Sonar Buys Gitar to Deepen AI Code Verification and Agentic Governance

New updates have been reported about Sonar.

Sonar has acquired Gitar, an AI-native code review platform, in a deal that consolidates AI code review and multilayered verification into a single offering centered on SonarQube. Sonar will integrate Gitar’s post-generation review and automated fix capabilities directly into its AI code verification engine, extending coverage from the moment an AI agent starts writing code through to codebase integration and continuous integration workflows.

For Sonar’s enterprise base—more than 75% of the Fortune 100 and 7 million developers—the combined platform is positioned to harden the quality, security and architectural integrity of AI-generated code while reducing outages and agent token costs. CEO Tariq Shaukat framed the move as critical to enabling rapid AI adoption without compromising reliability, with Sonar citing internal data showing teams using its platform are 44% less likely to suffer outages from AI-generated code and can cut AI agent token consumption by up to 8%.

Gitar’s founders, Ali-Reza Adl-Tabatabai and Gautam Korlam, will join Sonar to lead development of the Gitar platform, which will remain available as a standalone product and also be bundled with SonarQube and SonarQube Advanced Security. Their experience building Uber’s centralized developer platform is expected to accelerate Sonar’s roadmap across what it calls the Agent Centric Development Cycle, a methodology for ensuring AI agents operate in a controlled, transparent and auditable manner.

The acquisition sits alongside a string of recent product launches that extend Sonar’s reach beyond static code scanning into full-stack AI governance. New modules include SonarQube Advanced Security for supply chain-focused SAST and SCA, Agentic Analysis for self-verifying AI agents, and Architecture controls to enforce structural standards so AI-generated code integrates cleanly with existing systems.

Sonar has also introduced SonarQube MCP Server and CLI to plug directly into tools like Claude Code, GitHub Copilot, Cursor and Devin, enabling real-time analysis of every snippet produced by AI agents and automatic interception of secrets before they reach LLM providers. Additional capabilities such as the SonarQube plugin for Claude Code, a Remediation Agent for verified fixes, Context Augmentation to embed organizational standards upfront and SonarSweep to reduce LLM security vulnerabilities by up to 67% are designed to move customers from noisy signals to actionable outcomes.

Strategically, these moves consolidate Sonar’s positioning as an independent verification and governance layer for AI-driven development, analyzing more than 750 billion lines of code daily for security, reliability and maintainability. For executives, the implications include a clearer path to scaling agentic coding with reduced operational risk, lower remediation and outage costs and tighter control over how AI tooling interacts with critical codebases and supply chains.
