What’s new

Security Reports for SonarQube Cloud Enterprise now cover five new and updated standards, giving security teams and compliance auditors a broader, more accurate view of risk across Projects and Portfolios — including dedicated coverage for AI and mobile application security.

• OWASP Top 10 2025: Updated guidance on the most critical web application risks, including software supply chain integrity and broken access control.
• OWASP Top 10 for LLM (New!): Purpose-built for AI-era risk. Surfaces vulnerabilities specific to Large Language Models, including prompt injection and insecure output handling.
• OWASP MASVS (New!): The Mobile Application Security Verification Standard. A dedicated view for iOS and Android security, aligned with industry-standard mobile requirements.
• OWASP ASVS 5.0: The latest iteration of the Application Security Verification Standard, providing a rigorous technical framework for security testing and verification.
• STIG ASD V6: Updated DISA Application Security and Development STIG support for organizations with government and defense compliance requirements.

All five standards are available at both the Project and Portfolio level. Navigate to the Security Reports tab, select a standard from the left-hand panel, or export directly to PDF for audit and reporting workflows.

For more details, see the Community post.

SonarQube Cloud now includes an embedded version of our Model Context Protocol (MCP) server, allowing you to connect your AI assistants to deep code insights without any local setup.

This delivers a centralized and secure way for your team to leverage AI-driven code quality and security data.

Key Functional Benefits:

• Centralized access: Enable MCP-powered insights for your entire development team through a single, managed cloud entry point. This ensures a consistent experience across the organization without per-user configuration.
• Docker-free deployment: Eliminate the friction of local software requirements. The embedded server is the ideal solution for secure enterprise environments where corporate policies or hardware constraints prevent developers from running Docker locally.
• Seamless AI connectivity: Securely bridge your preferred AI tools—such as GitHub Copilot, Claude, or other LLMs—to SonarQube insights with zero local overhead.

For further details, please see the documentation and blog post.

Architecture management in SonarQube Cloud automatically discovers your current structure, allowing your team to define intended designs and resolve deviations directly within your existing workflow.

It provides a living structural map that governs both developer and AI development, enforcing architectural integrity directly within your workflow with:

Evergreen visual maps: Automatically create a real-time visual structure map of your project's actual architecture that updates with every scan.

Prevent architectural drift: Define your intended architecture and receive immediate feedback in Quality Gates when code violates structural design.

Accelerate onboarding: Provide new developers with an instant, navigable view of the system.

In-workflow resolution: Empower developers to fix structural debt as they code, avoiding costly future rewrites and keeping innovation on track.

How to activate: Visit the Architecture tab within your project settings to begin the four-stage process: discover, formalize, prioritize, and fix.

Check out this Community post and documentation for more information.

Now, when you click into a project, you will be presented with a project health dashboard, with visual insights. This shift gives you immediate visibility into your project’s health, surfacing critical trends and metrics the moment you enter a project.

Key highlights:

• Visual-first experience: The project landing page now functions as a command center, surfacing critical metrics and trends as soon as a project is selected.
• Universal availability: This new landing page experience is live for Free, Team, and Enterprise plans.

This feature is being released in stages between now and March 8 to ensure a smooth transition for all users.

Note: while the updated overview will become the standard for all users, custom dashboards and additional dashboard views remain exclusive to the Enterprise plan.

Learn more with this Community post

SonarQube Cloud has launched the automatic provisioning and analysis of new GitHub repositories.

This feature is designed to eliminate the manual steps previously required to onboard new projects, ensuring consistent analysis coverage from the moment a repository is created.

Key Functional Benefits:

• Zero-touch setup: When a new repository is created in your GitHub organization, a corresponding SonarQube Cloud project is provisioned automatically.
• Day 1 analysis: The initial analysis is triggered upon repository creation, providing instant feedback on the first commit.
• Improved governance: Admins no longer need to manually track or "find" new projects created by development teams; all new projects, and code, are captured by default.

Note: This is enabled by default for all new organizations. To enable it for existing Organizations: navigate to Administration > Organization Settings > Organization Binding and toggle on Auto-import new repositories.

For further details, please see the documentation, video and Community post.

We have expanded our accessibility (a11y) ruleset to move compliance from a late-stage bottleneck to early-stage detection. 

With 114 total rules for HTML, CSS, and JSX, SonarQube Cloud now provides:

• WCAG 2.1 A: 60% coverage (18 of 30 requirements).
• WCAG 2.1 AA: 52% coverage (26 of 50 requirements).
• WCAG 2.1 AAA: 38% coverage (30 of 78 requirements). 

This expanded coverage helps organizations proactively manage legal risk, and build inclusive products with less friction and lower costs.

Community post