The Cyber Resilience Act: Why AI velocity demands automated verification


Ekaterina Okuneva

Product Marketing Manager

10 min read

  • AI
  • Code security


In our previous post about the European Union’s Cyber Resilience Act (CRA), we explored the tension between the speed of AI-assisted development and the legal requirement for secure by design software. Since then, the conversation has moved from adoption to accountability. AI is no longer a future goal—it is the new baseline for software development.

That said, Sonar’s 2026 State of Code Developer Survey highlights a significant security trust gap. Despite the productivity gains of AI, 96% of developers do not fully trust that AI-generated code is functionally correct. The security concerns are even more acute: 57% of developers worry about AI code exposing sensitive company or customer data, and 47% are concerned that AI is introducing new, subtle vulnerabilities into their codebase. Without automated AI code review and verification, the force multiplier effect of AI in the software development lifecycle (SDLC) can quickly become a risk multiplier for the business.

Scaling verification to match AI velocity

The CRA makes no distinction between code written by a developer and code suggested by an AI. The manufacturer remains the legal anchor of responsibility. As code volume increases, the traditional reliance on manual peer review becomes a physical bottleneck. To stay compliant and competitive, the speed of your verification must match the speed of your creation.

SonarQube provides this essential infrastructure, acting as the automated verification solution that ensures all code—regardless of its origin—is production-ready, secure, and maintainable.

Mapping SonarQube capabilities to CRA mandates

To meet the CRA's standard of due diligence, organizations must provide streamlined, standardized evidence that their products are built correctly and maintained securely. SonarQube’s technical capabilities map directly to the essential requirements of the Act:

Minimizing vulnerabilities through SAST

The CRA requires manufacturers to minimize vulnerabilities before products are placed on the market (Article 13). SonarQube’s static application security testing (SAST) directly supports this mandate by identifying exploitable coding weaknesses early in development. This prevents the introduction of common vulnerability classes—such as injection flaws and insecure deserialization—by embedding security into developer workflows, whether AI-assisted or developer-powered, rather than relying on downstream testing.

Safeguarding system access

The rapid pace of AI development increases the risk of hard-coded credentials. This directly impacts the CRA requirement for manufacturers to ensure protection against unauthorized access through appropriate control mechanisms (Annex I). SonarQube scans the entire codebase for API keys, passwords, and sensitive tokens that may have been inadvertently included by an AI coding tool, ensuring they are removed before exposure.

Software supply chain security & managing third-party risk

Modern software heavily relies on open-source and third-party components—a key focus area under the CRA. Software Composition Analysis (SCA) within SonarQube enables organizations to identify vulnerable dependencies, detect malicious or compromised packages, and continuously monitor component risk over time as AI coding introduces new dependencies. This supports CRA obligations for transparency and lifecycle risk management (Annex I) by providing visibility into external software dependencies.

Verifying "no known vulnerabilities"

A cornerstone of the CRA is the mandate to ship products without known exploitable vulnerabilities (Annex I). SonarQube Advanced Security uses the NVD, EPSS, KEV, and OSV databases to verify that components are free from known risks. In addition, by enabling a start-left approach, SonarQube for IDE gives developers instant feedback to detect and fix compliance issues at the moment of creation.

Mastering supply chain transparency

Manufacturers must identify and document dependencies via a software bill of materials (SBOM) (Annex I). SonarQube Advanced Security automatically generates machine-readable SBOMs, ensuring a traceable inventory management process and helping teams maintain control over the entire software lifecycle and quickly identify and remediate vulnerabilities.

Generating audit trails and proof

Compliance requires an auditable record of security activities. SonarQube delivers secure, immutable, and detailed audit logs that capture lifecycle changes, configuration updates, and security events, simplifying the creation of documentation required for CRA risk assessments.

The SonarQube engine: Enforcement and assessment

To bridge the gap between AI speed and regulatory reality, SonarQube provides two distinct points of verification:

1. The enforcement point: Actionable intelligence

The most efficient way to streamline compliance with the CRA is to prevent non-compliant code from ever entering the codebase.

  • Quality gates: These act as an automated "stop/go" mechanism in the CI/CD pipeline. They ensure that no code—regardless of its origin—can proceed if it fails to meet the organization's standards for code health and security.
  • IDE-based boundaries: By integrating directly into the developer's workflow, SonarQube helps developers maintain high standards without sacrificing the speed they gain from AI.
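As an added illustration (not Sonar's own code), the stop/go decision a CI job can make from a SonarQube quality-gate status. It assumes the response shape of the `/api/qualitygates/project_status` Web API and a hypothetical token-based login; the payload below is constructed, and anything other than an explicit "OK" fails closed.

```python
"""Stop/go decision from a SonarQube quality-gate status (added example)."""
import json
import sys
from urllib.request import Request, urlopen


def gate_verdict(project_status: dict) -> tuple[bool, list[str]]:
    """Return (passed, failing_conditions) from a project_status payload.

    Anything other than an explicit "OK" counts as a failure, so an unexpected
    status such as "NONE" (no analysis yet) cannot silently let code through.
    """
    status = project_status.get("projectStatus", {})
    failing = [
        f"{c['metricKey']}: actual {c.get('actualValue')} "
        f"{c.get('comparator')} threshold {c.get('errorThreshold')}"
        for c in status.get("conditions", [])
        if c.get("status") != "OK"
    ]
    return status.get("status") == "OK" and not failing, failing


def fetch_status(host: str, project_key: str, token: str) -> dict:
    """Query the server; host, project_key and token are hypothetical CI inputs.

    Bearer-token authentication is assumed here; adjust to your server's scheme.
    """
    req = Request(f"{host}/api/qualitygates/project_status?projectKey={project_key}")
    req.add_header("Authorization", f"Bearer {token}")
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payload: one passing and one failing gate condition.
SAMPLE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.0"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
]}}

if __name__ == "__main__":
    passed, reasons = gate_verdict(SAMPLE)
    for reason in reasons:
        print("quality gate condition failed:", reason)
    sys.exit(0 if passed else 1)  # a non-zero exit blocks the pipeline stage
```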

2. The assessment point: Transparency and governance

For leadership and risk officers, compliance is built on visibility.

  • Portfolio management: SonarQube delivers a high-level view of codebase health across the entire organization. This transforms invisible code debt into visible data, allowing leaders to monitor risk accumulation across business units.
  • Customizable project dashboards: Designed to provide the strategic visibility needed to monitor key metrics, identify risks, and communicate progress—all from one configurable, actionable place.

Turning regulation into resilience

The Cyber Resilience Act is a mandate for a new era of software craftsmanship. Attempting to retrofit compliance in an AI-accelerated world is a risky and expensive path. By deploying SonarQube as a standardized AI code review and verification solution, organizations can safely harness the full power of AI while maintaining the hard governance and transparency required to assert total control over their regulatory responsibilities.

Build trust into every line of code
