SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.
Director at PepsiCo
Scalable, good technical support, but multiple application project option needed
Pros and Cons
- "We have worked with the support from SonarQube and we have had good experiences."
- "We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."
What is our primary use case?
How has it helped my organization?
The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.
What needs improvement?
We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.
What we are seeing is for some of the Javascript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.
In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The solution is scalable.
We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.
There are a lot of people using this solution in my organization because they are able to scan directly from their IDs.
How are customer service and support?
We have worked with the support from SonarQube and we have had good experiences.
How was the initial setup?
The initial setup was simple. When we did the upgrade and it took our team approximately two hours.
What about the implementation team?
Our internal team did the implementation of the solution.
What's my experience with pricing, setup cost, and licensing?
We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.
What other advice do I have?
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.
The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.
I rate SonarQube a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Quality Assurance Manager at AIS - Advanced Info Services Plc.
Easy to use, stable, and installation straightforward
Pros and Cons
- "SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
- "The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
What is our primary use case?
We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
What is most valuable?
SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems.
What needs improvement?
The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.
For how long have I used the solution?
I have been using the free version of SonarQube for approximately one year and then I purchased a subscription that I have been using for the last three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution has scaled well for our needs. We have two million lines of code and we have not had a problem.
We work for a large enterprise that has approximately 1,000 IT employees.
How are customer service and technical support?
There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.
How was the initial setup?
The installation is not difficult.
What's my experience with pricing, setup cost, and licensing?
The solution has a free version and a license version. The license is priced reasonably, the cost of hiring one programmer is more expensive than the solution.
The licensing process could be improved. We need to contact purchasing to receive the key for the license but the process should be automatic, similar to a SAS purchase.
Which other solutions did I evaluate?
I have evaluated Fortify Application Defender.
What other advice do I have?
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
Software Developer at BKWI
Allows for real-time feedback on code quality and highly stable solution
Pros and Cons
- "We've configured it to run on each commit, providing feedback on our software quality. ]"
- "During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
What is our primary use case?
We use it to check the code quality of our software.
What is most valuable?
We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.
What needs improvement?
We would appreciate having PNC checking, though that's only available in a more expensive license type.
There is also room for improvement in the installation process.
For how long have I used the solution?
I have been using this solution for a couple of years.
What do I think about the stability of the solution?
It is a stable solution. So, no issues with stability.
What do I think about the scalability of the solution?
We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.
We have around 13 developers using this solution.
Which solution did I use previously and why did I switch?
How was the initial setup?
Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.
However, maintenance is actually quite easy. It requires a couple of people.
Which other solutions did I evaluate?
We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.
What other advice do I have?
I would definitely recommend using the solution.
Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Works well with very good integrations and pipelines
Pros and Cons
- "Can tweak rules and feed them into our build pipelines."
- "Currently requires multiple tools, lacking one overall tool."
What is our primary use case?
Our use case of SonarQube is to analyze code quality and to implement quality dates in our build pipelines.
What is most valuable?
The ability to tweak the rules and feed them into our build pipelines so that they can become an integral part of those pipelines is a valuable feature. This product works really well, the integrations and pipelines are good.
What needs improvement?
SonarQube currently requires multiple tools. I'd like to have the ability to use one tool overall.
For how long have I used the solution?
We've been using this solution for a few years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
What's my experience with pricing, setup cost, and licensing?
We pay a very reasonable, annual licensing fee.
What other advice do I have?
My recommendation is to just go with this out-of-the-box rule set first. Don't try to tweak them and learn what they mean. First learn what the alerts mean and then slowly tweak it to your specific use cases.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a financial services firm with 10,001+ employees
Useful depth features, stable, but more programming languages needed
Pros and Cons
- "The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
- "If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."
What is our primary use case?
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.
What is most valuable?
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
What needs improvement?
I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.
If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.
In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.
For how long have I used the solution?
I have been using this SonarQube for approximately four years.
What do I think about the stability of the solution?
We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for the code quality scanning. I have not had any problems using the solution, it has been stable.
What do I think about the scalability of the solution?
We have approximately 15,000 engineers in my company and many of them are using this solution.
Which other solutions did I evaluate?
I have evaluated Fortify.
What other advice do I have?
I rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Devops Engineer at BNP Paribas
Security hotspot feature identifies where your code is prone to have security issues
Pros and Cons
- "The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
- "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
What is our primary use case?
We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.
What is most valuable?
The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.
It also gives you a very good highlight of what's changed, and what has to be changed in the future.
Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.
Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.
What needs improvement?
There are various standards that are followed. Awareness is a must.
Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.
For how long have I used the solution?
I have been using SonarQube for three years.
What do I think about the stability of the solution?
It is quite stable. There are no kind of issues that we face on SonarQube. It's just about the awareness where the users are not aware of a feature and that's where we need to jump in and explain some of the features about how it works.
What do I think about the scalability of the solution?
It's definitely easy to scale.
How are customer service and technical support?
We do contact them based on the project team requirement. We contact them if they have to set up any specific kind of portfolio application and such application et cetera, internal.
Their support is good. They respond quickly. The response time is very good. They answer the queries within 24 to 48 hours. That's a plus for them. It's a very costly product, so we use the enterprise-level product. It does consume a lot of license cost for that.
Which solution did I use previously and why did I switch?
We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work.
How was the initial setup?
The initial setup is simple. It's basically an orchestration platform on which I manage around 400 SonarQube incentives.
It's a mass production environment. I'm currently managing around 400 plus teams who are using the product. We are trying to migrate it onto Kubernetes.
The setup takes around five to ten minutes as I have created automation.
It requires maintenance on the platform side, but not on the SonarQube side. Because there is a DB cleanup automatically inbuilt in Sonar, it does not require much to maintain within SonarQube itself.
It eats up a lot of memory. For a stack it's around 2.5GB. We use it on a daily basis.
What's my experience with pricing, setup cost, and licensing?
Everything is included in the standard licensing.
What other advice do I have?
Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects
The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes.
In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Architect (USDA) at a government with 10,001+ employees
Easily integrates with Jenkins and the information on the dashboard makes it easy for the developers to work on
Pros and Cons
- "The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
- "Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
What is our primary use case?
I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in.
How has it helped my organization?
It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.
What is most valuable?
The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.
What needs improvement?
Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.
For how long have I used the solution?
Our company has been using it for quite a while now.
What do I think about the stability of the solution?
This solution is very stable.
What do I think about the scalability of the solution?
It supports around 25 plus languages.
How are customer service and technical support?
The technical support is very good. When a product is good, we don't use them as regularly.
Which solution did I use previously and why did I switch?
No, not that I am aware of.
How was the initial setup?
Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.
What about the implementation team?
We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.
What other advice do I have?
SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head Section Mobile Developer at a manufacturing company with 10,001+ employees
A scalable solution that needs integration with other tools
Pros and Cons
- "SonarQube is scalable. My company has 50 users."
- "The product needs to integrate other security tools for security scanning."
What needs improvement?
The product needs to integrate other security tools for security scanning.
For how long have I used the solution?
I have been using the product for a year.
What do I think about the scalability of the solution?
SonarQube is scalable. My company has 50 users.
What other advice do I have?
I rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Software Development AnalyticsPopular Comparisons
Fortify on Demand
Sonatype Lifecycle
CrowdStrike Falcon Cloud Security
PortSwigger Burp Suite Professional
GitHub Advanced Security
Qualys Web Application Scanning
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is SonarQube the best tool for static analysis?
- Which gives you more for your money - SonarQube or Veracode?
- What Is The Biggest Difference Between Fortify on Demand And SonarQube?
- What is the biggest difference between Checkmarx and SonarQube?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- How does SonarQube instance relate to the license?
- Which software is ideal for code quality and security?
- What is the difference between Coverity and SonarQube?
- What is the biggest difference between Coverity and SonarQube?
- How would you decide between Coverity and Sonarqube?