SonarQube Advanced Security now available for SonarQube Cloud Enterprise
Learn what SonarQube Advanced Security unlocks for SonarQube Cloud Enterprise users, including advanced SAST capabilities, taint tracking across data flows, and enterprise-level security reporting.
Expanding Security Beyond First-Party Code
SonarQube has announced the availability of Advanced Security for SonarQube Cloud Enterprise Plus editions, building on the success of its SonarQube Server launch in May 2025. This new offering represents a significant expansion of SonarQube's security capabilities, moving beyond traditional first-party code analysis to address the broader security landscape of modern software development. The expansion acknowledges a critical reality: developer-written in-house code comprises only approximately 20% of modern software, with the remaining 80% consisting of third-party open source libraries and dependencies.
Advanced SAST and Taint Analysis
The Advanced Security offering includes enhanced Static Application Security Testing (SAST) capabilities powered by taint analysis that traces untrusted data through deeper call paths. This approach gives developers better visibility into how their first-party code interacts with third-party open source libraries, enabling detection of vulnerabilities that might otherwise remain hidden. A notable real-world example demonstrates the offering's effectiveness: the discovery of a critical-severity vulnerability (scored 9.8) that was only identifiable because the analysis traced how the customer's code actually reached the vulnerable library function through its call paths.
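To make the "reachable through call paths" point concrete, here is an added illustration (not SonarQube's code or data model): a breadth-first taint propagation over a constructed call graph that distinguishes a vulnerable library function that untrusted input actually reaches from one that is merely present in the dependency tree. The function names, the sanitizer and the sink descriptions are all hypothetical.

```python
from collections import deque

# Constructed sample data (not SonarQube's model): a call graph for a small
# first-party app plus the third-party functions it calls. An edge means
# "the caller forwards its (possibly tainted) arguments to the callee".
CALL_GRAPH = {
    "app.handle_request": ["app.build_query", "app.log_metrics"],
    "app.build_query": ["libdb.execute_raw"],
    "app.log_metrics": ["libmetrics.record"],
    "libdb.execute_raw": [],
    "libmetrics.record": [],
    # Present in the dependency tree, but nothing in app.* ever calls it.
    "libyaml.load_unsafe": [],
}
TAINT_SOURCES = {"app.handle_request"}       # entry points fed by untrusted input
VULNERABLE_SINKS = {                         # hypothetical advisories, not real CVEs
    "libdb.execute_raw": "SQL built from untrusted input",
    "libyaml.load_unsafe": "deserialization of untrusted data",
}
SANITIZERS = {"app.escape_input"}            # taint stops at these functions

def find_taint_paths(call_graph, sources, sinks, sanitizers):
    """Breadth-first search from each source; returns every call path that
    reaches a vulnerable sink without passing through a sanitizer."""
    paths = []
    for src in sources:
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                paths.append(path)
                continue                     # taint has reached its sink
            for callee in call_graph.get(node, []):
                if callee in sanitizers or callee in path:
                    continue                 # cleansed, or a recursive cycle
                queue.append(path + [callee])
    return paths

def reachable_sinks(call_graph, sources, sinks, sanitizers):
    """Sinks that tainted data actually reaches, as opposed to merely present ones."""
    return {p[-1] for p in find_taint_paths(call_graph, sources, sinks, sanitizers)}

def with_sanitizer(call_graph):
    """Constructed 'after the fix' graph: build_query escapes input before libdb."""
    fixed = {k: list(v) for k, v in call_graph.items()}
    fixed["app.build_query"] = ["app.escape_input"]
    fixed["app.escape_input"] = ["libdb.execute_raw"]
    return fixed

if __name__ == "__main__":
    for path in find_taint_paths(CALL_GRAPH, TAINT_SOURCES, VULNERABLE_SINKS, SANITIZERS):
        print(" -> ".join(path), "|", VULNERABLE_SINKS[path[-1]])
    print("after fix:", reachable_sinks(with_sanitizer(CALL_GRAPH), TAINT_SOURCES, VULNERABLE_SINKS, SANITIZERS))
```

Only libdb.execute_raw is reported, because libyaml.load_unsafe has no call path from any source; once build_query routes through the sanitizer, the finding disappears even though the vulnerable dependency is still installed.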
Software Composition Analysis and Risk Management
Software Composition Analysis (SCA) forms the core of the Advanced Security suite, enabling organizations to maintain comprehensive visibility of all open source libraries in use, their licenses, and any known vulnerabilities. The SCA capabilities support vulnerability management for both direct and transitive dependencies, allowing teams to identify and remediate open source security risks throughout their dependency tree. Additionally, the offering provides the ability to generate Software Bill of Materials (SBOM) documents in machine-readable formats, facilitating both internal compliance tracking and transparent communication with customers regarding open source usage.
Quality Gates and Policy Enforcement
SonarQube's Advanced Security integrates quality gates that enable teams to prevent new security risks from entering the codebase while allowing customization for new code versus legacy code contexts. A specialized version of these quality gates addresses licensing management, allowing organizations to configure and enforce licensing policies directly within developer workflows. This approach removes the burden of developers manually tracking internal licensing requirements, instead embedding compliance directly into the tools developers already use daily.
Partnership and Developer Experience
The Advanced Security offering was developed in partnership with open source maintainers through contractual relationships that enhance dependency lifecycle resilience and provide deeper insights during security incident response. These partnerships also enable the implementation of secure development practices that collectively reduce the time and effort developers spend managing open source dependencies. By automating and streamlining open source risk management, SonarQube aims to minimize developer toil while strengthening overall security posture.
Key Takeaways
- Advanced Security extends SonarQube's capabilities from first-party code analysis to comprehensive third-party open source security assessment
- Advanced SAST with taint analysis provides deeper visibility into how customer code uses vulnerable libraries, enabling detection of critical vulnerabilities
- Software Composition Analysis (SCA) covers vulnerability management, SBOM generation, and licensing policy enforcement across the entire dependency tree
- Quality gates and licensing management capabilities integrate directly into developer workflows to prevent security and compliance risks
- Partnerships with open source maintainers strengthen the offering while reducing developer effort in managing open source dependencies