My company is a product engineering company, and we work for different clients. The majority of the projects use SonarQube, and some projects use Checkmarx. SonarQube is primarily used for static code analysis and checking the overall unit test coverage and vulnerabilities.
At our company, we are using SonarQube to scan some of the Dot.Net and Java sources. The solution is also used for generating reports, which is a customer-mandate to scan source codes. The solution is used to set up a CI/CD pipeline following which scans are implemented and the report is shared with the developer.
My main use case for SonarQube is to analyze code quality in various programming projects, particularly focusing on identifying bugs, vulnerabilities, and code smells. I also use it to detect patterns in data clusters and ensure there are no leaks in the codebase.
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
System Analyst // System Architect at a tech services company with 10,001+ employees
Real User
Top 20
2023-08-28T05:56:03Z
Aug 28, 2023
We wanted a coding standard. We used to get coverage using SonarQube, so once the coding coverage was more than 80%, it was only then we could get Jenkins to start the build. Otherwise, Jenkins would fail from the build process. SonarQube is the point at which we confirm the DI. It is in the JUnit test cases where the coverage of the source code was more than 80%.
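The coverage gate described in the review above, enforced from a CI step, as an added example that is not part of any review on this page: it parses the JSON that SonarQube's `api/qualitygates/project_status` Web API endpoint returns and refuses the build unless the server-side gate is OK and overall coverage meets the 80% minimum. The payload below is a constructed sample, and `SONAR_HOST_URL` / `SONAR_TOKEN` are assumed environment variable names for the optional live call.

```python
"""Fail a CI build on a SonarQube quality gate (added example, not page code).

Response shape follows SonarQube's Web API endpoint
GET /api/qualitygates/project_status?projectKey=<key>. The sample payload
is constructed for this example, not captured from a real server.
"""
import base64
import json
import os
import sys
import urllib.request
from typing import Dict, List, Optional

# Constructed sample: the gate fails on coverage (65.3% against an 80%
# threshold) while the new-bugs condition passes.
SAMPLE_STATUS: Dict = json.loads("""
{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      {"status": "ERROR", "metricKey": "coverage", "comparator": "LT",
       "errorThreshold": "80", "actualValue": "65.3"},
      {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
       "errorThreshold": "0", "actualValue": "0"}
    ],
    "ignoredConditions": false
  }
}
""")


def fetch_project_status(base_url: str, project_key: str, token: str) -> Dict:
    """Query the server (network call; the offline demo does not use it).

    SonarQube user tokens are sent as the Basic-auth user name with an
    empty password, so the secret never appears in the URL.
    """
    url = (f"{base_url.rstrip('/')}/api/qualitygates/project_status"
           f"?projectKey={project_key}")
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def failed_conditions(payload: Dict) -> List[str]:
    """Human-readable list of every condition the server marked ERROR."""
    reasons = []
    for cond in payload["projectStatus"].get("conditions", []):
        if cond.get("status") == "ERROR":
            reasons.append(f"{cond['metricKey']} {cond.get('actualValue', '?')} "
                           f"(threshold {cond['comparator']} {cond['errorThreshold']})")
    return reasons


def coverage_of(payload: Dict) -> Optional[float]:
    """Overall coverage from the gate conditions, or None if not measured."""
    for cond in payload["projectStatus"].get("conditions", []):
        # A condition without actualValue means the metric was not computed.
        if cond.get("metricKey") == "coverage" and cond.get("actualValue"):
            return float(cond["actualValue"])
    return None


def build_allowed(payload: Dict, min_coverage: float = 80.0) -> bool:
    """True only if the server gate is OK and measured coverage >= min_coverage.

    The local minimum is a second line of defence: a server gate that omits
    a coverage condition would otherwise let an untested change through.
    """
    if payload["projectStatus"].get("status") != "OK":
        return False
    cov = coverage_of(payload)
    return cov is None or cov >= min_coverage


def main() -> int:
    host, token, key = (os.environ.get("SONAR_HOST_URL"),
                        os.environ.get("SONAR_TOKEN"),
                        os.environ.get("SONAR_PROJECT_KEY"))
    status = (fetch_project_status(host, key, token)
              if host and token and key else SAMPLE_STATUS)
    if build_allowed(status):
        print("quality gate OK; build may proceed")
        return 0
    print("quality gate FAILED:", "; ".join(failed_conditions(status)) or "coverage below minimum")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Without the three environment variables set, running the script evaluates the embedded sample and exits 1, which is exactly what a Jenkins step would do to stop the build.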
I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.
I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues. A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked-in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method.
Lead Engineer at a healthcare company with 10,001+ employees
Real User
2022-01-28T21:25:20Z
Jan 28, 2022
I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity. We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 5
2021-12-21T10:08:00Z
Dec 21, 2021
We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.
Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. This solution is deployed on-premise.
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
2021-12-10T13:11:09Z
Dec 10, 2021
I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. SonarQube is deployed on-premises.
Staff DevOps Specialist at a computer software company with 201-500 employees
MSP
2021-11-11T06:09:33Z
Nov 11, 2021
It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis. We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.
Project Manager at a manufacturing company with 1,001-5,000 employees
Real User
2021-11-03T20:00:00Z
Nov 3, 2021
We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, that gets passed before committing the code into the main branch.
Founder at a tech services company with 11-50 employees
Real User
2021-08-10T12:55:11Z
Aug 10, 2021
We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit.
SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.
Senior Security Engineer at a financial services firm with 10,001+ employees
Real User
2021-06-29T00:34:24Z
Jun 29, 2021
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
Real User
2021-04-05T15:27:37Z
Apr 5, 2021
We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.
CTO at a computer software company with 11-50 employees
Real User
2021-01-08T15:43:25Z
Jan 8, 2021
There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version. We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future. Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance.
Security at a tech services company with 51-200 employees
Real User
2021-01-06T10:11:58Z
Jan 6, 2021
We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there. Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera. We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process. We use Microsoft Azure and Google Cloud Platform a little.
We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube. We usually deploy it in the cloud, but sometimes we also have on-premises solutions.
Information Technology Technical Architect at a insurance company with 51-200 employees
Real User
2020-10-27T06:39:00Z
Oct 27, 2020
I'm a user also, but I'm also responsible for information security. I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first. Within our organization, there are roughly 14 people using this solution. We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team — I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.
Security consultant at a computer software company with 1,001-5,000 employees
Real User
Top 20
2020-09-01T05:25:12Z
Sep 1, 2020
We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises. I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle.
Team Lead at a computer software company with 10,001+ employees
Real User
2020-08-30T08:33:32Z
Aug 30, 2020
We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.
DevSecOps Lead at a tech services company with 11-50 employees
MSP
2020-08-20T07:50:18Z
Aug 20, 2020
Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.
Engineer at a pharma/biotech company with 201-500 employees
Real User
2020-07-28T06:50:14Z
Jul 28, 2020
The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.
We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.
Head of Software Delivery at a tech services company with 51-200 employees
Real User
2020-07-06T14:59:00Z
Jul 6, 2020
Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. This way we ensure that no core/fundamental issues are added to our codebases.
Cyber Security Architect (USDA) at a government with 10,001+ employees
Real User
2019-06-16T07:23:00Z
Jun 16, 2019
I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in.
Country Manager Senegal at a financial services firm with 10,001+ employees
Real User
2019-05-30T08:12:00Z
May 30, 2019
We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.
Manager at a wireless company with 11-50 employees
Real User
2019-05-15T05:16:00Z
May 15, 2019
Our primary use is for coding best practice management and quality. Aside from that, we also use it for security. I'm getting involved in moving this solution forward and positioning it in our enterprise so I haven't gotten to the point where we're nailing down the configuration and release controls yet.
Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
2018-07-30T09:01:00Z
Jul 30, 2018
Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though. We brought into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.
SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines. SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations...
We used SonarQube during the development period and AppScan after the system was deployed on the production site.
We use SonicWall for static core analysis.
We used SonarQube for secure code review.
We use SonarQube mostly for code quality testing.
We use SonarQube to check for vulnerabilities and quality.
We use the tool to check our code. It's used for static quality checks.
We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.
We are using SonarQube for scanning our services for issues as part of our IT department.
We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.
SonarQube delivers a continuous inspection of code quality.
I use SonarQube for testing software.
SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.
We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
I'm a software development engineer and we are customers of SonarQube.
I use this solution for our staging environment to review the security issues before going live or into production.
We generally use the solution in order to do static code analysis.
We are using the solution for code quality and security.
We use it for the static analysis of the source code to find issues or vulnerabilities.
We use SonarQube to scan our security protection.
We use SonarQube for testing and quality assurance. We use this in banks for testing. We also use SonarQube for security static testing.
We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.
We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.
We are using it for scanning our web applications, some internal applications and using it for code reviews.
I have used SonarQube for static code analysis. I am using it to assess my internal applications.
SonarQube can be used for any missing components or component vulnerabilities.
We use this solution for auditing our system.
I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.
We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.
We use this SonarQube solution for code quality and as a basic security issues solution for our clients.
Our primary use for this solution is to improve code quality and reduce technical debt.
My primary use for this solution is to perform static code analysis.
We primarily use this solution for code quality purposes. We have a CICD environment, without a lot of manual steps.
We're collecting code quality metrics.
We use this solution in the development of our travel programs.
Our primary use case for this solution is security testing using the FindSecBugs plugin.