How Sonar is elevating code quality in the age of AI

Sonar’s code quality platform helps developers maintain secure, high-quality code amid the rise of artificial intelligence-based coding assistants, now expanding into the Asian market

In software development, maintaining code quality can feel like swimming against the tide. With growing pressure for faster delivery and the rise of artificial intelligence (AI) coding assistants, ensuring clean, efficient and secure code has become more crucial than ever.

Sonar, a company with a 15-year history of championing code quality, is helping developers do just that. Founded by three engineering managers frustrated by recurring code errors, Sonar developed a platform that acts as an automated code reviewer.

Using a proprietary set of analysers and a rulebook covering 30 languages and over 5,500 rules, the company’s software scrutinises code for security vulnerabilities, performance issues and maintainability.

Sonar also integrates seamlessly with developer workflows, providing feedback in integrated developer environments (IDEs) and pull requests. It can even block the merging of pull requests that contain quality issues, ensuring only high-quality code makes it into production.

“We’re like an extra set of deterministic eyes,” said Andrea Malagodi, Sonar’s CIO and a 25-year technology veteran who worked for JP Morgan Chase, adding that the company’s goal is to help customers identify bugs and security vulnerabilities before they snowball into major headaches later.

One unique feature it offers is the static application security testing (SAST) analysis of the 1,000 largest open source libraries. This allows Sonar to detect vulnerabilities that developers might inherit through the use of third-party software.

Beyond the technical aspects, Sonar also addresses the broader concept of clean code. The company advocates for consistent formatting, clear logic, efficient performance and adaptable code, while giving customers the flexibility to customise rules based on their specific needs.

The ultimate responsibility for code quality, however, rests with developers. Malagodi stressed the importance of fostering a culture of quality within engineering teams, noting that when developers are confronted with a messy, poorly written codebase, it leads to frustration, decreased job satisfaction and, ultimately, higher turnover.

While generative AI coding assistants such as GitHub Copilot can help, they are not without their flaws. These assistants, often trained on vast amounts of open source code, can occasionally suggest incorrect syntax or logic, potentially introducing new risks as developers may not always review the AI-generated code.

“The biggest fear I have is that more junior developers who don’t have the practical experience are going to be more susceptible to say, ‘somebody else came up with a great suggestion and it’s probably okay, so I’ll accept that’,” said Malagodi.

Malagodi highlighted the importance of “quality gates”, or control parameters that define what code is acceptable and what code is rejected. He believes AI-generated code should also be subject to rigorous review to ensure that it meets quality standards. “Humans have to review this stuff – it can’t just go in unadulterated.”
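As an added illustration of the "quality gate" idea described above (example code written for this page, not Sonar's own implementation or configuration format), the snippet below evaluates a small set of deterministic conditions over the findings of a pull request and returns the pass/fail verdict a CI step would use to block the merge. The metric names, thresholds and sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str        # "bug", "vulnerability" or "code_smell"
    severity: str    # "blocker", "critical", "major" or "minor"
    new_code: bool   # True when the issue was introduced by this pull request

@dataclass
class Condition:
    metric: str      # key in the metrics dict
    op: str          # ">" fails when value is above threshold, "<" when below
    threshold: float

def collect_metrics(findings, new_coverage):
    """Reduce per-issue findings to the metrics the gate is defined on.
    Only issues on new code count, so legacy debt does not block the PR."""
    new = [f for f in findings if f.new_code]
    return {
        "new_vulnerabilities": sum(1 for f in new if f.kind == "vulnerability"),
        "new_bugs": sum(1 for f in new if f.kind == "bug"),
        "new_blocker_issues": sum(1 for f in new if f.severity == "blocker"),
        "new_coverage": new_coverage,   # percentage of new lines covered by tests
    }

def evaluate_gate(conditions, metrics):
    """Return (passed, failed_conditions). Every breached condition is reported,
    not just the first, so the developer sees the whole picture at once."""
    failed = []
    for c in conditions:
        value = metrics[c.metric]
        breached = value > c.threshold if c.op == ">" else value < c.threshold
        if breached:
            failed.append(f"{c.metric}={value} (limit: not {c.op} {c.threshold})")
    return (not failed, failed)

# Constructed gate: zero tolerance for new vulnerabilities/bugs/blockers,
# and at least 80% test coverage on new code.
GATE = [
    Condition("new_vulnerabilities", ">", 0),
    Condition("new_bugs", ">", 0),
    Condition("new_blocker_issues", ">", 0),
    Condition("new_coverage", "<", 80.0),
]

def review_pull_request(findings, new_coverage, gate=GATE):
    """Verdict for the merge check: (True, []) allows the merge, otherwise blocks it."""
    return evaluate_gate(gate, collect_metrics(findings, new_coverage))

# Constructed sample: one vulnerability and one smell are new; the bug is pre-existing.
SAMPLE_FINDINGS = [
    Finding("vulnerability", "critical", True),
    Finding("bug", "major", False),
    Finding("code_smell", "minor", True),
]
```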

Sonar sees this as an opportunity to enhance its value proposition as organisations deal with a growing mix of human- and AI-generated code. “We are already seeing growth as any developer or business owner now needs to think about cleaning up their AI-generated code,” said Malagodi.

With the rise of cloud-based IDEs and low-code, no-code development platforms generating code behind the scenes, ensuring transparency and provenance of code is crucial, particularly in regulated industries, but the suppliers of those platforms do not always expose their code to customers.

“Low-code, no-code is great in the beginning, but over time you’re introducing more risk for yourself and higher costs,” he said, adding that no regulator will accept a “remote call to private, closed-door source code” as proof of provenance during an audit. “You’re going to have to do some work.”

Malagodi believes Sonar’s strength lies in its focus on developers, noting that some offerings in the market start with the needs of risk officers and then try to translate that down to developers. This can lead to challenges, such as false positives, which can frustrate developers.

“With our analysers, we want more coverage, less false positives and increased performance, a triad of competing qualities that we need to fight for because we know developers have very little patience,” said Malagodi.

As Sonar expands its global footprint, the company sees potential in Asia where it had not focused until recently, when it opened its regional headquarters in Singapore staffed by engineers, a corporate IT team and sales personnel to serve the region.

Malagodi said the response to Sonar’s offerings in Asia has been positive, with the company seeing growing interest from customers including government agencies and the financial sector. “We have lots of companies working with us now to look at solutions, be it in Japan, Korea and elsewhere in the region,” he added.

Globally, the finance industry, in particular, has been an early adopter of Sonar’s tools as the sector’s high software development velocity and stringent regulatory requirements have created a strong need to ensure code quality and security. “That story probably will repeat itself in Asia,” said Malagodi.
