SonarQube
By Sonar
A long-established code quality and security scanner sold in three editions since a late-2024 rebrand: self-hosted SonarQube Server, SaaS-delivered SonarQube Cloud, and the free SonarQube Community Build. The Community Build's core is LGPL-3.0, but Sonar moved its bundled language analyzers to a separate, non-OSI source-available license in November 2024, so the free edition as typically run is not fully OSI open source.
Verified Source: 1
- Product type
- Software
- Deployment
- SaaSOn-premCLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Freemium
Capability checklist
SASTHow SonarQube measures up against the full Static Application Security Testing taxonomy.
- Source code vulnerability scanning — supported
- Analyzes source code for security flaws without executing the application.
- IDE & CI/CD integration — supported
- Surfaces findings directly in the developer's editor or pull request.
- Language & framework coverage — supported
- Breadth of programming languages and frameworks the scanner understands.
- False-positive triage & prioritization — not supported
- Ranks and filters findings so developers focus on the issues that matter.
- Secrets detection — not supported
- Flags hardcoded credentials, API keys, and tokens committed to source code.
- Custom rule authoring — not supported
- Lets teams write organization-specific detection rules beyond the built-in set.
- PR / commit gating — supported
- Blocks merges when new high-severity findings are introduced.
- IaC & container config scanning — supported
- Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.
Alternatives
Other Static Application Security Testing tools with overlapping capabilities, sized for similar teams.