Can SonarQube measure SOC 2 compliance

Hi, I am currently using version 7.7 (planning to upgrade soon). I was trying to check if I could use SQ for auditing the code for SOC 2 compliance.
In the past I have used the tool for OWASP audits and it did a fantastic job. I wanted to know if this feature is in the works, or if someone has already (wishful thinking, I know) created a set of rules that can be added to SQ as plugins which check for SOC 2.
Thanks for any help with this.

Hi,

According to this, SOC 2 is mainly about

develop[ing] security policies and procedures. These need to be written out and followed, and auditors can and will ask to review them.

So… unless I’m missing something, SonarQube doesn’t seem relevant for that. But thanks for thinking of us as your go-to solution!

:smile:
Ann

Hi Ann,
Thanks for replying. Well, SOC 2 is about policies and procedures, as you pointed out with the article. However, there are specific things like parameter verification, i.e. size, datatype and acceptable ranges or formats in the API, that need to be evaluated.
Besides that, even data passed from the UI to the backing beans is part of the compliance.

These do sound like candidates that SQ could help evaluate.

Hi,

So… what language(s) are we talking about? Also, could you be a little more specific about these potential rules? It may be that we’ve already implemented some of them, or at least specified them. If not, we’d certainly need more detail to get started. Alternately, several languages offer support to allow you to write custom rules…

Ann

Hi. To answer your questions: currently I'm looking for Java-related help. As for specific details about the rules, there aren't many. I know that our compliance is based on HITRUST principles 9.1. And like I said before, for in-house software explicit error checking has to be performed and documented for all input data, including size, datatype and acceptable ranges or formats.
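The kind of explicit input checking the last post describes (size, datatype, range and format, with failures recorded so they can be documented) looks like this in Java. This is an added illustration, not code from the thread or from SonarQube; the "create user" API parameters and their limits are assumptions chosen for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Constructed example of explicit, documented input validation for an API call. */
public final class InputValidator {
    // Anchored allow-list patterns (assumed formats for this example).
    private static final Pattern USERNAME = Pattern.compile("^[a-z0-9_]+$");
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    /** Collects every failed check so the outcome can be logged and audited, not silently dropped. */
    public static final class Result {
        public final List<String> errors = new ArrayList<>();
        public boolean isValid() { return errors.isEmpty(); }
    }

    /** Size check: reject missing values explicitly and bound the length. */
    static void checkSize(String field, String value, int min, int max, Result r) {
        if (value == null) { r.errors.add(field + ": missing"); return; }
        if (value.length() < min || value.length() > max)
            r.errors.add(field + ": length " + value.length() + " outside [" + min + "," + max + "]");
    }

    /** Datatype and range check: the raw string must parse as an int and lie within [min, max]. */
    static void checkIntRange(String field, String raw, int min, int max, Result r) {
        int v;
        try { v = Integer.parseInt(raw); }
        catch (NumberFormatException e) { r.errors.add(field + ": not an integer"); return; }
        if (v < min || v > max) r.errors.add(field + ": " + v + " outside [" + min + "," + max + "]");
    }

    /** Format check against an allow-list pattern; null is a failure, never a NullPointerException. */
    static void checkFormat(String field, String value, Pattern p, Result r) {
        if (value == null || !p.matcher(value).matches()) r.errors.add(field + ": bad format");
    }

    /** Validates all parameters of a hypothetical "create user" call before any of them is used. */
    public static Result validateCreateUser(String username, String ageRaw, String email) {
        Result r = new Result();
        checkSize("username", username, 3, 32, r);
        checkFormat("username", username, USERNAME, r);
        checkIntRange("age", ageRaw, 0, 150, r);
        checkSize("email", email, 6, 254, r);
        checkFormat("email", email, EMAIL, r);
        return r;
    }

    public static void main(String[] args) {
        Result ok = validateCreateUser("alice_01", "34", "alice@example.com");
        Result bad = validateCreateUser("a", "abc", "not-an-email");
        System.out.println("valid=" + ok.isValid() + " errors=" + ok.errors);
        System.out.println("valid=" + bad.isValid() + " errors=" + bad.errors);
    }
}
```

Each rejected field produces its own error entry, which is what makes the check auditable: the log shows which rule failed on which parameter rather than a single generic rejection.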