We use SonarQube mostly for code quality testing.
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Used for code quality testing and helps streamline coding practices in an organization
Pros and Cons
- "The integrations SonarQube provides with our software delivery pipeline are very seamless."
- "SonarQube could improve its static application security testing as per the industry standard."
What is our primary use case?
What is most valuable?
The integrations SonarQube provides with our software delivery pipeline are very seamless. The main benefit of using SonarQube in our organization was having a clean code with fewer static vulnerabilities within the application.
What needs improvement?
SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.
For how long have I used the solution?
I have been using SonarQube for a few years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
SonarQube is a stable solution.
What do I think about the scalability of the solution?
Around 20 to 25 people use the solution in my team.
How was the initial setup?
The solution’s initial setup is straightforward.
What about the implementation team?
The solution can be deployed within a couple of days. We don’t need many people to deploy SonarQube. It is not difficult to maintain the solution.
What other advice do I have?
We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time.
I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint.
I would recommend users to try out the open source version of SonarQube. If that doesn't suffice their needs, then they can go for an enterprise version.
Overall, I rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Feb 26, 2024
Sr DevOps Engineer at incatech
Open-source with great extensions and great for identifying bugs
Pros and Cons
- "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
- "You may need to purchase add-ons to get the usability you desire."
What is our primary use case?
We use the product in our pipeline. We primarily use it as a development testing tool.
How has it helped my organization?
We can see what's being flagged by whatever requirements in the environment that we're going to. SonarQube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions, that can tighten down the developer's coding.
What is most valuable?
It's convenient due to the fact that it's open-source.
We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool.
Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CI/CD tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core.
For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.
What needs improvement?
The solution is still maturing a bit.
You may need to purchase add-ons to get the usability you desire.
For how long have I used the solution?
We've been using the solution for about two years at this point.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It's free to use.
What other advice do I have?
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.
I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Systems Architect at Banco Ripley
Open-source, secure static testing, but cannot be used for dynamic testing
Pros and Cons
- "It provides the security that is required from a solution for financial businesses."
- "We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
What is our primary use case?
We use SonarQube for testing and quality assurance. We use this in banks for testing.
We also use SonarQube for security static testing.
What is most valuable?
It provides the security that is required from a solution for financial businesses.
What needs improvement?
SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.
I would like to see software included that can be used with Waterfall projects.
Which solution did I use previously and why did I switch?
We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.
What's my experience with pricing, setup cost, and licensing?
We have partnered with B2B American to help with the purchasing of the license.
We have just been approved to purchase SonarQube Developer Edition.
We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment.
It's an open-source solution.
Which other solutions did I evaluate?
We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.
We are looking for the newest technologies but the biggest stopper for us is money.
What other advice do I have?
For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation.
It has been very difficult. Last year many projects stopped.
I would rate SonarQube a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Country Manager Senegal at a financial services firm with 10,001+ employees
Ensures a high quality of code, but would be improved with better support for security
Pros and Cons
- "SonarQube is good for checking and maintaining code quality."
- "I would like to see more options for security, beyond the basics like SQL injection."
What is our primary use case?
We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.
What is most valuable?
SonarQube is good for checking and maintaining code quality.
What needs improvement?
It would be nice if SonarQube analyzed external libraries, in addition to our current code.
I would like to see more options for security, beyond the basics like SQL injection.
For how long have I used the solution?
Five years.
What do I think about the stability of the solution?
The stability of this solution is quite good.
What do I think about the scalability of the solution?
I think that scalability is fine. We have a large number of users at my company.
The majority of the users for this solution are architects, but some technical managers use it too.
Which solution did I use previously and why did I switch?
We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.
How was the initial setup?
The initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.
We have this tool integrated with Jenkins.
One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.
Three or four staff are enough for deployment and maintenance.
What was our ROI?
We have seen a return on investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability.
Which other solutions did I evaluate?
We did not evaluate other options before choosing this solution.
What other advice do I have?
This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.
If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Security Architect at a tech services company with 51-200 employees
A mature and admin-friendly solution that is easy to deploy and easy to maintain
Pros and Cons
- "SonarQube is admin friendly."
- "SonarQube is not development-centric like Snyk."
What is our primary use case?
We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.
What is most valuable?
SonarQube is admin friendly.
What needs improvement?
SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.
For how long have I used the solution?
I have been using the solution for the last five years.
What do I think about the stability of the solution?
The solution is quite mature. We did not have many issues.
What do I think about the scalability of the solution?
The tool is very scalable.
How are customer service and support?
Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.
Which solution did I use previously and why did I switch?
I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.
How was the initial setup?
The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.
What about the implementation team?
Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.
What's my experience with pricing, setup cost, and licensing?
It's an open-source product. All other solutions are commercial.
What other advice do I have?
SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior System Analyst at a non-profit with 10,001+ employees
Open-source, feature-rich, integrates well, and has good community support but the user experience could be better
Pros and Cons
- "It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
- "The security in SonarQube could be better."
What is most valuable?
There is a large support system in the community. When we have issues we can get answers quickly and easily.
It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.
It's very flexible.
I am from the application development team and for me, it is very good because it offers a lot of features in terms of code review, quality check, and more.
What needs improvement?
In discussions with the security team, there are many other products that are available that perform better. The security in SonarQube could be better.
SonarQube is more about the quality checks of the source code. It allows us to do a code review but it lacks security. It could perform better.
I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issue and to be integrated with the pipeline.
It integrates well but there is always room in this area to improve and to provide reports on the results.
The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.
For how long have I used the solution?
I have been using SonarQube for six months. We implemented it in September of last year.
What do I think about the stability of the solution?
It is very stable. We are still new to this product and learning, but there are times where SonarQube disconnects from the server with no alert or notification, and we have to run it again.
It can be managed by running different scripts. From time to time we have claims that SonarQube is not running on the server and discovered that the server was restarted but SonarQube did not restart.
I don't know if it is a flaw in the product itself or if we can manage it from our infrastructure.
It's stable but could be improved.
What do I think about the scalability of the solution?
I believe that it is scalable, but this is an area that we have not yet explored.
I know that there is an option to add a new rule. For example, if we are creating an application using Java, there is a list of predefined rules to check the quality against.
It's expandable at least in terms of code quality checks.
For now, I am the only user of this solution.
How was the initial setup?
The initial setup wasn't straightforward, but still, it was manageable.
This is an area that can also be improved to make it easier to install and set up. There are many other products that are easy to set up and install.
What about the implementation team?
I called an expert or a technical person who could work on it and manage it.
What's my experience with pricing, setup cost, and licensing?
SonarQube is a free, open-source product.
There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license.
What other advice do I have?
We will be using this solution for the next year, but we are considering migrating to the cloud.
From my experience, I would rate SonarQube a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Infosec Consultant at Anzen Technologies
Has a user-friendly UI and can be used for secure code review
Pros and Cons
- "The solution's user interface is very user-friendly."
- "It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
What is our primary use case?
We used SonarQube for secure code review.
What is most valuable?
The solution's user interface is very user-friendly. The solution also provides good efficiency.
What needs improvement?
It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.
For how long have I used the solution?
What do I think about the stability of the solution?
I rate the solution a seven out of ten for stability.
What do I think about the scalability of the solution?
I rate the solution a nine out of ten for scalability.
How was the initial setup?
On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.
What about the implementation team?
It takes around one hour to deploy SonarQube.
What's my experience with pricing, setup cost, and licensing?
SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code. We didn't pay for SonarQube. We used a free version of the solution because we had a small amount of code.
What other advice do I have?
We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code.
SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube.
We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions.
We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution.
Overall, I rate the solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Feb 29, 2024
Stable, beneficial code review, and efficient
Pros and Cons
- "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
- "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
What is our primary use case?
We are using SonarQube for code reviews.
How has it helped my organization?
Code quality improvement, secure coding practices
What is most valuable?
The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.
What needs improvement?
NA
For how long have I used the solution?
I have been using SonarQube for approximately five years.
What do I think about the stability of the solution?
The solution is stable.
How are customer service and support?
I have not needed to use technical support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review. I have found SonarQube the most efficient.
How was the initial setup?
I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to implement it, but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.
The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.
What about the implementation team?
The solution does not require any maintenance.
What other advice do I have?
SonarQube fits my purpose. It doesn't cause any hassles for me.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.