« Blog Home

Customer Story: How a Global Luxury Automaker Controlled Unexpected Code Risks with SonarQube SCA and SAST

Getting your Trinity Audio player ready...

The Challenge: Unexpected Security Risks, Low Visibility, and Delivery Disruptions

Recently, a significant shift in the industry has increased complexity for engineering leadership: rapid growth in the complexity of the software supply chain, a steady rise in newly reported CVEs, and growing expectations for transparency and governance.

Dependency risk was no longer just a technical issue – it became a strategic threat to customer trust and delivery velocity. 

Global Luxury Automaker sonarqube sast sca

Similar to many modern development organizations, the team faced challenges of hidden dependency risks in complex build processes, unpredictable delivery pipelines, and persistent gaps in portfolio-level vulnerability visibility. 

Their internally developed Software Composition Analysis (SCA) tool supported SBOM generation and identified known open-source vulnerabilities. However, as their dependency trees deepened and post-build threats emerged, the limitations became clear: 

  • It was almost impossible to track transitive (indirect) dependencies. 
  • Newly discovered vulnerabilities led to sudden and unpredictable build failures. 
  • Management struggled to obtain real-time insights across the entire portfolio, leading to time-consuming manual audits. 
  • Security and platform teams identified these “blind spots” as the “biggest pain point” in their governance model. 

The accumulation of vulnerabilities forces an urgent modernization of governance:
For years, the organization maintained the status quo until mounting risks created a tipping point. Vulnerabilities discovered post-build exposed business-critical pipelines. Unplanned downtime caused missed target dates, and developers dedicated significant time to manual triage, slowing down team progress.
“They needed to know, instantly and at scale, where they were exposed – and what was most important,” explained an engineering director. 

And so began the search for a solution built to address velocity, scale, and cross-team collaboration around governance and security. 

SonarQube Advanced Security Provides Immediate Portfolio Coverage 

The technology team at the global luxury automaker chose SonarQube Advanced Security to modernize their SCA workflows. The transition, which spanned hundreds of projects, was described by engineers as “as easy as it gets.” No custom configuration was required, and scan speeds outperformed their previous tools, saving time and reducing manual overhead. Engineers highlighted SonarQube as a “huge timesaver,” freeing up development and security resources for higher-impact work. Onboarding was straightforward and clear, scaling easily across projects.

Three SonarQube Advanced Security Capabilities Driving Secure and Predictable Software Delivery: 

  1. Exploit-aware risk prioritization:
    Rather than relying solely on CVSS scores, SonarQube’s SCA risk signals integrate sources like the CISA Known Exploited Vulnerabilities list and EPSS scores. This allows teams to prioritize remediation for vulnerabilities with known exploits, accelerating response to those posing a real-world threat. 
  2. Actionable Triage Process:
    SonarQube’s intuitive dashboard provides rich context for vulnerabilities, even for deeply nested dependencies. Engineers noted, “The dashboard made everything clear. We could understand the problem right down to the specific library affected and act with confidence.” Real-time unified reports replaced manual exposure mapping across the portfolio. SonarQube’s unique data also includes deeper reviews of CVEs to deliver actionable guidance, directly from Sonar’s contractual partnership with open-source maintainers. This human-curated intelligence significantly reduces the “noise” often associated with dependency scanning. 

    A full demonstration of the dashboard is available (contact us – details below).

  3. Stable and Predictable Pipelines:
    Importantly, SCA findings have now been separated from quality gates.
    In the past, newly discovered vulnerabilities could automatically fail builds; SonarQube allows teams to remediate at their own pace, preventing surprise failures and improving delivery consistency.

The Result: Governance and Compliance scaled across applications using a unified SBOM and intelligent SCA. 

With SonarQube Advanced Security, the organization standardized SBOMs and SCA intelligence across applications and shared services, uniting code quality and security into a single workflow. Managers can now handle license compliance, monitor vulnerability exposure, and enforce code quality standards through quality gates and SCA dashboards. Platform and AppSec teams report reduced developer toil, improved velocity, and a repeatable framework for incident response. Their transformation highlights actionable insights, developer empowerment, and measurable business impact at scale. 

What’s Next: Preparing for Next-Generation Governance and Closing Remaining Security Blind Spots

The next step involves addressing remaining governance gaps. With portfolio- and application-level component searching coming soon to SonarQube, management will gain the unified, cross-project visibility they need, turning “blind spots” into best practices. 

By implementing SonarQube Advanced Security, this global luxury automaker achieved scalable governance, a developer-centric approach, and alignment with the velocity and risk requirements of modern software development. This journey offers a practical blueprint for any Platform or AppSec leader looking to modernize code security while maintaining speed and control. 

Summary: 

The dashboard (of SonarQube) made everything clear. We could understand the problem right down to the specific library affected and act with confidence.(Development Team Engineer) 

We officially represent Sonar solutions and offer licenses, consulting, support and training.
For more details, contact us: sonar@almtoolbox.com or call us: 866-503-1471 (USA / Canada) or +31 85 064 4633

    * Full Name

    * Work Email

    * Are you using any AI tools today? What tools?

      * Full Name

      * Work Email

      Are you using any SCA solution? Which one?

        * Full Name

        * Work Email

        * Are you using OpenProject?

        Do you have any questions you'd like to ask before the webinar?

          * Full Name

          * Work Email

          * Are you using any Secrets Management solution? Which one?