Deeper Analysis, Unmatched Security

14-day free trial

Deeper Analysis, Unmatched Security

Uncover Hidden Code Vulnerabilities with SonarQube SAST

Comprehensive detection engine for code quality and security
Over 5000 rules for 30+ languages and frameworks
Deeper SAST coverage for Java, C#, and JavaScript/TypeScript
Branch Analysis and Pull Request decoration
Powerful secrets detection
Security Reports including OWASP, CWE Top 25, and PCI DSS
Regulatory release reports
Security Engine customization
Detection of injection flaws, cross-site scripting, deserialization issues and more

CODE SECURITY

benefits of deeper SAST

Hidden security issues

Accelerate development
Reduce risk of security breaches
Automate code scanning
Code Security and compliance
Comprehensive Detection Engine and coverage

Find deeply hidden security issues

99% of software applications use and interact with the code in third-party libraries (dependencies). Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that are in the open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend the dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube and SonarCloud.

Security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more. Our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, and OWASP Top 10.

Graphic shows issues types that are detected by sonar, such as SQL injection, cross-site scripting, deserialization, XXE, path injection, secret detection, crptop API misuse, regex patterns, authentication, IaC misconfigs, Performance, File Manipution and much more! The image also shows the standards addressed by Sonar as well. The standards addressed are PCI DSS, OWASP Top 10, CWE Top 25 and OWASP ASVS

Security hotspots > code review

Security hotspots are instances of security-sensitive code that require human review. Developers can learn to evaluate security risks and improve their understanding of secure coding practices by working with security hotspots.

Security vulnerabilities > code change/fix

Security vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix, and secure your application.

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

Sonar security reports

Security reports quickly give you the big picture of your code’s compliance with security standards. The reports allow you to know where you stand compared to the most common security mistakes. Regulatory reports track the quality of each release and provide evidence that the code delivered meets the quality standards of the organization.

Reports include:

PCI DSS (versions 4.0 and 3.2.1)
OWASP Top 10 (versions 2021 and 2017)
CWE Top 25 (versions 2022, 2021, and 2020)
OWASP ASVS (version 4.0 with level 1 to 3)

See OWASP Top 10

Image shows security hotspot vulnerabilities based off of the WASP top 10

Your end-to-end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis tools become an integral part of the development process and receive early real-time feedback as they commit code changes. Sonar integrations are supported for popular DevOps and CI/CD Platforms including GitHub, GitLab, Azure Devops, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs including Git , Subversion and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, TFVC.

Two developers work together to build new clean code

Pull request decoration

Get instant code review directly inside your pull request and development branches. Fix issues before they become problems.

Implement a Go/No-Go quality gate to automatically fail CI/CD pipelines if code doesn't meet your standards
Review and prioritize code fixes directly within the DevOps Platform interface
Set up multiple quality gates for your monorepo with different projects to receive specific feedback messages for each project

IDE Integration with SonarLint

Superior code quality tool capabilities right into developers’ code environments
Real-time analytical feedback
Code issue highlighting
Strict code quality standards, along with vulnerability issue details and remediation guidance
Customizable rules allow developers to code based on their specific requirements
Advanced flexibility allows developer adaptation and adoption across multiple supported languages

"When implementing large projects with various external parties, it’s nearly impossible to maintain code quality. SonarQube has allowed us to improve the quality of the code base for these large projects — especially by allowing us to significantly reduce the amount of code duplication. Refactoring has become a much easier task."
Hubert Tsang, Chief Information Officer @ Pacific Textiles Ltd