SonarQube
by SonarSource SA
Code quality and security analysis platform with SAST, taint analysis, and compliance reporting
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SSDF (SP 800-218) Executive Summary: "Following such practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences." The SSDF tasks most relevant to a static analysis platform (paraphrased from SP 800-218 v1.1 unless in quotation marks):
PW.7.1: determine whether code review and/or code analysis tools should be used to find issues in code, either fully automated or in conjunction with a person.
PW.7.2: perform the code review and/or code analysis against the organization's secure coding standards, and record and triage every discovered issue in the development team's workflow or issue tracking system.
PW.5.1: follow the secure coding practices appropriate to the development languages and environment.
RV.1.2: "Review, analyze, and/or test the software's code to identify or confirm the presence of previously undetected vulnerabilities."
SonarQube's automated static analysis supports these tasks. Two caveats: the SSDF describes practices for the organization to tailor, not mandatory requirements, and a tool covers only the analysis half of PW.7.2; the recording and triage half still has to be wired into the team's issue tracker (for example by failing the pipeline on new findings or exporting them through the Web API).
Secure code review methodology. SonarQube automates detection of many OWASP Top 10 categories (injection, cryptographic failures, security misconfiguration and similar code-level weaknesses), tags each finding with its OWASP category and provides remediation guidance. Design-level categories such as broken access control and insecure design are only partially detectable by static analysis and still need manual review.
Security rules documentation covering CWE, OWASP and CWE Top 25 (formerly the CWE/SANS Top 25) mappings, with detection and remediation details for each rule.
SOC 2 CC8.1: "The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." SonarQube Quality Gates provide the automated test-and-approve evidence for code changes that CC8.1 change management expects. Note that a Quality Gate by itself only reports OK or ERROR; it blocks a change only when the pipeline is configured to act on that result, for example by running the scanner with sonar.qualitygate.wait=true so the scan step fails, or by making the SonarQube status check a required check before merge. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.25: "Rules for the secure development of software and systems shall be established and applied to developments within the organisation." SonarQube helps apply the established rules through automated static analysis and Quality Gates; the rules themselves (which rule profile, which gate conditions) still have to be defined and documented by the organization. Source: ISO/IEC 27001:2022 Annex A.
ISO 27001:2022 A.8.28: "Secure coding principles shall be applied to software development." SonarQube detects violations of secure coding practices, including OWASP Top 10 vulnerabilities, CWE weaknesses and CWE Top 25 entries, giving organizations a measurable way to enforce A.8.28. Source: ISO/IEC 27001:2022 Annex A.
Verification Commands
Commands and queries for testing and verifying security configurations.
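As an added example (not part of this page and not SonarSource's code), the following Python CI step issues the same Web API calls as the curl commands in this section and turns the three responses into a single pass/fail decision: the gate must be OK, no open BLOCKER/CRITICAL vulnerability may exist, and no HIGH-probability Security Hotspot may still be TO_REVIEW. Assumed for the example: the SONAR_HOST_URL and SONAR_TOKEN environment variables and the project key as the first argument for the live run, the severity and probability thresholds, and the sample JSON, which is constructed to match the API's response shapes with made-up keys, components and values.

```python
"""CI gate over SonarQube Web API responses (added example, not SonarSource code).

Fetches Quality Gate status, vulnerability-type issues and Security Hotspots for a
project and exits non-zero when the gate is not OK, an open BLOCKER/CRITICAL
vulnerability exists, or a HIGH-probability hotspot is still TO_REVIEW.
Evaluates the constructed samples below when no server is configured.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample responses. Shapes follow api/qualitygates/project_status,
# api/issues/search and api/hotspots/search; keys, components, rule ids and
# values are illustrative, not real analysis output.
SAMPLE_GATE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "3"},
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.2"}]}}
SAMPLE_ISSUES = {"total": 3, "issues": [
    {"key": "i-1", "rule": "java:S2076", "severity": "BLOCKER", "type": "VULNERABILITY",
     "status": "OPEN", "component": "demo:src/Shell.java", "line": 42},
    {"key": "i-2", "rule": "java:S3649", "severity": "MINOR", "type": "VULNERABILITY",
     "status": "OPEN", "component": "demo:src/Repo.java", "line": 7},
    {"key": "i-3", "rule": "java:S3649", "severity": "CRITICAL", "type": "VULNERABILITY",
     "status": "RESOLVED", "component": "demo:src/Old.java", "line": 99}]}
SAMPLE_HOTSPOTS = {"hotspots": [
    {"key": "h-1", "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
     "status": "TO_REVIEW", "component": "demo:src/Repo.java", "line": 10},
    {"key": "h-2", "securityCategory": "weak-cryptography", "vulnerabilityProbability": "LOW",
     "status": "REVIEWED", "resolution": "SAFE", "component": "demo:src/Hash.java", "line": 3}]}


def api_get(base_url, token, path, **params):
    """GET a Web API endpoint with token auth, equivalent to `curl -u TOKEN: URL`."""
    url = base_url.rstrip("/") + "/" + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate_passed(gate):
    """True only for status OK; ERROR and NONE (project never analysed) both fail."""
    return gate["projectStatus"].get("status") == "OK"


def failed_conditions(gate):
    """Readable list of the Quality Gate conditions currently in ERROR."""
    return [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
            for c in gate["projectStatus"].get("conditions", []) if c.get("status") == "ERROR"]


def open_vulnerabilities_by_severity(issues):
    """Count unresolved VULNERABILITY issues per severity; resolved/closed ones are ignored."""
    counts = {}
    for issue in issues.get("issues", []):
        if issue.get("type") == "VULNERABILITY" and issue.get("status") in ("OPEN", "CONFIRMED", "REOPENED"):
            sev = issue.get("severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def unreviewed_hotspots(hotspots, min_probability="HIGH"):
    """Hotspots still TO_REVIEW whose vulnerability probability is at least min_probability."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    return [h for h in hotspots.get("hotspots", [])
            if h.get("status") == "TO_REVIEW"
            and rank.get(h.get("vulnerabilityProbability"), 0) >= rank[min_probability]]


def evaluate(gate, issues, hotspots, block_on=("BLOCKER", "CRITICAL")):
    """Return (passed, report_lines) after applying the three checks."""
    report, passed = [], True
    if not gate_passed(gate):
        passed = False
        report.append("Quality Gate status: " + str(gate["projectStatus"].get("status")))
        report += ["  failed condition: " + c for c in failed_conditions(gate)]
    counts = open_vulnerabilities_by_severity(issues)
    blocking = sum(counts.get(sev, 0) for sev in block_on)
    passed = passed and blocking == 0
    report.append(f"open vulnerabilities by severity: {counts} (blocking: {blocking})")
    todo = unreviewed_hotspots(hotspots)
    passed = passed and not todo
    for h in todo:
        report.append(f"unreviewed {h['vulnerabilityProbability']} hotspot [{h['securityCategory']}] "
                      f"{h['component']}:{h.get('line', '?')}")
    return passed, report


def check_project(base_url, token, project_key):
    """Live variant of the curl queries. ps=500 is the API's page-size maximum; a project
    with more results needs paging over p=1..n, which this example does not implement."""
    gate = api_get(base_url, token, "api/qualitygates/project_status", projectKey=project_key)
    issues = api_get(base_url, token, "api/issues/search", projectKeys=project_key,
                     types="VULNERABILITY", ps=500)
    hotspots = api_get(base_url, token, "api/hotspots/search", projectKey=project_key, ps=500)
    return evaluate(gate, issues, hotspots)


if __name__ == "__main__":
    # Assumed contract: SONAR_HOST_URL, SONAR_TOKEN and the project key as argv[1];
    # without them the constructed samples are evaluated instead.
    host, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    if host and token and len(sys.argv) > 1:
        ok, lines = check_project(host, token, sys.argv[1])
    else:
        ok, lines = evaluate(SAMPLE_GATE, SAMPLE_ISSUES, SAMPLE_HOTSPOTS)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Run without a server it reports the failed gate condition, one blocking vulnerability and one unreviewed hotspot from the samples and exits 1, which is what a CI step should do. For the Quality Gate alone, sonar.qualitygate.wait=true on the scanner gives the same effect with no scripting; the script is worth it for the severity and hotspot-review checks, which the gate's conditions may not express, and for producing the report that SOC 2 CC8.1 evidence collection wants.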
Run the analysis (sonar.token needs SonarQube 10.0+ and SonarScanner 5.0+; older versions use sonar.login; add -Dsonar.qualitygate.wait=true to make the scan step itself fail when the Quality Gate fails):
sonar-scanner -Dsonar.projectKey=PROJECT_KEY -Dsonar.host.url=SONAR_URL -Dsonar.token=TOKEN
Web API queries; the token is passed as the Basic-auth username with an empty password:
Quality Gate result for the project (projectStatus.status is OK, ERROR, or NONE when the project has never been analysed):
curl -u TOKEN: "SONAR_URL/api/qualitygates/project_status?projectKey=PROJECT_KEY"
Security Hotspots, which are tracked separately from vulnerabilities (status TO_REVIEW means nobody has assessed the hotspot yet):
curl -u TOKEN: "SONAR_URL/api/hotspots/search?projectKey=PROJECT_KEY"
Vulnerability-type issues for the project:
curl -u TOKEN: "SONAR_URL/api/issues/search?projectKeys=PROJECT_KEY&types=VULNERABILITY"
Security measures at project level:
curl -u TOKEN: "SONAR_URL/api/measures/component?component=PROJECT_KEY&metricKeys=security_rating,vulnerabilities,security_hotspots"
Issues tagged with OWASP Top 10 2021 categories A01 to A03, saved to a file for a compliance report:
curl -u TOKEN: "SONAR_URL/api/issues/search?projectKeys=PROJECT_KEY&owaspTop10-2021=a01,a02,a03" -o owasp-report.json
Issues mapped to specific CWEs (79 cross-site scripting, 89 SQL injection, 22 path traversal):
curl -u TOKEN: "SONAR_URL/api/issues/search?projectKeys=PROJECT_KEY&cwe=79,89,22"
The search endpoints are paginated (p for page, ps for page size, at most 500); when total exceeds the page size, loop over pages or the report is incomplete.
Related Controls
Security controls from various frameworks that relate to SonarQube.