 
 
Code Security, for Developers
Detect security issues in code review with Static Application Security Testing (SAST)
 
 
Code Security is no longer the realm of security teams.
Beyond the words (DevSecOps, SDLC, etc.), the true opportunity lies in developers writing more secure code with SonarQube detecting Vulnerabilities and Security Hotspots, explaining them, and giving appropriate next steps.
Getting security feedback during code review is your opportunity to learn more and take ownership of Code Security.
 
 
Find Vulnerabilities and Security Hotspots in SonarQube and fix them in your IDE with SonarLint as your guide.
 
Enforce Vulnerability standards and Security Hotspot Review in your Quality Gate to make sure you only merge safe code.
 
 
A deep understanding of the issue and its implications leads to a better fix and a safer application.
 
 
Tackle security issues with a sensible pattern led by the development team
Security Hotspots are uses of security-sensitive code. They might be okay, but human review is required to know for sure.
As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.
 
 
Hashing data is security-sensitive.
Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk.
Just follow the guidance, check in a fix and secure your application.
 
 
Use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm it should be at least 2048 bits long.
OWASP Top 10
The OWASP Top 10 represents security professionals' broad consensus about the most critical security risks to web applications. SonarQube offers significant OWASP Top 10 coverage across many languages to help you protect your systems, your data and your users.
DEVELOPER EDITION
Maximum protection with taint analysis
Don’t let untrusted user input compromise your Code Security
Chase down the bad actors
Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.
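The source, propagation, sanitizer and sink roles that taint analysis reasons about, shown as an added runtime model in Python. This is illustrative code written for this page, not SonarQube's engine (which finds the same flows statically, without running the program); the function names and the database sink are assumptions.

```python
# Added illustration (not SonarQube code): a runtime model of the taint
# concept SonarQube's engine applies statically. Untrusted input is marked
# tainted at its source, the mark survives string operations as it passes
# through helper methods, a sanitizer clears it, and a sink refuses
# tainted data before it reaches the database.

class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    # Propagate taint through concatenation in either operand position.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def request_param(raw):
    """Source: anything taken from the HTTP request is untrusted."""
    return Tainted(raw)


def sanitize_id(value):
    """Sanitizer: only a plain integer survives; the result is trusted."""
    if not value.isdigit():
        raise ValueError("expected a numeric id")
    return str(int(value))  # plain str: taint removed


def build_query(user_id):
    """Helper in another method: taint must survive the hop."""
    return "SELECT * FROM users WHERE id = " + user_id


def db_execute(query):
    """Sink: refuse any query that still carries taint (assumed DB sink)."""
    if isinstance(query, Tainted):
        raise PermissionError("tainted data reached the database sink")
    return query


def vulnerable_flow(raw):
    # Source -> helper -> sink with no sanitizer on the path: flagged.
    return db_execute(build_query(request_param(raw)))


def fixed_flow(raw):
    # Same path, but the sanitizer sits between source and sink: clean.
    return db_execute(build_query(sanitize_id(request_param(raw))))


def is_flagged(flow, raw):
    """True when the sink rejects the data the flow delivers to it."""
    try:
        flow(raw)
    except PermissionError:
        return True
    return False
```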
 
 
 
 
Critical security rules for vital languages
Get highly relevant rules for critical languages to help keep your code secure.
ENTERPRISE EDITION
Track Security Compliance at an enterprise level
Comprehensive application security tracking for your most complex projects
OWASP / CWE security reports
Dedicated reports let you track Code Security against OWASP Top 10 and CWE Top 25 (both the 2019 and 2020 versions). The SonarSource report helps security professionals translate security problems into language developers understand.
 
 
PDF download
The security reports' PDF export includes the project security overview and the top security reports.
 
 
Enterprise Edition lets you declare custom frameworks you use to capture user input and/or persist it. Our injection flaw detection engine then tracks the non-sanitized user input.
