
Introduction to SonarQube Advanced Security


Advanced Security is only available in SonarQube Server, as an add-on starting in Enterprise Edition.

Overview

SonarQube Advanced Security is an Enterprise add-on that extends SonarQube’s capabilities by offering deeper security analysis and compliance-focused features such as Software Composition Analysis (SCA) and advanced SAST. 

Designed for organizations that require enterprise-grade application security, it helps developers detect vulnerabilities and risks in open source code early in the software development lifecycle.

Advanced Security is built on top of SonarQube core security features such as:

  • SAST: Analyzes source code to detect vulnerabilities, security hotspots, and flaws.
  • Taint Analysis: Tracks untrusted user input with data flow analysis across functions and files to find injection and other vulnerabilities.
  • Secrets Detection: Identifies hardcoded secrets in code repositories.
  • IaC Scanning: Detects misconfigurations and security issues in your infrastructure definitions.

As well as features that are already part of Enterprise:

  • Security Engine Custom Configuration: Fine tune security engine settings for enterprise needs.
  • Security Reports: Comprehensive security reports aligned with standards such as PCI DSS, OWASP Top 10, CWE Top 25, STIG, and CASA.

Software Composition Analysis (SCA)

SonarQube Server can identify your open source dependencies and discover issues with them, helping you keep them secure and compliant.

  • Vulnerability identification: Tracking, managing, & mitigating third-party vulnerabilities, including Common Vulnerabilities and Exposures (CVE).
  • License management: Your organization’s policies for allowed software licenses.
  • Software Bills of Materials (SBOM): Inventories that help understand, manage, and report on the composition of the code.

SonarQube Server's SCA results appear in the Dependency Risks and Dependencies sections of projects, applications, and portfolios. The location of the Dependencies tab differs depending on whether you're in a project, an application, or a portfolio.
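To make the three SCA concerns above concrete, here is an added example that is not SonarQube's own code: a minimal pass over an npm lockfile that builds an SBOM-style inventory, matches installed versions against an advisory list, and enforces a license allow-list. The lockfile, the advisory entries (including the `ADV-EXAMPLE-0001` identifier) and the allowed-license policy are all constructed for this example; real advisory feeds use version ranges rather than the exact-version match used here.

```javascript
// Added example (not SonarQube's own code): a minimal SCA pass over an npm
// lockfile. It derives an SBOM-style inventory, flags versions listed in a
// constructed advisory feed, and reports licenses outside an allow-list.

// Cut-down package-lock.json in the lockfileVersion 3 layout: `packages` is
// keyed by install path, with the root project under "". Constructed data.
const sampleLockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad-ish": { version: "1.3.0", license: "MIT" },
    "node_modules/old-parser": { version: "2.0.1", license: "GPL-3.0-only" },
    "node_modules/old-parser/node_modules/nested-dep": { version: "0.9.0", license: "MIT" },
  },
};

// Constructed advisory feed keyed by package name. Real feeds (CVE, OSV) express
// affected versions as ranges; exact versions keep this example short.
const sampleAdvisories = {
  "old-parser": [{ id: "ADV-EXAMPLE-0001", affected: ["2.0.0", "2.0.1"] }],
};

// Constructed organisation policy: licenses that dependencies may carry.
const allowedLicenses = new Set(["MIT", "Apache-2.0", "BSD-3-Clause"]);

// The package name is the path segment after the last "node_modules/", which
// also covers nested installs and scoped packages such as "@scope/pkg".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// SBOM-style inventory: one entry per installed dependency, root excluded.
function buildInventory(lockfile) {
  return Object.entries(lockfile.packages)
    .filter(([installPath]) => installPath !== "")
    .map(([installPath, meta]) => ({
      name: packageNameFromPath(installPath),
      version: meta.version,
      license: meta.license || "UNKNOWN",
    }));
}

// Vulnerability identification: every (name, version) that an advisory lists.
function findVulnerableDependencies(inventory, advisories) {
  const findings = [];
  for (const dep of inventory) {
    for (const adv of advisories[dep.name] || []) {
      if (adv.affected.includes(dep.version)) {
        findings.push({ name: dep.name, version: dep.version, advisory: adv.id });
      }
    }
  }
  return findings;
}

// License management: dependencies whose license is not on the allow-list.
// An unknown license is treated as a violation rather than silently accepted.
function findLicenseViolations(inventory, allowed) {
  return inventory.filter((dep) => !allowed.has(dep.license));
}

// Stand-alone run: print the inventory and both kinds of findings.
const inventory = buildInventory(sampleLockfile);
console.log("inventory:", inventory);
console.log("vulnerable:", findVulnerableDependencies(inventory, sampleAdvisories));
console.log("license violations:", findLicenseViolations(inventory, allowedLicenses));
```

Walking the lockfile rather than `package.json` matters: transitive dependencies such as `nested-dep` only exist in the lockfile, and the same package can be installed at several nested paths with different versions, each of which must be checked separately.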

Supported platforms

Dependency analysis is currently available for the following languages and package managers:

  • JavaScript/TypeScript (npm, yarn, pnpm, bun)
  • Java, Kotlin, Scala (Maven, Gradle)
  • Python (pip, poetry, pipenv)
  • C# / .NET (nuget)
  • Go
  • Ruby (bundler)
  • Rust (Cargo)

Advanced SAST

SonarQube Server is a Static Application Security Testing (SAST) tool. It examines your project's source code, without executing it, allowing you to find vulnerabilities before they enter your codebase.

The issue categories detected through SAST include SQL injection, cross-site scripting, insecure deserialization, secret detection, and more. See Security related rules for more information.

Advanced SAST extends code analysis and scanning into the parts of the code path that lie inside open-source dependencies, which ordinary SAST treats as unknown. It helps you identify deeper and more complex vulnerabilities that arise from the interaction between your application code and third-party (open-source) code.
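The following added example (not SonarQube's own code) illustrates the cross-function data flow that the taint analysis described earlier on this page tracks, and that Advanced SAST follows further into dependency code: untrusted input enters at a source, passes through an ordinary helper, and reaches a SQL sink. The vulnerable sink is shown beside its parameterized form. The request shape (`req.query`), the `makeDbStub` client stand-in and the sample username value are assumptions constructed for this example.

```javascript
// Added example (not SonarQube's own code): a source -> propagation -> sink
// taint flow, with a vulnerable sink and its hardened counterpart. The request
// object, the db stub and the sample value are constructed; nothing executes SQL.

// SOURCE: untrusted data enters from the HTTP request (assumed shape: req.query).
function readUsernameParam(req) {
  return req.query.username;
}

// PROPAGATION: the value passes through a helper that could live in another file.
// Taint analysis follows the value across this boundary instead of stopping here;
// trim() does not sanitize anything, so the result stays tainted.
function buildUserFilter(username) {
  return username.trim();
}

// Stand-in for a database client: records SQL text and bound parameters so the
// example runs offline and the two sinks can be compared.
function makeDbStub() {
  const calls = [];
  return {
    calls,
    query(text, values = []) {
      calls.push({ text, values });
      return calls.length;
    },
  };
}

// VULNERABLE SINK: tainted data is concatenated into the statement, so the
// input can change the query's structure. This is the flow SAST reports.
function findUserVulnerable(db, req) {
  const filter = buildUserFilter(readUsernameParam(req));
  const sql = "SELECT id, email FROM users WHERE username = '" + filter + "'";
  db.query(sql);
  return sql;
}

// HARDENED SINK: same flow, but the tainted value is bound as a parameter.
// The statement text is a constant; the input can only ever be data.
function findUserParameterized(db, req) {
  const filter = buildUserFilter(readUsernameParam(req));
  const sql = "SELECT id, email FROM users WHERE username = $1";
  db.query(sql, [filter]);
  return { text: sql, values: [filter] };
}

// Constructed request carrying a textbook tautology payload.
const sampleRequest = { query: { username: "alice' OR '1'='1" } };

// Stand-alone run: show what each sink hands to the database.
const db = makeDbStub();
console.log("vulnerable statement:", findUserVulnerable(db, sampleRequest));
console.log("parameterized call:", findUserParameterized(db, sampleRequest));
```

The point an analyzer makes here is that the fix is at the sink, not at the source: `buildUserFilter` is unchanged, but once the value is bound as a parameter the statement structure is fixed and the flow no longer ends in a vulnerability.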

Advanced SAST is available for the following languages:

  • JavaScript/TypeScript
  • Java 
  • C# / .NET


© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
