SonarQube：Code Security, for Developers

Detect security issues in code review with Static Application Security Testing (SAST)

 

Early security feedback, empowered developers

Code Security is no longer the realm of security teams.

Beyond the words (DevSecOps, SDLC, etc.), the true opportunity lies in developers writing more secure code with SonarQube detecting Vulnerabilities and Security Hotspots, explaining them, and giving appropriate next steps.

• Take ownership
• IDE integration
• Quality Gate
• Keep it safe

Take ownership

Getting security feedback during code review is your opportunity to learn more and take ownership of Code Security.

 

 

 

 

 

 

IDE integration

Find Vulnerabilities and Security Hotspots in SonarQube and fix them in your IDE with SonarLint as your guide.

 

 

Quality Gate

Enforce Vulnerability standards and Security Hotspot Review in your Quality Gate to make sure you only merge safe code.

 

 

 

Keep it safe

A deep understanding of the issue and its implications leads to a better fix and a safer application.

 

 

 

 

 

Clear security issues, clear actions

Tackle security issues with a sensible pattern led by the development team

Security

Hotspots  Code review

Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure.

As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.

 

Available for:

 

Hashing data is security-sensitive.

Security Hotspot 

Security

Vulnerabilities  Code change/fix

Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk.

Just follow the guidance, check in a fix and secure your application.

Available for:

 

 

Use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm it should be at least 2048 bits long.

Security Vulnerabilities  Blocker

 

OWASP Top 10

The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.

 

DEVELOPER EDITION

Maximum protection with taint analysis

Don’t let untrusted user input compromise your Code Security

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

 

 

• Java
• PHP
• C#
• C
• C++
• Python
• JS/TS

 

Critical security rules for vital languages

Get highly relevant rules for critical languages to help keep your code secure.

ENTERPRISE EDITION

Track Security Compliance at an enterprise level

 

Comprehensive application security tracking for your most complex projects

 

OWASP / CWE security reports

Dedicated reports let you track Code Security against OWASP Top 10 and CWE Top 25 (both the 2019 and 2020 versions). The SonarSource report helps security professionals translate security problems into language developers understand.

 

 

PDF download

The security reports' PDF export includes the project security overview and the top security reports.

 

Using proprietary frameworks?
Feed them into the SonarQube engine

Enterprise Edition lets you declare custom frameworks you use to capture user input and/or persist it. Our injection flaw detection engine then tracks the non-sanitized user input.