Sonarqube Plugins for Enhanced Security checking

In addition to finding code smells and bugs, we would like to beef up finding security vulnerabilities in our code using Sonarqube. I understand that Sonarqube already uses the OWASP Top 10 and SANS Top 25 as the basis for rules related to security, but we would like to implement our own too, based on our company’s own security directives.

Here are the options we are thinking of:

  1. Develop our own custom plugins for enhanced security checking
  2. Reuse existing custom plugins out there related to security

The thing is, we want this ASAP, so it seems Option 1 is not an option due to the learning curve. We haven’t got experience yet creating our own plugins. It might take much of our time. So, the question is, are there available plugins for Option 2? Or can anyone give us advice on the best approach to achieve what we want?

Hi,

Welcome to the community!

I think your first step here is to adopt Developer Edition. Out of the box, it comes with taint analysis (advanced detection) rules for a number of languages.

More info: Automatic Branch Analysis & Pull Request Decoration Tools | SonarQube

Ann