Does it scan for insecure data storage, network communication?
SonarQube’s rules are documented at https://rules.sonarsource.com/. You should look into the specific languages used in your org, and look at Vulnerabilties/Security Hotspots.
For example, for Java, there’s a rule Weak SSL/TLS protocols should not be used!