Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Simple implementation, effective scanning, and tracking
Pros and Cons
- "SonarQube is useful for controlling all of our Azure task tracking and scanning."
- "SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
What is our primary use case?
We are using SonarQube for static analysis and finding vulnerabilities in our code.
What is most valuable?
Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.
What needs improvement?
SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
What do I think about the stability of the solution?
SonarQube is a highly stable solution.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
We have 20 to 25 specialists using SonarQube in my organization.
We have plans to increase the usage of the solution.
How are customer service and support?
We search Google for solutions to any problems we may face.
How was the initial setup?
The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment (CI/CD).
What about the implementation team?
We did the implementation of the solution ourselves.
We have assigned one DevOps to each project, and each DevOps deploys SonarQube in their project; we have about 20 projects in total.
What's my experience with pricing, setup cost, and licensing?
The free version of SonarQube does everything that we need it to.
Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.
What other advice do I have?
I highly recommend this solution to others.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director IT Security, CISO at a transportation company with 10,001+ employees
Cost-effective with good out-of-the-box features
Pros and Cons
- "I like the by-default policies that are there, as they seem to cover most of what I need."
- "The interface could be a little better and should be enhanced."
What is our primary use case?
I have used SonarQube for static code analysis. I am using it to assess my internal applications.
What is most valuable?
I like the by-default policies that are there, as they seem to cover most of what I need. I see that as an essential feature.
What needs improvement?
The interface could be a little better and should be enhanced.
More support for integration with third-party products would be an improvement.
For how long have I used the solution?
I have been using SonarQube for more than five years.
What do I think about the stability of the solution?
I have not faced any bugs or glitches in SonarQube.
How are customer service and technical support?
I have not been in contact with technical support, although my teams would have definitely reached out.
How was the initial setup?
I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid setup because every environment has its own applications to deploy. That said, it was not so critical that we were not able to manage it.
What about the implementation team?
We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.
What's my experience with pricing, setup cost, and licensing?
SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.
Which other solutions did I evaluate?
You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.
When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.
What other advice do I have?
This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.
In the future, I may look into deploying SonarQube in a hybrid model.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vice President at a financial services firm with 1,001-5,000 employees
Good reporting and works well for code timing, but is lacking in the security space
Pros and Cons
- "If you want to have your code scanned and timed then this is a good tool."
- "The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
What is our primary use case?
We primarily use this solution for code quality purposes. We have a CI/CD environment, without a lot of manual steps.
How has it helped my organization?
This solution figures out and tells you when there are code quality issues.
What is most valuable?
The quantification and reporting features are really good.
What needs improvement?
The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.
The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.
We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time.
For how long have I used the solution?
Two years.
What do I think about the stability of the solution?
We have been using this for quite a number of applications, and its stability is very good. The scan time is very fast because it is a text-based scan.
What do I think about the scalability of the solution?
We have not had any problems with scalability. We have a big organization with a lot of applications and all of our critical applications are on this platform. We are planning to increase the scope by adding less critical applications over time.
Which solution did I use previously and why did I switch?
We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution, we opted for this.
How was the initial setup?
The initial setup was not complex. It is pretty simple and straightforward.
What's my experience with pricing, setup cost, and licensing?
The costs for this application, for the kind of job it does, are pretty decent.
What other advice do I have?
This product is good but it is not meant to be a single solution for all issues.
If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
It easily ties into our continuous integration pipeline, but it is light on the security side
Pros and Cons
- "It is very good at identifying technical debt."
- "It easily ties into our continuous integration pipeline."
- "I find it is light on the security side."
What is our primary use case?
Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though.
We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.
How has it helped my organization?
- Higher code quality.
- Faster to market.
- Fewer errors.
What is most valuable?
- The issues it identifies.
- How easily it ties into our continuous integration pipeline.
- It is very good at identifying technical debt.
What needs improvement?
As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It seems to be very stable. I haven't had many issues with it.
We just upgraded to the 6.7 version, which has been performing well.
What do I think about the scalability of the solution?
We haven't had any issues to date. We haven't had a huge number of projects to date. We're slowly slowing the uptake from some of our internal teams, but it seems to be fairly scalable.
How are customer service and technical support?
I haven't had to use technical support.
How was the initial setup?
The initial setup was fairly straightforward.
What's my experience with pricing, setup cost, and licensing?
The price point on SonarQube is good.
Which other solutions did I evaluate?
We are looking into corporate security and a couple different tooling options for doing data code analysis and security scanning.
We have looked into a few options:
- We are looking at IBM AppScan.
- I am going to be running a small PoC next week with Veracode. I started doing a bit of research on Veracode, and I saw how it ties in compared with SonarQube.
What other advice do I have?
We are looking at using another product to complement it for security reasons.
Most important criteria when selecting a vendor:
- Usability of the product
- Responsiveness when we have issues.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Architect at an insurance company with 1,001-5,000 employees
An open-source platform for the continuous inspection of code quality with a useful code security feature
Pros and Cons
- "I like that it helps us maintain our work quality and code security."
- "Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
What is our primary use case?
We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started.
One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.
We were trying to serve two purposes; work quality and code security, with one tool. That's where our inclination was more towards Sonar because other tools generally target code security only.
What is most valuable?
I like that it helps us maintain our work quality and code security.
What needs improvement?
Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.
For how long have I used the solution?
I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.
What do I think about the scalability of the solution?
In the Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you the possibility of parallel analysis of reports, and that could speed things up.
How are customer service and technical support?
We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.
How was the initial setup?
The initial setup on-premises may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.
What's my experience with pricing, setup cost, and licensing?
We're using the Community Edition, and we don't pay for anything.
What other advice do I have?
On a scale from one to ten, I would give SonarQube a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Backend Architect at Sngular
It has very good scalability and stability
Pros and Cons
- "It has very good scalability and stability."
- "We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
What is our primary use case?
We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.
We usually deploy it in the cloud, but sometimes we also have on-premises solutions.
What is most valuable?
It has very good scalability and stability.
What needs improvement?
We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.
Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use.
Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.
For how long have I used the solution?
I have been using SonarQube for two years.
What do I think about the stability of the solution?
Its stability is very good.
What do I think about the scalability of the solution?
It has very good scalability. In my company, we have less than 15 users. They are mostly developers.
How are customer service and technical support?
I have not used the support.
Which solution did I use previously and why did I switch?
I have used Codestyle and a few other tools. SonarQube is similar to other tools.
How was the initial setup?
Its installation is a little bit complex. They can simplify the installation and make it easier.
Which other solutions did I evaluate?
We didn't evaluate other options.
What other advice do I have?
I would rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Architect at Dwr Cymru Welsh Water
Ensures that quality is not compromised between builds
Pros and Cons
- "The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
- "A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
What is our primary use case?
Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.
How has it helped my organization?
This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between builds.
What is most valuable?
The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
What needs improvement?
A robust credential scanner would be a huge bonus, as it would remove the need for yet another niche product with additional cost and also give the benefit of a single-pane-of-glass view, although we would still need WhiteSource Bolt for third-party library scanning. The integration into Docker builds could be better, as pulling the latest version of the scanner, setting the path, and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and a scan start with the key passed as a variable would be a nicer implementation. I have not looked into SSL for the management page yet, but I am hoping that goes smoothly.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
We have only used this solution for a few weeks, but so far we have had no issues at all.
What do I think about the scalability of the solution?
My impression of the scalability is good, as it appears that it can support a much larger number of projects than we have.
How are customer service and technical support?
We have had no need to contact technical support.
Which solution did I use previously and why did I switch?
I did not use another solution prior to this one.
How was the initial setup?
The setup took a bit of work, but that was because we were combining Docker, Kubernetes, Azure Key Vault, and the Azure PaaS SQL Server.
What about the implementation team?
We took care of the implementation in-house.
What was our ROI?
In terms of ROI, it is difficult to put a number against code quality. For the cost of hosting it, I would say very good if you do not have a solution to start with.
What's my experience with pricing, setup cost, and licensing?
A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.
Which other solutions did I evaluate?
We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of Software Engineering at a computer software company with 201-500 employees
Helps to monitor and manage violations but improvement is needed in integration with third-party platforms and scalability
Pros and Cons
- "The tool helps us to monitor and manage violations. It manages the bugs and security violations."
- "SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
What is most valuable?
The tool helps us to monitor and manage violations. It manages the bugs and security violations.
What needs improvement?
SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability.
For how long have I used the solution?
I have been using the product for five years.
What do I think about the stability of the solution?
I rate the tool's stability a six out of ten.
What do I think about the scalability of the solution?
My company has 150 users for SonarQube.
How was the initial setup?
The tool's deployment is complex.
What's my experience with pricing, setup cost, and licensing?
The tool's pricing is reasonable.
What other advice do I have?
I rate the overall product a seven out of ten and would recommend it to others.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 29, 2024