Customers have asked, and we’re responding. SonarQube Server 2025 Release 3 is out with transformative capabilities that deliver a unified solution for code quality and code security. Developers no longer need to operate separate environments to achieve secure, well-maintained first-party and third-party code. Platform engineering teams that manage developer experience and tooling can remove the operational overhead and cost of multiple tools. SonarQube Advanced Security goes GA with new Software Composition Analysis (SCA) and advanced SAST capabilities. Additionally, we now support SAST for Kotlin and have even more secrets detection capabilities. We enable your developers to move faster because AI-generated auto-fixes are here to immediately resolve code quality and code security issues in Enterprise Edition and Data Center Edition! We are expanding compliance with more rules for MISRA C++:2023 and new reports for key security standards: CWE Top 25 2024 and OWASP Mobile Top 10. We’ve grown our breadth and depth in language coverage across Rust, Java, and PySpark for Python.
General Availability of SonarQube Advanced Security
Advanced Security, now generally available as an add-on pack, extends the core security capability by adding support for open source code. Developers and security teams benefit from features like Software Composition Analysis (SCA), detailed vulnerability detection, license compliance checks, and advanced SAST. This comprehensive security suite is essential for organizations requiring strong security assurance and adherence to compliance standards.
New Advanced Security capabilities in this release include:
- Shift dependency information left: Developers can now see security and licensing risks on each dependency version in their pull requests and overall code. Developers can use actionable remediation guidance and deeper reviews from open source maintainers to reduce both the time spent on risk and the overall risk.
- Configure a quality gate to include a dependency risk score: Quality Gates can now include dependency risk scores, preventing code with high-risk dependencies from entering production. Developers and quality managers can set thresholds for vulnerability and license risks, maintaining a high quality and highly secure codebase.
- Configure a company’s license compliance policy: This feature allows organizations to define and enforce custom license compliance policies within SonarQube. Developers and legal teams can track existing license risks, prevent new issues, and ensure adherence to company-specific requirements. This reduces legal and financial risks associated with open-source software usage.
- Understand dependency risks on new and overall code: The project overview screen now displays dependency risk counts, providing developers with immediate insights into the health of their project dependencies. This quick visibility streamlines risk assessment and enables faster resolution of dependency issues.
- Summarize dependency risks across applications and portfolios: This feature enables the discovery and analysis of dependency risks across multiple applications and portfolios. Security teams gain a high-level overview of vulnerabilities, enabling strategic prioritization and efficient risk management. This holistic view is essential for large organizations managing complex software landscapes.
- Provide results of SCA and SBOM analysis via API: Enhanced API access for SCA results and Software Bill of Materials (SBOMs) allows for seamless integration with other tools and custom reporting. Developers and security teams can automate data extraction and analysis, improving workflow efficiency and facilitating alignment across security and development teams.
- Broad, and growing, language coverage for SCA: We’re starting with Java, C#, Python, JavaScript, TypeScript, Go, Rust, and Ruby to ensure that developers can quickly analyze third-party dependencies for vulnerabilities and licensing issues. This broadens SonarQube's security capabilities, ensuring all projects, regardless of language, benefit from thorough dependency checks.
Available in Enterprise Edition | Data Center Edition
Additional core security advancements
Static Application Security Testing (SAST) for Kotlin
The addition of SAST, including taint analysis, for Kotlin extends security checks to Kotlin-based projects. Developers working with Kotlin, especially in Android development, can now detect and prevent injection vulnerabilities more effectively. This ensures that Kotlin projects meet the same security rigor as Java projects, reducing security risks and enhancing application resilience.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Continued additions to secrets detection
Ongoing enhancements to secrets detection ensure SonarQube keeps pace with evolving cloud application security needs and brings our coverage to over 300 patterns. By improving the accuracy of secret and token detection, developers can prevent sensitive credentials from being accidentally exposed in code. This reduces the risk of data breaches and unauthorized access, critical for maintaining security integrity.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Big updates to SonarQube’s AI capability
AI CodeFix GA (General Availability)
AI CodeFix, now generally available in Enterprise and Data Center Editions, offers automated code remediation suggestions directly. Developers benefit from streamlined workflows, resolving issues faster and reducing manual effort. By providing context-aware fixes, AI CodeFix helps maintain code quality and accelerate development cycles. This feature is especially beneficial in large projects where quick issue resolution is crucial.
Available in Enterprise Edition | Data Center Edition
Leverage AI CodeFix directly in the IDE
Integrating AI CodeFix into VS Code, IntelliJ, and AI-native IDEs such as Cursor, Windsurf, and Trae provides developers with real-time code remediation suggestions. This direct assistance streamlines issue resolution, enhances productivity, and reinforces high-quality, secure coding practices within the development environment.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Expanding compliance capabilities
More MISRA C++:2023 rules
Continued expansion of MISRA C++:2023 rule coverage as part of our MISRA Compliance Early Access enhances compliance checks for safety-critical systems. Developers working in regulated industries, like automotive, benefit from comprehensive adherence to coding standards, reducing the risk of software failures.
Available in Enterprise Edition | Data Center Edition
New security reports: CWE and OWASP Mobile
SonarQube now provides reports aligned with the latest CWE Top 25 2024 and OWASP Mobile Top 10 standards. This empowers developers and managers to assess security risks against current industry benchmarks. By identifying vulnerabilities mapped to these standards, teams can prioritize remediation efforts effectively, reducing the likelihood of exploits and enhancing overall security posture.
Available in Enterprise Edition | Data Center Edition
Enhanced language coverage
Introducing support for the Rust language
Initial support for Rust provides developers with basic code quality checks and integration with the Clippy linter. This expansion caters to the growing Rust community and ensures that Rust projects can benefit from SonarQube's code analysis capabilities.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Support for Java 22 and 23
SonarQube now supports Java versions 22 and 23, ensuring developers can analyze their code with confidence when using the latest Java versions. New rules specifically tailored for Java 22 help catch issues early and maintain high code quality as developers adopt new language features and constructs.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Avoid pitfalls when using PySpark
Support for PySpark, a popular Python API for Apache Spark, adds the help data engineers need to identify and address potential issues in their large-scale data processing workflows. Detecting problems like data skew and serialization errors early on improves the efficiency and reliability of big data applications.
Available in Developer Edition | Enterprise Edition | Data Center Edition
Details of 2025 Release 3 are in the SonarQube Server release notes.
Ready to experience the power of SonarQube Server? Get it today and find out.