SonarQube Alternate Sources

Statement of Work (SOW) / Performance Work Statement (PWS)

This Statement of Objectives (SOO) aims to provide Platform One (P1) with the ability to create and maintain software threat models and secure compliant code, supporting the United States Air Force (USAF) Development Security Operations (DevSecOps). The objective is to utilize SonarQube, a Code Quality Assurance tool, to collect and analyze source code, providing reports on code quality for P1.

• SonarQube will be deployed on Impact Level 2 and Impact Level 4 in support of the P1 Party Value Stream.

• The tool combines static and dynamic analysis to measure code quality continuously.

• It will ensure code reliability, application security, and reduce technical debt by maintaining a clean and maintainable codebase.

• The goal is to improve productivity by enabling DevSecOps teams to identify and eliminate redundancy and duplication within the P1 software ecosystem.

• Period of Performance (PoP):

  • Base: May 15, 2026 - May 14, 2027
  • Option Year 1 (OY1): May 15, 2027 - May 14, 2028
  • Option Year 2 (OY2): May 15, 2028 - May 14, 2029

• Place of Performance: Platform One/HNCX, 420 Broadway, San Antonio, TX 78205

• This is an initial license purchase for P1.

• The contract shall provide SonarQube Server Enterprise Edition licenses for up to 5M and 10M Lines of Code (LOCs), with and without support, across the Base Year, OY1, and OY2.

• License keys must be delivered within 5 business days After Receipt Of, Award (ARO).

• The Contractor shall have a single Point of Contact (POC) for coordination with the P1 Program/Acquisition Manager (PM/AM) and the Procurement Contracting Officer (PCO).

• The Contractor shall provide necessary licenses/keys, identify issues, provide root cause remedies, and communicate updates/timelines/expiration dates.

Request for Information (RFI)

This RFI is issued by the Government for market research and acquisition planning purposes. The objective is to identify and assess commercially available alternatives to SonarQube for enterprise code quality and application security analysis in support of Platform One (P1) mission requirements. The Government is seeking solutions that support secure software development lifecycle (SDLC) practices, automated code inspection, vulnerability identification, coding standards enforcement, quality gate management, developer workflow integration, and enterprise scalability within a Government security-compliant DevSecOps environment.

• Company Information: Legal name, CAGE Code, UEI, business size, socioeconomic status, point of contact, and three examples of relevant enterprise implementations for secure software development.
• Technical Capability: Description of code analysis capabilities (bugs, vulnerabilities, code smells, security hotspots, duplications, technical debt), supported programming languages, alignment to CWE, OWASP Top 10, STIG, and NIST SSDF, and details on CI/CD integrations and API extensibility.
• Enterprise Capability: Maximum supported lines of code (LOC), multi-tenant and RBAC capabilities, reporting/dashboard capabilities, and data ownership, storage, and retention controls for on-prem environments.
• Support: Description of the support model, escalation procedures, and confirmation of ability to deliver license keys within 5 business days ARO.
• Pricing: Information on base year and option years.

Responses should be submitted electronically in PDF format, including all supporting documentation, technical specifications, and pricing details. The Government emphasizes that this RFI is for informational and planning purposes only and does not constitute a solicitation or commitment to award a contract. Responses will be used strictly for market research and acquisition planning.

Responses are encouraged from all capable vendors. The Government seeks to maximize practicable competition.