SonarSource Blog
  • Code Quality
  • Code Security
  • Integration
  • Company
  • Products

    In-IDE

    Code Quality and Code Security in your IDE with SonarLint

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarLint

    In-Cloud

    Code Quality and Code Security in the cloud with SonarCloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarCloud

    On-premise

    Code Quality and Code Security on-premise with SonarQube

    Fast, accurate Code Quality and Code Security analysis for most languages

    Discover SonarQube

Articles about SonarCloud

  1. Compilation database: An alternative way to configure your C or C++ analysis



    Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of this information, called the build wrapper. Recently we introduced another way to configure your analysis, the compilation database. Learn more about the pros and cons of each option.

    By loic joly | August 24, 2021

  2. Meet the new project experience for SonarCloud



    We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvements the next time you open SonarCloud. We’re going to tell you more about what this makeover is about in this article.

    By thomas olivier | October 21, 2021
  3. SonarCloud new project overview

    Know where your project stands with the new project overview!



    In late April, I introduced the new project experience for SonarCloud, which has already been adopted by a lot of you. Today, we’re adding a brand new project overview page! We can’t wait for you to try it!

    By thomas olivier | July 06, 2021
  4. Clean As You Code Essentials

    Clean As You Code essentials - What are Quality Profiles and Quality Gates?



    Learn how the functionality of Quality Profiles and Quality Gates come together to enable the SonarSource Clean As You Code methodology.

    By clint cameron | July 21, 2021
  5. Our JavaScript and TypeScript SAST engines filter the Vulnerabilities out of OWASP JuiceShop.

    What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop



    In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did in the past for these languages. With this post, we’re going to tell you what you can expect for these languages, and more specifically which vulnerabilities can be detected.

    By alexandre gigleux | May 12, 2021
  6. SonarCloud new UX

    Discover SonarCloud’s new project experience. Join the beta today!



    SonarCloud’s interface has received a nice refresh! We’re happy to invite you to join our beta program, which is just three clicks away! It’s open to all existing users, without prior registration, and is easily activated.

    By thomas olivier | April 20, 2021
  7. Monorepo support for Bitbucket Cloud in SonarCloud

    Mono-repository support for Bitbucket Cloud now available for SonarCloud!



    Last September, we announced that mono-repository support was added for GitHub and Azure DevOps Services. The good news is: mono-repository support is now also available for Bitbucket Cloud! See what it brings and how you can configure it in SonarCloud.

    By thomas olivier | March 29, 2021

  8. SonarCloud or SonarQube? - Guidance on Choosing One for Your Team



    Learn about the similarities and key differences between SonarCloud and SonarQube and which one is best for your use case.

    By clint cameron | April 28, 2020
  9. A sheep lurks in wolf's clothing.

    False positives are our enemies, but may still be your friends



    When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. In this post, I’ll discuss how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help. I’ll end with insight into how issues that are false positives can still be true indicators that the code needs to change.

    By loic joly | September 15, 2020

  10. Security Hotspots maintain engagement in developer-led security



    By g. ann-campbell | January 26, 2021
  11. A Developer runs from the reanimated horror - the Mummy known as Quarterly Security Analysis.

    Taking the angst out of SAST analysis



    By g. ann-campbell | January 14, 2021

  12. Blazing a trail on the SAST road less traveled by



    By g. ann-campbell | January 19, 2021
  13. Security Auditors are the Cinderella of developer-led SAST, moving from the drudgery of triaging issues to higher-level concerns.

    Security auditors - the Cinderella story of SAST



    By g. ann-campbell | February 02, 2021

  14. Lay a strong foundation by writing secure C and C++ utilities



    By g. ann-campbell | October 14, 2020

  15. Code security: now there's a tool for developers



    Hey SonarQube and SonarCloud users! You now have a tool to own Code Security!  SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We're glad to say that today you have at your fingertips  unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.

    By g. ann-campbell | December 11, 2020

  16. Mono-repository support for GitHub and Azure DevOps Services available now!



    Take a tour of SonarCloud's integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gates per project and receive multiple results in your pull requests.

    By thomas olivier | September 29, 2020

  17. For secure code, maintainability matters



    By g. ann-campbell | October 20, 2020

  18. Winning the race against TOCTOU vulnerabilities in C & C++



    Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I'm proud to announce a step forward for defenders with a new rule to detect a literal race condition: TOCTOU (or TOCTTOU) vulnerabilities, known in long-form as Time Of Check (to) Time Of Use. 

    By g. ann-campbell | October 07, 2020

  19. More security rules injected into Python analysis



    I've talked before about SonarSource's commitment to helping developers improve their Code Quality and Security in Python. Today I can say that we're making progress on that, with significant improvements for both quality and security.

    By g. ann-campbell | May 06, 2020

  20. Detect C++ buffer overflows in POSIX functions



    By g. ann-campbell | May 20, 2020

  21. Cognitive Complexity, Because Testability != Understandability



    Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.

    By g. ann-campbell | December 07, 2016

  22. Security Hotspots bring a new approach to C++ SAST



    A lot of people associate Static Application Security Testing (SAST) with false positives, but it doesn't have to be that way. The fact is that there are really three classes of SAST issues: true positives, false positives, and what we call Security Hotspots - security-sensitive pieces of code that need human review. We feel that introducing the distinction between Vulnerabilities and Security Hotspots is the SAST innovation developers have sorely needed to face analysis results with clear expectations about what they'll get and how to deal with it.

    By g. ann-campbell | July 30, 2020

  23. Shift left for higher quality pull requests with Code Insights for Bitbucket Cloud



    Atlassian officially released its new feature Code Insights for Bitbucket Cloud. With SonarCloud, discover what it brings for Code Quality and Security.

    By thomas olivier | June 03, 2020

  24. What is 'taint analysis' and why do I care?



    By g. ann-campbell | February 10, 2020

  25. From Community post to a new feature: a brief history of Mono-repository support in SonarCloud



    It all started a few months ago, with a message on our Community forum. One of our users wrote a post in the “Suggest new features” section of the forum... Let's have a closer look at this story of how a community post resulted in a product feature. Let's also see how, as a user, you can contribute to SonarCloud.

    By thomas olivier | July 30, 2020

  26. Takeaways from building a developer-led SAST tool...



    Why effectiveness doesn't mean achieving a perfect OWASP score. The quest to make the ultimate SAST tool while staying true to our developer roots meant forging a new, "imperfect" path.

    By alexandre gigleux | October 16, 2019

  27. Fully Automated Promotion Pipelines with SonarQube and Artifactory



    Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube.

    By fabrice bellingard | September 25, 2018

  28. Announcing the SonarCloud Pipe for Bitbucket Cloud users!



    SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarCloud Scan Pipe, you can configure code analysis in your Bitbucket Pipeline in no time.

    By nicolas bontoux | February 28, 2019

  29. SonarSource is taking Python analysis by storm in 2020



    By g. ann-campbell | March 16, 2020

  30. Driving continuous improvement for Python security



    Our goal for Python analysis this year is to Kick Asp & Take Names, and we're making good on that promise, with regular deposits of new functionality. Our next target? Making Django and Flask development more secure.

    By g. ann-campbell | June 09, 2020

  31. Why did my coverage just drop?!



    After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe it or not, that really is a feature, not a bug, and it's called Executable Lines.

    By g. ann-campbell | January 23, 2018

  32. Pragmatic Application Security - The SonarSource Way



    At SonarSource, we've taken a pragmatic approach to application security. The best security tools are the ones that get used and not abandonded. Learn how your organization can adopt an effective methodology to reduce vulnerabilities without disruption.

    By clint cameron | January 08, 2019

  33. Continuously Improving Analysis of C/C++/Objective-C Code



    Today we have improved the functionality of SonarCloud centered around the analysis of C/C++/Objective-C code. It’s an important change and we’d like to take a moment to provide you with the reason behind our decision.

    By nicolas bontoux | November 12, 2018

  34. Protect your code against injection vulnerabilities with SonarCloud!



    Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarCloud updates now provide advanced security checks to continuously detect them.

    By alexandre gigleux | July 10, 2018

  35. SonarCloud loves your build pipelines



    Over the past 2 weeks, the following new features were deployed on SonarCloud: pull requests as first class citizen, a dedicated webhooks console, and new rules for C#, Java and T-SQL projects.

    By fabrice bellingard | April 06, 2018

  36. Integrate SonarCloud with VSTS to boost code quality



    The SonarCloud extension now brings the missing piece on VSTS to have everything in hand to write clean code: the automatic analysis of pull requests.

    By fabrice bellingard | May 09, 2018

  37. Celebrating SonarCloud 1 year anniversary!



    Since its inception, SonarSource has been committed to Continuous Code Quality, i.e. to providing teams with the best products to analyze the quality of their code at every stage of the development process. Over the past 12 months, we have pushed that commitment into the cloud with SonarCloud.

    By fabrice bellingard | June 12, 2018

  38. Import issues of your favorite linters in SonarCloud!



    Over the past 2 weeks, the following new features were deployed on SonarCloud: import of issues from external linters with built-in support for TypeScript projects, support for the Go language, graceful handling of username change, first version of the GitHub Application, new rules for Python, Java and Swift

    By fabrice bellingard | June 04, 2018
Sign up today never miss an update from SonarSource
Sign up today & never miss an update from SonarSource

We have received your subscription request. Please click on the confirmation link that was sent to your email. If you don’t see an email, check your spam/junk folder. Thank you!

We respect your privacy.

In-IDE

Code Quality and Code Security in your IDE with SonarLint

IDE extension that lets you fix coding issues before they exist!

Discover SonarLint

In-Cloud

Code Quality and Code Security in the cloud with SonarCloud

Setup is effortless and analysis is automatic for most languages

Discover SonarCloud

On-premise

Code Quality and Code Security on-premise with SonarQube

Fast, accurate Code Quality and Code Security analysis for most languages

Discover SonarQube

SonarSource blog delivered directly to your inbox!

We respect your privacy.

We have received your subscription request. Please click on the confirmation link that was sent to your email. If you don’t see an email, check your spam/junk folder. Thank you!

  • SonarSource
© 2008-2021, SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource SA.
All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy PolicyTerms and Conditions