How can DevSecOps teams prioritize the most critical vulnerabilities in production? In this Sonar Summit 2026 session, we explore how integrating SonarQube with Dynatrace enriches static analysis findings with real-time runtime context, enabling teams to better prioritize remediation efforts.

Traditional static code analysis identifies vulnerabilities, bugs, and code quality issues early in the software development lifecycle. However, understanding which issues have the greatest impact in production requires runtime observability and contextual intelligence. By integrating SonarQube findings into the Dynatrace AI-powered observability platform, development and security teams can:

- Ingest vulnerability findings, code quality metrics, and audit logs
- Enrich static analysis results with runtime context from production environments
- Reduce alert noise and focus on the most critical issues
- Prioritize remediation based on real-world application behavior
- Automate security workflows across DevSecOps pipelines

This integration helps organizations strengthen application security, software quality, and DevSecOps automation by connecting development insights with operational data.
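The session describes the enrichment idea in outline only: join each static finding to the workloads actually built from its repository, weight it by what the runtime knows about those workloads (stage, internet exposure, sensitive data), drop findings that are not deployed anywhere, and gate promotion on the result. The script below is an added example of that logic, not code from SonarQube, Dynatrace, or the session. Every record in it is constructed: the finding and workload field names, the rule keys (`RULE-CMD-INJECTION` and similar), the repository and workload names, the severity weights, and the `GATE_THRESHOLD` are all placeholders and assumptions, not the real export formats or any vendor's scoring.

```python
"""Prioritise static-analysis findings with runtime context (added example).

Not SonarQube's or Dynatrace's code. All records, field names, rule keys,
weights and thresholds below are constructed assumptions for illustration.
"""

# Assumed severity scale (SonarQube uses these level names; weights are ours).
SEVERITY_WEIGHT = {"BLOCKER": 10, "CRITICAL": 8, "MAJOR": 5, "MINOR": 2, "INFO": 1}

# Constructed static-analysis findings (placeholder rule keys, not real rule ids).
FINDINGS = [
    {"repo": "shop/checkout",    "rule": "RULE-CMD-INJECTION", "severity": "CRITICAL", "file": "src/pay.py"},
    {"repo": "shop/checkout",    "rule": "RULE-HARDCODED-URI", "severity": "MINOR",    "file": "src/cfg.py"},
    {"repo": "shop/reporting",   "rule": "RULE-CMD-INJECTION", "severity": "CRITICAL", "file": "app/run.py"},
    {"repo": "tools/legacy-cli", "rule": "RULE-SQL-INJECTION", "severity": "CRITICAL", "file": "main.py"},
]

# Constructed runtime inventory standing in for a repository -> deployed-workload map
# (the kind of mapping the session attributes to Smartscape).
RUNTIME = [
    {"workload": "checkout-svc",     "repo": "shop/checkout",  "stage": "production", "internet_exposed": True,  "handles_pii": True},
    {"workload": "checkout-staging", "repo": "shop/checkout",  "stage": "staging",    "internet_exposed": True,  "handles_pii": False},
    {"workload": "reporting-job",    "repo": "shop/reporting", "stage": "production", "internet_exposed": False, "handles_pii": True},
]


def enrich(findings, runtime):
    """Join each finding to every workload built from its repository.

    Returns (enriched, undeployed). A finding whose repository has no running
    workload is set aside instead of competing for attention: that is the
    noise-reduction step.
    """
    by_repo = {}
    for w in runtime:
        by_repo.setdefault(w["repo"], []).append(w)
    enriched, undeployed = [], []
    for f in findings:
        workloads = by_repo.get(f["repo"])
        if not workloads:
            undeployed.append(f)
            continue
        for w in workloads:
            enriched.append({**f, **{k: v for k, v in w.items() if k != "repo"}})
    return enriched, undeployed


def risk_score(item):
    """Static severity plus additive runtime modifiers (weights are assumptions)."""
    score = SEVERITY_WEIGHT[item["severity"]]
    if item["stage"] == "production":
        score += 4
    if item["internet_exposed"]:
        score += 3
    if item["handles_pii"]:
        score += 2
    return score


def prioritize(findings, runtime):
    """Enriched findings, highest runtime-adjusted risk first."""
    enriched, _ = enrich(findings, runtime)
    for e in enriched:
        e["score"] = risk_score(e)
    return sorted(enriched, key=lambda e: (-e["score"], e["workload"], e["rule"]))


GATE_THRESHOLD = 15  # assumption: block promotion at or above this score


def deployment_gate(findings, runtime, repo, target_workload):
    """Evaluate a repository's findings against the TARGET workload's context.

    A staging build is scored as if it were already running where it is about
    to be promoted to, so production exposure counts before the rollout.
    """
    target = next(w for w in runtime if w["workload"] == target_workload)
    blocking = []
    for f in findings:
        if f["repo"] != repo:
            continue
        score = risk_score({**f, **target})
        if score >= GATE_THRESHOLD:
            blocking.append((f["rule"], f["file"], score))
    return (len(blocking) == 0, blocking)


def ticket_summary(item):
    """One-line summary carrying the runtime mapping, as a tracker ticket would."""
    return (f"[{item['severity']}] {item['rule']} in {item['repo']}:{item['file']} "
            f"-> {item['workload']} ({item['stage']}, internet_exposed={item['internet_exposed']}, "
            f"pii={item['handles_pii']}, score={item['score']})")


if __name__ == "__main__":
    for item in prioritize(FINDINGS, RUNTIME):
        print(ticket_summary(item))
    ok, why = deployment_gate(FINDINGS, RUNTIME, "shop/checkout", "checkout-svc")
    print("promote shop/checkout -> checkout-svc:", "ALLOWED" if ok else f"BLOCKED {why}")
```

The same CRITICAL rule lands at the top of the list when it maps to the internet-exposed production service and well down it when it maps only to the staging copy, while the finding in the undeployed CLI repository never enters the ranked list at all. The gate scores the checkout build against the production workload's attributes rather than staging's, which is what turns a "passes in staging" result into a blocked promotion.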
Timestamps:
00:00 — Introduction
00:30 — Dynatrace Platform Overview: Data Intelligence & Monitoring
01:13 — Smartscape Overview: Kubernetes, Containers, Runtime Entities
01:54 — Connecting Code, Build, and Runtime with SonarQube
02:31 — Semantic Mapping for Vulnerability Prioritization
02:48 — Security Dashboard: Explore Risks and Link to SonarQube
03:30 — Posture Overview: Security, Reliability, Maintainability
04:01 — Automating Vulnerability Workflows with Dynatrace
04:40 — Runtime Context: Prioritizing Production Risks
05:20 — Trigger Workflow for Critical SonarQube Vulnerabilities
05:56 — Mapping Vulnerabilities to Kubernetes via Smartscape
06:19 — Mapping Repositories to Deployed Services
07:26 — Runtime Vulnerability Analytics and Data Context
08:08 — Ingesting Enriched Vulnerability Events into Dynatrace
08:21 — Creating Jira Tickets for Production Vulnerabilities
09:06 — Jira Ticket Example with Runtime Mapping
09:38 — Investigating Kubernetes Workloads and Production Tags
10:03 — Ticket Details: Internet Exposure and Data Signals
10:18 — Finding Additional Runtime Vulnerabilities
10:51 — Visualizing Enriched Vulnerabilities in the Dashboard
11:12 — Runtime Entity Mapping: Containers with Critical Issues
12:02 — Runtime Security Gates from Staging to Production
12:55 — Deployment Gate Failure and Optional Rollback
13:24 — Wrap-Up: Connecting Code Vulnerabilities to Runtime Risk

#SonarSummit #DevSecOps #ApplicationSecurity #Observability #SoftwareQuality