Sonar de facto Public Sector Standard

Federal Government

Clean Code for the Federal Government

Sonar provides developer-first solutions to deliver secure, reliable, maintainable code. We offer the functionality developers need with the security and stability government agencies and contractors require.

DoD Stamp of Approval

Our Docker images are hardened to U.S. Department of Defense standards (STIG-hardened) and available in the Iron Bank.


With more than 1,000 live instances, SonarQube is already trusted by leaders in the public sector including the FBI, NASA, the U.S. Department of Justice and many more.


a pen-tested, secure part of your pipeline

A routine part of delivery is periodic penetration testing. In addition to hardening SonarQube itself, we’ve also hardened our own build pipeline so you can be sure we’re delivering SonarQube to you securely. You can read more about what our penetration testers at Cure53 had to say about SonarQube 9.8 and 9.9 LTS.


In Cure53’s expert opinion, this project confirmed a very solid security premise at SonarSource… [SonarQube] is currently well protected against a broad number of web application attack vectors.


One can argue that the outcome highlights the development team’s commitment to maintaining security features with due diligence and adherence to best practices. Despite extensive deep-dives and exemplary coverage toward a plethora of application features by the Cure53 testers, no serious issues were detected.

Penetration Testing @ Cure53

Trusted by Public Sector Leaders

FBI, NASA, Canada, Agence De Services, Northrop Grumman, Freddie Mac, USPS.com, Raytheon Technologies

clean code throughout the development workflow

Our solutions integrate with your existing developer tools and workflows to give early, continuous feedback on whether your code meets the release standards set by your organization.

PR analysis in your DevOps platform

Analyze PRs and reflect the results directly in your DevOps platform to reliably track codebase health and prevent issues from flowing downstream.

full branch analysis in SonarQube

Full branch analysis in SonarQube keeps the team on track to release clean, safe code.

connected mode

Connected mode brings it full circle by syncing the organizational rule set into the IDE so the same rules are applied at every stage.

SonarLint in your IDE

SonarLint is a free IDE plugin offering instant feedback as you code. Fix issues before they exist.

Security reporting

OWASP / CWE Top 25 security reports in projects and portfolios

Dedicated reports track project security against the OWASP Top 10 and CWE Top 25 standards with a PDF export of the top reports. But securing your code isn’t just about reports. That’s why our custom SonarSource Vulnerability categorization helps translate security categorizations into language developers understand.

Clean Code delivers the fundamentals

Sonar’s ongoing research and innovation mean continuous delivery of important new rules and rule implementations, resulting in higher-quality, more secure code.

Developer-led security helps protect your assets

The pace of delivery is always increasing. That means you don’t have time to wait for periodic audits. Sonar's developer-led security approach means its highly accurate Vulnerability reports get into developer hands - and fixed - sooner. So your vulnerabilities are patched faster and your assets are more secure.

Reliability means your code does what it should

Sensitive projects deployed in critical environments have to work right. Every. Time. Buggy, unstable code is simply unacceptable. Sonar provides valuable rules to find critical Bugs early - before they can make it into production. Every version brings you more and smarter rules to keep your code - and your reputation - reliable.

Maintainability keeps overall project costs in check

Estimates vary, but industry and academic experts agree that the vast majority of project costs (up to 90%) go to maintenance. With a deep store of maintainability-related rules across all supported languages, SonarQube helps improve efficiency so developer time is spent delivering value.


© 2008-2023, SonarSource S.A, Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE and SONARCLOUD are trademarks of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.