Announcing Advanced Security for SonarQube Cloud Team plan

7 min read


Satinder Khasriya

Product Marketing Manager, Code Security

TL;DR overview

  • SonarQube Advanced Security is now available on the SonarQube Cloud Team plan to provide built-in dependency risk analysis, software composition analysis (SCA), and malware detection.
  • The feature protects against rising software supply chain threats, which recently compromised major tools like Axios and Trivy within minutes.
  • It integrates directly into existing developer workflows, code quality gates, and the IDE without requiring separate, fragmented security tools.
  • Teams can instantly identify vulnerable public packages, track license visibility, and enforce secure code standards prior to merging repository branches.

Dependency risk analysis (SCA, dependency-aware taint analysis, and malware detection) is now available for SonarQube Cloud Team plan customers. Because in 2026, "we don't know what's in our code" is no longer an acceptable answer.

The supply chain is the new front line

If you've been watching the headlines this spring, you already know: the software supply chain isn't just a target anymore. It's the target.

In a 39-minute window on March 31, attackers hijacked a maintainer account for Axios (one of the most downloaded HTTP clients in the JavaScript ecosystem, with roughly 80 million weekly downloads) and pushed two backdoored versions (1.14.1 and 0.30.4) tagged as latest and legacy. A single npm install axios was enough to drop a cross-platform RAT on macOS, Windows, and Linux developer machines and CI runners.

Just twelve days earlier, the Trivy supply chain compromise turned a security scanner itself into a weapon. The TeamPCP group force-pushed 76 of 77 version tags in aquasecurity/trivy-action to point at malicious commits, distributed a backdoored trivy v0.69.4 binary, and spawned CanisterWorm, a self-propagating npm worm that compromised 66+ packages, 28 of them in under 60 seconds. The same campaign has since expanded to Bitwarden CLI, Checkmarx KICS, and LiteLLM.

The lesson from Axios, Trivy, tj-actions/changed-files, ua-parser-js, Codecov, and SolarWinds before them is the same one, said louder each time:

You can no longer treat your dependencies as someone else's problem.

Every transitive package, every pinned version, every postinstall script is part of your attack surface. And the gap between "a malicious version is published" and "it's running in your CI" is now measured in minutes.
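The three surfaces named above (transitive packages, pinned versions, install scripts) can all be read straight out of an npm lockfile. The following Python script is an added example, not Sonar's code and not part of the original post: it audits a package-lock.json (lockfileVersion 3 layout) for exact versions on a deny-list, packages that declare an install lifecycle script (npm's real `hasInstallScript` field), and tarballs resolved from a host other than the expected registry, and labels each finding as a direct or transitive dependency. The only identifiers taken from the post are the two backdoored Axios versions; the sample lockfile, the other package names and the mirror hostname are constructed for the demonstration.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile. "axios" 1.14.1 is one of the two backdoored
# releases named in the post; every other package, version and URL here is
# made up so the script can run offline.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/left-pad-ish": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-2.0.0.tgz",
            "hasInstallScript": True,  # npm sets this when the package has install hooks
        },
        "node_modules/axios/node_modules/follow-redirects": {
            "version": "1.15.6",
            "resolved": "https://mirror.example.internal/follow-redirects-1.15.6.tgz",
        },
    },
})

# Exact (name, version) pairs to refuse. Only the two Axios versions come from
# the post; in practice this list would be fed from an advisory source.
KNOWN_BAD = {("axios", "1.14.1"), ("axios", "0.30.4")}

# Hosts we expect tarballs to be fetched from; anything else is worth a look.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(key):
    # Lockfile keys look like "node_modules/a/node_modules/@scope/b";
    # the package name is whatever follows the last "node_modules/".
    return key.rsplit("node_modules/", 1)[1]


def audit_lockfile(text):
    """Return a list of findings, each a dict with name, version, scope, reason."""
    lock = json.loads(text)
    packages = lock.get("packages", {})
    direct = set(packages.get("", {}).get("dependencies", {}))
    findings = []
    for key, entry in packages.items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = package_name(key)
        version = entry.get("version", "")
        scope = "direct" if name in direct else "transitive"

        def flag(reason):
            findings.append({"name": name, "version": version,
                             "scope": scope, "reason": reason})

        if (name, version) in KNOWN_BAD:
            flag("known-compromised version")
        if entry.get("hasInstallScript"):
            flag("declares install lifecycle script")
        host = urlparse(entry.get("resolved", "")).hostname
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            flag(f"resolved from untrusted host {host}")
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['scope']:10} {f['name']}@{f['version']}: {f['reason']}")
```

Run it against a real package-lock.json by replacing SAMPLE_LOCKFILE with the file contents; a non-empty result is the signal to block the merge, which is exactly where a quality gate belongs.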

Advanced Security is now available for SonarQube Cloud Team plan

SonarQube Advanced Security has been part of the Enterprise plan since its launch. Today, we're extending that access to SonarQube Cloud Team plan customers—the same battle-tested capability, on the plan your team is already on.

It fits into the workflow your software developers already use—no new tool to roll out, no new dashboard to babysit, no new process to fight for. It builds on the code quality and code security capabilities of SonarQube Team by adding the open source visibility modern teams can't ship without:

  • Software Composition Analysis (SCA) – analyze and enumerate every dependency you actually use and ship.
  • Malicious package detection – know exactly which public packages your code resolves to.
  • License visibility – see license details inline with dependency details.
  • Vulnerability checks – detect publicly reported vulnerabilities in your dependencies.
  • Quality Gates + IDE integration – enforce before merge, fix from inside SonarQube for IDE.

Why this matters for Team-plan customers

Until today, the SonarQube Cloud Team plan customers most exposed to supply chain risk (small and mid-sized teams shipping fast, without a dedicated AppSec function) had to either bolt on a separate SCA tool or fly blind. Fragmented tooling means fragmented context: alerts live in one place, code lives in another, developers context-switch, and remediation slips.

The Team plan with Advanced Security fixes that. The same quality gate that already blocks a merge on a code smell can now block it on a vulnerable dependency. The same SonarQube for IDE plugin that already shows your software developers a bug fix will now show them a dependency they shouldn't be pulling in. The same workflow. One source of truth.

Concretely, for Team plan customers, this means:

Reduce risk

  • Know what you ship with always-on dependency visibility.
  • Catch vulnerable dependencies earlier in the lifecycle—before they ever reach a runner.

Move faster

  • Keep code quality, code security, and dependency intelligence in one place.
  • Enforce standards using quality gates—before merge, not after incident.
  • Give software developers actionable guidance directly in SonarQube for IDE.

Use SonarQube Enterprise for more capabilities

Advanced Security for Team covers detection. If your team has compliance obligations or needs organization-wide reporting and visibility, SonarQube Enterprise adds a governance layer on top:

  • Portfolios to track across projects
  • Reporting, for an at-a-glance view of your risk
  • Software bill of materials (SBOM) export for compliance
  • License policies and license risk tracking to match your Enterprise requirements

If that's not where you are today, Advanced Security on the Team plan is the right starting point.

Ship with confidence

SonarQube Advanced Security is available today for all SonarQube Cloud Team plan customers. Turn it on, point it at your repos, and find out what's actually in your software—before someone else does.

Build trust into every line of code

Integrate SonarQube into your workflow and start finding vulnerabilities today.
