SAST Testing, Code Security & Analysis Tools | SonarQube | Sonar

Security Analysis

make clean code your security standard

Detect, explain and give appropriate next steps for Security Vulnerabilities and Hotspots in code review with Static Application Security Testing (SAST).

Start Free Trial -->
Code Security

early security feedback, empowered developers

Take Ownership

real-time feedback

Getting security feedback during code review is your opportunity to learn more and take ownership of Code Security.

With sonar you can assign issues to other developers to help keep your code clean
IDE Integration

Connected Mode with SonarLint

Find Vulnerabilities and Security Hotspots in SonarQube or SonarCloud and fix them in your IDE with SonarLint as your guide.

Image shows the VS Studio, VS Code, Eclips, Intella J and C Lion Logo's and an example IDE environment
Quality Gate

Safe Code

Enforce Vulnerability standards and Security Hotspot Review in your Quality Gate to make sure you only merge safe code.

A passing quality gate is shown
Keep It Safe

Security Rules Explained

A deep understanding of the issue and its implications leads to a better fix and a safer application.

An error is found in code and identified while providing an explanation of the risk.
Commit to Developer-Led Security

clear security issues and actions from your ultimate SAST tool

Tackle security issues with a sensible pattern led by the development team

Security Hotspots > Code Review

Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure. As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.

Security Vulnerabilities > Code Change/fix

Security Vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix and secure your application.

Security Analysis

OWASP top 10

The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.

Learn More
Image of the OWASP top ten logo

maximum protection with taint analysis

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

Explore more features -->
Visual Represents taint analysis

Critical security rules for vital languages

Get highly relevant rules for critical languages to help keep your code secure.


Languages like Java, PHP, C#, C, C++, Python, JavaScript, TypeScript, and more.

Explore all languages -->
Enterprise Edition

track security compliance at an enterprise level

Comprehensive application security tracking for your most complex projects.

OWASP / CWE security reports

Dedicated reports let you track Code Security against OWASP Top 10 and CWE Top 25 (all three versions: 2021, 2020, and 2019). The SonarSource report helps security professionals translate security problems into language developers understand.

Image shows security hotspot vulnerabilities based off of the WASP top 10

Using proprietary frameworks? Feed them into the SonarQube engine

Enterprise Edition lets you declare custom frameworks you use to capture user input and/or persist it. Our injection flaw detection engine then tracks the non-sanitized user input.

Learn More -->
bits of code and quality checks are shown as an abstract of a developers environment.
Background image of bits of code connecting to each other

ready to detect security issues?

Start with open source -->Explore all editions -->
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2023, SonarSource S.A, Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE and SONARCLOUD are trademarks of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.