Security Scanning with SonarQube?

Hello everyone,

I am new to SonarQube. I tried using the search, but I did not find an answer, so apologies if this is a common question.

I am running SonarQube 7.9.1 on Ubuntu. I have also installed version of SonarScanner. I am going through the getting started tutorial that is presented when you start the console and browse

I made a simple C# application that is vulnerable to SQL injection. See below.

    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main(string[] args)
        {
            int i = 0;
        }

        // Deliberately vulnerable: pId is concatenated straight into the SQL text
        static void VeryVeryBadSQL(string pId)
        {
            SqlConnection conn = new SqlConnection("SomeConnectionString");
            SqlCommand comm = new SqlCommand();

            comm.Connection = conn;
            comm.CommandType = System.Data.CommandType.Text;
            comm.CommandText = "SELECT * FROM SomeTable WHERE ID = '" + pId + "'";

            conn.Open(); // the connection must be open before ExecuteReader
            var reader = comm.ExecuteReader();
        }
    }

When running SonarScanner against this, no SQL injection vulnerabilities are identified. Why is this? Do I need to add a plugin or something? If so, can someone direct me to a resource that shows how to do this?


Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this
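For comparison, here is the parameterized form of the same query. This is an added example, not code from the original post; it assumes the same placeholder connection string and that `ID` is a string column of at most 64 characters.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class SafeQuery
{
    static void Main(string[] args)
    {
        ParameterizedSQL(args.Length > 0 ? args[0] : "1");
    }

    // Hardened counterpart of VeryVeryBadSQL: the ID is bound as a parameter,
    // so the database treats it as data and never as part of the SQL text.
    static void ParameterizedSQL(string pId)
    {
        using (SqlConnection conn = new SqlConnection("SomeConnectionString"))
        using (SqlCommand comm = conn.CreateCommand())
        {
            comm.CommandType = CommandType.Text;
            comm.CommandText = "SELECT * FROM SomeTable WHERE ID = @id";
            // Assumed column type/length; adjust to match the real schema
            comm.Parameters.Add("@id", SqlDbType.NVarChar, 64).Value = pId;

            conn.Open();
            using (SqlDataReader reader = comm.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine(reader[0]);
                }
            }
        }
    }
}
```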


What edition of SonarQube are you using? Injection vulnerability detection is available in Developer Edition and above, or on (free for open source projects).


Hi Colin,

Thanks for the response. I downloaded the community edition from this site: . This edition says it has security hotspots and vulnerabilities. Does SonarQube classify injections as something other than these?



The detection of Injection Vulnerabilities is a Commercial feature so far as SonarQube is concerned!

Detection of Security Hotspots (make sure _____ is safe here) and other kinds of vulnerabilities (hard-coded credentials, left-over logging, etc.) are available in the Community Edition.

Thanks Colin!

I’ve got a follow-up… I just added some hard-coded credentials.

    public const string USER_NAME = "User1";
    public const string PASSWORD = "Password1!";

I still have 0 security findings after doing a scan. Why would it be missing this?