
Deeper Analysis. Unmatched Security.



Uncover Hidden Code Vulnerabilities with SonarQube Server SAST

  • Comprehensive detection engine for code quality and security
  • Over 5000 rules for 35+ languages and frameworks
  • Deeper SAST coverage for Java, C#, and JavaScript/TypeScript
  • Branch Analysis and Pull Request decoration
  • Powerful secrets detection
  • Security Reports including OWASP, CWE Top 25, and PCI DSS
  • Regulatory release reports
  • Security Engine customization
  • Detection of injection flaws, cross-site scripting, deserialization issues and more
CODE SECURITY

Benefits of deeper SAST

  • Find hidden security issues
  • Accelerate development
  • Reduce the risk of security breaches
  • Automate code scanning
  • Code security and compliance
  • Comprehensive detection engine and coverage

Find deeply hidden security issues

99% of software applications use and interact with the code in third-party libraries (dependencies). Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that are in the open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend the dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube Server and SonarQube Cloud.

Security analysis

Sonar is designed to detect and fix the kinds of code issues that can lead to bugs and security vulnerabilities, and supports more than 30 programming languages and frameworks. Its security analysis identifies a broad range of security risks, including SQL injection, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication problems, and leaked cloud secrets. In SonarQube Server Enterprise Edition and Data Center Edition, and in the SonarQube Cloud Enterprise plan, our security rules are categorized according to established security standards such as PCI DSS, CWE Top 25, OWASP ASVS, OWASP Top 10, STIG and CASA.


Security hotspots > Code review

Security hotspots are security-sensitive pieces of code that require manual review. By working through security hotspots, developers learn to assess security risk and deepen their understanding of secure coding practices.


Vulnerabilities > Code change / fix

Vulnerabilities must be addressed immediately. Sonar provides a detailed issue description and highlights the affected code, explaining why it is at risk. Follow the guidance to commit a fix and keep your application secure.

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

[Figure: visual representation of taint analysis]

Sonar security reports

Security reports give you a quick overview of how your code complies with security standards. Available in SonarQube Server Enterprise Edition and Data Center Edition and in SonarQube Cloud Enterprise, they help you pinpoint the risk level of common security weaknesses. Compliance reports track the quality level of every release, providing evidence that the delivered code meets your organization's quality standards.

Reports cover:

  • PCI DSS (versions 4.0 and 3.2.1)
  • OWASP Top 10 (2021 and 2017 editions)
  • CWE Top 25 (2022, 2021 and 2020 editions)
  • OWASP Application Security Verification Standard (ASVS 4.0, levels 1-3)
  • STIG
  • CASA

See the OWASP Top 10

Your end-to-end static application security testing tool

Integrate static analysis seamlessly into your software development workflow

DevOps and CI/CD

Integrating SAST into DevOps and CI/CD pipelines helps organizations improve their software security posture by ensuring vulnerabilities are found early in the development lifecycle. The security analysis tool becomes an integral part of the development process, giving real-time feedback when code changes are committed. Sonar integrates with the major DevOps and CI/CD platforms, including GitHub, GitLab, Azure DevOps, TravisCI, CircleCI and Bitbucket. It natively supports major SCMs such as Git and Subversion, and covers CVS, Jazz RTC, Mercurial, TFVC and other commonly used version control systems through community support.

Pull request decoration

Get instant code review directly in pull requests and development branches. Fix defects before they become bigger problems.

  • Enforce a quality gate: if the code does not meet the standard, the CI/CD pipeline stops automatically
  • Review and prioritize code fixes directly in your DevOps platform's interface
  • Set multiple quality gates for different projects in a monorepo to get targeted feedback

SonarQube IDE integration

  • Bring the power of a leading code quality tool directly into the developer's coding environment
  • Real-time analysis feedback
  • Highlighting of code issues
  • Strict code quality standards, with vulnerability details and fix guidance
  • Customizable rules so developers can code to their specific requirements
  • Advanced flexibility for developers working across multiple supported languages
Pacific Textiles Ltd

"When implementing large projects together with multiple external parties, it is almost impossible to maintain code quality. SonarQube Server has enabled us to raise the quality of the code base of these large projects, in particular by letting us significantly reduce the amount of duplicated code. Refactoring has become a much easier task."

Hubert Tsang, Chief Information Officer @ Pacific Textiles Ltd

Ready to secure your code?

Start Your Free Trial Now