How to start Static Application Security Testing(SAST) with SonarQube?

3 min readMar 24, 2021


In practice, I have used different SAST solutions, and in my opinion, one of the best is Sonarqube. The advantages are: supports multiple programming languages, have different plugins that can increase the coverage, integration possibilities, and of course, a free community version. In this article, I will describe how to install and launch scanning with SonarQube on MacOS.

  1. Install

Open your console and run the commands below to install sonar and sonar-scanner:

brew install sonar

brew install sonar-scanner

2. Run Sonar

Open your console and run the following command to run Sonar:

  • sonar console

After successful launch, open http://localhost:9000 . Use the default credentials(admin/admin) to Login.

3. Create new Project

  • Open Projects tab > Add project > Manually > Write “Project key” > Set Up
  • Enter a name for your token > Generate > Continue
  • Select the “technology” and “OS”

3. Launch the scan

  • For the test, I chose and downloaded the well-known vulnerable application juice-shop(
  • Open console > Navigate to the project folder > Execute the command from the “Execute the Scanner from your computer” part
  • The scan ended
  • Open the “Security Hotspots” > Review the findings

Follow me and stay secure!




MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Paysera..