/ plans & pricing

The code verification and governance layer for agentic coding.

No single check catches everything. Sonar guides AI agents before they write, verifies AI-generated code in the inner loop, and resolves issues before they compound: a zero-trust, multilayered approach that spans the agent's inner loop and the outer loop.

Team

Essential capabilities for small teams

Starts at

$32 monthly

Includes

  • Recommended for teams <50 developers
  • 30+ languages
  • Code quality standards
  • Detecting bugs and vulnerabilities
  • Secrets detection
  • AI-driven code fixes
  • Pull request analysis
  • Commercial support available
★ Most teams choose this
Enterprise

Mission critical scale & performance.

Annual price

Custom pricing

Team plan plus:

  • Advanced security reports & audit logs
  • OWASP, CWE, PCI DSS, and MISRA C++:2023
  • Unlimited users and projects
  • 40+ languages incl. ABAP, COBOL, Apex
  • SSO, SCIM, CMK/BYOK, IP allowlist
  • Enterprise hierarchy, portfolios, org-wide defaults
  • Customizable portfolio & project dashboards
  • GitHub Advanced Security integration
  • Enterprise SLA
  • Premium support available

Also available

Advanced Security

Team plan

NEW

Essential security for growing teams — secrets detection, SAST, and taint analysis built into your everyday workflow. Available as a subscription on SonarQube Team.

Dependency inventory (SCA)

Analyze and enumerate dependencies

Malicious package detection

Block known public malicious packages

License visibility

Show dependency details, including license information

Vulnerability checks

Detect publicly reported vulnerabilities in dependencies

Enterprise plan

Developer-first security for your first-party, AI-generated, and open source code — powered by advanced SAST and integrated SCA. Available as a subscription on SonarQube Enterprise.

CVE detection

Identify known vulnerabilities in open source dependencies, prioritized by severity and exploitability

SBOM

Generate and export a complete software bill of materials for every project

License policy management

Define and enforce open source license policies across all projects and dependencies

Malicious package detection

Block compromised and malicious libraries from entering your supply chain in real time

Dependency-aware taint analysis

Traces data flow across code boundaries into third-party libraries — uncovering complex vulnerabilities that cross-file analysis alone misses

Portfolio Dashboards & Advanced Security Reporting

Enterprise-wide security visibility across every portfolio and project.

/ try it yourself

SonarQube self-starter

Looking to get started right away on your own? Sign up with a 14-day free trial. No credit card required.


Feature comparison

Compare SonarQube plans

| Capability | SonarQube Team (starts at $32 monthly; ★ most teams choose this) | Enterprise (custom pricing, annual) |
|---|---|---|
| SonarQube MCP Server (Claude Code, Codex, Cursor, Copilot Agent) | Yes | Yes |
| SonarQube CLI | Yes | Yes |
| AI Code Assurance (quality gate for AI-generated code) | Yes | Yes |
| AI-driven code fixes | Yes | Yes |
| Detect issues in AI-generated code | Yes | Yes |
| Languages and frameworks supported | 30+ | 40+ |
| Quality gates and profiles | Yes | Yes |
| Architecture management | Yes | Yes |
| Technical debt management | Yes | Yes |
| Enforce custom coding standards | Yes | Yes |
| Test coverage | Yes | Yes |
| Pull request and branch analysis | Yes | Yes |
| SAST | Yes | Yes |
| Taint analysis | Yes | Yes |
| Secrets detection | Yes | Yes |
| IaC scanning | Yes | Yes |
| SCA and Advanced SAST | | Included in Advanced Security Enterprise subscription |
| OWASP Top 10, CWE, PCI DSS, STIG, CASA | | Yes |
| MISRA C++:2023 compliance | | Yes |
| Cyber Resilience Act (CRA) compliance | | Yes |
| GitHub Advanced Security integration | | Yes |
| Security reports and audit logs | | Yes |
| Unlimited users and projects | | Yes |
| SSO, SCIM, CMK/BYOK | | Yes |
| IP allowlist | | Yes |
| Enterprise hierarchy and portfolios | | Yes |
| Customizable dashboards | | Yes |
| Enterprise SLA | | Yes |
| Premium support | Add-on | Add-on |

AI code review that fixes your code

Not just comments. Real fixes, validated against your CI pipeline. Try the full platform free for 14 days.

Best for getting started

Core

Unlimited public & private repos · Up to 50 users

$20 per user / month billed annually, or $25 per user / month billed monthly · 14-day free trial

No credit card required

Includes

  • Unlimited code reviews (fully customizable review instructions)
  • Automatic PR summaries
  • CI failure analysis (GitHub Actions, GitLab Pipelines)
  • Fixes via comments (ask Gitar to fix issues on your PRs)
  • Interactive agent on your PRs
  • Developer insights

Comprehensive platform engineering

Enterprise

Unlimited public & private repos · Unlimited users

Contact us

Custom pricing & agreements

Everything in Pro, plus

  • Self-hosted GitHub & GitLab
  • Bring your own LLM API key
  • SSO / SAML
  • Custom deployment options
  • Audit logs
  • Dedicated support
  • Custom agreements
  • Custom integrations
  • API access


Frequently asked questions

Common questions about Sonar plans, pricing, and lines of code.

How does pricing work for private projects?

Subscribing to a paid plan on SonarQube allows you to create a private organization containing private projects.

There are two paid plans available: Team and Enterprise. You pay upfront for a maximum number of private lines of code to be analyzed in your organization.

SonarQube plan pricing starts at $32 monthly for analysis of up to 100k LOC. Other LOC increments are available, up to 1.9M LOC.

We also offer a free tier that allows you to explore SonarQube using your private projects up to a maximum of 50k LOC.

Do you offer pricing for a self-hosted solution?

Yes. If you prefer to manage your own infrastructure, SonarQube Server is our self-managed static analysis solution.

It's available in three editions — Developer, Enterprise, and Data Center — each priced per instance, per year, based on your lines of code (LOC). View SonarQube Server plans and pricing →

What payment options are available?

For the Team plan, payment is completed online via credit card and will happen automatically every month. For all billing questions, use the Contact Us form.

What is a Line of Code (LOC) on SonarQube?

LOCs are computed by summing up the lines of code of each project analyzed in SonarQube. The LOCs used for a project are the ones found during the most recent analysis of this project.

How are Lines of Code (LOCs) counted towards billing?

Only LOCs from your private projects are counted toward your maximum number of LOCs.

If your project contains branches, we only count the lines of code in your largest branch.

The count is not related to how frequently the source code is analyzed. If your private project has 6K LOCs and you analyze it 100 times in the month, this will be counted as 6K for the billing.

If you are getting close to the threshold, you will be notified to either upgrade your plan or reduce the number of LOCs in your projects.

Please note — in the future, we plan to introduce compute analysis measurements to enable admin monitoring of the volume of analyses made.

When will I be invoiced?

With the SonarQube Team plan you will be invoiced once a month, on the day of the month after your trial ends. For example, if you start your free trial on January 1st, it will last until January 14th and you will first be billed on January 15th for your upcoming month, i.e. January 15th to February 15th.

Which programming languages does SonarQube Cloud support?

SonarQube currently supports the following languages and frameworks in the Team plan: Ansible, Azure Resource Manager, C, C++, CloudFormation, C#, CSS, Docker, Flex, Go, HTML, Java, JavaScript, Kotlin, Kubernetes, Objective-C, PHP, PL/SQL, Python, RPG, Ruby, Rust, Scala, Swift, Terraform, TypeScript, T-SQL, VB.NET, VB6, XML, JSON, YAML and Groovy. Additionally, the Enterprise Plan offers ABAP, COBOL, JCL, RPG, PL/I, and Apex.

Is support available for SonarQube?

Yes.

The SonarQube Enterprise plan includes commercial support (starting at 5M LOC).

For the Team plan commercial support is available to purchase (contact sales).

For the Free plan (as well as Enterprise and Team plans) the Sonar Community is a channel for you to ask questions and receive help from our community members.

Can I try a private project on SonarQube for free?

Yes. The free tier enables you to explore SonarQube with your private project up to a maximum size of 50k LOC. Sign up here.

Can I cancel my subscription?

Of course! There's no commitment. You can delete your paid organization whenever you wish. Or simply downgrade to the free tier if you wish to keep on analyzing some public projects.

Can I try the new enterprise features?

Yes. Please contact sales and request a trial of SonarQube Enterprise features to discover the value they will bring to your organization.

How can I get SCA?

SCA is available with the Advanced Security subscription available to Enterprise plan users. It offers vulnerability detection, license checks, and SBOM visibility. Head here to discover more.

How do you protect my code and data?

Gitar is built with a security-first architecture designed for enterprise-grade environments.

  • Gitar does not retain any code or data after processing. Everything is deleted once an agent run completes.
  • Neither we nor our LLM providers train on your code or data. Your repositories remain completely private.
  • Enterprise customers can bring their own Anthropic API key to route all LLM calls through their own account.
  • Gitar follows SOC 2 Type II and ISO 27001 standards for data protection, encryption, and access management.

Your code stays your code — always.

Why can't I build this myself?

You could, but you'd be rebuilding years of deep systems and integration work. Gitar isn't a thin wrapper over an LLM. It's a full AI orchestration layer built specifically for developer workflows and CI/CD environments.

We've built tight integrations with GitHub, GitLab, and major CI systems to give agents direct, secure access to build data, code reviews, and workflow events.

Under the hood, Gitar handles context management, state persistence, and multi-agent coordination across repositories, allowing teams to collaborate through shared workflows rather than one-off prompts.

Our team brings decades of experience building developer tools and workflows for large, enterprise-scale engineering organizations — experience that's reflected in Gitar's reliability, scalability, and developer experience.

How is it different from other coding or review agents?

Most coding assistants stop at writing code. Gitar's agents go further: they understand and act across your CI and code-review workflows with full codebase context.

They root-cause failures, propose and apply fixes, and handle review comments automatically.

Our system combines deterministic build signals with AI reasoning, delivering accuracy, context, and confidence no generic coding or review assistant can match.

Can I try it for free?

Yes. Sign up and get a 14-day free trial of the Pro plan — full access to AI code review, auto-fixes, CI failure diagnosis, agentic workflows, and more. No credit card required to start.

How does Gitar joining Sonar affect me?

Nothing changes in how Gitar works today. Your existing integrations, CI connections, and configurations remain in place. Over time, Sonar will deepen the integration between Gitar and SonarQube, giving you a more complete view of code quality, security, and review status in one place. If you have questions about your account, contact support.

How does Gitar fit with SonarQube?

They are designed to complement each other. SonarQube provides structured, consistent, algorithmic review across 40+ languages, covering code quality, security vulnerabilities, architectural drift, and technical debt. It is fast, auditable, and operates in a zero-trust way with respect to LLMs. It does not assume AI-generated code is correct, and verifies it against defined quality profiles and gates regardless of how the code was written.

Gitar works alongside SonarQube and brings AI-native intelligence to the entire verification workflow. It reads code the way AI reads it, with awareness of context, intent, and the logic of the change as a whole, extending coverage to functional bugs, logic errors, and behavioral issues by reviewing what the code is actually trying to do.

Together, the combination is greater than the sum of its parts. SonarQube's deterministic precision and Gitar's contextual intelligence reinforce each other. Issues one approach catches inform the other, and the coverage they provide jointly closes gaps neither could alone. A CI pass alone does not mean code is production-safe. Layering both approaches means more of what matters gets caught before it ships. Together, they provide a highly comprehensive and accurate review and verification of your code.

Is Gitar replacing SonarQube code verification?

No. Gitar and SonarQube bring different review lenses to the same codebase. SonarQube uses mathematical reasoning approaches to verify code against a wide range of known issues: security vulnerabilities, reliability problems, maintainability concerns, and architectural drift. It does this by examining data flows, control flows, syntax, and a range of other properties. On top of that, it applies defined quality profiles and gates consistently to every change, so you can enforce your standards across your codebases. Gitar uses generative AI to review the logic and intent of the change in context, extending coverage to functional and behavioral issues that emerge from understanding what the code is trying to do.

The two are additive and complementary. Used together, they provide deeper and more accurate review than either delivers alone, covering both the known issue catalog that deterministic analysis excels at and the context-dependent logic that AI review is built for.