SonarQube Cloud (formerly SonarCloud) Reviews

SonarCloud's user interface integrates with version control tools like GitLab, showing code smells and commits for code reviews. Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature.

SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.

The main advantage of using Android Lint over SonarCloud is its ease of integration. It was a bit tricky to integrate SonarCloud, inside the CI/CD pipeline, which had some integration challenges. No proper documentation existed, making it tough. 

Specifically, when pushing code and creating merge requests, SonarCloud wouldn't generate the merge request or run itself. This felt clunky and required extra configuration. The documentation just wasn't sufficient for integrating with our cloud and Android Lint. Ultimately, it took too long to integrate SonarCloud, leading us to explore other options like Android lint for improving code quality.

So, adding better documentation on integrating SonarCloud's pipeline within GitLab CI/CD would definitely be a valuable addition from my perspective. That's the key takeaway they should work on.

We've been using SonarCloud for a while, inside TruckITAM, stopping about four months ago. We established our pipeline for seamless build sharing with stakeholders, using Android Lint to optimize the pipeline process and costs.

SonarCloud is well-stable. It's a good system. Whenever I used to commit, it gave proper feedback about our code, like duplication or optimization suggestions. 

Overall, the product is stable, but a few features need addressing to improve the user experience. The integration process and overall flow feel a bit clunky. They need to optimize the user experience. 

It requires a bit of work on the user side. It is difficult for non-trained users. If someone untrained reads their documentation, integrating with SonarCoud should be easy. That's the tricky part. They need a good onboarding process and a support team for communication. We're the clients, so they should provide daily updates on new features and address any integration issues on our cloud.

There should be an open-source community available so that they can target small queries. Our cloud community feels a bit small and not very active. I searched for workarounds and how to cancel merge requests, which took forever.

Also, on the GitLab side, working on CI/CD pipeline automation was challenging. Improving the build time of the application was a pain. We had to write XML files and run scripts.

The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps. That's something I noticed for GitLab and researched for a while. We integrated it successfully for the driver side, but the other application timed out. We used BigRise as an alternative, and it optimized the build time to 10 minutes. That's how we successfully integrated our CI/CD pipeline at TaxRise.

Technical support as a whole, it was a while ago, like three months after we stopped using their services, that they emailed us. They should approach users proactively and try to ensure a smooth integration process. 

We already have a lot on our plates, so we don't have time to chase them. Even if we email them and they respond, we have other tasks in the pipeline. They should take ownership and manage the integration. Our SonarCloud integration ended up getting put on the back burner.

So, in terms of technical support, if you're providing a service, you need to be quick to respond to users and grab their attention. These are a few things SonarCloud could improve.

I wouldn't want to discourage their efforts, so I won't rate them a very bad rating. The product itself is still good, so I'd rate their technical support around six and a half out of ten.

And one other thing you can tell the SonarCloud team: they can improve their open-source community. A strong open-source community can significantly reduce the need for technical support. 

If they have good documentation for integrating with various platforms like web applications, back-end applications, server-side applications, Android, iOS, etc., and also GitLab pipelines, their rating could easily go up to eight and a half, maybe even nine.

Neutral

I currently work with the Android Lint. It's a built-in tool in Android Studio, used for checking errors in the code, code duplication, code smells, and improving code reusability. 

It helps in identifying spelling mistakes, unused variables, and imports, optimizing the code. We chose Android Lint over SonarCloud for similar functionalities, allowing us to improve code quality without relying on a third-party app. 

As an alternative to improve our code quality, we migrated the same functionality to our own cloud environment. This allows us to utilize Android lint for code improvements internally, eliminating reliance on any third-party app.

Some of the good features we found in SonarCloud that were valuable include the user interface integration with version control tools like GitLab. This lets us see code smells and track commits associated with specific code portions for code reviews.

Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature. Additionally, we can integrate Android lint directly into our CI/CD pipeline, allowing us to run critical lint checks automatically within the pipeline. This further automates our system and streamlines the development process.

The current pricing is quite cheap. The thousand-line package costs only ten euros per month, which is much cheaper compared to competitors like Veracode, which charge around a hundred or even ninety-nine dollars per month. So, the pricing is good as it is, but if they add features like AI-powered algorithms and core data optimization, they could easily see significant growth.

Overall, I would rate this product around nine out of ten. They're putting a lot of effort into developing the product, and it compares favorably to other options available. Plus, it's free initially with a set limit, making it quite accessible.

One thing SonarCloud could add is a separate AI for comprehensive code analysis. They already suggest improvements and urge users to adopt specific practices, but it could go further. 

For example, imagine using Android Studio and writing some code. SonarCloud's AI could analyze it and suggest algorithm or coding structure improvements.

There are also some application crashes and concurrency issues we encounter due to shared multi-threaded environments. So, another AI check they could offer would be analyzing how to optimize the application's algorithms for better performance. That would be another great improvement for SonarCloud.

We use the product for code-based security scanning.

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

SonarCloud's UI needs enhancement.

We have been using SonarCloud for five years.

I rate the product's stability a ten out of ten.

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

We have ten dedicated engineers working on the product's deployment and maintenance.

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

We are using SonarCloud for static analysis. We must utilize this tool for code analysis prior to deployment. For instance, it is necessary to check for bugs or inconsistencies in the code and rectify them. SonarCloud can assist in this regard by providing high-quality content.

The most valuable feature of SonarCloud is its overall performance.

The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit.

I have been using SonarCloud for approximately one month.

I rate the stability SonarCloud a nine out of ten.

We have approximately 50 it specialists using this solution across a number of projects.

I rate the scalability of SonarCloud a seven out of ten.

I have not used the support often.

I rate SonarCloud an eight out of ten.

Positive

I have used other solutions prior to SonarCloud.

The initial setup of SonarCloud was done without too many issues. It was able to be done in approximately 10 minutes.

I did the implementation of the solution myself.

I am using the free version of the solution.

One person is enough for the maintenance of the solution.

I would recommend this solution to others.

I rate SonarCloud a nine out of ten.

We are customers of SonarCloud.

I like that the solution can be installed locally. 

I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

I've been using this solution for about three years. 

The solution is stable. 

I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

I wasn't involved in the setup but I believe it was relatively easy. 

I rate this solution nine out of 10. 

We use SonarCloud tools for all our 20 repositories and we are connecting the SonarCloud, from the Bitbucket pipeline.

The reports from SonarCloud are very good.

We had some issues with the scanner.

I have been using SonarCloud for approximately three weeks.

The solution is stable.

SonarCloud is scalable.

We plan to increase our package to the enterprise edition and decrease the lines of code in the future.

We have not needed the support at this time.

We previously used Codacy. We switch to SonarCloud because of their good reputation and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.

The solution is straightforward to implement. Some of the implementations can be quick.

The installation of the framwork was a bit difficult, it could be improved.

The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.

We have purchased a license for 2 million lines of code. However, we have 10 million lines of code but it would be too costly for us to have a license for all the amount.

I would recommend SonarCloud to others.

I rate SonarCloud a nine out of ten.

The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules. 

The solution needs to improve its customization and flexibility. 

I have been using the solution for ten days. 

I would rate the product's stability an eight out of ten. 

We have received instant replies from the support but not actual answers. We contacted support regarding upgrading the edition.  

The tool's setup is not complex. Our engineers were not experienced and they took time to implement the product. 

The tool is simple and I would rate it an eight out of ten. 

We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other.  

We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. 

Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.
+

CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.

We've used SonarCloud for nearly nine months, but we're slowly using it more and more.

The services are small, so scalability is not relevant. If you say that the service is an application, then the functionality of the application is, by definition, small and fit for purpose. The scalability of having lots of increased functionality within a service is not an issue. 

Scalability has more to do with the number of services or the full set of applications. A big company has multiple types of development going on that require SonarCloud. There are several services and applications that need to be scanned on a regular basis completely independently of each other. That's the issue. We're not hitting this threshold at the moment, so that's something we'll discover in the future as we add more to SonarCloud.

I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.

I can't say what it costs off the top of my head, but I believe the license is based on the number of users and services. Generally, it's considered inexpensive. 

The price is also based on the lines of code scanned. We use another solution instead of SonarCloud to scan third-party software. One thing is unclear. If you want to use SonarCloud for third-party software, you will reuse it for more services, but you only need to scan the latest version. 

You only need to scan once to cover all services that you're developing to minimize the cost of the scans. It doesn't make sense to redo the same scan for the third-party library version, which is used by many services. You only need to do it once.

I rate SonarCloud seven out of 10. That rating is more of an intuitive sense of the product based on many years of experience.

The solution is a static code analysis tool. That's basically what we use it for in our organization.

We bought the solution due to the fact that it was the lowest price. 

For what it is meant to do, it works pretty well. 

It's good for analysis.

I've been told by the developers that the solution is too limited. It's not testing enough within the containers. For instance, it only checks for obvious code errors. They should work to improve this.

At that moment we needed to scan the codes that the developers are producing, we found out that we needed more features.

I've been using the solution for six months or so now. It's been less than a year.

The former product we used was Twistlock.

I haven't had much experience with the initial setup. I can't speak to what the deployment or setup was like.

The pricing is very good.

We're currently looking into other options.

We're either looking for an integrated product for the whole CICB pipeline, such as StackRox, or we're looking at Fishman from Palo Alto. We're also looking at individual products for the whole CICB pipeline. In fact, this afternoon we are having a meeting to further discuss what tools we will use, or what can we use for dependency decks in the whole CICB pipeline, and for us to get a container image.

We're a customer and an end-user of the product. We don't have a business relationship with them. 

I'm not sure which version of the solution we're using.

I'd advise potential users to first check all the features to see if what they need is there and then check them off to ensure that SonarCloud fills all your needs.

It's a good product for its purpose.

I'd rate the solution at a seven out of ten.