We’re happy to announce that SonarQube Advanced Security is now available with automatic analysis.
What is automatic analysis?
Automatic analysis allows you to automatically analyze your code simply by reading it from your repository, without the need to configure a CI-based analysis, so you can start working on fixing issues right away.
What is SonarQube Advanced Security?
SonarQube Advanced Security brings the same security and quality analysis you expect from Sonar, but for your third-party dependencies. Check for known vulnerabilities, malicious packages, and compliance with your internal license policies.
What this means for you
Previously, SonarQube Advanced Security required CI-based analysis inside your pipelines. Now you can check your default branch directly and get continuously updated results as you push new code to your repository.
Notes
To analyze not just your direct but also your transitive dependencies, automatic software composition analysis (SCA) requires that lockfiles (such as package-lock.json) are committed to your repository. If they are not, you will only see results for direct dependencies, and a warning will be raised.
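To make the lockfile requirement concrete, the following is an added example (not SonarQube's own code, and not taken from this announcement) that shows why a manifest alone only yields direct dependencies while a committed lockfile yields the full, pinned transitive set. The manifest, the lockfileVersion 3 package-lock.json, and the package names and versions in it are constructed for illustration; the tracked-file list stands in for `git ls-files`, and the set of lockfile names checked is an assumption, since which lockfiles a given SCA tool accepts is tool-specific.

```python
import json
from typing import Dict, List, Optional, Set

# Constructed sample manifest: one direct dependency declared with a range.
PACKAGE_JSON = json.loads("""
{
  "name": "sample-app",
  "version": "1.0.0",
  "dependencies": { "express": "^4.18.0" }
}
""")

# Constructed sample npm lockfile (lockfileVersion 3 layout). The versions and
# dependency edges are illustrative, chosen to show a three-level chain.
PACKAGE_LOCK_JSON = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "express": "^4.18.0" } },
    "node_modules/express": { "version": "4.18.2",
      "dependencies": { "accepts": "~1.3.8", "cookie": "0.5.0" } },
    "node_modules/accepts": { "version": "1.3.8",
      "dependencies": { "mime-types": "~2.1.34" } },
    "node_modules/cookie": { "version": "0.5.0" },
    "node_modules/mime-types": { "version": "2.1.35" }
  }
}
""")

# Assumption: common JavaScript lockfile names; a real SCA tool documents its own list.
LOCKFILE_NAMES = {"package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"}


def lockfile_committed(tracked_files: List[str]) -> bool:
    """Return True if a lockfile is among the repository's tracked files.

    tracked_files stands in for the output of `git ls-files` (constructed here).
    A lockfile that exists on disk but is git-ignored would not appear in it,
    which is exactly the case where automatic SCA falls back to direct dependencies.
    """
    return any(path.rsplit("/", 1)[-1] in LOCKFILE_NAMES for path in tracked_files)


def inventory(manifest: dict, lock: Optional[dict]) -> dict:
    """Enumerate dependencies from the manifest, plus transitive ones if a lockfile is given.

    Without a lockfile only the declared (direct) names are known, and even those are
    ranges rather than pinned versions, so no transitive graph can be walked.
    """
    direct: Set[str] = set(manifest.get("dependencies", {}))
    if lock is None:
        return {
            "direct": sorted(direct),
            "transitive": [],
            "pinned": {},
            "warning": "no lockfile committed: transitive dependencies cannot be resolved",
        }

    packages = lock["packages"]
    pinned: Dict[str, str] = {}
    seen: Set[str] = set()
    queue = list(direct)
    while queue:
        name = queue.pop()
        if name in seen:
            continue
        seen.add(name)
        # Simplification: only top-level node_modules/<name> entries are looked up;
        # nested node_modules paths used for version conflicts are not modelled.
        entry = packages.get(f"node_modules/{name}")
        if entry is None:  # referenced but absent from the lockfile: leave unresolved
            continue
        pinned[name] = entry["version"]
        queue.extend(entry.get("dependencies", {}))

    return {
        "direct": sorted(direct),
        "transitive": sorted(seen - direct),
        "pinned": pinned,
        "warning": None,
    }


if __name__ == "__main__":
    tracked = ["package.json", "src/index.js"]  # constructed: lockfile not committed
    lock = PACKAGE_LOCK_JSON if lockfile_committed(tracked) else None
    print(json.dumps(inventory(PACKAGE_JSON, lock), indent=2))
    tracked.append("package-lock.json")
    print(json.dumps(inventory(PACKAGE_JSON, PACKAGE_LOCK_JSON), indent=2))
```

Run as-is, the first report lists only `express` with a warning; the second adds `accepts`, `cookie` and `mime-types` with their pinned versions. The practical check before enabling automatic analysis is therefore not "does a lockfile exist locally" but "does `git ls-files` show it", since an ignored lockfile leaves the analyzer in the direct-only mode the note describes.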
Learn more
For more information, see the SonarQube Advanced Security documentation.