SonarQube interaction with DefectDojo and ThreadFix!?


I want to evaluate some aggregator tools like
DefectDojo and

WRT the SonarQube integration:

Do you have practical experience with these tools?
The timestamp of the ThreadFix documentation of the Sonar plugin is rather old (2017); it seems the development has stalled!?
What’s the status of ?
Also checked , but it's still not clear
whether SonarQube integration works.


1 Like

I’m Dan Cornell from Denim Group / ThreadFix.

We’ve recently updated our SonarQube integration to pull in the results of the updated vulnerability scanning - the vulnerabilities and security hotspots. It is currently a plugin but will be rolled into the main build shortly. If you want to take a look could you please shoot me an email dan at denimgroup dot com or just fill out the contact form at and mention me/SonarQube in the comments.

1 Like

Welcome Dan :slight_smile:

Sorry for the late response, I had been on a business trip.
Just wondering why SonarQube support is not reflected at !?
If this is still work in progress, I prefer to evaluate the final product.
Why has been archived? Did you switch from
open source to closed source?


Yeah we need to get the SonarQube/SonarSource integration listed on the integrations page. I’ll ping the folks who maintain the site.

Also we stopped actively maintaining the open source version of ThreadFix a couple of years ago in order to focus on the commercial edition. The economics of the dual open/commercial versions just weren’t working out for us so we chose to focus on the commercial side.

As I also didn't find JFrog Artifactory and Xray on the integrations page, are these supported?

We don’t have native integrations with those yet, but it should be pretty easy to convert their results to our .threadfix file format:
You’d use the “DEPENDENCY” vulnerability type for the results.

You also have to add a new scanner type - docs for that are here:
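The conversion Dan describes above, written out as an added example (this is not ThreadFix's or JFrog's own code). It takes a constructed, simplified Xray-style violations export and emits a .threadfix-style JSON document with every finding typed as DEPENDENCY. The output field names (`nativeId`, `severity`, `nativeSeverity`, `dependencyDetails`, `mappings`, `findingType`, and the `collector`/timestamp header) are my recollection of the ThreadFix file format and are assumptions to verify against the format documentation linked in the post; the input field names are likewise a stand-in for the real Xray schema. The converter also de-duplicates a violation that Xray reports twice for the same artifact and maps an unrecognised severity to Info, which is where hand-rolled converters usually go wrong.

```python
"""Convert dependency-scan results into a .threadfix-style JSON document.

Example written for this thread, not ThreadFix's or JFrog's own code. All
output field names are assumed from memory of the ThreadFix file format;
check them against the official format documentation before use.
"""
import json
from datetime import datetime, timezone

# Constructed sample shaped like a simplified Xray violations export.
# The field names are an assumption for illustration, not JFrog's documented schema.
SAMPLE_XRAY_REPORT = {
    "violations": [
        {
            "issue_id": "EXAMPLE-1",
            "severity": "High",
            "summary": "Unsafe deserialization in sample-lib",
            "cve": "CVE-0000-0001",  # placeholder identifier, not a real CVE
            "impacted_artifacts": [
                {"name": "sample-lib", "version": "1.2.3", "fix_version": "1.2.4"}
            ],
        },
        {
            # Same issue reported a second time (e.g. via another watch or path);
            # the converter must not emit it twice.
            "issue_id": "EXAMPLE-1",
            "severity": "High",
            "summary": "Unsafe deserialization in sample-lib",
            "cve": "CVE-0000-0001",
            "impacted_artifacts": [
                {"name": "sample-lib", "version": "1.2.3", "fix_version": "1.2.4"}
            ],
        },
        {
            "issue_id": "EXAMPLE-2",
            "severity": "Unknown",  # unmapped severity: falls back to Info
            "summary": "Outdated TLS handling in other-lib",
            "cve": None,
            "impacted_artifacts": [
                {"name": "other-lib", "version": "0.9.0", "fix_version": None}
            ],
        },
    ]
}

# Xray severity labels -> ThreadFix severity labels (assumed target vocabulary).
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium", "low": "Low"}


def xray_to_threadfix(report, collector="JFrog Xray (converted)"):
    """Return a .threadfix-style dict; DEPENDENCY is the vulnerability type named in the post."""
    now = datetime.now(timezone.utc).isoformat()
    findings = {}  # keyed by nativeId so repeated violations collapse to one finding
    for v in report.get("violations", []):
        severity = SEVERITY_MAP.get(str(v.get("severity", "")).lower(), "Info")
        cve = v.get("cve")
        for art in v.get("impacted_artifacts", []):
            native_id = f"{v['issue_id']}:{art['name']}:{art['version']}"
            if native_id in findings:
                continue
            fix = art.get("fix_version")
            findings[native_id] = {
                "nativeId": native_id,
                "severity": severity,
                "nativeSeverity": v.get("severity"),
                "summary": v.get("summary", ""),
                "description": f"{art['name']} {art['version']} is affected by {cve or v['issue_id']}",
                "scannerRecommendation": (
                    f"Upgrade {art['name']} to {fix}" if fix else "No fixed version reported"
                ),
                "findingType": "DEPENDENCY",  # assumed key name; the type value is from the post
                "dependencyDetails": {       # assumed sub-object layout
                    "library": art["name"],
                    "version": art["version"],
                    "reference": cve or v["issue_id"],
                    "issueType": "DEPENDENCY",
                },
                "mappings": [{"key": "cve", "value": cve}] if cve else [],
            }
    return {
        "created": now,
        "updated": now,
        "exported": now,
        "collector": collector,
        "findings": [findings[k] for k in sorted(findings)],
    }


def severity_counts(doc):
    """Count findings per ThreadFix severity, handy for a sanity check before import."""
    counts = {}
    for f in doc["findings"]:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(xray_to_threadfix(SAMPLE_XRAY_REPORT), indent=2))
```

Running the module prints the converted document; the three sample violations collapse to two findings, one High and one Info. Before importing a real conversion, diff the emitted keys against the current ThreadFix file format documentation and register the scanner type as the post says, since an unknown collector name or misspelled key is the usual reason an otherwise valid file is rejected.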

Thanks for the update. For further questions I'll go via threadfix/contact.