SonarQube 2025.4 is now live with stronger security and faster code

Most engineering teams know the tension between speed and safety. Rushing code into production increases risk. Slowing down for checks frustrates delivery. Tools often add noise instead of clarity, and teams end up spending more time triaging results than improving their code.
The new SonarQube Server 2025 Release 4 is designed to break this trade-off. It adds major advances in security, performance, maintainability and compliance that help developers find issues earlier, act with more precision, and keep momentum without cutting corners. This release strengthens the platform across multiple languages, integrates deeper into developer workflows, and brings continuous visibility into dependency risks.
Expanded Core Security
Security has to start inside the codebase. This release expands Static Application Security Testing (SAST) and taint analysis to more languages:
- SAST for Go: Integrated taint analysis detects vulnerabilities such as injection flaws directly in Go code, giving developers immediate feedback within their workflow.
- Taint analysis for VB.NET: Extends the same SAST infrastructure used for C# to VB.NET, making it easier to detect complex data flow vulnerabilities across .NET projects.
- Next-gen JS/TS taint analysis engine: Replaces the previous JavaScript and TypeScript engine with a more accurate and performant version, providing stronger coverage for modern web applications.
The outcome is fewer blind spots, faster detection, and a stronger security posture across diverse technology stacks.
Best-in-class Secrets Detection
Secrets left in code are one of the fastest ways to invite breaches. SonarQube 2025.4 expands its already strong detection:
- Over 400 secret patterns covered by 340 rules, across 248 cloud services.
- Detection extended to YAML and JSON files, where sensitive data is often stored in configuration and infrastructure-as-code.
- Improved detection for Kotlin, with zero configuration required.
This reduces false alerts while giving teams comprehensive visibility into sensitive data risks, ensuring compliance and protecting code integrity.
Compliance Made Simpler
For organizations working under strict industry standards, compliance checks are no longer optional. This release makes them easier and earlier:
- MISRA C++ 2023 rules are now available directly in IDEs like VS Code, Visual Studio, and CLion, allowing developers to resolve compliance issues as they code.
- Configurable security reports that align with PCI, OWASP, CWE, STIG, and CASA, with customizable PDF exports and CSV downloads. Reports now include accepted security issues and hyperlinks for clearer navigation.
By surfacing compliance insights directly in the workflow, SonarQube reduces rework and shortens audit cycles.
Developer Productivity Improvements
Code quality should not come at the cost of developer flow. This release adds targeted improvements that keep teams moving:
- 33% faster C/C++ analysis through a new caching mechanism that shortens reanalysis time for large or complex codebases.
- New Python rules for asynchronous programming, reducing common pitfalls in coroutines and comprehensions for cleaner, more performant code.
- Java performance upgrades with new rules and automated quick fixes to eliminate bottlenecks.
- Full support for Java 23, Java 24, and Dart 3.8, ensuring teams stay ahead with the latest language features.
- Advanced Java bug detection powered by the Dataflow Bug Detection (DBD) engine, replacing older analyzers with cross-procedural analysis to catch issues like null dereferences and division-by-zero across multiple function calls.
- Expanded NOSONAR for Python, allowing developers to suppress specific rules at the line level for more precise control and less noise.
These updates cut delays, reduce false positives, and help developers focus on meaningful progress.
Advanced Security: Continuous Visibility Into Dependencies
Modern applications rely heavily on third-party code, and unmanaged dependencies create hidden risks. SonarQube 2025.4 expands Advanced Security with stronger Software Composition Analysis (SCA):
- Continuous vulnerability detection that updates dependency risks automatically, without requiring full reanalysis.
- Customizable risk severity, giving teams the flexibility to align severity levels with their unique context.
- Machine-readable SCA reports in JSON and CSV, making it easy to integrate with BI tools and automate reporting.
- PHP dependency support, extending vulnerability scanning and license management to Packagist/Composer packages.
- IDE integration for Visual Studio, IntelliJ, and VS Code, so developers can see dependency risks directly while coding.
The result is up-to-date visibility, fewer surprises, and remediation that happens faster and earlier.
Why This Release Matters
The 2025.4 release is not just an incremental update. It reflects a shift in how SonarQube supports teams:
- Security is integrated into more languages so vulnerabilities are caught at the source.
- Secrets detection is broadened to where risks actually live.
- Compliance is built into the workflow instead of bolted on later.
- Productivity gains that keep feedback loops short and meaningful.
- Continuous dependency monitoring so third-party risks are managed automatically.
Together, these changes allow organizations to scale development without scaling risk.
SonarQube Server 2025.4 Available Now
The new release is now available for Developer, Enterprise, and Data Center Editions, with Advanced Security features available in Enterprise and Data Center.
At Amrut Software, we are a trusted Sonar partner with hands-on expertise in upgrades and implementations. We help teams adopt the latest releases seamlessly, align them to real-world workflows, and see results from day one.
Explore SonarQube Server 2025.4 with Amrut Software. Contact us to learn how your teams can upgrade and gain the full benefit of these new features.

