Blog post: Code security: now there's a tool for developers

Hi all,

Our elves (please don’t tell them I called them that! :grinning_face_with_smiling_eyes:) have been hard at work all year to bring you one of the best holiday presents ever:

Hey SonarQube and SonarCloud users! You now have a tool to own Code Security!

SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We’re glad to say that today you have at your fingertips unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.

:santa: :gift: :christmas_tree:


Can you please elaborate on a few things…

Firstly, what, if anything, is needed to make use of this?

The post mentions just ensuring your Quality Profile is up to date.

Using SonarCloud, our Quality Profiles are all set to use “Sonar Way (Built-In)”, but looking at the PHP Quality Profile, it should be updated automatically (“This quality profile is provided by SonarCloud. It will automatically be updated”), but last updated is 4 months ago.


For reference, the JavaScript Quality Profile was last updated 2 days ago.

Secondly, what are the real differences with this latest update, because Security Hotspots and Injection Vulnerabilities have been present in SonarCloud for the whole time I’ve been using it (many months…)?

Maybe I’m missing something but I don’t see anything different…



It would be great if you could provide a Webinar or something similar that explains the new feature in depth. We will also need some kind of comparison with other SAST tools to see if this is good enough to replace other solutions we have in place.


Good! From which SonarQube version can this be used?
How does it compare with Checkmarx?



Please update the blogpost to say in which versions of the products this is released. I don’t see that on the release page: and it should be mentioned in both places for transparency :slight_smile:


Hi all,

Sorry about the delay in responding. I posted this and then started my holidays :christmas_tree:! Mea culpa.

For SonarQube, SAST analysis starts in Community Edition, and is fully-fleshed in Developer Edition, with additional reporting and configuration available in Enterprise Edition.

Whatever edition you’re using, just make sure you’re on the latest version and that your Quality Profile is up to date. Comparing your custom profile with the Sonar way profile will show you what rules have been added lately.

You’ll always get the best stuff in the latest version. TBH, we’ve been adding bits and pieces since the RIPS acquisition, but for the best experience you should always stick to the latest version - we add new rules and improve old ones with each release.

Perfect! You should be good to go! Not every built-in profile is updated every month. We have a lot of developers, but we also cover a lot of languages, and so there’s some rotation. Just keep up with Sonar way and you’ll stay current.

Since this is a YMMV-kind of assessment - and since we get better with each release! - we don’t publish this kind of comparison. (And no, I don’t have a private copy I can share off-line. :joy:) What I urge you to do is request a free trial and test it out on your own code.

Over the last couple years, a number of companies ran their own comparisons & found the results good enough to make the switch even before the RIPS acquisition & integration.

As I mentioned earlier, we’ve been iterating on this for a while, and small iterations get released to SonarCloud very quickly. So if you were already paying attention and staying current then you may not notice anything different. But cumulatively we’ve done a lot of work in this area in 2020 and we decided to make a big splash now because we finally felt ready to “put a bow on it”.

That’s a great idea. I’ll take it back to the team!


P.S. Sorry again to have left you hanging.