Static Application Security Testing (SAST)

security starts with Clean Code

Detect, explain and give appropriate next steps for Security Vulnerabilities and Hotspots in code review with Static Application Security Testing (SAST).


benefits of deeper SAST

find deeply hidden security issues

99% of software applications use and interact with code in third-party libraries (dependencies). Today, most SAST tools analyze only application code, not library code, which is largely a black box for these tools. Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that live in open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend its dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube and SonarCloud. It supports thousands of the most commonly used open-source libraries, including their subsequent (transitive) dependencies. It scales automatically and will be expanded to cover more languages and libraries in the future. Machine Learning (ML) is used for optimization.


accelerate secure development

SAST can be performed earlier in the software development lifecycle (SDLC), before code is deployed and released into production. Using SAST in the development phase allows security vulnerabilities and bugs to be identified and remediated more quickly, before they can be exploited by attackers. SAST analysis of Pull Requests helps empower developers by shifting security left and presenting security vulnerabilities as early as possible in the process, when the code is fresh in mind and the fix is still easy. SAST is available by default with SonarQube and SonarCloud; it runs as part of a normal code analysis and integrates seamlessly with the DevSecOps pipeline.


reduce risk of security breaches

By implementing secure code development practices to strengthen the quality of the codebase, organizations can prevent malicious actors from exploiting vulnerabilities and stealing sensitive information. Sonar analyzers raise issues (including bugs and vulnerabilities) and security hotspots as they scan the code to detect security problems. A vulnerability is reported when Sonar finds a point in the code that is open to attack and a fix is needed to address the security problem. Security-sensitive pieces of code that need developer review and evaluation are categorized as 'security hotspots'. Sonar security rules also detect hard-coded credentials (passwords) and hard-coded secrets in your code. This cloud secret detection capability extends to rules that discover unintended hard-coded passwords, credentials, tokens, API keys, and cloud access keys and account identifiers for the most popular cloud providers: AWS, GCP, Microsoft Azure, IBM, and Alibaba Cloud.

[Image: an issue flagged in the code together with an explanation of the risk]

automate code scanning

Sonar SAST can scan large amounts of code quickly, saving time and money across the software development life cycle. Automating code scanning with SAST helps improve the overall security posture of an application and reduces the reliance on manual code reviews, allowing developers to focus on remediation efforts while maintaining an efficient and secure development lifecycle. Developers can identify and address code quality and security issues early in the development lifecycle, promoting continuous improvement through actionable insights, security reports, and metrics that help teams track and enhance the overall code of their applications.

[Image: logos of Visual Studio, VS Code, Eclipse, IntelliJ IDEA and CLion alongside an example IDE environment]

code security and compliance

Sonar provides comprehensive application security tracking and governance for the most complex projects with SAST. It allows security auditors to track code security compliance and evaluate the risks on their software assets at an enterprise level with detailed reports. Security reports, executive aggregation, and PDF reports provide the oversight larger organizations need to evaluate risks on their software assets. Using Sonar SAST can quickly give security champions the big picture of their application's security posture. Dedicated reports track the application's code security against standards such as OWASP Top 10, OWASP ASVS, CWE Top 25 (2021, 2020, and 2019), as well as PCI DSS. The SonarSource report helps security professionals translate security problems into language developers understand.


comprehensive Detection Engine and Coverage

Sonar provides code quality and security analysis for 30+ languages (and frameworks), with more than 5,100 out-of-the-box Clean Code rules, and is continuously updating the scope of languages covered. Sonar detects bugs and security flaws at the code level: source code, support code (including config code, infrastructure code, scripting, and test code), and third-party code such as external dependencies and libraries, often exceeding a true positive rate (TPR) of 90%. Security coverage ranges from cross-site scripting, SQL injection and path injection to secrets, IaC misconfigurations, phishing, and a variety of others.


security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS), code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more. Our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, and OWASP Top 10.

[Image: issue types detected by Sonar, such as SQL injection, cross-site scripting, deserialization, XXE, path injection, secret detection, crypto API misuse, regex patterns, authentication, IaC misconfigs, performance and file manipulation, together with the standards addressed: PCI DSS, OWASP Top 10, CWE Top 25 and OWASP ASVS]

Security Hotspots > Code Review

Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure. As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.

Security Vulnerabilities > Code Change/fix

Security Vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix and secure your application.
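To make the dataflow idea behind this kind of SAST concrete (the source-to-sink tracking described under deeper SAST, and the vulnerability versus hotspot split above), here is an added toy analyzer in Python. It is example code written for this page, not Sonar's engine; the SOURCES, SINKS, SANITIZERS and HOTSPOTS sets and the sample snippet are constructed for illustration.

```python
"""Toy taint-tracking SAST (added example, not Sonar's engine): data from untrusted
SOURCES that reaches a SINK unsanitized is a vulnerability; sensitive APIs are hotspots."""
import ast
SOURCES = {"request.args.get", "input"}      # where untrusted data enters
SINKS = {"cursor.execute", "os.system"}      # dangerous when fed tainted data
SANITIZERS = {"int", "shlex.quote"}          # calls that break the taint chain
HOTSPOTS = {"hashlib.md5", "random.random"}  # security-sensitive, needs human review

def dotted(node):
    # Return 'a.b.c' for a Name/Attribute chain, else None.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"

def is_tainted(node, tainted):
    # Does this expression carry untrusted data, given the set of tainted variables?
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
    # BinOp, f-string, method call on a tainted receiver, ...: tainted if any child is
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def analyze(source):
    """Return (kind, line, api) findings for straight-line code, visited in source order."""
    tainted, findings = set(), []
    nodes = sorted(ast.walk(ast.parse(source)),
                   key=lambda n: (getattr(n, "lineno", 0), getattr(n, "col_offset", 0)))
    for node in nodes:
        if isinstance(node, ast.Assign):
            names = {t.id for t in node.targets if isinstance(t, ast.Name)}
            # a reassignment from clean or sanitized data clears the taint again
            tainted = tainted | names if is_tainted(node.value, tainted) else tainted - names
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SINKS and any(is_tainted(a, tainted) for a in node.args):
                findings.append(("VULNERABILITY", node.lineno, name))
            elif name in HOTSPOTS:
                findings.append(("HOTSPOT", node.lineno, name))
    return findings

SAMPLE = '''user = request.args.get("id")                          # untrusted source
cursor.execute("SELECT * FROM t WHERE id=" + user)     # vulnerability: tainted sink
page = int(request.args.get("page"))                   # sanitized
cursor.execute("SELECT * FROM t LIMIT " + str(page))   # clean
token = hashlib.md5(user.encode())                     # hotspot: weak hash API
'''  # constructed sample; analyze(SAMPLE) reports VULNERABILITY line 2, HOTSPOT line 5
```

This toy only follows assignments within straight-line code; a production engine additionally tracks flows across functions and into library code, which is the gap the dependency-aware analysis described above is meant to close.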

Security Analysis

OWASP top 10

The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.


your end to end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis becomes an integral part of the development process, and developers receive early, real-time feedback as they commit code changes. Sonar integrations are supported for popular DevOps and CI/CD platforms including GitHub, GitLab, Azure DevOps, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs, Git and Subversion, and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, and TFVC.


pull request decoration and more

  • Get instant code feedback directly inside your pull request and development branches. Fix issues while the code is still fresh in mind.
  • Fail your CI/CD pipelines when the quality of code doesn't meet your defined requirements with a Go/No Go quality gate. Prevent problems from being merged or deployed.
  • Review and prioritize issue remediation directly from the DevOps Platform's interface. Works with GitHub, Bitbucket Cloud and Azure DevOps.
  • Configure several Quality Gates and receive project-labeled messages in your mono repository containing multiple projects. Works for GitHub, Bitbucket, and Azure DevOps Services.

IDE Integration with SonarLint

  • Superior code analysis tool capabilities right inside developers' code environments
  • Real-time analytical feedback
  • Code issue highlighting
  • Strict code standards, along with vulnerability issue details and remediation guidance
  • Customizable rules allow developers to code based on their specific requirements
  • Advanced flexibility allows developer adaptation and adoption across multiple supported languages