Cyber Tool Stack
All tools

SonarQube

By Sonar

A long-established code quality and security scanner sold in three editions since a late-2024 rebrand: self-hosted SonarQube Server, SaaS-delivered SonarQube Cloud, and the free SonarQube Community Build. The Community Build's core is LGPL-3.0, but Sonar moved its bundled language analyzers to a separate, non-OSI source-available license in November 2024, so the free edition as typically run is not fully OSI open source.

Verified Source: 1

Product type
Software
Deployment
SaaSOn-premCLI
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Freemium

Capability checklist

SAST

How SonarQube measures up against the full Static Application Security Testing taxonomy.

Source code vulnerability scanning — supported
Analyzes source code for security flaws without executing the application.
IDE & CI/CD integration — supported
Surfaces findings directly in the developer's editor or pull request.
Language & framework coverage — supported
Breadth of programming languages and frameworks the scanner understands.
False-positive triage & prioritization — not supported
Ranks and filters findings so developers focus on the issues that matter.
Secrets detection — not supported
Flags hardcoded credentials, API keys, and tokens committed to source code.
Custom rule authoring — not supported
Lets teams write organization-specific detection rules beyond the built-in set.
PR / commit gating — supported
Blocks merges when new high-severity findings are introduced.
IaC & container config scanning — supported
Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.

Alternatives

Other Static Application Security Testing tools with overlapping capabilities, sized for similar teams.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.