Retrieve issues categorized through application security and development STIG

  • The version of SonarQube:
  • A way to categorize issues under the Application Security and Development STIG. The Security Category under Issues has a list but there is no STIG mentioned. Is there a way to have issues reported under STIG category?


I’m going to move this to the Suggest New Features category, since the functionality isn’t currently available.

While there are security reports in Enterprise Edition ($$) (here’s an example from our internal dogfooding server), STIG isn’t one of them. (Yet?)


Hello @harshi24,

I did not find a lot of publicly available information about STIG.

Can you share some references about it: list of requirements, context in which being compliant with STIG is mandatory, …?


The context would be deploying our software to federal environments where STIG compliance is mandatory and must be reported to federal partners for continued operation (specifically the Application Security and Development STIG is required for software developed in-house, but there are other STIGs when deploying 3rd-party software).

This is the official download portal for STIG documents

This is the official download portal for the tool needed to view STIG documents:

This is an online mirror that shows the current version of each STIG for ease of use: Application Security and Development Security Technical Implementation Guide


Is this really a question of whether SonarQube itself is STIG-compliant, or how SonarQube can help you make your projects STIG-compliant?


It’s about

Okay, thanks.

I asked because SonarQube has STIG-compliant images in the Iron Bank, so that would have been an easy answer.