Figure 1: The SonarQube dashboard lists security vulnerabilities detected by RIPS code analysis.

Global organizations use SonarQube to consolidate different quality analysis tools in one place, which simplifies management and maintenance and makes it easier to learn from findings. Seasoned developers are able to focus on their work without using multiple tools, whereas new developers can be quickly onboarded. This is enabled by the vast language support provided in the default plugin repository. Additionally, SonarQube can be connected to the most commonly used continuous integration tools, including Bamboo, Travis CI, Jenkins, and TeamCity. Find out more about the value of continuous integration in our Jenkins blog post.

Figure 2: Supported CI tools. Source:


The default analysis tool to scan PHP applications within SonarQube is SonarPHP. It includes a total of 128 rules categorized in Bugs (18), Code Smells (100), and Vulnerabilities (10). Most of the security-related rules are simple configuration checks (e.g. “file_uploads should be disabled”, “allow_url_fopen should be disabled”) or trivial function-call signatures (such as sleep() and eval()).

Figure 3: Overview of the default SonarPHP rules.

While heuristic reports of potentially dangerous PHP features can help in a general code quality review, the detection of real security vulnerabilities requires a much more complex data flow analysis. With the help of our RIPS SonarQube plugin, an in-depth security analysis can be easily added to reveal critical security vulnerabilities within minutes.
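The difference between a function-call signature rule and data flow analysis can be shown with a toy scanner. This is an added illustration, not the SonarPHP or RIPS engine; the PHP sample is constructed, and the source, sink and sanitizer lists are assumptions chosen for the demo.

```python
import re

# Constructed PHP sample (not from the page): line 2 is a harmless eval(),
# lines 3-5 carry request input through two assignments into a SQL sink,
# lines 6-7 pass request input through intval() before the same sink.
SAMPLE = r'''<?php
eval('return 1 + 1;');
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;
mysqli_query($db, $sql);
$safe = intval($_GET['page']);
mysqli_query($db, "SELECT * FROM posts LIMIT " . $safe);
'''

SIGNATURES = ("eval", "sleep")  # function names a signature rule flags
SOURCES = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\b")
SANITIZERS = re.compile(r"\b(intval|mysqli_real_escape_string)\s*\(")
SINKS = re.compile(r"\b(mysqli_query|eval)\s*\((.*)\)\s*;")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
VAR = re.compile(r"\$\w+")

def signature_scan(code):
    """Flag every call to a listed function, regardless of its arguments."""
    pat = re.compile(r"\b(%s)\s*\(" % "|".join(SIGNATURES))
    return [n for n, line in enumerate(code.splitlines(), 1) if pat.search(line)]

def tainted(expr, taint):
    """Tainted if the expression reads a source or a tainted variable,
    unless a known sanitizer appears (coarse, whole-expression check)."""
    if SANITIZERS.search(expr):
        return False
    return bool(SOURCES.search(expr)) or any(v in taint for v in VAR.findall(expr))

def taint_scan(code):
    """Propagate taint through straight-line assignments; report tainted sinks."""
    taint, findings = set(), []
    for n, line in enumerate(code.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            (taint.add if tainted(expr, taint) else taint.discard)(var)
            continue
        s = SINKS.search(line)
        if s and tainted(s.group(2), taint):
            findings.append(n)
    return findings

if __name__ == "__main__":
    print("signature rule flags lines:", signature_scan(SAMPLE))
    print("taint tracking flags lines:", taint_scan(SAMPLE))
```

The signature rule reports only the constant `eval()` on line 2, while the taint pass reports the injectable query on line 5 and stays silent on the sanitized query on line 7.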

RIPS SonarQube Plugin

Our plugin includes over 100 security-related analysis rules extracted from our current analysis engine, providing the most complete and accurate static analysis solution available for PHP. By using this plugin you can automatically trigger new security analyses of your applications with your self-hosted RIPS instance or via your RIPS SaaS account. All findings can then be examined directly in SonarQube. Further, you can configure a project-based security risk that results in a quality gate failure whenever a custom threshold of vulnerabilities is detected.

Figure 4: The quality gate failed because new security vulnerabilities were detected since the last analysis.

The analysis overview shown in Figure 4 provides a summary of the latest analysis with a direct comparison to the previous scan. In this example, it is clearly indicated that the new version has a security-related regression and that further actions are required by the developer or project manager. In addition to the comparison generated by SonarQube, a more detailed comparison can be reviewed in the user interface of RIPS.

As a next step, a list of all detected security vulnerabilities categorized by issue type can be reviewed in SonarQube (see Figure 6). The issues can be assigned to different users who can prioritize and manage the resolution with additional comments or review states.

Figure 6: List of detected security issues with severity level, review state, assigned user, and estimated remediation effort.

Finally, each security issue can be verified from the highlighted code lines and then resolved by following the instructions in the issue description. The detected issues also reference the interactive RIPS dashboard, which provides many additional features for an efficient review of complex issues.

Figure 7: The affected code line is highlighted as well as an issue description and resolution.


SonarQube is an extremely useful tool to govern and drive the quality of your source code. Due to the wide distribution of SonarQube and the large number of plugins and further integrations, it is straightforward to integrate into your SDLC for the majority of platforms. Combining SonarQube with the efficient security analysis of RIPS enables the measurement of the overall quality and security of your applications in a single place.