Export the ordering party’s custom rules and enable CISQ validation on my company’s Sonar

I was advised by the SonarSource sales team to check with you the feasibility of some of my requests and, based on that, identify the most suitable Sonar license to use (Community, Cloud, Server, etc.), as well as any relevant plugins, tools, or other resources we could leverage.

We are a small company of 4–5 developers. Currently, we only use SonarLint / SonarQube for IDE (primarily with IntelliJ), and we do not have a dedicated Sonar server.

For potential software development contracts, mainly involving the Java language, the ordering party requires us to:

a) validate the code against their custom Sonar rules;

b) in a second phase, apply CISQ compliance checks on the source code (performed using CAST).

All validations are carried out in the ordering party’s pre-production environment, which is not accessible during development.
It is important for us to validate our code in real time during development, rather than making all corrections at the time of final code delivery. However, SonarLint for IDE does not support all the required rules.

At this time, I haven’t been able to speak directly with the ordering party’s technical team, but I’ve informally obtained the attached image of their SONAR configuration, which I believe represents their quality profile:

We need to export the ordering party’s Sonar rules — what type of Sonar license would be required for this, and what methods are available to perform such an export/import?

Regarding CISQ compliance, we understand that it may not be possible to cover all rules. (We are also aware that full CISQ-compliant solutions are far beyond our budget.) However:

  • are there any plugins available that can partially address CISQ requirements?

  • does Sonar provide a broad preconfigured list of CWE rules that can be enabled if needed?

We would appreciate any information you can provide regarding first-party or third-party plugins, IDE tools, or AI assistants that could support us in applying these two levels of validation using custom rules.

Lastly, we would like to know if there is a plugin that allows exporting violations in SARIF format.

Thank you for your cooperation and for the time you have kindly devoted to us.

Best regards.
Vincenzo Verrone
Developer – SmartIT

Hey there.

Import/Export:

All SonarQube editions support exporting and importing quality profiles, so even the free Community Edition will work for this. You can export their custom rules as XML and import them into your own SonarQube instance. See the docs here.

  • If they use any custom plugins that provide rules to the Quality Profile, ensure these are installed on your SonarQube instance.

  • If they’re using a commercial edition (Developer, Enterprise, or Data Center), you’ll need the same edition to access advanced vulnerability detection or bug detection rules that may be part of their profile.

CISQ:

While SonarQube doesn’t have dedicated CISQ plugins, it does provide extensive CWE coverage. You can filter for rules targeting specific CWEs in the Rules interface using the Security category facet.

Most of these rules are enabled in the default Sonar Way Quality Profile for each language.

Security Reports is probably also an interesting feature for you.

SARIF export:

There’s no native SARIF export plugin, but SonarQube’s Web API provides comprehensive access to findings data that you can use to generate SARIF reports programmatically, if needed.

Hope these answers help!
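Worked example of the "generate SARIF programmatically" route mentioned in the answer (added here; it is not part of the thread and not SonarSource tooling): a converter from the JSON that `GET /api/issues/search` returns to a minimal SARIF 2.1.0 log. The sample response, the project key `demo` and the file paths are constructed; the field names (`issues`, `components`, `textRange`, `paging`) are those of the SonarQube Web API, whose `textRange` offsets are 0-based and are shifted to SARIF's 1-based columns.

```python
# SonarQube severity -> SARIF result level.
SEVERITY_TO_LEVEL = {"BLOCKER": "error", "CRITICAL": "error",
                     "MAJOR": "warning", "MINOR": "note", "INFO": "note"}

# Constructed sample shaped like GET /api/issues/search?componentKeys=demo&ps=500
# (real responses are paged: loop on p until paging.total issues have been read).
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 2},
    "issues": [
        {"key": "ISSUE-1", "rule": "java:S2068", "severity": "BLOCKER", "type": "VULNERABILITY",
         "status": "OPEN", "component": "demo:src/main/java/App.java", "line": 12,
         "textRange": {"startLine": 12, "endLine": 12, "startOffset": 8, "endOffset": 40},
         "message": "Remove this hard-coded password."},
        {"key": "ISSUE-2", "rule": "java:S1118", "severity": "MINOR", "type": "CODE_SMELL",
         "status": "OPEN", "component": "demo:src/main/java/Util.java",  # no textRange: file-level
         "message": "Add a private constructor to hide the implicit public one."},
    ],
    "components": [
        {"key": "demo:src/main/java/App.java", "path": "src/main/java/App.java"},
        {"key": "demo:src/main/java/Util.java", "path": "src/main/java/Util.java"},
    ],
}

def to_sarif(response):
    """Build a single-run SARIF 2.1.0 log (a dict; json.dumps it to a .sarif file)."""
    # Component keys -> repository-relative paths, as reported in the response.
    paths = {c["key"]: c["path"] for c in response.get("components", []) if "path" in c}
    rules, results = {}, []
    for issue in response["issues"]:
        rule_id = issue["rule"]
        # An id-only rule entry is valid SARIF; name/help text can be added from api/rules/show.
        rules.setdefault(rule_id, {"id": rule_id})
        physical = {"artifactLocation": {"uri": paths.get(issue["component"], issue["component"])}}
        rng = issue.get("textRange")
        if rng:  # SonarQube offsets are 0-based; SARIF columns are 1-based, endColumn exclusive
            physical["region"] = {"startLine": rng["startLine"], "startColumn": rng["startOffset"] + 1,
                                  "endLine": rng["endLine"], "endColumn": rng["endOffset"] + 1}
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(issue["severity"], "warning"),
            "message": {"text": issue["message"]},
            "locations": [{"physicalLocation": physical}],
            # SonarQube-specific fields kept so a SARIF consumer can link back to the issue.
            "properties": {"sonarKey": issue["key"], "sonarType": issue["type"], "sonarStatus": issue["status"]},
        })
    return {"version": "2.1.0",
            "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "SonarQube", "rules": list(rules.values())}},
                      "results": results}]}
```

Note that `api/issues/search` caps a single query at 10,000 results, so large projects need to be split by component or status before converting.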