Supported Standards

Could you confirm which of the following standards SonarCloud checks for?

  1. OWASP Top 10
  2. SANS Top 25
  3. CERT Coding Standards
  4. HIPAA standard to determine PII data
  5. PCI standard to determine sensitive data


Welcome to the community!

To be clear, OWASP Top 10 isn’t a standard, and the OWASP folks have been rather firm about that recently.

That said, we do have rules that address OWASP Top 10 across multiple languages, and to some degree SANS Top 25, although that one’s a bit dusty by now. Really, the CWE Top 25 is a better one to go by, and we have rules for that too.

In Java, C, C++ and Objective-C we have rules that map to some of the CERT standards, although we can’t boast global coverage. (For that matter, IIRC, not all the CERT rules are statically checkable…?)

We’ve done some mapping against PCI, although I don’t believe anything’s visible to the user yet.

But for HIPAA, I’m not sure we have anything.

Your best bet is to poke around on the rules page, looking at the Security Category, and at the tags of the rules of your language of interest.



Thanks for your response. That’s great.