Tuesday, 23 October 2018

What Is SonarQube?

SonarQube is an open-source platform for continuous inspection of code quality. Using static code analysis, it tries to detect bugs, code smells and security vulnerabilities. SonarQube supports many languages through built-in rulesets and can also be extended with various plugins.

In this article, we are particularly interested in security issues. Many static analysis tools exist for the Java language, including free and open-source ones. Some advantages of SonarQube are the following:

It is actively developed and well integrated. Many plugins are available to use it as part of continuous integration pipelines, including for Maven, Jenkins and GitHub.
Its built-in rulesets can be extended with plugins that are more security-oriented. For instance, we will use the FindBugs plugin to take advantage of FindBugs rules.
It can also report things such as duplicated code, code coverage or coding standards.
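As an added example of the continuous-integration use described above (this is not code from the original post), the following Jenkins declarative pipeline builds a Maven project, runs a SonarQube analysis, and then blocks the build until the server's quality gate has been evaluated. The SonarQube server name `sonarqube`, the Maven installation name `Maven 3` and the project key `my-project` are placeholders that must match what is configured in Jenkins and SonarQube; the pipeline assumes the SonarQube Scanner for Jenkins plugin is installed.

```groovy
// Added example, not part of the original post.
// Assumes: a SonarQube server registered in Jenkins under the name 'sonarqube'
// (placeholder), a Maven installation named 'Maven 3' (placeholder), and the
// SonarQube Scanner for Jenkins plugin. 'my-project' is a placeholder project key.
pipeline {
    agent any
    tools {
        maven 'Maven 3'
    }
    stages {
        stage('Build') {
            steps {
                // FindBugs-based rules analyse bytecode, so compile and test
                // before the analysis runs.
                sh 'mvn -B clean verify'
            }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and credentials of the
                // named server into the environment used by the scanner.
                withSonarQubeEnv('sonarqube') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=my-project'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // The server computes the quality gate asynchronously; wait for
                // its result and abort the pipeline if the gate fails.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

Two details matter in practice: `waitForQualityGate` relies on a webhook configured on the SonarQube server that points back to Jenkins, otherwise the step waits until the timeout; and the FindBugs rules mentioned above are only applied if the FindBugs plugin is installed on the server and its rules are activated in the quality profile assigned to the project. With those in place, a quality gate condition such as "no new vulnerabilities" turns the analysis into a build-breaking check rather than a report that nobody reads.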

Some screenshots:

https://www.sourceallies.com/2010/02/sonar-code-quality-analysis-tool/
