I work for a government agency and we use this tool. It is lightweight and very cost-effective compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate, and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up so that an automated process runs every time the code is checked in.
Cyber Security Architect (USDA) at a government with 10,001+ employees
Easily integrates with Jenkins and the information on the dashboard makes it easy for the developers to work on
Pros and Cons
- "The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
- "Although it has Sonar built into it, it is still lacking. Customization features for identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point, that is a feature that is also missing. It's in our queue. That will hopefully save a lot of time."
What is our primary use case?
How has it helped my organization?
It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.
What is most valuable?
The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.
What needs improvement?
Although it has Sonar built into it, it is still lacking. Customization features for identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point, that is a feature that is also missing. It's in our queue. That will hopefully save a lot of time.
For how long have I used the solution?
Our company has been using it for quite a while now.
What do I think about the stability of the solution?
This solution is very stable.
What do I think about the scalability of the solution?
It supports around 25 plus languages.
How are customer service and support?
The technical support is very good. When a product is good, we don't use them as regularly.
Which solution did I use previously and why did I switch?
No, not that I am aware of.
How was the initial setup?
Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care, but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.
What about the implementation team?
We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.
What other advice do I have?
SonarQube is a very good tool. It is lightweight and very cost-effective compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process that runs every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security teams use this solution very closely. Fifteen to twenty people in total use it.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

IT Developer at PT Oto Multiartha
This solution is simple to use and can be quickly deployed
Pros and Cons
- "This solution is simple to use and can be quickly deployed."
- "I think the code security can be improved."
What is our primary use case?
We use SonarQube to check for vulnerabilities and quality.
How has it helped my organization?
The solution has helped us to find flaws in the syntax and comply with requirements.
What is most valuable?
I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality.
What needs improvement?
I think the code security can be improved. Code security should comply with the standard security list.
I would like to see the feature of Compliance Reporting added to the solution.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
About ten people in my company are using this solution. On average, we use this solution once a week.
Which solution did I use previously and why did I switch?
We chose SonarQube due to its free community edition. After a while, when we need more features, we will probably purchase the solution, probably next year.
How was the initial setup?
I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team.
What about the implementation team?
We implemented the solution through an in-house application developer.
What other advice do I have?
This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Leader / Technical Expert at La francaise des jeux
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
- "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
- "The handling of the contents of Docker container images could be better."
What is our primary use case?
We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.
It is installed and plugged into a Kubernetes pipeline build system.
How has it helped my organization?
Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.
What is most valuable?
The performance is good.
What needs improvement?
The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.
For how long have I used the solution?
I have been using SonarQube for between three and four years.
What do I think about the stability of the solution?
This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.
This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.
What do I think about the scalability of the solution?
We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.
How are customer service and support?
The technical support is good.
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to this one.
How was the initial setup?
The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.
The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.
What about the implementation team?
We handled the deployment completely in-house.
What was our ROI?
It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.
Which other solutions did I evaluate?
Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.
What other advice do I have?
My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For a large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.
Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of Software Delivery at a tech services company with 51-200 employees
Provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production
Pros and Cons
- "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
What is our primary use case?
Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production.
We plug this process into our process right from the start, enabling the IDE integrations so that engineers can scan their code before submission. Following on from that, we run the scans on every change that has been submitted for review.
This way we ensure that no core/fundamental issues are added to our codebases.
How has it helped my organization?
It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results.
Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers.
We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more.
What is most valuable?
By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities.
The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported.
Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.
What needs improvement?
It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too.
This is particularly true around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place.
When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add.
For how long have I used the solution?
I have been using SonarQube for five years.
What do I think about the stability of the solution?
Good, I have not really had many issues with it. No major ones either.
What do I think about the scalability of the solution?
It all depends on where/how you are hosting it. The tool itself scales well.
Which solution did I use previously and why did I switch?
I have used Checkmarx and also tried a demo of Veracode.
Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag.
Veracode is very good, however, the price vs a free solution was a deciding factor in many cases.
How was the initial setup?
It's very straightforward for a SaaS setup.
For a self-hosted setup, it is documented well and fairly easy.
What about the implementation team?
We implemented in-house.
What's my experience with pricing, setup cost, and licensing?
SonarQube will incur hosting costs. There are SaaS options available at competitive prices too.
Self-hosting SonarQube is subject to its open-source licenses documented on their website.
Which other solutions did I evaluate?
We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language.
What other advice do I have?
Security analysis is a MUST.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tools manager at a tech vendor with 10,001+ employees
It supports 29 languages
Pros and Cons
- "SonarQube is one of the more popular solutions because it supports 29 languages."
- "I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
What is our primary use case?
SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues.
What is most valuable?
SonarQube is one of the more popular solutions because it supports 29 languages.
What needs improvement?
SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.
I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script.
For how long have I used the solution?
I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry.
How was the initial setup?
SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.
We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.
What's my experience with pricing, setup cost, and licensing?
I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.
Which other solutions did I evaluate?
SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner.
What other advice do I have?
I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
- "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
- "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
What is our primary use case?
We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.
How has it helped my organization?
Our developers are learning how to improve their code.
What is most valuable?
The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.
What needs improvement?
The Enterprise edition has the additional features we need, but of course we have to pay for that.
For how long have I used the solution?
I have been using SonarQube for approximately three months.
What do I think about the stability of the solution?
SonarQube is a reliable solution.
What do I think about the scalability of the solution?
I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.
How are customer service and support?
I have not needed to contact technical support.
I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.
What about the implementation team?
We have a different group that is managing the SonarQube installation and setup.
What's my experience with pricing, setup cost, and licensing?
SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.
I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.
Which other solutions did I evaluate?
No.
What other advice do I have?
My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr DevOps Engineer at incatech
Open-source with great extensions and great for identifying bugs
Pros and Cons
- "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
- "You may need to purchase add-ons to get the usability you desire."
What is our primary use case?
We use the product in our pipeline. We primarily use it as a development testing tool.
How has it helped my organization?
We can see what's being flagged by whatever requirements are in the environment that we're going to. SonarQube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions, that can tighten down the developers' coding.
What is most valuable?
It's convenient due to the fact that it's open-source.
We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool.
Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors, or it can do a lot of things. Just like Google Chrome, where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core.
For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.
What needs improvement?
The solution is still maturing a bit.
You may need to purchase add-ons to get the usability you desire.
For how long have I used the solution?
We've been using the solution for about two years at this point.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It's free to use.
What other advice do I have?
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.
I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
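The gated delivery the Head of Software Delivery review describes (no code reaches production while the quality gate reports severe bugs or vulnerabilities) and the adjustable rule thresholds mentioned in this review ("80% or whatever the case may be") both come down to one decision in the pipeline: read the gate result and stop the build unless it is an explicit pass. The example below is added here and is not SonarQube's own code; it evaluates a constructed gate over constructed measures and parses a response shaped like SonarQube's `/api/qualitygates/project_status` endpoint (the gate definition, the measures and the sample response are all assumptions).

```python
"""Quality-gate evaluation of the kind a CI job uses to block a merge or deploy.

Added example, not SonarQube's own code. It mirrors the shape of SonarQube's
/api/qualitygates/project_status response (projectStatus.status plus one entry
per condition with metricKey / comparator / errorThreshold / actualValue, values
carried as strings). The gate, the measures and the sample response are constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One gate condition. The comparator is the *error* operator:
    GT fails when actual > threshold (e.g. new_vulnerabilities GT 0),
    LT fails when actual < threshold (e.g. new_coverage LT 80)."""
    metric_key: str
    comparator: str
    error_threshold: float


# Constructed gate: no new vulnerabilities or bugs, every new hotspot reviewed,
# and at least 80% coverage on new code (the threshold cited in the review above).
SAMPLE_GATE = (
    Condition("new_vulnerabilities", "GT", 0),
    Condition("new_bugs", "GT", 0),
    Condition("new_security_hotspots_reviewed", "LT", 100),
    Condition("new_coverage", "LT", 80),
)


def evaluate_condition(cond: Condition, actual: float) -> str:
    if cond.comparator == "GT":
        return "ERROR" if actual > cond.error_threshold else "OK"
    if cond.comparator == "LT":
        return "ERROR" if actual < cond.error_threshold else "OK"
    raise ValueError(f"unsupported comparator: {cond.comparator}")


def evaluate_gate(conditions, measures: dict) -> dict:
    """Evaluate every condition against the measured metrics and return a
    project_status-shaped dict. In this example a metric with no measure
    (tests never ran, scanner misconfigured) is reported as NO_VALUE and
    fails the gate rather than passing silently."""
    results = []
    for cond in conditions:
        entry = {"metricKey": cond.metric_key, "comparator": cond.comparator,
                 "errorThreshold": str(cond.error_threshold)}
        if cond.metric_key not in measures:
            entry["status"] = "NO_VALUE"
        else:
            actual = float(measures[cond.metric_key])
            entry["status"] = evaluate_condition(cond, actual)
            entry["actualValue"] = str(actual)
        results.append(entry)
    overall = "OK" if all(r["status"] == "OK" for r in results) else "ERROR"
    return {"projectStatus": {"status": overall, "conditions": results}}


def should_block_delivery(project_status_json: str):
    """Parse a project_status-shaped JSON document and decide whether the
    pipeline must stop. Returns (block, failed_metric_keys). Anything other
    than an explicit OK blocks, so a malformed or empty response cannot let
    code through."""
    try:
        status = json.loads(project_status_json)["projectStatus"]
    except (ValueError, KeyError, TypeError):
        return True, ["unparseable response"]
    failed = [c.get("metricKey", "?") for c in status.get("conditions", [])
              if c.get("status") != "OK"]
    return status.get("status") != "OK", failed


# Constructed response in the API's shape: coverage on new code fell short.
SAMPLE_RESPONSE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "72.5"},
    {"status": "OK", "metricKey": "new_vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"},
]}})

if __name__ == "__main__":
    block, failed = should_block_delivery(SAMPLE_RESPONSE)
    print("block delivery:", block, "failed conditions:", failed)
    measures = {"new_vulnerabilities": 1, "new_bugs": 0,
                "new_security_hotspots_reviewed": 100, "new_coverage": 91.0}
    print(json.dumps(evaluate_gate(SAMPLE_GATE, measures), indent=2))
```

In a real pipeline the JSON string would come from the SonarQube server after analysis completes; the fail-closed handling in `should_block_delivery` is what keeps a server outage or a misconfigured project key from being mistaken for a passed gate.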
Test Expert at Saudi Telecom Company
Prevents vulnerabilities, supports most languages and built-in procedures
Pros and Cons
- "I like that it covers most programming languages for source code review."
- "The BPM language is important and should be considered in SonarQube."
How has it helped my organization?
It prevents some vulnerabilities in the production environment.
What is most valuable?
I like that it covers most programming languages for source code review.
I also like the procedures that are already built-in that cover most of the items that already exist.
What needs improvement?
SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.
The BPM language is important and should be considered in SonarQube.
It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approximately 20% of the CPU utilization.
Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.
There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.
I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.
For how long have I used the solution?
We have been dealing with SonarQube for more than one year.
What do I think about the stability of the solution?
It is stable in the system environment processes.
What do I think about the scalability of the solution?
We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.
How are customer service and technical support?
We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.
Which solution did I use previously and why did I switch?
We only use SonarQube with SonarScanner.
How was the initial setup?
The initial setup is simple and straightforward.
What about the implementation team?
I am a consultant and my team completed the system server.
What's my experience with pricing, setup cost, and licensing?
I requested this license for one million lines of code and they accepted this.
I don't know what was already paid.
Which other solutions did I evaluate?
We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well.
What other advice do I have?
We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.