Static Application Security Testing (SAST)

security starts with Clean Code

Detect, explain and give appropriate next steps for Security Vulnerabilities and Hotspots in code review with Static Application Security Testing (SAST).

Start Free TrialRead the Deeper SAST Announcement
  • Request Demo
  • Take a Product Tour
  • Sonar Events
  • Contact Us

clean code with deeper SAST

Sonar’s new deeper SAST capability empowers organizations to identify and resolve application code issues originating from interactions with third-party open-source libraries. This unique feature enables Sonar's SAST to trace data flow in and out of libraries, effectively uncovering deeply concealed security vulnerabilities that other tools fail to detect.


Deeper SAST boosts the existing SAST engine, which already encompasses deep taint analysis, comprehensive security rules, cloud secret detection, and much more. Now, with this innovative technology, commercial editions of SonarQube and SonarCloud provide full visibility into the inner workings of the most popular libraries, ensuring unparalleled code analysis.


With Sonar's deeper SAST, organizations can confidently tackle code security challenges, achieve robust application security, and enjoy the benefits of a reliable and fortified codebase.

Try deeper SAST with SonarCloud
CODE SECURITY

benefits of deeper SAST

  • find deeply hidden security issues

  • accelerate secure development

  • reduce risk of security breaches

  • automate code scanning

  • code security and compliance

  • comprehensive detection engine and coverage

find deeply hidden security issues

99% of software applications use and interact with the code in third-party libraries (dependencies). Today, most SAST tools only analyze application code and not library code which are mostly a black box for these tools. Deeper SAST from Sonar extends code analysis and scanning to cover the unknown parts of the code that are in the open-source dependencies. Scanning dependencies (libraries) allows Sonar SAST to extend the dataflow analysis and find deeply hidden security issues in code that other tools cannot find. Deeper SAST is available today for Java, C#, and JavaScript/TypeScript in SonarQube and SonarCloud. It supports thousands of the topmost and commonly used open-source libraries, including their subsequent (transitive) dependencies. It scales automatically and will be expanded to cover more languages and libraries in the future. Machine Learning (ML) is used for optimization.

learn more about SAST and SonarQube. talk to an expert.
Request a Demo

security analysis

Designed to detect and fix a wide range of code issues that can lead to bugs and security vulnerabilities, Sonar supports over 30 programming languages and frameworks. Sonar's security analysis can help detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more. Our security rules are classified according to well-established security standards such as PCI DSS, CWE Top 25, and OWASP Top 10.

Graphic shows issues types that are detected by sonar, such as SQL injection, cross-site scripting, deserialization, XXE, path injection, secret detection, crptop API misuse, regex patterns, authentication, IaC misconfigs, Performance, File Manipution and much more! The image also shows the standards addressed by Sonar as well. The standards addressed are PCI DSS, OWASP Top 10, CWE Top 25 and OWASP ASVS

Security Hotspots > Code Review

Security hotspots are instances of security-sensitive code that require human review. Developers can learn to evaluate security risks and improve their understanding of secure coding practices by working with security hotspots.

Security Vulnerabilities > Code Change/fix

Security Vulnerabilities require immediate action. Sonar provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix, and secure your application.

maximum protection with taint analysis

Chase down the bad actors

Making sure user-provided data is sanitized before it hits critical systems (database, file system, OS, etc.) helps ensure your code security. Taint analysis tracks untrusted user input throughout the execution flow - across not just methods but also from file to file.

Explore more features
Visual Represents taint analysis

Critical code security rules for vital languages

Get highly relevant rules for critical languages to help keep your code secure with SAST tooling.


Languages like Java, PHP, C#, C, C++, Python, JavaScript, TypeScript, and more.

Explore all languages
Code Security

early security feedback, empowered developers

Take Ownership

real-time feedback

Getting security feedback during code review is your opportunity to learn more and take ownership of Code Security.

With sonar you can assign issues to other developers to help keep your code clean
IDE Integration

Connected Mode with SonarLint

Find Vulnerabilities and Security Hotspots leveraging Static Application Security Testing (SAST) with SonarQube or SonarCloud and fix them in your IDE with SonarLint as your guide.

Image shows the VS Studio, VS Code, Eclips, Intella J and C Lion Logo's and an example IDE environment
Quality Gate

Safe Code

Enforce Vulnerability standards and Security Hotspot Review in your Quality Gate to make sure you only merge safe code.

A passing quality gate is shown
Keep It Safe

Security Rules Explained

A deep understanding of the issue and its implications leads to a better fix and a safer application.

An error is found in code and identified while providing an explanation of the risk.

Sonar Security Reports

Security reports quickly give you the big picture of your code’s compliance with security standards. The reports allow you to know where you stand compared to the most common security mistakes. Regulatory reports track the quality of each release and provide evidence that the code delivered meets the quality standards of the organization.

Reports include:

  • PCI DSS (versions 4.0 and 3.2.1) 
  • OWASP Top 10 (versions 2021 and 2017)
  • CWE Top 25 (versions 2022, 2021, and 2020)
  • OWASP ASVS (version 4.0 with level 1 to 3)
See OWASP Top 10
Image shows security hotspot vulnerabilities based off of the WASP top 10

your end-to-end SAST tool

Seamlessly integrate static analysis into your software development workflow

DevOps and CI/CD

Integrating SAST into the DevOps and CI/CD pipelines empowers organizations to enhance the security posture of their software and ensure that vulnerabilities are identified early in the development lifecycle. Security analysis tools become an integral part of the development process and receive early real-time feedback as they commit code changes.  Sonar integrations are supported for popular DevOps and CI/CD Platforms including GitHub, GitLab, Azure Devops, TravisCI, CircleCI, and Bitbucket. Sonar provides native support for the most popular SCMs including Git , Subversion and community support for other popular SCMs such as CVS, Jazz RTC, Mercurial, TFVC.

Two developers work together to build new clean code

pull request decoration

Get instant code review directly inside your pull request and development branches. Fix issues before they become problems.

  • Implement a Go/No-Go quality gate to automatically fail CI/CD pipelines if code doesn't meet your standards
  • Review and prioritize code fixes directly within the DevOps Platform interface
  • Set up multiple quality gates for your monorepo with different projects to receive specific feedback messages for each project

IDE Integration with SonarLint

  • Superior code quality tool capabilities right into developers’ code environments
  • Real-time analytical feedback
  • Code issue highlighting
  • Strict code quality standards, along with vulnerability issue details and remediation guidance
  • Customizable rules allow developers to code based on their specific requirements
  • Advanced flexibility allows developer adaptation and adoption across multiple supported languages
Grupo Financiero Banorte Logo

"Sonar has helped our organization by enabling us to maintain code standards and code cleanliness."

Ricky Lopez, Security Architect/AppSec Manager @ Grupo Financiero Banorte, S.A. de C.V.

ready to secure your code?

Start with open sourceStart Your Enterprise Trial