonarQube for IDE

  • Superior code quality tool capabilities right into developers’ code environments
  • Real-time analytical feedback
  • Code issue highlighting
  • Strict code quality standards, along with vulnerability issue details and remediation guidance
  • Customizable rules allow developers to code based on their specific requirements
  • Advanced flexibility allows developer adaptation and adoption across multiple supported languages

Common Challenges in Adopting SAST and How to Overcome Them

  • Managing False Positives and Negatives

  • Scalability and Performance Issues

  • Cultural and Workflow Integration Challenges

  • Tool Configuration and Maintenance Requirements

Managing False Positives and Negatives

  • False positives: Can overwhelm teams, wasting valuable time. Regularly updating scan rules, whitelisting known safe patterns, and employing contextual scanning can help reduce noise.
  • False negatives: The tool might miss security issues if not properly configured or updated. Ensuring periodic tool evaluations and rule updates is vital.

SAST vs DAST vs IAST vs SCA

SAST

Finds risks early in the IDE, PRs, and CI/CD pipelines. SonarQube adds workflows, analysis, quality gates, and broad coverage.

DAST

Black box testing of running applications to validate runtime behavior, exposed attack surface, and misconfigurations.

IAST

Runtime instrumentation that combines static context with dynamic execution paths during functional tests.

SCA

Inventories open source and identifies vulnerabilities in dependencies. Paired with SAST, it covers code and dependencies.

SonarQube the best SAST tool for you

SonarQube anchors shift‑left security with accurate, actionable SAST in the IDE, pull requests, and CI/CD, so teams find and fix vulnerabilities early while improving code quality. It combines deep taint and data flow analysis with broad language coverage, Quality Gate policy enforcement, and advanced SAST that traces risks across third‑party libraries and transitive dependencies, all mapped to OWASP Top 10 and CWE with real‑time guidance and governance‑ready reporting.

Security Architect

"Sonar has helped our organization by enabling us to maintain code standards and code cleanliness."

Ricky Lopez, Security Architect/AppSec Manager, Grupo Financiero Banorte

Read customer stories

Ready to secure your code?


© 2025 SonarSource Sàrl. All rights reserved.