Hi Peter,
Interesting and important topic: security!
Although the visual Mendix models are precompiled to some Java code, we can't access this resulting Java code for obvious (licensing) reasons. The mpa-file is further compiled and doesn't contain source code anymore, while I expect SonarQube exactly wants to scan this high code (Java / C / ...).
I'm not familiar with SonarQube, you could ask them if and how they support Low Code platforms.
Hopefully this helps a bit!
Kind regards,
Johan Flikweert