Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.
Sonar announced the upcoming availability of SonarQube Advanced Security.
The new offering will extend SonarQube’s analysis capabilities beyond first-party and AI-generated code to include third-party open source code. With this announcement, Sonar will deliver the first fully integrated solution for developers to find and fix code quality and code security issues in the development phase of the software development lifecycle (SDLC).
SonarQube Advanced Security includes Software Composition Analysis (SCA) and advanced Static Application Security Testing (SAST), and will be available to all SonarQube customers. Today, SonarQube is the industry standard for code quality, used by +7 million developers at over 400,000 organizations.
Sonar’s new, enhanced security offering gives developers unprecedented visibility to find and fix security issues as they code. SonarQube Advanced Security features strengthen a robust set of existing security capabilities, which will remain available in the core SonarQube solution.
SonarQube Advanced Security includes the following features:
■ Software Composition Analysis (SCA):
- Vulnerability identification in third-party dependencies. Streamlined processes for tracking, managing, and mitigating known vulnerabilities (including CVEs) in third-party open source dependencies.
- License compliance. Ensuring that all incorporated components meet the organization’s policies for allowed software licenses.
- The ability to generate software bill of materials (SBOMs). Detailed inventories that help teams understand, manage, and report on the composition of their code.
■ Advanced SAST. Detection of hidden vulnerabilities in your code's interactions with third-party dependencies that traditional tools fail to detect.
SonarQube core code security capabilities include:
- SAST. The foundation of secure code, identifying security weaknesses and vulnerabilities in first-party code.
- Taint analysis. Uncovering injection vulnerabilities (e.g. cross-site scripting, SQL Injection) that span multiple files to ensure user input is used safely across the entire application.
- Secrets detection. Automatically scanning for hard-coded secrets, helping teams prevent credential leakage.
- Infrastructure as Code (IaC) scanning. Finding security misconfigurations in your infrastructure as code to ensure secure production environments.
- Security reporting. Report on code compliance for standards like OWASP Top 10, PCI DSS, STIG, CASA, and CWE Top 25.
- Security engine custom configuration. Fine-tune security configurations for organization-specific needs.
“Our approach to code security is rooted in the same philosophy that allowed us to become the leaders in code quality — we put developers first,” said Tariq Shaukat, CEO of Sonar. “The release of advanced security features as an extension of our existing SonarQube offering provides an even more comprehensive integrated code quality and code security solution that empowers developers to build better, faster.”
SonarQube Advanced Security is the first step in integrating Sonar’s recent acquisition of Tidelift and its unique, proactive approach to improving third-party code quality and code security by working directly with open source maintainers.
SonarQube Advanced Security takes the concept of “shift left” a step further to “start left.” With this “start left” approach, code security and code quality issues are prioritized at the beginning of the SDLC. The later code security and code quality issues are caught in the SDLC, the more expensive they are to fix. By starting left, developers increase their productivity and effectiveness while producing high quality, secure code.
Industry News
GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.
Red Hat announced its integration with the newly announced NVIDIA Enterprise AI Factory validated design, helping to power a new wave of agentic AI innovation.
JFrog announced the integration of its foundational DevSecOps tools with the NVIDIA Enterprise AI Factory validated design.
GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.
Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.
Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.
CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.
Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.
Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.
Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.
Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.
Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.