The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability.
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
Senior Product Manager at a financial services firm with 10,001+ employees
Real User
2022-02-02T08:29:04Z
Feb 2, 2022
When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.
Lead Engineer at a healthcare company with 10,001+ employees
Real User
2022-01-28T21:25:20Z
Jan 28, 2022
I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.
One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code.
Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
2021-12-10T13:11:09Z
Dec 10, 2021
Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.
Staff DevOps Specialist at a computer software company with 201-500 employees
MSP
2021-11-11T06:09:33Z
Nov 11, 2021
My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.
Software Engineer at a tech services company with 11-50 employees
Real User
2021-10-08T20:35:29Z
Oct 8, 2021
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.
I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.
Senior Security Engineer at a financial services firm with 10,001+ employees
Real User
2021-06-29T00:34:24Z
Jun 29, 2021
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language.
It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.
Senior/Lead Software Engineer at General Pension Authority
Real User
2020-10-26T15:25:32Z
Oct 26, 2020
The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.
Security consultant at a computer software company with 1,001-5,000 employees
Real User
Top 20
2020-09-01T05:25:12Z
Sep 1, 2020
It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely.
SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition.
Lead Engineer at a healthcare company with 10,001+ employees
Real User
2019-05-20T07:59:00Z
May 20, 2019
We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.
The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations...
It automatically scans for code, detects vulnerabilities, and generates daily reports.
The tool helps us to monitor and manage violations. It manages the bugs and security violations.
The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability.
The solution's user interface is very user-friendly.
The integrations SonarQube provides with our software delivery pipeline are very seamless.
SonarQube is scalable. My company has 50 users.
This solution is simple to use and can be quickly deployed.
The SonarQube dashboard looks great.
There are many options and examples available in the tool that help us fix the issues it shows us.
The product is simple.
This solution has helped with the integration and building of our CICD pipeline.
We consider it a handy tool that helps to resolve our issues immediately.
SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues.
We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.
When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.
I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.
The solution offers a very good community edition.
The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation.
One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code.
Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.
Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.
My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.
There's plenty of documentation available to users.
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.
We have worked with the support from SonarQube and we have had good experiences.
SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems.
It is working fine. It provides a good value for money.
Provides local scanning for developers.
I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
The solution is stable.
The reporting and the results are quick. It gets integrated within the pipeline well.
The fact that the solution does security scanning is valuable.
The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language.
The static code analysis is very good.
It is a very good tool for analysis and security vulnerability checking.
It provides the security that is required from a solution for financial businesses.
The good thing with SonarQube is it covers a lot of issues, it's a very robust framework.
Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.
It is a good deal compared to all other tools on the market.
It has very good scalability and stability.
The most valuable features are that it is user-friendly, easy to access, and they provide good training files.
SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications.
I like the by-default policies that are they, as they seem to cover most of what I need.
The product itself has a friendly UI.
The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.
The product has a friendly UI that is easy to use and understand.
The overall quality of the indicator is good.
It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely.
SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition.
It is a very good tool for analysis despite its limitations.
Before you even compile, it can catch known vulnerability issues or patterns.
The most valuable features are the segregation containment and the suspension of product services.
The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.
The most valuable features are code scanning and Quality Gates.
Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers.
The code coverage feature is very good.
The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.
Strong code evaluation for budget-minded clients.
If code coverage is a low number then that's of great value to me.
SonarQube is good for checking and maintaining code quality.
Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.
We advise all of our developers to have this solution in place.
If you want to have your code scanned and timed then this is a good tool.
We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.
The most valuable function is its usability.
Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.
The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
This has improved our organization because it has helped to find Security Vulnerabilities.
It is very good at identifying technical debt.