Does SonarQube audit NPM packages for vulnerabilities?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 9.9 LTS
  • how is SonarQube deployed: zip, Docker, Helm
    App Service

Does SonarQube scan for NPM package vulnerabilities or analyse the dependencies in use? I could not find any relevant information. Maybe someone could assist with this? Thanks.

Hey there.

SonarQube does not flag specific dependencies like a typical SCA tool would.

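An added example, not from this thread or from SonarSource, of the kind of dependency check an SCA tool performs and SonarQube does not: it parses `npm audit --json` output (the npm 7+ report format) and fails a build when any installed package meets a severity threshold. The report embedded below is constructed; the package names and advisory URL are placeholders.

```python
import json
from typing import Dict, List

# Constructed `npm audit --json` report (auditReportVersion 2). Package names
# and the advisory URL are placeholders, not real advisories.
SAMPLE_AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-lib-a": {
      "name": "example-lib-a", "severity": "high", "isDirect": true,
      "via": [{"source": 0, "name": "example-lib-a", "title": "Placeholder advisory",
               "url": "https://example.invalid/advisory/PLACEHOLDER-1",
               "severity": "high", "range": "<1.2.3"}],
      "effects": ["example-lib-b"], "range": "<1.2.3",
      "nodes": ["node_modules/example-lib-a"], "fixAvailable": true
    },
    "example-lib-b": {
      "name": "example-lib-b", "severity": "moderate", "isDirect": false,
      "via": ["example-lib-a"], "effects": [], "range": "*",
      "nodes": ["node_modules/example-lib-b"], "fixAvailable": false
    }
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                   "high": 1, "critical": 0, "total": 2}}
}
"""

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def load_findings(audit_json: str, threshold: str) -> List[Dict]:
    """Return installed packages whose severity is at or above `threshold`.

    Entries whose `via` holds package names rather than advisory objects are
    transitively affected; they are reported too, since they are still installed.
    `fixAvailable` may be a bool or an object in real output, so it is coerced.
    """
    floor = SEVERITY_RANK[threshold]
    report = json.loads(audit_json)
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(entry.get("severity", "info"), 0) < floor:
            continue
        advisories = [v["url"] for v in entry.get("via", []) if isinstance(v, dict)]
        findings.append({"name": name, "severity": entry["severity"],
                         "direct": bool(entry.get("isDirect")),
                         "fix_available": bool(entry.get("fixAvailable")),
                         "advisories": advisories})
    return findings


def gate(audit_json: str, threshold: str = "high") -> bool:
    """True when the build may proceed: nothing at or above the threshold."""
    return not load_findings(audit_json, threshold)
```

In a pipeline, feed the captured `npm audit --json` output to `gate` and fail the job when it returns False.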
