Sonar.tv

SonarQube Advanced Security for SonarQube Cloud Enterprise — Full Configuration Walkthrough

SonarQube Cloud, October 13th 2025 (6:29)

An extended walkthrough of SonarQube Advanced Security on SonarQube Cloud Enterprise, demonstrating configuration, taint analysis findings, and how teams can operationalize security at scale.

Overview of Dependency Risk Management

SonarQube Cloud Enterprise now offers advanced security capabilities that provide developers with a comprehensive view of dependency risks directly within their existing code quality workflows. The platform displays all dependency risks present in production code, including 26 dependency risks in the demonstrated example from the main branch. Rather than requiring developers to switch between multiple tools, these security insights are integrated into the familiar SonarQube interface where teams already manage code quality issues.

Risk Identification and Remediation Guidance

The platform identifies two primary categories of dependency risks: vulnerabilities and prohibited licenses. When developers encounter a vulnerability, SonarQube provides detailed remediation guidance that includes the current version in use, available partial fixes through minor releases, and the timeline to a complete fix. For direct package dependencies, developers can view the dependency tree and understand exactly how risks enter their projects. Additionally, for packages with established contractual relationships between SonarQube and maintainers, the platform includes enhanced post-mortem reviews of Common Vulnerabilities and Exposures (CVEs), potential workarounds, and false positive identification—information contributed directly by the software maintainers themselves.

Status Management and Auditability

Developers maintain control over risk management through customizable status options for each identified risk. Teams can accept risks while acknowledging that immediate remediation isn't feasible, mark issues as confirmed to prioritize quick resolution, or designate risks as posing no threat with proper project context. The platform enables developers to leave detailed notes on each risk decision, creating an auditable record that helps organizations track security decisions over time and maintain compliance documentation.

Quality Gates and License Profile Configuration

Organizations can establish quality gates that automatically fail builds when new vulnerabilities of specified severity levels are introduced into the codebase. Beyond vulnerability management, the platform includes sophisticated licensing profile capabilities that allow teams to define organizational policies around open source license usage. Rather than applying uniform policies across all projects, administrators can create multiple licensing profiles tailored to specific project types—allowing more permissive policies for internal applications while enforcing stricter compliance for distributed or mobile applications. Pre-built starter templates accelerate policy creation by offering common configurations such as permissive license allowance with weak copyleft acceptance.
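The two policy concepts in this section, a per-project licensing profile and a quality gate that fails only on newly introduced vulnerabilities above a severity threshold, modelled as an added illustration. This is not SonarQube's own code or API; the profile contents, component inventory and vulnerability ids are constructed placeholders.

```python
"""Illustrative model of project-specific license profiles and a severity-based
quality gate for new dependency vulnerabilities. Constructed data throughout."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Starter-template style license groups (illustrative SPDX identifiers).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}

PROFILES = {
    # Internal applications: permissive licenses plus weak copyleft accepted.
    "internal": PERMISSIVE | WEAK_COPYLEFT,
    # Distributed or mobile applications: permissive licenses only.
    "distributed": PERMISSIVE,
}

@dataclass
class Component:
    name: str
    version: str
    license: str
    vulns: dict = field(default_factory=dict)  # vulnerability id -> severity

def license_risks(components, profile):
    """Names of components whose license the chosen profile does not allow."""
    allowed = PROFILES[profile]
    return [c.name for c in components if c.license not in allowed]

def gate_fails(components, baseline_vuln_ids, min_severity):
    """Fail only on vulnerabilities absent from the baseline (newly introduced)
    whose severity is at or above min_severity; accepted risks do not break the build."""
    threshold = SEVERITY_RANK[min_severity]
    new_hits = [(c.name, vid) for c in components for vid, sev in c.vulns.items()
                if vid not in baseline_vuln_ids and SEVERITY_RANK[sev] >= threshold]
    return bool(new_hits), new_hits

# Constructed SBOM-like inventory; PLACEHOLDER-VULN ids are not real advisories.
SAMPLE = [
    Component("web-framework", "4.1.0", "MIT", {"PLACEHOLDER-VULN-1": "HIGH"}),
    Component("xml-parser", "1.9.2", "LGPL-3.0-only", {"PLACEHOLDER-VULN-2": "MEDIUM"}),
    Component("db-driver", "2.0.0", "GPL-3.0-only"),
]
ACCEPTED = {"PLACEHOLDER-VULN-1"}  # reviewed and accepted on the main branch

if __name__ == "__main__":
    print(license_risks(SAMPLE, "internal"))       # ['db-driver']
    print(license_risks(SAMPLE, "distributed"))    # ['xml-parser', 'db-driver']
    print(gate_fails(SAMPLE, ACCEPTED, "HIGH"))    # (False, [])
    print(gate_fails(SAMPLE, ACCEPTED, "MEDIUM"))  # (True, [('xml-parser', 'PLACEHOLDER-VULN-2')])
```

Raising the profile from "internal" to "distributed" surfaces the weak-copyleft parser as well, which is the graduated tightening the section describes.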

Software Bill of Materials and Flexible Deployment

SonarQube generates a comprehensive Software Bill of Materials (SBOM) that teams can search, filter, and export in machine-readable formats for integration with supply chain security processes. The graduated implementation approach enables organizations new to open source licensing compliance to start with the most critical license violations and expand their enforcement policies incrementally. This flexibility makes the advanced security features accessible to teams at various maturity levels in their security practices.

Key Takeaways

  • Advanced Security integrates dependency risk management directly into SonarQube workflows, eliminating tool switching for developers
  • Enhanced CVE information from package maintainers provides context and workarounds to accelerate informed remediation decisions
  • Quality gates and customizable status management enable organizations to enforce security policies while accommodating business decisions
  • Flexible licensing profiles support different organizational policies for different project types and risk tolerance levels
  • Machine-readable SBOM exports and graduated rollout options support enterprise-wide security and compliance initiatives