SonarQube
The most widely deployed platform for continuous code quality and security analysis, performing static analysis across 30+ languages to detect bugs, vulnerabilities, and code smells.
Developer
SonarSource
Technical Dossier
SonarQube by SonarSource is the most widely deployed static analysis platform in the industry, used by over 400,000 organisations to continuously inspect code quality and security across their development pipelines. The Community Edition is open-source under LGPL 3.0, while Developer, Enterprise, and Data Center editions add branch analysis, portfolio management, and advanced security rules. SonarCloud provides the same engine as a fully managed SaaS offering.
The analysis engine performs intra-procedural and inter-procedural dataflow analysis across 30+ languages — including Java, C#, Python, JavaScript, TypeScript, Go, C, C++, PHP, Ruby, Kotlin, and Swift. For security, it implements taint tracking that traces data from untrusted sources (HTTP parameters, file reads, database results) through transformations and function calls to dangerous sinks (SQL queries, OS commands, file paths, HTML output), detecting injection, XSS, SSRF, path traversal, and other vulnerability classes with low false-positive rates. Security Hotspots flag code patterns that are security-sensitive but require human judgement — such as cryptographic algorithm choices or permission checks — and provide contextual guidance for review.
SonarQube’s defining workflow concept is “Clean as You Code”: analysis focuses on new and changed code in pull requests and feature branches, applying Quality Gates that enforce minimum thresholds for test coverage, code duplication, reliability, and security ratings. This means teams can adopt the platform without a backlog of legacy findings blocking their pipeline — existing issues are tracked but do not fail builds. Integration is native via plugins for GitHub, GitLab, Bitbucket, and Azure DevOps, with IDE support through SonarLint providing real-time feedback as developers write code.
Security Hotspot Detection
Identifies security-sensitive code patterns requiring manual review — injection points, crypto usage, authentication logic — and guides developers through triage.
Quality Gates
Enforces pass/fail thresholds on new code for coverage, duplications, reliability, and security ratings — blocking merges that degrade the codebase.
Taint Analysis
Cross-function and cross-file dataflow tracking traces untrusted input from sources to sinks, detecting injection, XSS, and path traversal vulnerabilities.
Clean as You Code
Focuses analysis on new and modified code so teams can progressively improve quality without stopping to remediate legacy technical debt.
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Languages: 30+
Rules: 5,000+
Delivery: Self-hosted / Cloud
License: LGPL 3.0 / Commercial