SonarQube Advanced Security now supports detecting malicious packages

With the rise of developer account compromises and incidents such as the Shai-Hulud worm, there has been an increase in malicious software published to upstream software repositories.

SonarQube Advanced Security (on both SonarQube Cloud and SonarQube Server 2026.1+) now supports detecting publicly known malicious packages, and raises new risks when they are found.

This allows organizations to react quickly when a developer pulls in a malicious package, so they can contain and eliminate the risk.

Learn more on the Sonar blog and in our documentation

8 Likes
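The detection described in the announcement boils down to matching each resolved dependency in a lock file against a list of publicly known-bad name/version pairs and raising a risk for every hit. The following is an added illustration of that idea and is not SonarQube's code; the `package-lock.json` content and the `KNOWN_MALICIOUS` denylist are constructed sample data, not real advisories, and in practice the denylist would come from a maintained feed such as a malicious-package advisory database.

```python
"""Match an npm package-lock.json against a list of known-malicious package versions.

Added example, not SonarQube's implementation. The lock file and the denylist
below are constructed sample data (no real package is implicated).
"""
import json
from dataclasses import dataclass

# Constructed denylist of (package name, version). "*" means every version of
# that package is considered malicious (e.g. a hijacked or typosquatted package).
KNOWN_MALICIOUS = {
    ("evil-left-pad", "1.3.1"),
    ("totally-fine-utils", "*"),
}

# Constructed lockfileVersion 3 lock file; one hit at top level, one nested,
# and one near-miss ("evil-left-pad-extra") that must NOT match.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/evil-left-pad": {"version": "1.3.1"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/express/node_modules/totally-fine-utils": {"version": "0.0.9"},
        "node_modules/evil-left-pad-extra": {"version": "1.3.1"},
    },
})


@dataclass(frozen=True)
class Risk:
    """One raised risk: the malicious package and where it sits in the tree."""
    name: str
    version: str
    path: str


def package_name_from_path(path):
    """Derive the package name from a lock-file path such as
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx < 0:
        return None
    return path[idx + len(marker):]


def is_known_malicious(name, version):
    """Exact name+version match, or a wildcard entry for the whole package."""
    return (name, version) in KNOWN_MALICIOUS or (name, "*") in KNOWN_MALICIOUS


def find_malicious_packages(lock_json):
    """Return every resolved dependency that appears on the denylist,
    handling both the flat 'packages' map (lockfileVersion 2/3) and the
    nested 'dependencies' tree (lockfileVersion 1)."""
    lock = json.loads(lock_json)
    risks = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path == "":
                continue  # root project entry, not a dependency
            name = meta.get("name") or package_name_from_path(path)
            version = meta.get("version", "")
            if name and is_known_malicious(name, version):
                risks.append(Risk(name, version, path))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                version = meta.get("version", "")
                if is_known_malicious(name, version):
                    risks.append(Risk(name, version, path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(risks, key=lambda r: r.path)


if __name__ == "__main__":
    for risk in find_malicious_packages(SAMPLE_LOCK):
        print(f"RISK: {risk.name}@{risk.version} at {risk.path}")
```

Running it against the constructed lock file reports the top-level `evil-left-pad@1.3.1` and the transitively pulled `totally-fine-utils@0.0.9`, while the similarly named `evil-left-pad-extra` is left alone because matching is on the exact package name. Wiring a check like this into CI is what lets a build be stopped before a tainted dependency ships, which is the point the announcement makes.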

For supply-chain security, this is a huge victory. Because SonarQube Advanced Security can detect known harmful packages directly, teams may halt dangerous deps during analysis rather than after they have shipped, exposing it as a potential danger inside SonarQube Cloud/Server 2026.1+. Compared to a standalone tool that many overlook, this suits actual CI use far better. Although it won’t detect zero-days, this fills a significant hole for corrupted or tainted packages.

1 Like