Is SonarQube primarily SAST, code quality, or both? [Basic]
Answer
SonarQube is both a code quality platform and a SAST-style static analysis tool. It detects security vulnerabilities and hotspots, but it also evaluates maintainability, reliability, duplication, test coverage, and technical debt.
Technical explanation
Calling it only SAST understates its quality-management role.
Calling it only code quality understates its security rules, vulnerability detection, taint analysis capabilities in supported editions, and security review workflows.
In interviews, I describe it as static code analysis for quality and security with quality gates for governance.
Hands-on example
Example: a PR analysis finds a SQL injection vulnerability, 12 code smells, duplicate blocks, and coverage below the new-code threshold. The pipeline fails because the quality gate checks all configured quality and security conditions together.
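To make the "checks all conditions together" point concrete, here is an added Python model of quality-gate evaluation; it is not code from the original page or from SonarQube. The gate definition, metric keys and the PR's measures are constructed assumptions loosely modelled on SonarQube's new-code metrics, and the fail-closed handling of a missing measure is this example's own policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    metric: str      # SonarQube metric key, e.g. "new_vulnerabilities"
    comparator: str  # "GT": fail if actual > threshold; "LT": fail if actual < threshold
    threshold: float

# Hypothetical gate on new code (assumption, loosely modelled on SonarQube's
# built-in gate): security conditions sit next to quality conditions.
GATE = [
    Condition("new_vulnerabilities", "GT", 0),
    Condition("new_security_hotspots_reviewed", "LT", 100),
    Condition("new_code_smells", "GT", 0),
    Condition("new_duplicated_lines_density", "GT", 3),
    Condition("new_coverage", "LT", 80),
]
SECURITY_METRICS = {"new_vulnerabilities", "new_security_hotspots_reviewed"}

def evaluate(gate, measures):
    """Return ("OK"|"ERROR", failed). Every condition is checked; one breach
    fails the whole gate. A missing measure (e.g. no coverage report was
    uploaded) fails closed instead of silently passing."""
    failed = []
    for c in gate:
        actual = measures.get(c.metric)
        if actual is None:
            failed.append((c.metric, None, c.comparator, c.threshold))
            continue
        breached = actual > c.threshold if c.comparator == "GT" else actual < c.threshold
        if breached:
            failed.append((c.metric, actual, c.comparator, c.threshold))
    return ("ERROR" if failed else "OK"), failed

def summarize(failed):
    """Split failed conditions into security findings and quality findings."""
    security = [f for f in failed if f[0] in SECURITY_METRICS]
    quality = [f for f in failed if f[0] not in SECURITY_METRICS]
    return security, quality

# Constructed measures for the PR described above: one SQL injection
# vulnerability, 12 code smells, duplicated blocks, coverage under threshold.
PR_MEASURES = {
    "new_vulnerabilities": 1,
    "new_security_hotspots_reviewed": 100,
    "new_code_smells": 12,
    "new_duplicated_lines_density": 4.5,
    "new_coverage": 71.0,
}
```

Running `evaluate(GATE, PR_MEASURES)` returns `"ERROR"` with four failed conditions, one of them a security condition; fixing only the vulnerability would still leave the gate red because the quality conditions are evaluated in the same pass.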