Code quality testing startup SonarSource SA today announced the upcoming release of SonarQube Advanced Security, a new offering that will extend the company’s analysis capabilities beyond first-party and artificial intelligence-generated code to include third-party open-source code.
The new solution is being pitched as the first fully integrated solution for developers to find and fix code quality and code security issues in the development phase of the software development lifecycle.
Sonar’s new solution delivers enhanced security that gives developers the visibility to find and fix security issues as they code. The SonarQube Advanced Security features strengthen existing security capabilities, which will remain available in the core SonarQube solution.
Features of SonarQube Advanced Security include software composition analysis for identifying vulnerabilities in third-party dependencies and streamlining the management of known security risks, including common vulnerabilities and exposures. The service also ensures license compliance, allowing organizations to verify that open-source components align with internal policies while providing the ability to generate a software bill of materials for better visibility and tracking.
The solution introduces advanced static application security testing, or SAST, which detects hidden vulnerabilities in code interactions with third-party dependencies that traditional tools may overlook. SonarQube Advanced Security gives developers a more comprehensive toolkit for maintaining high-quality, secure code throughout the development process.
SonarQube’s core security capabilities remain integral to the new offering, including SAST for first-party code, taint analysis to uncover injection vulnerabilities, and secrets detection to prevent hard-coded credential leaks. Additional features include infrastructure-as-code scanning for misconfiguration detection and security reporting to ensure compliance with industry standards such as the Open Web Application Security Project Top 10, Payment Card Industry Data Security Standard and Common Weakness Enumeration Top 25.
The service also supports custom security engine configurations to allow organizations to fine-tune security settings based on specific requirements.
“Our approach to code security is rooted in the same philosophy that allowed us to become the leaders in code quality — we put developers first,” said Sonar Chief Executive Tariq Shaukat. “The release of advanced security features as an extension of our existing SonarQube offering provides an even more comprehensive integrated code quality and code security solution that empowers developers to build better, faster.”
The forthcoming launch of SonarQube Advanced Security integrates technology from Tidelift Inc., which Sonar acquired in December. In particular, the release integrates Tidelift’s proactive approach to improving third-party code quality and code security by working directly with open-source maintainers.