Sonar announced the upcoming availability of SonarQube Advanced Security. The
new offering will extend SonarQube's analysis capabilities beyond first-party
and AI-generated code to include third-party open source code. With this
announcement, Sonar will deliver the first fully integrated solution for
developers to find and fix code quality and code security issues in the
development phase of the software development lifecycle (SDLC).
SonarQube
Advanced Security includes Software Composition Analysis (SCA) and advanced
Static Application Security Testing (SAST), and will be available to all
SonarQube customers. Today, SonarQube is the industry standard for code
quality, used by +7 million developers at over 400,000
organizations.
Code security features to supercharge developers
Sonar's
new, enhanced security offering gives developers unprecedented visibility to
find and fix security issues as they code. SonarQube Advanced Security features
strengthen a robust set of existing security capabilities, which will remain
available in the core SonarQube solution.
SonarQube
Advanced Security includes the following features:
- Software Composition Analysis (SCA):
- Vulnerability identification in
third-party dependencies.
Streamlined processes for tracking, managing, and mitigating known
vulnerabilities (including CVEs) in third-party open source dependencies.
- License compliance. Ensuring that all incorporated
components meet the organization's policies for allowed software
licenses.
- The ability to generate software
bill of materials (SBOMs).
Detailed inventories that help teams understand, manage, and report on
the composition of their code.
- Advanced SAST. Detection of hidden
vulnerabilities in your code's interactions with third-party dependencies
that traditional tools fail to detect.
SonarQube
core code security capabilities include:
- SAST. The foundation of secure code,
identifying security weaknesses and vulnerabilities in first-party code.
- Taint analysis. Uncovering injection
vulnerabilities (e.g. cross-site scripting, SQL Injection) that span
multiple files to ensure user input is used safely across the entire
application.
- Secrets detection. Automatically scanning for
hard-coded secrets, helping teams prevent credential leakage.
- Infrastructure as Code (IaC)
scanning. Finding
security misconfigurations in your infrastructure as code to ensure secure
production environments.
- Security reporting. Report on code compliance for
standards like OWASP Top 10, PCI DSS, STIG, CASA, and CWE Top 25.
- Security engine custom
configuration. Fine-tune
security configurations for organization-specific needs.
"Our
approach to code security is rooted in the same philosophy that allowed us to
become the leaders in code quality - we put developers first," said Tariq
Shaukat, CEO of Sonar. "The release of advanced security features as an
extension of our existing SonarQube offering provides an even more
comprehensive integrated code quality and code security solution that empowers
developers to build better, faster."
SonarQube
Advanced Security is the first step in integrating Sonar's
recent acquisition of Tidelift and its unique, proactive approach to improving third-party code
quality and code security by working directly with open source
maintainers.
Starting Left: An integrated approach to code quality and code
security
SonarQube
Advanced Security takes the concept of "shift left" a step further to "start
left." With this "start left" approach, code security and code quality issues
are prioritized at the beginning of the SDLC. The later code security and code
quality issues are caught in the SDLC, the
more expensive they are to fix. By starting left, developers increase their productivity and
effectiveness while producing high quality, secure code.