We are using SonarQube Enterprise Edition v2025.1 (build 102418) in Connected Mode with Visual Studio 2022 and the SonarQube for Visual Studio extension (v8.19).
Our project is a SQL/T-SQL solution (e.g., SQLDACPAC), and we’re trying to understand the current support for:
Security Hotspot Detection
Code Analysis / Taint Vulnerability detection
Quality Gate enforcement for SQL
We noticed that:
No security hotspots or taint issues appear in Visual Studio.
The SonarQube UI and local panes remain empty after analysis.
There is limited/no documentation on SQL language support for static analysis or hotspots.
Could you please confirm:
Is T-SQL (Transact-SQL) supported for security hotspot detection or static analysis in SonarQube 2025.1?
If not yet supported, are there any workarounds or future plans to add SQL/T-SQL static analysis features?
SonarQube Server supports analyzing T-SQL code. You should make sure that you have configured the file extensions correctly for SonarQube to analyse your code as T-SQL (instead of PL/SQL). Concretely that means adding .sql to sonar.tsql.file.suffixes and removing sql from sonar.plsql.file.suffixes.
You can find a list of supported rules either in your instance, or here.
SonarQube for Visual Studio does not support analyzing T-SQL code at this point. You can voice your interest on this roadmap item!
Whoops, I missed the part where that card said released.
Indeed, T-SQL analysis should be possible if you are using Connected Mode.
As I mentioned earlier:
Are you sure your code is triggering one of these rules? Can you give an example?
My understanding (based on the docs) is that local Hotspot detection (all 4 of them) is not supported for T-SQL. Let me double-check with the responsible team to confirm.
It is possible to locally detect and report hotspots in SonarQube for Visual Studio for C, C++, and JS/TS languages.