Sonarqube for SAST

Hi everyone,

I don’t know if it is the scope of this forum but I’ll ask anyways.

I am implementing this tool as a part of the DevSecOps lifecycle but I have been thinking if this tool could be enough to perform SAST on my developer’s code?

Are there any recommendations talking about plugins, rules, quality gates or something that I might consider before implementing this tool? I mean, recommendations while using Sonarqube but aiming specifically to improve security.

Thanks in advance.


Commercial editions of SonarQube include taint analysis rules for flagship languages (Java, C#, JS/TS, PHP, Python). Those rules are on by default in the built-in Quality Profiles, so you would just want to be sure you’re using those built-in profiles or derivatives.