What's New in SonarQube | Governance and Quality Gates at Scale | Sonar Summit 2026
A product update session highlighting the latest SonarQube governance features, including enhanced Quality Gate configuration, portfolio-level reporting, and new controls for managing code quality at enterprise scale.
SonarQube continues to evolve as a comprehensive code quality and security platform, with recent updates designed to address the challenges posed by AI-generated code in modern software development. Brian Cipollone, representing Sonar's solutions engineering team, outlined several significant enhancements that underscore the company's commitment to maintaining code quality and security as development practices transform. With artificial intelligence increasingly contributing to codebases, Sonar has prioritized features that ensure every line of code—whether written by humans or AI—undergoes thorough verification and meets organizational standards.
Software Composition Analysis and Dependency Management
Software Composition Analysis (SCA) has been integrated into SonarQube to address risks associated with open-source dependencies. The feature automatically identifies and tracks open-source libraries, scanning them for known security vulnerabilities (CVEs), license compliance issues, and malicious packages. SonarQube presents detected dependency risks alongside existing code analysis, providing users with clear guidance on issue severity, location, and remediation steps. Sonar also partners with open-source maintainers to gather first-party insights on vulnerability exploitability, enabling organizations to prioritize remediation efforts effectively. Users can manage exceptions with full audit trails, and the integration with SonarQube for IDE allows teams to address dependencies earlier in the development cycle. Additionally, the Software Bill of Materials (SBOM) export feature supports popular formats and is available at both project and portfolio levels, enabling management and security teams to assess organizational dependency exposure comprehensively.
Advanced Integration and AI-Ready Architecture
The introduction of the SonarQube MCP (Model Context Protocol) server represents a major architectural evolution designed to integrate SonarQube analysis into modern AI-assisted development environments. The MCP server enables SonarQube's analysis and reporting capabilities to work seamlessly with AI coding assistants such as Cursor and Windsurf, as well as agentic workflows powered by Claude Code. By providing AI agents with structured, contextual feedback about code issues—including their exact locations and remediation suggestions—the MCP server allows autonomous agents to write more secure, reliable, and maintainable code from the first commit. This capability significantly reduces manual review overhead while embedding quality and security standards into the development process itself. The SonarQube MCP server is freely available via GitHub for all versions of SonarQube Server and Cloud.
Expanded Language Support and Rule Coverage
Sonar has substantially expanded language support to ensure comprehensive coverage across diverse technology ecosystems. New additions include full-fledged analysis for Rust, a language gaining traction for its performance and safety guarantees, as well as CI/CD automation support through GitHub Actions and general scripting via shell script analysis. Configuration file analysis now covers YAML and properties files to identify security issues in infrastructure and application settings. Concurrently, Sonar has enhanced analysis for established languages: Java now includes advanced security vulnerabilities and modern language features, Python offers deeper insights into performance bottlenecks and framework-specific issues, and .NET provides comprehensive support for newer versions with more granular bug detection. Support for Go, Ruby, and Apex has been dramatically expanded with emphasis on security analysis. In total, Sonar has added over 1,000 new rules across 31 languages in the past year, with all new rules immediately available on SonarQube Cloud and released alongside SonarQube Server updates.
Security Through Secrets Detection and Quality Gates
Secrets detection remains a critical component of SonarQube's security posture, with Sonar introducing over 340 rules that detect more than 450 secret patterns across hundreds of cloud services and APIs. The engine combines regular expressions with semantic analysis to keep the false positive rate low, so developers and AI agents receive high-signal, actionable feedback without alert fatigue. By catching secrets before they are committed, SonarQube helps organizations build trust into every line of code. Secrets detection is available across all SonarQube Cloud and Server versions, as well as on the desktop through SonarQube for IDE and command-line tools. Quality gates have been enhanced to integrate dependency risk directly into the enforcement pipeline, so organizations can break builds or block merges when license violations or high-risk dependencies are detected, ensuring AI-generated and human-written code alike meet security and compliance standards.
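The regex-plus-semantic approach described above, as an added illustration that is not Sonar's engine or rule set: a two-stage detector in Python where a regular expression matches the shape of a credential and a second stage drops documentation placeholders and low-entropy filler. The patterns, placeholder markers, entropy threshold, and the sample input (including the fabricated key values) are all assumptions made for this example.

```python
"""Two-stage secret detection: regex shape match, then semantic filtering.

Illustrative detector written for this article; it is not Sonar's engine or
rule set. Patterns, thresholds and the sample input are all assumptions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Stage 1: credential shape. Fixed prefixes and lengths make these patterns
# precise; the generic rule is deliberately looser to show why stage 2 matters.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic-api-key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}

# Stage 2: semantic filters that separate real credentials from documentation
# values, fixtures and placeholders (the main source of false positives).
PLACEHOLDER_MARKERS = ("example", "sample", "dummy", "changeme", "xxxx", "your_")
MIN_ENTROPY_BITS = 3.0  # assumed threshold; real keys sit well above it


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    secret: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; repetitive filler scores near zero."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Reject well-known documentation keys and padded filler like 'AAAA...'."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS) or len(set(value)) <= 3


def scan(text: str) -> list:
    """Return a Finding for every line whose candidate survives both stages."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if looks_like_placeholder(candidate):
                    continue  # documentation value or filler, not a leak
                if shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                    continue  # too regular to be a generated credential
                findings.append(Finding(rule, line_no, candidate))
    return findings


# Constructed sample: one documentation key, one filler token, and three
# fabricated (not real) credentials in plausible config/shell syntax.
SAMPLE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                      # AWS docs placeholder
    'AWS_ACCESS_KEY_ID = "AKIAQ7X2MB4KR9ZLT6PV"',                      # fabricated, looks real
    'token = "' + "A" * 24 + '"',                                      # low-entropy filler
    "export GITHUB_TOKEN=ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3",   # fabricated
    'api_key = "s9Kq2Lm7Vt4Xw8Rp1Zb5Nh3Jd6Fg0Yc"',                     # fabricated
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.rule:<20} line {f.line_no}: {f.secret[:8]}...")
```

Running the block reports three findings (lines 2, 4 and 5) and stays silent on the AWS documentation key and the all-A token, which a regex-only scanner would flag. In a real engine the second stage is far richer (checksum validation, file and variable context, known-placeholder lists), but the division of labour is the same: the regex finds candidates, the semantic stage decides which ones are worth a developer's attention.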
Key Takeaways
- Software Composition Analysis is now available as part of SonarQube's advanced security add-on, providing comprehensive dependency risk assessment, license compliance management, and SBOM export capabilities at both project and portfolio levels.
- MCP Server integration enables