SonarQube

Category: SAST
License: Commercial (with Free Community Edition)
Suphi Cankurt
AppSec Enthusiast
Updated February 11, 2026
3 min read
Key Takeaways
  • Free Community Edition covers 35+ languages with 6,000+ static analysis rules
  • Commercial tiers (Developer, Enterprise, Data Center) add branch analysis, OWASP Top 10 reports, and portfolio management
  • AI CodeFix generates LLM-powered remediation suggestions for detected issues
  • Self-hosted only — no SaaS option available from SonarSource
  • 10,200+ GitHub stars; one of the most widely adopted SAST platforms

SonarQube (sometimes misspelled as SonarCube or Sonar Qube) is a code quality and security platform that analyzes 35+ languages with over 6,000 built-in rules. It is a SAST tool that combines security vulnerability detection with code quality analysis — tracking bugs, code smells, duplication, and maintainability alongside security issues.

The open-source Community Edition is available on GitHub under LGPL-3.0 with over 10,200 stars. Commercial tiers add more languages, branch analysis, and advanced security features like taint analysis.

What is SonarQube?

SonarQube performs continuous code quality measurement across three areas: code reliability (bugs), application security (vulnerabilities and security hotspots), and maintainability (code smells and technical debt).

The platform provides quality gates that can block deployments when code doesn’t meet configured thresholds. PR decoration shows findings directly on pull requests in GitHub, GitLab, Bitbucket, and Azure DevOps.

35+ Languages, 6,000+ Rules
Covers Java, JavaScript, TypeScript, Python, C#, C++, PHP, Kotlin, Go, Rust, COBOL, Apex, and more. Rules cover security, reliability, maintainability, and code smells.
Quality Gates
Configurable thresholds that pass or fail code on coverage, duplication, reliability, security, and maintainability. Integrated into CI/CD to block releases that don’t meet standards.
AI CodeFix
LLM-powered automated fix suggestions for detected issues. MCP Server integration allows AI coding assistants to access SonarQube findings and generate fixes.

SonarQube project dashboard showing quality gate status, reliability, security, and maintainability ratings

Key features

Security analysis

SonarQube detects security vulnerabilities and security hotspots. According to OWASP’s Source Code Analysis Tools guide, static analysis tools like SonarQube are recommended as part of a defense-in-depth approach to application security. Paid tiers add taint analysis that traces data flow from user input to dangerous operations for injection detection. The security rules cover OWASP Top 10, CWE Top 25, and SANS Top 25.

SonarQube issues list showing vulnerability details with severity levels and affected code locations

Code quality

Beyond security, SonarQube tracks code reliability (bugs), maintainability (code smells), and test coverage. Technical debt is quantified as estimated remediation time. Duplication detection identifies copy-pasted code across the project.

CI/CD integration

SonarQube integrates with Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket Pipelines. The SonarScanner CLI handles the analysis, while quality gates provide pass/fail decisions for CI/CD gates. PR decoration shows new findings directly on pull requests.

SonarQube quality gate configuration showing pass/fail conditions for code coverage, duplication, and reliability

Community vs. commercial
The free Community Edition covers 19 languages with single-branch analysis. The Developer Edition adds branch analysis, PR decoration, and 12+ additional languages. The Enterprise Edition adds portfolio management and advanced security (taint analysis). The Data Center Edition adds high availability. Commercial editions are priced per instance based on lines of code.

SonarCloud

SonarCloud is the SaaS version of SonarQube, hosted by SonarSource. It is free for public/open-source projects and requires a subscription for private projects. It provides the same analysis capabilities without self-hosting.

Getting started

1. Install SonarQube — Download from sonarqube.org, run with Docker (docker run -p 9000:9000 sonarqube:community), or use SonarCloud for SaaS.
2. Configure SonarScanner — Install the SonarScanner CLI or use build-tool-specific scanners (Maven, Gradle, .NET). Configure sonar-project.properties with your project key and server URL.
3. Run your first analysis — Execute sonar-scanner in your project directory. Results appear in the SonarQube dashboard within seconds to minutes depending on project size.
4. Set up quality gates — Configure pass/fail conditions for coverage, duplication, reliability, security, and maintainability. Connect to your CI/CD pipeline for automated gating.

When to use SonarQube

SonarQube is a good fit for teams that want both code quality and security analysis in a single platform. The quality gate system is one of the most mature in the market, and the PR decoration makes findings visible without leaving the development workflow.

The free Community Edition works well for single-branch projects. Teams that need branch analysis, PR decoration, or advanced security features will need a paid tier.

For teams focused purely on security, dedicated SAST tools like Semgrep, Checkmarx, or Snyk Code may provide deeper vulnerability detection. SonarQube’s strength is its breadth — covering quality and security together. For a deeper comparison of testing approaches, see our guide on SAST vs DAST vs IAST.

Best for
Teams that want unified code quality and security analysis with mature quality gates, PR decoration, and broad language coverage.

Frequently Asked Questions

What does SonarQube do?
SonarQube analyzes source code for quality issues and security vulnerabilities across 35+ languages. It flags code smells, bugs, security vulnerabilities, and security hotspots. The platform has over 6,000 built-in rules and provides quality gates for CI/CD pipelines.
Is SonarQube free?
The Community Edition is free and open-source under LGPL-3.0, covering 19 languages with basic security rules. Paid tiers (Developer, Enterprise, Data Center) add more languages, branch analysis, taint analysis, and advanced security features.
How does SonarQube compare to Semgrep?
SonarQube focuses on code quality and security together, while Semgrep is more narrowly focused on security-specific pattern matching. SonarQube has a more polished UI and built-in quality gates, but Semgrep offers easier custom rule writing and faster scan times.
SonarQube vs SonarCloud: which should I use?
SonarQube is self-hosted and gives you full control over your infrastructure. SonarCloud is the SaaS version hosted by SonarSource — free for public/open-source projects. Choose SonarCloud if you want zero maintenance overhead and primarily work on cloud-hosted repositories. Choose SonarQube if you need on-premises control, custom plugins, or have data residency requirements.
Can SonarQube run in CI/CD pipelines?
Yes. SonarQube has native integrations for Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket Pipelines. The SonarScanner CLI can be added to virtually any build system. Quality gates can fail builds when code doesn’t meet configured thresholds.