Systematically review all code for bugs, security vulnerabilities, and stylistic errors without human intervention. 

• Real-time and continuous feedback 
• Code assurance for verifying AI-generated code 
• Pull request (PR) decoration and branch analysis
• AI-native IDEs, MCP Server, CI/CD, and DevOps integration 

Comprehensive code quality assessment to maintain high-quality, reliable, maintainable codebases.

• Comprehensive and deep systematic  code analysis
• Consistent, deterministic, and idempotent
• Breadth, depth, and accurate analysis for 40+ languages 
• Finds bugs, code smells, and technical debt

All-in-one comprehensive and accurate code scanning to identify vulnerabilities and security risks. 

• SAST, taint analysis, secrets detection, IaC scanning
• Mobile Application Security Testing (MAST)
• Software Composition Analysis (SCA) (needs in SonarQube Advanced Security)
• Security reports, dashboards, and posture rating

Automatically visualizes and enforces your system design, ensuring that human and AI-generated code adhere to a modular, maintainable framework. 

• Architecture discovery 
• Architecture visualization 
• Define intended architecture
• Automated architectural reviews
• In-workflow issues management

LLM-powered, context-aware fix suggestions for issues detected by SonarQube. One-click remediation directly in your IDE or PR workflow.

• Instant AI-generated context-aware fixes
• IDE integration with AI CodeFix
• Bring your OpenAI model in SonarQube Server
• SonarQube Remediation Agent (beta) with automatic verification of fixes

Identify and prevent exposure of sensitive credentials, API keys, and secrets. Real-time detection of secrets in IDEs, commits, and pull requests. 

• Hardcoded password detection
• API  and private key detection
• OAuth token detection
• Cloud provider secret detection (AWS, Azure, GCP)

SCA automatically identifies third-party open source components to manage security vulnerabilities, license compliance, and supply chain risks

• Vulnerability (CVE) detection, license policy, and SBOM 
• Severity scores: CVSS (Common Vulnerability Scoring System) 
• Data from EPSS and KEV 
• Malicious package detection
• Open source maintainer network insights for supply chain security

Infrastructure as Code (IaC) security analysis for detecting risks, and misconfigurations in infrastructure templates.

• Multi-cloud IaC support
• Security misconfiguration detection
• Terraform, AWS CloudFormation, Azure Resource Manager
• Kubernetes, Docker, Helm, and Ansible

Find and fix bugs, vulnerabilities, and quality issues in your Android and iOS apps before they hit the app store. 

• Native iOS: Swift and Objective-C.
• Native Android: Kotlin and Java.
• Cross-Platform: Dart/Flutter and JavaScript/TypeScript 
• OWASP Mobile Top 10 reports
• IDE support for early detection of issues

Advanced data-flow analysis that tracks untrusted input through your codebase to identify injection vulnerabilities. 

• Cross-file data-flow tracking
• Lexical analysis
• Syntax and control flow analysis
• Injection vulnerability detection
• Sanitization validation

License compliance tracking for open-source dependencies. Identify license conflicts, ensure policy compliance, and manage legal risks.

• Automated enforcement in PRs 
• License detection & categorization
• Policy violation alerts
• Compliance reporting
• Software Bill of Materials (SBOM)

Scanners and plugins for all major CI/CD and DevOps platforms for automated quality checks. Features include:

• Jenkins 
• GitHub Actions 
• GitLab CI 
• Azure DevOps 

High-level visibility and aggregated data across all projects, allowing leaders to monitor risk, track compliance, and ensure coding standards. Features include:

• Multi-project dashboard
• Portfolio view
• Project tagging & categorization
• Monorepo support
• Historical trend analysis, custom metrics and KPIs, reporting

Provides centralized oversight and reporting necessary to enforce regulatory standards and corporate security policies across your organization. Features include:

• Quality gate, quality profile definition & enforcement
• Regulatory Compliance Reporting (PCI-DSS, OWASP, MISRA, etc.)
• Audit trail, activity logs, and dashboards
• Role-Based Access Control (RBAC)
• License compliance tracking

Provides actionable insights and automated reports to monitor trends, evaluate risk, and drive data-backed decisions across the organization. Features include:

• Executive summary reports
• Dashboards
• Detailed Issue Reports
• Trend analysis & charts
• Scheduled reports