# SonarQube

> SonarQube is a static code analysis platform that detects bugs, security vulnerabilities, code smells, and secrets across 40+ programming languages to ensure code quality and security.

SonarQube is an integrated code quality and security platform by SonarSource that performs static analysis on both human-written and AI-generated code. It detects bugs, security vulnerabilities, code smells, hard-coded secrets, and dependency risks across 40+ programming languages and frameworks. Available as a cloud-hosted SaaS (SonarQube Cloud), a self-managed server (SonarQube Server), and a free IDE extension (SonarQube for IDE), it fits into any development workflow from individual developers to large enterprises.

- **Static Application Security Testing (SAST):** *Automatically scans code for security vulnerabilities including SQL injection, XSS, taint analysis, and IaC misconfigurations.*
- **Secrets Detection:** *Identifies hard-coded credentials and secrets in source code before they reach production.*
- **AI CodeFix:** *Leverages LLMs to suggest automated fixes for detected bugs, vulnerabilities, and code quality issues directly within the workflow.*
- **Software Composition Analysis (SCA):** *Available via Advanced Security add-on; detects open source dependency vulnerabilities, performs license checks, and generates SBOMs.*
- **Quality Gates:** *Enforce organization-wide coding standards and block non-compliant code from being merged or deployed.*
- **CI/CD Integration:** *Seamlessly integrates with GitHub, GitLab, Bitbucket, Azure DevOps, Jenkins, CircleCI, and more for automated analysis in every pipeline.*
- **SonarQube for IDE:** *Free extension for VS Code, IntelliJ, Eclipse, and other IDEs that provides real-time, on-the-fly feedback as developers write code.*
- **MCP Server:** *Connects Sonar's trusted analysis to AI-powered developer tools and agents, enabling AI-native IDEs to automatically identify and remediate issues.*
- **Compliance Reporting:** *Generates security reports aligned to OWASP Top 10, PCI-DSS, STIG, CWE, MISRA, and CASA standards for regulatory compliance.*
- **Architecture Management:** *Provides visibility into code architecture to manage technical debt and enforce structural standards.*

To get started, sign up for the free tier at sonarsource.com, connect your DevOps platform (GitHub, GitLab, Bitbucket, or Azure DevOps), and run your first analysis. For IDE feedback, install the SonarQube for IDE extension from your IDE's marketplace.

## Features

- Static code analysis (SAST)
- Secrets detection
- Software Composition Analysis (SCA)
- AI CodeFix
- Quality gates
- Code smell detection
- Bug detection
- Security vulnerability detection
- IaC scanning
- Taint analysis
- Pull request analysis
- Branch analysis
- Compliance reporting (OWASP, PCI-DSS, STIG, CWE, MISRA, CASA)
- SBOM generation
- Architecture management
- Technical debt management
- MCP Server integration
- IDE real-time feedback
- CI/CD pipeline integration
- Portfolio management
- Audit logs
- SSO via SAML
- Customizable project dashboards
- 40+ programming languages and frameworks support

## Integrations

GitHub, GitLab, Bitbucket, Azure DevOps, Jenkins, CircleCI, Harness, CodeMagic, Gradle, Apache Maven, NPM, Python (PyPI), JFrog, Docker Scout, Datadog, Slack, Atlassian Jira, Atlassian Compass, Amazon CodeCatalyst, MuleSoft, SAP, Port, LinearB, Jellyfish, Eclipse, Microsoft Visual Studio, Microsoft VS Code, JetBrains IntelliJ, JetBrains PyCharm, JetBrains CLion, Cursor, Devin, Windsurf, Zed, Google Gemini CLI, Claude Code

## Platforms

ANDROID, WEB, API, VSC_EXTENSION, JETBRAINS_PLUGIN, CLI

## Pricing

Freemium — Free tier available with paid upgrades

## Links

- Website: https://www.sonarsource.com
- Documentation: https://docs.sonarsource.com/sonarqube-cloud/
- EveryDev.ai: https://www.everydev.ai/tools/sonarqube