Safe code, from the start

SonarCloud helps developers write secure code with Static Application Security Testing (SAST).

Empowering developers

Conventional SAST tools were not built for developers; SonarCloud is!

Super-fast analysis, highly precise results

No need to wait for hours… Get code analysis results in minutes! And know that when a vulnerability is raised on your code, there’s something to fix. We’ve made it our mission to kill false positives.

High-quality feedback, early in your workflow

The best approach to Code Security is not to create vulnerabilities in the first place. With a clear analysis report for your code review, you merge only safe code into your repositories.

Developer-centric experience

Developers are key to success when it comes to Code Security. We tailored SonarCloud to help you learn and implement secure coding best practices.

One tool for Code Quality and Code Security

It’s all about writing great code, and you can do it all in one place. We give you one tool to sharpen your skills and remediate all Maintainability, Reliability, and Security flaws.

Find and fix vulnerabilities

Code security skills are no longer optional. We’re here to help!

Security Hotspots

Security Hotspots highlight security-sensitive pieces of code that need review. As you discover Security Hotspots, learn how to evaluate the risk while becoming more acquainted with secure coding best practices.

Secure your applications

Detect vulnerabilities before they make their way through the Software Development Life Cycle (SDLC)! Integrate DevSecOps practices into your daily routines and stay one step ahead of malicious attacks!

Release with confidence!

Protect your users and your reputation with SonarCloud. From now on, you know that when it comes to code security, we’ve got you covered!

SonarCloud Security Coverage

SQL Injection*

Cross-Site Scripting (XSS)*

Open Redirect*

HTTP Response Splitting*

Path Traversal Injection*

LDAP Injection*

Log Injection*

OS Command Injection*

RegExp Injection*

Server-Side Request Forgery (SSRF)*

XPath Injection*

Deserialization Injection*

Code Injection*

Object Injection*

Buffer Overflow

Weak Cryptography

Hard-Coded Credentials

Broken Access Control

XML External Entity (XXE)

Security Misconfiguration

* Not available for C and C++