Release notes

AI and mobile compliance reporting

Extends our regulatory coverage to include critical AI and Mobile security standards such as OWASP Top 10 for LLM and OWASP MASVS for project security reports. This feature is available in the Enterprise edition and above. See Security-related rules for more information.

Feedback mechanism for self-hosted LLMs

Improves the success rate of generating valid AI CodeFix suggestions from self‑hosted LLMs.

JFrog Evidence Collection with SonarQube Server

This integration provides a single, verifiable audit trail if you use both SonarQube and JFrog with strict audit trail and compliance requirements. SonarQube analysis results are automatically signed and directly attached to your JFrog packages to create a single, verifiable source of truth. You no longer have to jump between tools to prove your code meets security standards. Everything you need for a rigorous audit is now visible within the JFrog Evidence Collection interface. This feature is available in the Enterprise edition and above. See JFrog Evidence Collection integration for more information.

SonarQube Advanced Security

This feature is available in the Enterprise edition and above.

Malicious package detection

Receive blocker-level alerts if a dependency matches publicly known datasets of known malicious packages. See Advanced Security for more information.

Quality gate fudge factor improved

To avoid overly strict enforcement of small changes, the quality gate ignores coverage and duplication conditions for very small sets of new code. See Changing instance's default quality gate for more information.

Languages

Cobol

Adds support for parsing additional language constructs and includes fixes for crashes and false positives for COBOL. Related rules include:

• S3938: Track uses of forbidden statements

• S1725: Open files should be closed explicitly

• S1574: Data items should be initialized with data of the correct type

• S1289: Unused data item blocks should be removed

IaC

The analysis of Infrastructure as Code (Ansible, Azure Resource Manager, CloudFormation, Docker, Kubernetes, Terraform, Shell, GitHub Actions) has been improved.

Helm templates are now evaluated even if values.yaml is missing.

The following rules have been added:

• S6437: Credentials should not be hard-coded

• S7638: ACTIONS_ALLOW_UNSECURE_COMMANDS should not be used

• S8232: Workflows should not rely on unverified GitHub context values to trust events

• S8233: Write permissions should be defined at the job level

• S8262: Artifacts should not contain secrets

• S8263: GitHub Action invocations should not be vulnerable to parameter injection attacks

• S8264: Read permissions should be defined at the job level

JCL

A new leaveFile API is available for custom rules for JCL language, giving rule authors more control over how files are processed and reported.

.NET 10 and C# 14 support

Empowers .NET teams to adopt the Long Term Support (LTS) release of .NET 10 and C# 14 immediately, ensuring their analysis remains accurate, performant, and free of false positives associated with new language constructs. See VB.NET and C# for more information.

Related rules:

• S1121: Assignments should not be made from within sub-expressions

• S1144: Unused private types or members should be removed

• S2225: "ToString()" method should not return null

• S2292: Trivial properties should be auto-implemented

• S2325: Methods and properties that don't access instance data should be static

• S2583: Conditionally executed code should be reachable

• S2589: Boolean expressions should not be gratuitous

• S2692: "IndexOf" checks should not be for positive numbers

• S2953: Methods named "Dispose" should implement "IDisposable.Dispose"

• S2970: Assertions should be complete

• S3063: "StringBuilder" data should be used

• S3264: Events should be invoked

• S3398: "private" methods called only by inner classes should be moved to those classes

• S3459: Unassigned members should be removed

• S3877: Exceptions should not be thrown from unexpected methods

• S3928: Parameter names used into ArgumentException constructors should match an existing one

• S4545: "DebuggerDisplayAttribute" strings should reference existing members

• S7039: Content Security Policies should be restrictive

PHP

Reduces false positives on several rules and cleans up build and dependency infrastructure for PHP. Related rules:

• S1155: "empty()" should be used to test for emptiness

• S1172: Unused function parameters should be removed

• S2699: Tests should include assertions

• S1068: Unused "private" fields should be removed

Scala

Include fixes to false positives and negatives for Scala on the following rules:

• S1192: String literals should not be duplicated

• S126: "if ... else if" constructs should end with "else" clauses

Secrets

Secrets rules have been improved to reduce the detection of false positives and the following rule have been added:

• S6418: Hard-coded secrets are security-sensitive

• S2068: Hard-coded passwords are security-sensitive

• S7552: SMTP credentials should not be disclosed

• S8350: xAI API keys should not be disclosed

VB6

Fixes parse errors and line count for VB6. Related rules:

• S138: Subs and functions should not have too many lines

• S1151: "Case" clauses should not have too many lines