SonarQube
By SonarSource
SonarQube is a static code analysis platform that continuously inspects source code for bugs, vulnerabilities, code smells, and test coverage gaps, enforcing quality gates as part of the development workflow.
Definition
SonarQube is a static code analysis platform that continuously inspects source code for bugs, vulnerabilities, code smells, and test coverage gaps, enforcing quality gates as part of the development workflow.
Overview
SonarQube was developed by SonarSource and became a widely adopted standard for automated code quality and security review across enterprise engineering teams, following its earlier life as a project simply named "Sonar." Language-specific analyzers scan source code without executing it, detecting bugs, security vulnerabilities, duplicated code, and "code smells" — patterns that hurt long-term maintainability. Results are tracked over time on a dashboard, and a configurable Quality Gate can block a build or pull request from merging if new code fails to meet defined thresholds for coverage, duplication, or issue severity. It integrates directly with CI/CD pipelines such as Jenkins, GitHub Actions, and GitLab CI, and supports dozens of programming languages. SonarQube is commonly placed directly in a pipeline as an automated quality and security gate alongside testing, while SonarCloud offers the same analysis as a hosted SaaS product for teams that don't want to self-host the SonarQube server.
Key Features
- Static analysis for bugs, vulnerabilities, and code smells across dozens of languages
- Configurable Quality Gates that can block merges failing quality thresholds
- Code coverage and duplication tracking over time
- Deep CI/CD integration with Jenkins, GitHub Actions, GitLab CI, and more
- Security-focused rules mapped to categories like OWASP and CWE
- Pull request decoration showing new issues directly in the code review