DevOps Engineer at BNP Paribas
Security hotspot feature identifies where your code is prone to have security issues
Pros and Cons
- "The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
- "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface."
What is our primary use case?
We use it to check the code quality, and the code review to find out the vulnerabilities in the central code, like simplifications and code. We also use it for security management.
What is most valuable?
The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.
It also gives you a very good highlight of what's changed, and what has to be changed in the future.
Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.
Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.
What needs improvement?
There are various standards that are followed. Awareness is a must.
Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.
For how long have I used the solution?
I have been using SonarQube for three years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
March 2025

Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
848,716 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is quite stable. There are no issues that we face on SonarQube. It's just about awareness, where the users are not aware of a feature and that's where we need to jump in and explain some of the features and how they work.
What do I think about the scalability of the solution?
It's definitely easy to scale.
How are customer service and support?
We do contact them based on the project team requirement. We contact them if they have to set up any specific kind of portfolio application and such application et cetera, internal.
Their support is good. They respond quickly. The response time is very good. They answer the queries within 24 to 48 hours. That's a plus for them. It's a very costly product, so we use the enterprise-level product. It does consume a lot of license cost for that.
Which solution did I use previously and why did I switch?
We used Fortify, which is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work.
How was the initial setup?
The initial setup is simple. It's basically an orchestration platform on which I manage around 400 SonarQube instances.
It's a mass production environment. I'm currently managing around 400 plus teams who are using the product. We are trying to migrate it onto Kubernetes.
The setup takes around five to ten minutes as I have created automation.
It requires maintenance on the platform side, but not on the SonarQube side. Because there is a DB cleanup automatically inbuilt in Sonar, it does not require much to maintain within SonarQube itself.
It eats up a lot of memory. For a stack it's around 2.5GB. We use it on a daily basis.
What's my experience with pricing, setup cost, and licensing?
Everything is included in the standard licensing.
What other advice do I have?
Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular with developers. It's very good for the stats about the product for architects.
The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes.
In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Lead Engineer at a healthcare company with 10,001+ employees
Open-source, stable, and finds the problems for you and tells you where they are
Pros and Cons
- "I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
- "The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
What is our primary use case?
I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity.
We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.
What is most valuable?
I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.
What needs improvement?
The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.
They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there.
In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.
For how long have I used the solution?
It has been a couple of years.
What do I think about the stability of the solution?
Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.
What do I think about the scalability of the solution?
It is definitely scalable. We plan to increase its usage.
How are customer service and support?
Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching.
We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.
Which solution did I use previously and why did I switch?
Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.
How was the initial setup?
We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial.
You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.
What about the implementation team?
We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue.
Its deployment and maintenance can be done by one engineer.
What's my experience with pricing, setup cost, and licensing?
We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.
Which other solutions did I evaluate?
We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.
What other advice do I have?
You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible.
I would rate it an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technology Manager at Publicis Sapient
Supports multiple program languages, highly scalable, and has open-source version
Pros and Cons
- "The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programming language."
- "There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
What is our primary use case?
We are using the solution for code quality and security.
What is most valuable?
The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programming language. The quality profile rules that it provides based on the architect are set across the board; this provides continuity. Being able to fix all the application vulnerabilities before they reach production is a huge benefit.
What needs improvement?
There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.
For how long have I used the solution?
I have been using the solution for approximately eight years.
What do I think about the scalability of the solution?
The scalability depends on the use case. You cannot install it with minimal resources and expect it to run thousands of jobs. It is scalable based on your environment. How big is your project? How many APIs do you want to scan? How many APIs per minute, etc. Based on that information you need to first decide upfront how much memory or how much storage you want to give to it. You need to have clear data with you and then use the resources to design accordingly. I think it is highly scalable and can operate seamlessly if you give it the environment that is sufficient. You cannot expect magic from it.
We have some projects that have 150 users with ten teams using the solution.
How are customer service and technical support?
We had to contact technical support back several years ago because we had an issue with one of the new SQL plugins which ended up being resolved. The support is not required anymore because they have very good documentation that meets our needs.
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
I do not know the price of the solution since I have not been involved in purchasing licenses. However, this solution requires a license and we have enterprise-level licenses for our organization and for our client.
The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do. The enterprise-level has only a few more options, such as better reporting and generating PDFs. If you have a small-scale project or if you do not have a high budget, I think open-source will do wonders.
What other advice do I have?
For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need.
I rate SonarQube a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
System Quality Assurance Manager at AIS - Advanced Info Services Plc.
Easy to use, stable, and installation straightforward
Pros and Cons
- "SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
- "The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
What is our primary use case?
We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
What is most valuable?
SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems.
What needs improvement?
The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.
For how long have I used the solution?
I have been using the free version of SonarQube for approximately one year and then I purchased a subscription that I have been using for the last three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution has scaled well for our needs. We have two million lines of code and we have not had a problem.
We work for a large enterprise that has approximately 1,000 IT employees.
How are customer service and technical support?
There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.
How was the initial setup?
The installation is not difficult.
What's my experience with pricing, setup cost, and licensing?
The solution has a free version and a licensed version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution.
The licensing process could be improved. We need to contact purchasing to receive the key for the license but the process should be automatic, similar to a SAS purchase.
Which other solutions did I evaluate?
I have evaluated Fortify Application Defender.
What other advice do I have?
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Application Security Coordinator at Banco Votorantim
An affordable and stable solution that has a variety of features that enable users to improve their products
Pros and Cons
- "There are many options and examples available in the tool that help us fix the issues it shows us."
- "The product must improve security analysis."
What is our primary use case?
I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.
How has it helped my organization?
We see the security issues in our solutions with the help of the product. It helps us improve the solutions.
What is most valuable?
There are many options and examples available in the tool that help us fix the issues it shows us.
What needs improvement?
The product must improve security analysis. It must introduce software composition analysis in future releases.
For how long have I used the solution?
I have been using the solution for three years or more. I am using the latest version of the solution.
What do I think about the stability of the solution?
I rate the tool’s stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the tool’s scalability a seven out of ten.
How was the initial setup?
The solution is deployed on the cloud.
What was our ROI?
We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality.
What's my experience with pricing, setup cost, and licensing?
The product’s price is lower than Veracode’s price.
Which other solutions did I evaluate?
Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.
What other advice do I have?
There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good ROI, easy to install but it could use more functionality, and faster updates
Pros and Cons
- "The most valuable feature of this solution is that it is free."
- "There could be better integration with other products."
What is our primary use case?
We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.
What is most valuable?
The most valuable feature of this solution is that it is free.
What needs improvement?
There could be better integration with other products.
It could have more functionality, and the updates could be faster.
People must be trained extensively before they can use it.
For how long have I used the solution?
I have been using SonarQube for three years.
It's software as a service that you can access from on-premises.
What do I think about the stability of the solution?
The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.
What do I think about the scalability of the solution?
More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.
How are customer service and support?
I have not contacted technical support.
Which solution did I use previously and why did I switch?
Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.
How was the initial setup?
The initial setup was straightforward. It only took about two weeks to deploy.
Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.
What about the implementation team?
I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.
What was our ROI?
We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.
What's my experience with pricing, setup cost, and licensing?
It's an open-source solution, with no additional costs.
Which other solutions did I evaluate?
We evaluated other products such as Veracode, Checkmarx as well as SonarQube.
The main difference is that SonarQube is free.
What other advice do I have?
I am an expert in so many things, including security. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.
Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.
I would rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
General Manager at Dalmia Bharat Group
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
- "We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
- "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
What is our primary use case?
We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it.
We have started looking into it from the information security side, but it is being used by the core development team.
What is most valuable?
We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.
What needs improvement?
There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of codes.
We have 15 to 20 people who are using it.
How are customer service and support?
We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.
How was the initial setup?
It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.
What about the implementation team?
We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.
What's my experience with pricing, setup cost, and licensing?
We are using the Community edition of SonarQube.
What other advice do I have?
For a small setup with a smaller number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
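Several of the reviews above touch on the same integration point: the second reviewer runs scans from a CI server (TeamCity) on a schedule, the first wants bugs and vulnerabilities surfaced per pull request, and the Dalmia Bharat reviewer describes the opposite situation, with results pulled out of SonarQube by hand because nothing in the pipeline consumes them. The script below is an added example, not code from any reviewer or from SonarSource, of the usual way to close that gap: a pipeline step that asks the server for the project's quality-gate status and fails the job when the gate is red. It assumes the SonarQube web API endpoint `GET /api/qualitygates/project_status?projectKey=...` with token authentication sent as the basic-auth username; the host URL, project key and token are placeholders, and the JSON body in `SAMPLE_RESPONSE` is constructed to mirror the documented response shape rather than captured from a real server.

```python
"""Gate a CI job on a SonarQube quality gate via the web API.

Added example for illustration only (not from the reviews on this page).
Assumptions: endpoint GET /api/qualitygates/project_status?projectKey=...,
token passed as the basic-auth user, and the JSON layout shown in
SAMPLE_RESPONSE. Host, project key and token are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of a failing gate (two of three conditions in ERROR).
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "91.2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "60.0"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})


def build_status_url(host, project_key):
    """Build the status URL for one project; the key is URL-encoded."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    return f"{host.rstrip('/')}/api/qualitygates/project_status?{query}"


def fetch_status(host, project_key, token):
    """Fetch the raw JSON body from a live server (not exercised offline)."""
    req = urllib.request.Request(build_status_url(host, project_key))
    # SonarQube accepts a user token as the basic-auth username with no password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def evaluate_gate(body):
    """Return (passed, failed_conditions) parsed from a project_status body."""
    status = json.loads(body)["projectStatus"]
    failed = [
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} "
        f"(actual {c['actualValue']})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status.get("status") == "OK", failed


def ci_step(body):
    """Exit code for the CI runner: 0 when the gate is green, 1 otherwise."""
    passed, failed = evaluate_gate(body)
    for line in failed:
        print("quality gate failed:", line)
    return 0 if passed else 1


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real pipeline would
    # call fetch_status(host, project_key, token) and pass the body instead.
    raise SystemExit(ci_step(SAMPLE_RESPONSE))
```

Wiring `ci_step` into the pipeline after the scanner step is what turns SonarQube from a dashboard people have to remember to visit into a gate a pull request cannot pass without review; the failed-condition lines give the developer the metric, the threshold and the actual value in the job log, so the "which hotspots were not reviewed" question is answered before anyone opens the web UI.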
Senior Security Engineer at a financial services firm with 10,001+ employees
Useful depth features, stable, but more programming languages needed
Pros and Cons
- "The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
- "If there was an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."
What is our primary use case?
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.
What is most valuable?
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
What needs improvement?
I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but there could be more focus on team management. For example, if it showed what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.
If there was an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.
In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.
For how long have I used the solution?
I have been using this SonarQube for approximately four years.
What do I think about the stability of the solution?
We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for the code quality scanning. I have not had any problems using the solution, it has been stable.
What do I think about the scalability of the solution?
We have approximately 15,000 engineers in my company and many of them are using this solution.
Which other solutions did I evaluate?
I have evaluated Fortify.
What other advice do I have?
I rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
