SonarSource raises $412M to scan codebases for bugs and vulnerabilities

Maintaining source code is one of the toughest challenges that software developers face. In a 2020 survey from Sourcegraph, 51% of developers said that they have more than 100 times the volume of code they had 10 years ago while 92% say the pressure to release software faster has increased. The growing responsibilities can lead to poor-quality code slipping into production environments, increasing costs. One report estimates the impact of buggy software at $2.84 trillion per year.

Products have emerged over the years to address the problem of code maintenance, including the cloud-based code quality management service SonarSource. SonarSource, whose technology detects reliability and vulnerability issues in code, today announced that it raised $412 million in a funding round co-led by Advent International and General Catalyst at a $4.7 billion valuation.

“Organizations across all industries have long understood that software is critical to running their businesses. Recently, they’ve begun to realize and recognize that source code is the key component of their software — source code dictates how software will behave and also perform — and as such must receive good care,” SonarSource CEO Olivier Gaudin told TechCrunch via email. “SonarSource enables companies to improve the quality of their source code.”

Detecting issues in source code

Gaudin says he launched SonarSource to enable developers to administer best code quality practices that, in theory, could help to fix problematic code. It’s an acute problem. An alarming report from Veracode and Enterprise Strategy Group found that nearly half of organizations knowingly ship vulnerable code despite using cybersecurity tools, often to meet release deadlines. A separate survey from Veracode suggests that the majority of software library flaws — 92% — can be fixed via an update, but that 79% of the time, developers never update libraries after they’re added to a codebase for fear of breaking functionality.

Gaudin has a financial industry background, having worked at JP Morgan as a developer and Deutsche Bank as a software team leader before co-founding SonarSource. Freddy Mallet, SonarSource’s second co-founder, was a project architect at E-Trade and CTO at agtech startup Hortis. Third co-founder Simon Brandhof also worked at Hortis and was a lead developer at online trading platform CPR Online.


One of the code analysis dashboards in SonarQube. Image Credits: SonarSource

“SonarSource was created to accommodate the market’s eventual realization that software — and its source code — is the foundation of business and must be stewarded as such,” Gaudin said. “From the beginning, SonarSource’s mission has been to empower every single developer — and thus every organization — to build software right.”

SonarSource was incorporated in 2008, and one of its first products was the open source program SonarQube. Designed to perform static code analysis — i.e., debugging by examining a program’s code without actually executing the program — SonarQube embeds clean code into the development process, supporting programming languages including Python, Java, C# and JavaScript.

In 2010, SonarSource’s open source project hit a milestone of over 2,000 downloads per month. The startup sought to capitalize on its success with View, a commercial plugin for project portfolio management. After releasing more plugins and software including SonarCloud (which analyzes open source projects) and SonarLint (an integrated developer environment extension for static analysis), SonarSource expanded the scope of its analyzers to cover standards that encompass maintainability, reliability and security.

“Many competitors focus on just one part of delivering clean code, such as the security aspect. That’s a promise to a risk or compliance department,” Gaudin said. “SonarSource has a different approach — we’re going to help the engineering team do a better job delivering code and help them invest the time they spend actually writing new code, as opposed to debugging old code. We provide a solution that allows these departments to raise their game and deliver better code. More time is spent on innovation and solving difficult problems for the organization.”

Accelerating momentum

SonarSource competes with a number of companies in the static code analysis software market, which one firm predicts could be worth $1.74 billion by the end of 2026 (up from $643 million in 2022). For example, r2c and DeepSource focus on code analysis for security and performance, while ShiftLeft attempts to automatically patch any code vulnerabilities that it finds.

All static code analysis products have downsides. They can’t support every programming language, sometimes produce false positives and negatives and can provide a false sense of security. They’re only as good as the rules they’re using to scan with, after all — which is why they aren’t likely to replace quality assurance teams anytime soon.

SonarSource doesn’t claim to have overcome these. To the extent that it has them, the company’s advantages are a head start and strong industry traction. SonarSource grew its commercial customer base by more than 2,000% over the last four years to more than 16,000 organizations. Over 300,000 organizations including 80 Fortune 100 companies, meanwhile, use a mix of the company’s commercial and free products.


Image Credits: SonarSource

SonarSource’s gross margin profile is above 90% and annual recurring revenue stands at $175 million, which the company projects will reach $240 million this year. SonarSource plans to expand its headcount from 290 employees to “north of 400” to meet that goal, according to Gaudin.

“SonarSource will use [the latest] investment to double its sales force in 2022 and grow its marketing team across existing offices in Geneva, Switzerland; Annecy, France; Bochum, Germany and Austin, Texas … In addition, SonarSource will open a new regional headquarters in Singapore, allowing the company to build its business within the burgeoning Asia-Pacific market,” Gaudin added. “Many competitors focus on just one part of delivering clean code, such as the security aspect. That’s a promise to a risk or compliance department. SonarSource has a different approach — we’re going to help the engineering team do a better job delivering code and help them invest the time they spend actually writing new code, as opposed to debugging old code.”

Insight Partners and Permira also participated in SonarSource’s latest financing round.