# Introduction

Advanced Security is available in SonarQube Server as an add-on, starting with [Enterprise Edition](https://www.sonarsource.com/plans-and-pricing/sonarqube/).

## Overview <a href="#overview" id="overview"></a>

SonarQube Advanced Security is an Enterprise add-on that extends SonarQube’s capabilities with deeper security analysis and compliance-focused features, such as Software Composition Analysis (SCA) and Advanced SAST.

Designed for organizations that require enterprise-grade application security, it helps developers detect vulnerabilities and risks, both in their own code and in the open source code they depend on, early in the software development lifecycle.

Advanced Security is built on top of SonarQube core security features such as:

* **SAST**: Analyzes source code to detect vulnerabilities, security hotspots, and flaws.
* **Taint Analysis**: Tracks untrusted user input with data flow analysis across functions and files to find injection and other vulnerabilities.
* **Secrets Detection**: Identifies hardcoded secrets in code repositories.
* **IaC Scanning**: Detects misconfigurations and security issues in your infrastructure definitions.

It also relies on features that are already part of Enterprise Edition:

* **Security Engine Custom Configuration**: Fine-tune the security engine's settings to your organization's needs.
* **Security Reports**: Comprehensive security reports against standards such as PCI DSS, OWASP Top 10, CWE Top 25, STIG, and CASA.

## Software Composition Analysis (SCA) <a href="#sca" id="sca"></a>

SonarQube Server identifies your open source dependencies and the issues they carry, supporting both security and compliance:

* **Vulnerability identification**: Track, manage, and mitigate vulnerabilities in third-party dependencies, such as those tracked by the CVE (Common Vulnerabilities and Exposures) project.
* **Malicious package discovery**: Protect against malware compromise by checking your dependencies against lists of known malicious packages.
* **License management**: Enforce your organization’s policies for allowed software licenses.
* **Software Bills of Materials (SBOM)**: Inventories that help you understand, manage, and report on the composition of your code.

## Supported platforms <a href="#supported-platforms" id="supported-platforms"></a>

Dependency analysis is currently available for the following languages:

* JavaScript/TypeScript (npm, yarn, pnpm, bun)
* Java, Kotlin, Scala (Maven, Gradle)
* Python (pip, poetry, pipenv)
* C# / .NET (nuget)
* Go
* Ruby (bundler)
* Rust (Cargo)
* PHP

## Data sources <a href="#data-sources" id="data-sources"></a>

Sonar uses the following sources of vulnerability data:

* [NIST National Vulnerability Database](https://nvd.nist.gov/)
* [OSV](https://osv.dev), including [OpenSSF Malicious Packages](https://github.com/ossf/malicious-packages)
* [Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/)
* [CISA Known Exploited Vulnerabilities (KEV)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

The Sonar service fetches updates from these sources regularly and supplements them with manual research and insights from open source maintainers.

License data comes from upstream package managers and source repositories, again supplemented with manual research and insights from open source maintainers.
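The following script is an added illustration of how the SCA features above and these data sources fit together; it is not Sonar's code and does not show how SonarQube Server implements its analysis. A dependency inventory is matched against OSV-shaped advisories and a malicious-package list, each match is ranked using EPSS scores and CISA KEV membership, and licenses are checked against an allowlist. Every input is constructed for the example: the package names, advisory IDs, EPSS values, and license policy are fictitious, and the version parser is deliberately minimal.

```python
"""Toy dependency-risk triage (illustration only, not Sonar's code).
A dependency inventory is matched against OSV-style advisories and a
malicious-package list, ranked with EPSS and CISA KEV, and checked against a
license policy.  All inputs are constructed; names and IDs are fictitious."""
from dataclasses import dataclass

PRIORITY_ORDER = {"block": 0, "urgent": 1, "high": 2, "medium": 3, "review": 4}

def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, so "1.2.10" sorts after "1.2.9".
    Real tools need ecosystem-aware parsing (pre-release tags, epochs, etc.)."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version: str, events: list) -> bool:
    """Evaluate an OSV SEMVER range.  Events are sorted and alternate between
    "introduced" and "fixed"; a version is affected if the last event at or
    below it is an "introduced".  {"introduced": "0"} means "from the start"."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        if "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected

def rank(advisory: dict, epss: dict, kev: set) -> str:
    """Actively exploited (KEV) beats everything; otherwise use the EPSS score.
    EPSS and KEV are keyed by CVE ID, so also look through the OSV "aliases"."""
    ids = [advisory["id"], *advisory.get("aliases", [])]
    if any(i in kev for i in ids):
        return "urgent"
    score = max((epss.get(i, 0.0) for i in ids), default=0.0)
    return "high" if score >= 0.1 else "medium"

@dataclass
class Finding:
    package: str
    version: str
    kind: str       # "malicious", "vulnerability" or "license"
    reference: str  # advisory ID, malicious-package ID or license name
    priority: str

def triage(dependencies, advisories, malicious, epss, kev, allowed_licenses):
    """Produce a prioritized list of risks for a dependency inventory."""
    findings = []
    for dep in dependencies:
        key = (dep["ecosystem"], dep["name"])
        # 1. Any version of a known-malicious package is blocking.
        if key in malicious:
            findings.append(Finding(dep["name"], dep["version"], "malicious",
                                    malicious[key], "block"))
        # 2. Vulnerabilities: match the package, then evaluate its version ranges.
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != key:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] == "SEMVER" and is_affected(dep["version"], rng["events"]):
                        findings.append(Finding(dep["name"], dep["version"], "vulnerability",
                                                adv["id"], rank(adv, epss, kev)))
        # 3. License policy: anything outside the allowlist needs review.
        if dep["license"] not in allowed_licenses:
            findings.append(Finding(dep["name"], dep["version"], "license",
                                    dep["license"], "review"))
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])

def run_example():
    """Constructed inventory and feeds (fictitious names and IDs throughout)."""
    dependencies = [
        {"ecosystem": "npm", "name": "acme-parser", "version": "1.4.2", "license": "MIT"},
        {"ecosystem": "npm", "name": "acme-parser-utils", "version": "0.3.0", "license": "MIT"},
        {"ecosystem": "PyPI", "name": "acme-auth", "version": "2.0.5", "license": "AGPL-3.0"},
        {"ecosystem": "npm", "name": "acme-render", "version": "3.2.0", "license": "Apache-2.0"},
    ]
    advisories = [  # shaped like OSV records
        {"id": "EX-2024-0001", "aliases": ["EX-CVE-0001"], "affected": [{
            "package": {"ecosystem": "npm", "name": "acme-parser"},
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}]}]},
        {"id": "EX-2024-0002", "aliases": ["EX-CVE-0002"], "affected": [{
            "package": {"ecosystem": "PyPI", "name": "acme-auth"},
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]},
        {"id": "EX-2024-0003", "affected": [{
            "package": {"ecosystem": "npm", "name": "acme-render"},
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "3.0.0"}]}]}]},
    ]
    malicious = {("npm", "acme-parser-utils"): "MAL-EXAMPLE-0001"}  # e.g. a typosquat
    epss = {"EX-CVE-0001": 0.02, "EX-CVE-0002": 0.45}                # exploitation probability
    kev = {"EX-CVE-0001"}                                           # actively exploited
    allowed_licenses = {"MIT", "Apache-2.0", "BSD-3-Clause"}
    return triage(dependencies, advisories, malicious, epss, kev, allowed_licenses)

if __name__ == "__main__":
    for f in run_example():
        print(f"{f.priority:7} {f.kind:13} {f.package}@{f.version} ({f.reference})")
```

Two details are worth noting. First, the malicious-package check ignores the version entirely, because a package on such a list is untrustworthy in every version; it sorts ahead of every vulnerability. Second, `acme-render` matches an advisory by name but sits above the fixed version, so the range evaluation correctly produces no finding; getting the range semantics right is what separates a useful SCA result from noise.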

## Advanced SAST <a href="#advanced-sast" id="advanced-sast"></a>

SonarQube Server is a Static Application Security Testing (SAST) tool. It examines your project's source code without executing it, so vulnerabilities can be found before the code is merged and shipped.

Issue categories detected by SAST include SQL injection, cross-site scripting, insecure deserialization, hardcoded secrets, and more.

[Advanced SAST](https://www.sonarsource.com/solutions/security/sast/) extends the analysis into the parts of the code that live in your open-source dependencies and are otherwise unknown to it. It helps you identify deeper and more complex vulnerabilities that arise from the interaction of your application code with third-party (open-source) code.

Advanced SAST is available for the following languages:

* JavaScript/TypeScript
* Java
* C# / .NET
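To make concrete why analyzing dependency code changes the result, here is an added toy interprocedural taint analysis. It is not Sonar's engine and the statement language, function names, and variable names are all made up for the example. The same small application is scanned three ways: with library calls treated as returning clean data, with library calls pessimistically assumed to propagate taint, and with the library's own code analyzed. Only the last mode finds both real flows (a value normalized by the library and then executed, and a sink that sits inside the library) without flagging the value the library escaped.

```python
"""Toy interprocedural taint analysis (illustration only, not Sonar's engine).
Programs are written in a tiny statement language constructed for the example;
all function and variable names are made up."""

# Each function is (parameter names, statements).  Statement forms:
#   ("source", var)              var receives untrusted input
#   ("assign", dst, src)         dst = src
#   ("sanitize", dst, src)       dst = escape(src): taint is removed
#   ("call", dst, fn, [args])    dst = fn(*args)
#   ("sink", var)                var reaches a dangerous operation, e.g. SQL execute
#   ("return", var)
APP = {
    "handle_request": ([], [
        ("source", "user_id"),                          # e.g. a query parameter
        ("call", "q1", "lib.normalize_id", ["user_id"]),
        ("sink", "q1"),                                 # app executes q1 itself
        ("call", "_", "lib.lookup", ["user_id"]),       # the sink is inside the library
        ("call", "safe", "lib.escape", ["user_id"]),
        ("sink", "safe"),                               # escaped first, so not a flaw
    ]),
}
LIB = {  # the open-source dependency's code
    "lib.normalize_id": (["x"], [("assign", "y", "x"), ("return", "y")]),
    "lib.lookup": (["key"], [("assign", "sql", "key"), ("sink", "sql")]),
    "lib.escape": (["s"], [("sanitize", "t", "s"), ("return", "t")]),
}

def analyze(fn, tainted_args, functions, unknown_policy, findings, path):
    """Return True if fn's result is tainted given which arguments are tainted.
    Sinks reached by tainted data are appended to `findings` as call-path strings.
    Calls to functions missing from `functions` are resolved by `unknown_policy`:
    "untainted" assumes the callee returns clean data, "propagate" assumes its
    result is tainted whenever any argument is.  Neither can see sinks inside it."""
    if fn not in functions:
        return unknown_policy == "propagate" and any(tainted_args)
    if fn in path:  # the toy programs do not recurse; stop just in case
        return False
    params, body = functions[fn]
    tainted = {p for p, t in zip(params, tainted_args) if t}
    result = False
    for stmt in body:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            if stmt[2] in tainted:
                tainted.add(stmt[1])
            else:
                tainted.discard(stmt[1])
        elif op == "sanitize":
            tainted.discard(stmt[1])
        elif op == "call":
            _, dst, callee, args = stmt
            ret_tainted = analyze(callee, [a in tainted for a in args],
                                  functions, unknown_policy, findings, path + [fn])
            if ret_tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "sink":
            if stmt[1] in tainted:
                findings.append(f"{' > '.join(path + [fn])}: {stmt[1]}")
        elif op == "return":
            result = stmt[1] in tainted
    return result

def scan(entry, functions, unknown_policy="untainted"):
    """Scan from an entry point and return the list of tainted sinks reached."""
    findings = []
    analyze(entry, [], functions, unknown_policy, findings, [])
    return findings

def run_example():
    return {
        # Library treated as a black box returning clean data: both real flows missed.
        "app_only_untainted": scan("handle_request", APP, "untainted"),
        # Pessimistic black box: flags the escaped value too (false positive) and
        # still cannot see the sink inside lib.lookup.
        "app_only_propagate": scan("handle_request", APP, "propagate"),
        # Library code analyzed: both real flows found, no false positive.
        "with_dependency_code": scan("handle_request", {**APP, **LIB}, "untainted"),
    }

if __name__ == "__main__":
    for mode, found in run_example().items():
        print(mode, found or "no findings")
```

The point of the three modes is the trade-off a black-box approach forces: treating unknown callees as clean loses the flow through `lib.normalize_id`, treating them as tainted produces a false positive on `lib.escape`, and neither mode can ever report the sink inside `lib.lookup`, because that sink is not visible in the application's code at all.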

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Viewing dependencies](/sonarqube-server/2025.5/advanced-security/viewing-dependencies.md)
* [Reviewing and fixing dependency risks](/sonarqube-server/2025.5/advanced-security/reviewing-and-fixing-dependency-risks.md)
* [Analyzing projects for dependencies (SCA)](/sonarqube-server/2025.5/advanced-security/analyzing-projects-for-dependencies.md)
* [Managing license profiles and policies](/sonarqube-server/2025.5/advanced-security/managing-license-profiles-and-policies.md)
* [Troubleshooting the dependency analysis](/sonarqube-server/2025.5/advanced-security/troubleshooting.md)
* [Best practices for managing dependency risks](/sonarqube-server/2025.5/advanced-security/best-practices-for-managing-dependency-risks.md)
