Software Engineer at a tech services company with 11-50 employees
Beneficial testing tool, helps developer become sharper, and makes software more secure
Pros and Cons
- "The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
- "The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
What is our primary use case?
I use SonarQube for testing software.
What is most valuable?
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.
What needs improvement?
The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.
In the next release, they should add the ability to analyze containers.
For how long have I used the solution?
I have been using SonarQube for approximately three years.
Buyer's Guide
SonarQube
January 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,757 professionals have used our research since 2012.
What do I think about the scalability of the solution?
We have mostly software developers using this solution, and there are approximately 50 using it.
Which solution did I use previously and why did I switch?
I have used Snyk and it is more catered to a different audience than SonarQube. SonarQube is more for software developers.
How was the initial setup?
The installation is straightforward, especially with the new Docker implementation.
What about the implementation team?
I did the implementation of the solution myself.
What's my experience with pricing, setup cost, and licensing?
The process of purchasing the solution could improve.
What other advice do I have?
This solution is a good static test tool for developers. It helps keep the maintainability and security of software.
I rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Project Leader at a computer software company with 501-1,000 employees
Plenty of features, but needs multiple other products to function well
Pros and Cons
- "I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, but those are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
- "We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved."
What is our primary use case?
SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the SonarLint plugin with Teamscale, which is then applied to the main product we are using.
What is most valuable?
I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, but those are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.
What needs improvement?
We have to combine several products in order to cover as many flaws as might exist in the code. We have to integrate several products to set up the security functionality of the product. SonarQube should have better functionality to cover all areas of security, limiting our need for other products.
We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved.
For how long have I used the solution?
I have been using this solution for approximately three years.
What do I think about the stability of the solution?
There can be some stability issues.
Which solution did I use previously and why did I switch?
I have used Veracode.
Which other solutions did I evaluate?
I have evaluated many other solutions similar to SonarQube.
What other advice do I have?
I rate SonarQube a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Solutions Architect at a tech services company with 11-50 employees
Installation straightforward, stable, and reliable
Pros and Cons
- "The stability is good."
- "The solution could improve by having better consulting services."
What is our primary use case?
We are using this solution to check and monitor application code to ensure security quality.
How has it helped my organization?
The solution has helped us mitigate problems in applications before they were a bigger issue.
What needs improvement?
The solution could improve by having better consulting services.
For how long have I used the solution?
I have been using SonarQube within the last 12 months.
What do I think about the stability of the solution?
The stability is good.
How was the initial setup?
The installation was straightforward, we have an internal team that does it.
What about the implementation team?
We have a team in our organization that does the implementation, configuration, and maintenance of the solution.
What's my experience with pricing, setup cost, and licensing?
The price of the solution could be reduced.
What other advice do I have?
I rate SonarQube a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head Innovation Hub at a tech services company with 201-500 employees
Helps in improving the coding style and allows us to customize the rules
Pros and Cons
- "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
- "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
What is our primary use case?
I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.
It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not.
SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.
What is most valuable?
It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules.
I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.
What needs improvement?
It is very expensive. That's something that can be improved.
I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.
Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.
The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It looks stable. So far, we haven't found any issues.
How are customer service and technical support?
I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.
How was the initial setup?
It is straightforward. It takes very little time as compared to the other solutions.
What's my experience with pricing, setup cost, and licensing?
It is very expensive. Its price should be improved.
What other advice do I have?
I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
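The build-pipeline quality gate and the "fix it or justify it" rule for severe defects described in the review above can be scripted against the SonarQube Web API. The block below is an added example, not code from the reviewer or from SonarSource. It assumes a user token in the SONAR_TOKEN environment variable, that sonar-scanner has just run in the working directory and left .scannerwork/report-task.txt behind, and the public endpoints api/ce/task, api/qualitygates/project_status and api/issues/search. The sample report file and API responses used to exercise it are constructed.

```python
"""Fail a CI job when the SonarQube quality gate is red, and list unresolved severe issues.

Added example, not code from this page's reviewers or from SonarSource.
Assumed: SONAR_TOKEN holds a user token; sonar-scanner wrote
.scannerwork/report-task.txt; the server exposes the public Web API.
"""
import base64
import json
import os
import sys
import time
import urllib.request


def parse_report_task(text):
    """Parse the key=value file sonar-scanner writes after an analysis."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskId", "projectKey"):
        if required not in props:
            raise ValueError(f"report-task.txt is missing '{required}'")
    return props


def make_fetcher(token):
    """Return fetch(url) -> dict; the token is sent as the basic-auth username."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def wait_for_analysis(fetch, server_url, task_id, timeout_s=300, poll_s=5):
    """Poll api/ce/task until the background task finishes; return its analysisId."""
    deadline = time.monotonic() + timeout_s
    while True:
        task = fetch(f"{server_url}/api/ce/task?id={task_id}")["task"]
        status = task["status"]
        if status == "SUCCESS":
            return task["analysisId"]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with status {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"analysis task {task_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)


def quality_gate(fetch, server_url, analysis_id):
    """Return (passed, failing_conditions) for one analysis; each condition carries its metric and threshold."""
    url = f"{server_url}/api/qualitygates/project_status?analysisId={analysis_id}"
    project_status = fetch(url)["projectStatus"]
    failing = [c for c in project_status.get("conditions", []) if c.get("status") == "ERROR"]
    return project_status["status"] == "OK", failing


def open_severe_issues(fetch, server_url, project_key, severities=("BLOCKER", "CRITICAL")):
    """Unresolved issues at the given severities: the list that must be fixed or marked false positive.
    Servers older than 10.2 expect 'componentKeys' instead of 'components'."""
    url = (f"{server_url}/api/issues/search?components={project_key}"
           f"&severities={','.join(severities)}&resolved=false&ps=500")
    return fetch(url).get("issues", [])


def main():
    token = os.environ.get("SONAR_TOKEN")
    if not token:
        sys.exit("SONAR_TOKEN is not set")
    with open(".scannerwork/report-task.txt", encoding="utf-8") as fh:
        props = parse_report_task(fh.read())
    fetch = make_fetcher(token)
    analysis_id = wait_for_analysis(fetch, props["serverUrl"], props["ceTaskId"])
    passed, failing = quality_gate(fetch, props["serverUrl"], analysis_id)
    for cond in failing:
        print(f"FAILED {cond['metricKey']}: {cond.get('actualValue')} "
              f"(threshold {cond.get('errorThreshold')})")
    for issue in open_severe_issues(fetch, props["serverUrl"], props["projectKey"]):
        print(f"{issue['severity']} {issue['rule']} {issue.get('component')}:{issue.get('line', '?')}")
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

Run it as the step right after sonar-scanner in the pipeline; a non-zero exit is what makes the release "not releasable". Recent scanner versions can do the waiting themselves with sonar.qualitygate.wait=true, but the separate step is still useful because it also prints the BLOCKER/CRITICAL issues that the SLA requires a developer to either fix or justify (by marking them as false positive or won't fix in the UI, which clears them from this list).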
Senior Security Consultant at a tech services company with 51-200 employees
Well priced, good for basic needs, but is too limited
Pros and Cons
- "For what it is meant to do, it works pretty well."
- "I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
What is our primary use case?
The solution is a static code analysis tool. That's basically what we use it for in our organization.
What is most valuable?
We bought the solution due to the fact that it was the lowest price.
For what it is meant to do, it works pretty well.
It's good for analysis.
What needs improvement?
I've been told by the developers that the solution is too limited. It's not testing enough within the containers. For instance, it only checks for obvious code errors. They should work to improve this.
At that moment we needed to scan the codes that the developers are producing, we found out that we needed more features.
For how long have I used the solution?
I've been using the solution for six months or so now. It's been less than a year.
Which solution did I use previously and why did I switch?
The former product we used was Twistlock.
How was the initial setup?
I haven't had much experience with the initial setup. I can't speak to what the deployment or setup was like.
What's my experience with pricing, setup cost, and licensing?
The pricing is very good.
Which other solutions did I evaluate?
We're currently looking into other options.
We're either looking for an integrated product for the whole CI/CD pipeline, such as StackRox, or we're looking at Fishman from Palo Alto. We're also looking at individual products for the whole CI/CD pipeline. In fact, this afternoon we are having a meeting to further discuss what tools we will use, or what we can use for dependency checks in the whole CI/CD pipeline, and for us to get a container image.
What other advice do I have?
We're a customer and an end-user of the product. We don't have a business relationship with them.
I'm not sure which version of the solution we're using.
I'd advise potential users to first check all the features to see if what they need is there and then check them off to ensure that SonarCloud fills all your needs.
It's a good product for its purpose.
I'd rate the solution at a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
Frees up time to focus on daily tasks, meet delivery requirements and deliver more reliable code
Pros and Cons
- "SonarQube is a fantastic tool which saves us precious time."
- "We did have some trouble with the LDAP integration for the console."
What is our primary use case?
We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.
What is most valuable?
SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis on their computers. This affords delivery of much more reliable code, something which allows us to focus our work on more aggregated value operations.
What needs improvement?
I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development.
This said, we did have some trouble with the LDAP integration for the console.
For how long have I used the solution?
As our company is not primarily IT-related we are late comers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago.
What about the implementation team?
I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products.
She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.
What other advice do I have?
I am a customer of SonarQube.
At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.
When we deploy on-cloud, we normally use Amazon Web Services.
I rate SonarQube as a ten out of ten, easily. I think it's fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at a computer software company with 201-500 employees
Free, scalable, but documentation needs improvement
Pros and Cons
- "The solution is stable."
- "I have found this solution creates more noise than competitors."
What is our primary use case?
I use this solution for our staging environment to review the security issues before going live or into production.
What needs improvement?
I have found this solution creates more noise than competitors.
The documentation and reporting extract can improve because other solutions are far more advanced.
For how long have I used the solution?
I have been using this solution for approximately two years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale.
We have approximately 10 people using this solution in my organization.
Which solution did I use previously and why did I switch?
Previously I worked with Fortify and Veracode, and I have found those tools to be much better because they are commercial solutions.
What about the implementation team?
Our development team did the implementation of this solution.
What's my experience with pricing, setup cost, and licensing?
This solution is free.
What other advice do I have?
My advice to others is this solution is one of the best in the free market in the industry and it is a good one to use.
I rate SonarQube a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
A stable open-source code quality inspection tool with a nice dashboard
Pros and Cons
- "I like that it has a better dashboard compared to Klocwork. It's also stable."
- "Technical support and the price could be better."
What is most valuable?
I like that it has a better dashboard compared to Klocwork. It's also stable.
What needs improvement?
Technical support and the price could be better.
For how long have I used the solution?
I have been using SonarQube for seven or eight years.
What do I think about the stability of the solution?
SonarQube is quite good in terms of stability.
How are customer service and support?
Technical support could be better. If we request support, it's a little bit delayed, and it's not consistent on email.
What's my experience with pricing, setup cost, and licensing?
SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing.
What other advice do I have?
On a scale from one to ten, I would give SonarQube an eight.
Disclosure: My company has a business relationship with this vendor other than being a customer. reseller