Yes, SonarQube is a Static Application Security Testing (SAST) tool. SAST is the process of analyzing source code and binaries of applications. And the test conducted is static, that is when the code is not running and is at rest, the analysis takes place.
Enroll in an industry-grade DevOps training course from Intellipaat, and watch a video on SonarQube Tutorial to gain more insights.