In the following article, I will review SonarQube’s capabilities related to C++ that help developers and R&D managers, including demonstrations.

SonarQube offers Static Application Security Testing (SAST) for over 30 languages and frameworks (including infrastructure languages).
One of the most popular among them is C++.
The tool offers over 790 rules for C++ (many of which are unique), and supports 5 aspects:
Bugs, Security Vulnerabilities, Security Hotspots, Code Smells, and Quick Fixes.
You can request a detailed and updated Excel file containing all the rules for C++ (and other languages) from us – just contact us using the email below.
Questions? Feel free to contact us and we’ll be happy to answer! Email sonarqube@almtoolbox.com (phone number later in the article)
Bugs
SonarQube has over 170 rules for C++ that find bugs and explain how to fix them.
Here are a few examples:



Security Vulnerability
SonarQube currently has 14 rules for C++ that find security vulnerabilities and explain how to fix them.
Here are a few examples:



In the 2026.1 release (February 2026), SCA capabilities were added to detect vulnerabilities in external code packages written in C and C++.
Security Hotspots
SonarQube has over 18 rules for C++ that find Security Hotspots and explain how to fix them.
A Security Hotspot is a suspected vulnerability area in the code – usually due to interaction with a sensitive API,
patterns, or actions that may be sensitive – and requires manual human review to decide whether a vulnerability exists.
Here are a few examples:



Code Smell
SonarQube has over 590 rules for C++ that find Code Smells and explain how to fix them.
Here are a few examples:



What makes SonarQube especially suitable for C++?
- A wide variety of rules (over 670)
- Compliance with many C / C++ standards (such as MISRA and more – details below)
- “Clean Code” approach
- Fast scanning! Including incremental analysis only on the changed code, as well as multi-threaded analysis for optimal utilization of computing resources
- Detecting bugs related to information security and Security
- Strong integration with development and CI processes
- Integration with IDEs and development tools that support C++ and C
- High-quality support from the vendor, including the option for local support or a managed service (ours) that saves you the need to deal with server maintenance and ongoing operation
Video Demonstration of SonarQube and C++
Below is a video demonstration of SonarQube with C++.
For your convenience, we have added key points on the video’s timeline (you can jump to them via the player):
- 04:03 – Demonstration of Maintainability rules
- 07:25 – Demonstration of Reliability rules
- 11:10 – Demonstration of Security rules
- 16:04 – Demonstration of integration with development processes
Support for a wide range of standards:
- Classical and modern C++: C++98, C++03, C++11, C++14, C++17, C++20
- C++ Core Guidelines
- MISRA C++ 2023, MISRA C++ 2008, MISRA C++ 2012, MISRA C++ 2004, MISRA C 2012 & 2004
- “OWASP Top 10” 2021 & 2017
- CWE Top 25
- SANS Top 25
- PCI DSS
Support for a variety of operating systems and compilers:
- Windows, Linux, macOS
- Clang, GCC, MSVC, ARM, QNX compilers
- Intel compilers for Linux, macOS
- Compilers based wholly on GCC including Linaro GCC
- Wind River Diab and GCC
- IAR compilers for 8051, ARM, AVR32, AVR, Renesas RL78, Renesas RX, Renesas V850, Renesas H8, and Texas Instruments MSP430
- Texas Instruments compilers on Windows and macOS for ARM, C2000, C6000, C7000, MSP430, PRU
Information on costs and pricing:
Support for C++ is not available in the free SonarQube Community Edition.
Support for C++ is available in the following editions: Developer Edition, Enterprise Edition, and Data Center Edition.
Support for Security and OWASP reports is available only in the SonarQube Enterprise edition.
Support for scanning dependencies and external libraries (SCA) requires an “Advanced Security” license.
For more details, contact us (details below).
SonarQube pricing depends on several parameters. For more details on the differences between the editions, you can read the following article or contact us (details below).
This article was originally published in October 2022 and we have been updating it periodically ever since.
ALM-Toolbox is the only official distributor of SonarSource (maker of SonarQube, SonarCloud, and SonarLint) in Israel and other countries,
providing managed services, support, training, consulting, and licenses for SonarQube and a variety of complementary development and DevOps tools.
For more details, contact us at sonarqube@almtoolbox.com or by phone at 072-240-5222



