[フレーム]

SonarQube

Code quality and security

Ensure every line of code meets the highest standards for quality and security, whether it's written by your team or an AI assistant.

TRUSTED BY OVER 7M DEVELOPERS AND 400K ORGANIZATIONS

Build trust into every line of code

Integrated code quality and code security

Find and fix issues early in the development process with deep static analysis and real-time feedback that seamlessly integrates into your existing workflow.

[画像:settings]

Quality metrics

Track maintainability, reliability, and technical debt across your entire codebase

[画像:secure]

Security analysis

Detect complex vulnerabilities and security hotspots before they reach production

[画像:code]

Remediation

Automatically generate code fix suggestions with a click, minimizing manual debugging

[画像:integration]

CI/CD integration

Seamlessly integrate with your existing development workflow and tools

Select the perfect SonarQube deployment for you

SonarQube Cloud

The SaaS solution for modern DevOps

SonarQube Cloud analyzes code in 35+ languages, detecting issues and offering AI-powered fixes. Integrated with your DevOps tools, it enforces rules for maintainability, reliability, and security on every merge.

  • Get up and running in minutes
  • Zero maintenance and infrastructure management
  • Automatic updates and new feature rollouts
  • 99.9% uptime SLA with global availability
  • SOC 2 Type II certified security

SonarQube Server

On-premise for maximum control

SonarQube Server brings on-prem code analysis to 35+ languages, detecting issues with AI-powered suggestions. Integrated with your CI/CD tools, it enforces maintainability, reliability, and security on every merge.

  • Complete data residency and privacy control
  • Custom configurations and enterprise integrations
  • Air-gapped deployment options available
  • Dedicated support and professional services

SonarQube core capabilities

  • Automated code review

  • Static code analysis

  • Developer experience

  • AI Code Assurance

Automated code review

  • Seamless integration: Integrate SonarQube into your development pipeline for comprehensive code reviews on all projects.
  • Automated scanning: SonarQube automatically scans all branches, pull requests, and merges as soon as code is committed or pushed.
  • Expert analysis: It applies expertly curated rules and industry compliance standards during scans.
  • Real-time feedback: Receive immediate, automated feedback directly within your team's existing code review and DevOps tools.
Learn more

AI-powered remediation

Resolve coding issues in an instant. SonarQube’s AI CodeFix uses LLMs to generate context-aware fix suggestions right in your workflow.

AI CodeFix

Instant code fixes at your fingertips

Streamline your workflow by empowering developers to fix bugs faster and more accurately with AI CodeFix.

  • Get context-aware, AI-powered fixes for bugs and security issues.
  • Resolve complex problems with a single click, directly within the developer's existing workflow.
  • Free up developer time to focus on creating new features and delivering business value.
Learn more
Security Capabilities

Developer-led code security

Empower developers with real-time, actionable guidance to detect and fix vulnerabilities as code is written and reviewed, directly in their workflow.

Static Application Security Testing (SAST)

Our SAST engine automatically finds critical vulnerabilities in your development workflow, stopping them before they reach production.

  • Broad language support: Covers the most popular programming languages, including Java, JavaScript, Python, C++, C#, and many more.
  • Seamless workflow integration: Get immediate feedback directly in your IDE and CI/CD pipeline without context switching.
  • Rapid remediation: Resolve issues faster with clear guidance and AI-powered CodeFix suggestions.
  • Customizable policies: Enforce your organization's specific security standards by creating custom detection rules.
Learn more about SAST
SASTSAST

Taint analysis

Our taint analysis engine tracks data flow to find and stop critical injection vulnerabilities.

  • Find critical injection flaws: Accurately detects a wide range of vulnerabilities, including SQL injection, Cross-site scripting (XSS), SSRF, and more.
  • Minimize false positives: Utilizes sophisticated cross-file and cross-function analysis to deliver highly accurate, actionable results.
  • Framework-aware intelligence: Understands the native security controls in popular frameworks, leading to smarter and more relevant findings.
Explore taint analysis
Image depicts taint analysisImage depicts taint analysis

Secrets Detection

SonarQube detects leaked code secrets throughout your development workflow, identifying them directly in the IDE and within your CI/CD pipeline.

  • Comprehensive coverage: Finds API keys, passwords, and security tokens with hundreds of patterns covering all popular cloud providers and services.
  • High-fidelity scanning: Goes beyond basic pattern matching, using a powerful combination of regular expressions and semantic analysis to minimize false positives.
  • Customizable rules: Easily define your own patterns to detect organization-specific secrets for internal applications and private services in the Enterprise Edition.
  • Shift-left detection: Get immediate feedback directly in your IDE, allowing you to remove secrets before they are ever committed to the repository.
Explore secrets detection
Secrets DetectionSecrets Detection

Infrastructure as Code (IaC) scanning

Find and fix Infrastructure as Code (IaC) misconfigurations before they reach production to secure your cloud.

  • Broad IaC coverage: Scans popular tools including Terraform, CloudFormation, Kubernetes, Azure Resource Manager (ARM), and Ansible.
  • Identify key risks: Catches critical security issues like overly permissive access, publicly exposed services, and insecure defaults.
  • Actionable remediation: Get clear, precise results with step-by-step guidance to help you fix misconfigurations quickly and efficiently.
Learn About IaC scanning
Infrastructure as codeInfrastructure as code
ADVANCED SECURITY

Advanced SAST

Advanced SAST helps identify deeper and more complex vulnerabilities due to the interaction of your application code with third-party (open-source) code.

  • Dependency-aware scanning: Traces data flows not just through your application, but deep into the third-party libraries it relies on.
  • Uncover hidden vulnerabilities: Cross-file taint analysis that goes deep into third-party libraries for detecting hard to find vulnerabilities.
  • Effortless and fast: Runs automatically with zero configuration and no performance overhead, delivering quick and accurate results.
  • Language support: Currently available for Java, C#, JavaScript, and TypeScript.
Discover Advanced SAST
Advanced SASTAdvanced SAST
ADVANCED SECURITY

Software Composition Analysis (SCA)

Secure your open-source dependencies by finding vulnerabilities, managing licenses, and inventorying your software supply chain.

  • Vulnerability detection: Automatically find, track, and prioritize known vulnerabilities (CVEs) within your third-party components.
  • License compliance: Check for and flag incompatible or unapproved licenses in your dependencies to avoid legal and compliance risks.
  • Software bill of materials (SBOM): Generate a complete and accurate inventory of every component in your software for essential transparency and security audits.
Learn more about SCA
Software Composition AnalysisSoftware Composition Analysis

Trusted by development teams worldwide

Join thousands of organizations already using SonarQube to deliver better code

7M+

Developers use Sonar

400K+

Organizations using Open Source edition

45K+

Community members

99.9%

uptime SLA

Code quality and security in your CI/CD workflow

SonarQube is purpose-built for DevOps, embedding automated code analysis directly into your pipeline and supporting the programming languages your teams already use.

[画像:icon]

"SonarQube has significantly impacted our code coverage, security gating, effective & deep security & quality scans with effective vulnerability remediation guidance"

Geoff Hughes, Senior Manager

Enterprise-ready

Advanced features for the enterprise

Get advanced security, scalability, and compliance features built for large organizations- designed to meet your most complex demands.

Contact sales
[画像:secure]

Compliance & reporting

Automate the path to provable code compliance to ensure that your entire codebase, including AI-generated contributions, complies with regulatory requirements and industry data security standards.

[画像:building]

Quality gates & profiles

Customize quality gates, rule profiles, and thresholds to enforce your coding standards or compliance requirements. Apply gates and profiles at the project or organization level, with either self‐service setup or centrally managed governance.

[画像:pdf]

Portfolio & enterprise reporting

Group projects into portfolios to surface holistic health metrics and risk insights. Export PDF reports on demand or on a schedule to support compliance reviews and audits.

Build trust into every line of code

Ready to deliver better, secure code? Get started today with the SonarQube deployment that's right for you.

Image for rating

4.6 / 5

Frequently asked questions

SonarQube is an industry-leading platform for automated code quality and security analysis. It enables organizations and individual developers to continuously review, monitor, and improve their codebases by detecting issues such as bugs, vulnerabilities, and code smells early in the development process. With integrations available for IDEs (via SonarLint), CI/CD pipelines, and cloud or on-premises deployments, SonarQube offers coverage for a broad range of use cases, ensuring high standards for code health and security throughout the software development lifecycle.


Trusted by over 7 million developers and 400,000 organizations globally, SonarQube provides support for more than 35 programming languages and frameworks. Its unified approach aligns developer workflows, team standards, and enterprise-grade security, making it a foundational tool for both small-scale projects and large, distributed development teams seeking scalable, actionable code intelligence.

[フレーム]

AltStyle によって変換されたページ (->オリジナル) /