Distinguished Engineer at Gtmhub
Code quality improves with effective static code analysis and community support
Pros and Cons
- "Some of the static code analysis capabilities are the most beneficial."
- "The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk."
- "Any suggestions for potential improvements may include bill of materials functionality."
What is our primary use case?
We use a stage in our Jenkins CI builds for our services' CI processes. Our server runs static code analysis for our Golang project.
What is most valuable?
Some of the static code analysis capabilities are the most beneficial. We review them on a weekly or bi-weekly basis to identify code regressions and suggestions for code improvements. The feedback provided aligns with our goals for code quality assurance.
What needs improvement?
At the moment, I am totally happy with SonarQube Server. Any suggestions for potential improvements may include bill of materials functionality.
For how long have I used the solution?
We have been using SonarQube Server for more than two years now.
Buyer's Guide
SonarQube
May 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,747 professionals have used our research since 2012.
What do I think about the stability of the solution?
SonarQube Server has had no downtime so far.
What do I think about the scalability of the solution?
We are currently using one instance only and not employing any kind of high availability. The product handles numerous builds executed daily, meeting our needs effectively.
How are customer service and support?
Since we are using some kind of freemium version, we have resolved issues via community support rather than the paid version. The community support is quite effective.
Which solution did I use previously and why did I switch?
We previously worked with Snyk. We switched due to the high cost and because the freemium version of SonarQube Server met our needs better.
How was the initial setup?
The initial setup involved two to three days of R&D and proof of concepts for deployment and integration. Production deployment took another one to two days.
What about the implementation team?
I was involved with the deployment of SonarQube, however, the majority was done by another team member. In total, I have a team of four DevOps engineers.
What's my experience with pricing, setup cost, and licensing?
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
Which other solutions did I evaluate?
We are experimenting with Wiz and previously used Microsoft Defender for Cloud and Snyk.
What other advice do I have?
I rate SonarQube Server as nine out of ten.
We are happy with its suggestions for code improvement. No significant issues have been experienced, ensuring smooth operation during our CI processes.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Devops Architect at a tech vendor with 51-200 employees
Has helped our team catch code bugs and improve developer skills through actionable suggestions
Pros and Cons
- "SonarQube Cloud (formerly SonarCloud) has had a positive impact on my organization by giving the best impact for code checking and code structuring, making the code more usable and better."
What is our primary use case?
My main use case for SonarQube Cloud (formerly SonarCloud) is for code checking and the quality of code.
A specific example of how I use SonarQube Cloud (formerly SonarCloud) for code checking and quality is that we have enabled quality gates for the pipeline.
What is most valuable?
The best features SonarQube Cloud (formerly SonarCloud) offers are that it is quite good and offers a perfunct feature.
The perfunct feature in SonarQube Cloud (formerly SonarCloud) shows the bugs in the codes and suggests the fixes.
SonarQube Cloud (formerly SonarCloud) has had a positive impact on my organization by giving the best impact for code checking and code structuring, making the code more usable and better.
It has made my code better because the team can improve their skills. It suggests fixes where needed, enabling the team to code better and maintain high code quality.
What needs improvement?
SonarQube Cloud (formerly SonarCloud) performs well currently and I cannot identify any needed improvements at this time.
For how long have I used the solution?
I have been using SonarQube Cloud (formerly SonarCloud) for three years.
What do I think about the stability of the solution?
In my experience, SonarQube Cloud (formerly SonarCloud) is stable and I did not face any major issues.
What do I think about the scalability of the solution?
SonarQube Cloud (formerly SonarCloud) has handled my organization's needs as we've grown.
How are customer service and support?
The customer support for SonarQube Cloud (formerly SonarCloud) has been better. Some of my teammates have interacted with support by raising tickets, and their issues were successfully resolved.
How would you rate customer service and support?
Positive
What other advice do I have?
My advice to others is to use SonarQube Cloud (formerly SonarCloud).
I rate SonarQube Cloud (formerly SonarCloud) nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 28, 2025
consultant at a computer software company with 1,001-5,000 employees
Setting up code inspection and managing technical debt have improved code quality
Pros and Cons
- "The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities."
- "SonarQube Cloud needs improvements in dynamic code analysis. Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels."
What is our primary use case?
The use case involves setting up code inspection, identifying security vulnerabilities, ensuring adherence to coding standards, and managing technical debt. I have established a quality gate in the CI/CD pipeline to ensure a minimum quality percentage is achieved for the build to pass. This is integrated within CI/CD pipelines.
What is most valuable?
The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities. These features help me ensure high-quality code and improve security posture via vulnerability checks, particularly on Java applications. SonarQube Cloud’s integration with CI/CD tools is also a significant benefit. The product offers a good user interface which enhances usability.
What needs improvement?
SonarQube Cloud needs improvements in dynamic code analysis. Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
For how long have I used the solution?
I have extensive work experience with SonarQube Cloud, exceeding five years.
What do I think about the stability of the solution?
I would rate the stability a nine out of ten. The product is quite stable and reliable.
What do I think about the scalability of the solution?
I would rate it eight out of ten for scalability. There is room for improvement, but SonarQube Cloud is generally reliable. It has been used in multiple projects and performs well.
Which solution did I use previously and why did I switch?
The major benefit of SonarQube Cloud over other solutions is its integration with CI/CD tools and support for various languages and platforms. Its user interface is also superior compared to traditional code inspection and SAST tools.
How was the initial setup?
The initial setup for SonarQube Cloud is straightforward. This applies to both in-house server setup and integration.
What was our ROI?
The product has had a positive impact by identifying gaps in application code related to technical debt and coding standards.
What's my experience with pricing, setup cost, and licensing?
We used the open-source version of SonarQube Cloud for its minimum features and did not license its extensive capabilities.
What other advice do I have?
I would recommend SonarQube Cloud to other development teams. Overall, I rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Manager, Security Engineering at ESS
A mature and admin-friendly solution that is easy to deploy and easy to maintain
Pros and Cons
- "SonarQube is admin friendly."
- "SonarQube is not development-centric like Snyk."
What is our primary use case?
We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.
What is most valuable?
SonarQube is admin friendly.
What needs improvement?
SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.
For how long have I used the solution?
I have been using the solution for the last five years.
What do I think about the stability of the solution?
The solution is quite mature. We did not have many issues.
What do I think about the scalability of the solution?
The tool is very scalable.
How are customer service and support?
Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.
Which solution did I use previously and why did I switch?
I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.
How was the initial setup?
The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.
What about the implementation team?
Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.
What's my experience with pricing, setup cost, and licensing?
It's an open-source product. All other solutions are commercial.
What other advice do I have?
SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Provides multi-programming language support with a reliable report-generation facility
Pros and Cons
- "Offers multi-programming language support"
- "The tool needs to be more compatible with C/C++ language"
What is our primary use case?
At our company, we are using SonarQube to scan some of the .NET and Java sources. The solution is also used for generating reports, which is a customer mandate to scan source code. The solution is used to set up a CI/CD pipeline, after which scans run and the report is shared with the developer.
What is most valuable?
One of the solution's most vital features is its multi-programming language support. The solution also functions on an open-source model that allows users to easily check the setup and installation process and gain further knowledge regarding the solution across production grades.
What needs improvement?
In our organization, C/C++ programmers prefer to use CodeSonar over SonarQube, so I believe the tool needs to be more compatible and user-friendly for the specific C/C++ language.
The solution provider can evaluate how SonarQube can be integrated with AI in future versions similar to how Copilot is working with Outlook and GitHub.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
The product is stable, but there are rarely a few configuration issues. I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
There are about 20-30 users of the solution in our organization.
How was the initial setup?
The initial setup process of the solution is quite simple. For the installation process, a database is required; at our company, we initially had four databases. To build the database properly, our company integrated AWS Postgres database to store all the data.
The SSL certificate installation can be carried out later on when the need arises while configuring the database for a specific project. For the setup process, our company got some support from the solution provider.
What's my experience with pricing, setup cost, and licensing?
Our company previously paid around $15,000 for the solution, which later increased by $1,500 the next year.
What other advice do I have?
The code quality metrics from the solution help us generate reliable reports on behalf of our company instead of asking questions like whether the code is scanned, whether it is vulnerable, and whether it meets all standards. SonarQube is also able to identify to what level the code is secure, making it easier for the developer to check and understand the application.
I would rate SonarQube an eight out of ten. I would recommend the solution to others who need to scan their code and are looking for the support that SonarQube provides through its features, but for core languages like C/C++ they can choose an alternative.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Provides static code analysis and has more native integrations
Pros and Cons
- "Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
- "In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."
What is our primary use case?
We use SonarQube for static code analysis.
What is most valuable?
The reporting is somewhat delayed, there is something missing. For example, if you compare it with GitHub Advanced Security, SonarQube has a more native integration, and its analysis is more structured and precise. SonarQube can do a better job compared to other native tools. It supports a good number of language tags and is continuously improving its analytics functions.
Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users.
What needs improvement?
The detection and reporting are structured, with reporting being better compared to other tools. However, in terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues. Therefore, the analysis engine of SonarQube could benefit from significant improvements to better compete in the market.
For how long have I used the solution?
I have been using SonarQube for around a year and a half.
What do I think about the scalability of the solution?
The solution is scalable.
Which solution did I use previously and why did I switch?
I have used many open source solutions.
How was the initial setup?
The initial setup is not easy, as there are many product protocol improvements that can be made.
I rate the initial setup an eight out of ten, where one is difficult and ten is easy.
What was our ROI?
The engine needs significant improvement, but it is a good solution for detecting flaws. Enhancing the analytics engine could further improve its capabilities. The effectiveness of SonarQube depends on these factors. If you enhance the analytics engine, the quality of flaw detection will obviously improve as well.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive.
What other advice do I have?
SonarQube has many integrations, even in our development backup environment. While setting up notifications was possible, it was quite complex to manage.
However, SonarQube is one of the solutions I would recommend. In terms of code quality, it offers many features compared to other solutions in the market. It has been around for a while and delivers many functionalities. There are different solutions with better detection engines than SonarQube, but in terms of scalability and compliance, SonarQube is superior. Taking all factors into consideration, it is a better option.
Overall, I rate the solution 8.5 out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Software Architect at a tech vendor with 10,001+ employees
Excels in dashboard usability and cost-effectiveness
Pros and Cons
- "The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
- "SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
What is our primary use case?
My main use case for SonarQube is to analyze code quality in various programming projects, particularly focusing on identifying bugs, vulnerabilities, and code smells. I also use it to detect patterns in data clusters and ensure there are no leaks in the codebase.
What is most valuable?
The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability. Specifically, its ability to detect issues across different functions and methods, including security vulnerabilities, is particularly useful.
What needs improvement?
SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase. Additional functionality that could improve SonarQube includes features like automatic code correction and AI-generated suggestions to streamline code maintenance.
For how long have I used the solution?
I have been using SonarQube for almost three years.
What do I think about the stability of the solution?
I would rate the stability of the solution as an eight out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of the solution as an eight out of ten.
Which solution did I use previously and why did I switch?
In comparing Coverity and SonarQube, Coverity stands out for its superior vendor support and enterprise-level analysis capabilities, particularly in security and leak detection across procedures. SonarQube excels in dashboard usability and cost-effectiveness but lacks certain advanced features like inter-procedural analysis and some leak detections available in Coverity.
How was the initial setup?
Setting up SonarQube was relatively straightforward.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, SonarQube is more comfortable for global licensing and cloud-based usage, while Coverity's licenses, particularly in India, may come with more restrictions and be less flexible.
What other advice do I have?
I integrate SonarQube into my CI/CD pipeline by running it during the build process for static code analysis. Once the analysis is complete, the results are sent to the dashboard for easy monitoring and tracking of code quality.
Using SonarQube for security vulnerability detection offers several benefits such as comprehensive security rule coverage and integration with the dashboard for easy monitoring. Additionally, SonarQube provides features like password handling, eliminating the need for separate tools and enhancing overall code security.
SonarQube handles false positives during code analysis by allowing teams to review and exclude them, especially in long-term projects where patterns are familiar. While false positives may occur, experienced teams can easily identify and manage them, ensuring accurate analysis results.
For software development, especially in Java-based environments, I highly recommend using SonarQube due to its effectiveness in ensuring code quality and minimizing potential issues. While there are free tools available, SonarQube's comprehensive support for various languages and its benefits make it a valuable choice for developers.
Overall, I would rate SonarQube as an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software Developer at BKWI
Allows for real-time feedback on code quality and highly stable solution
Pros and Cons
- "We've configured it to run on each commit, providing feedback on our software quality."
- "During the setup process, we only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit."
What is our primary use case?
We use it to check the code quality of our software.
What is most valuable?
We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.
What needs improvement?
We would appreciate having PNC checking, though that's only available in a more expensive license type.
There is also room for improvement in the installation process.
For how long have I used the solution?
I have been using this solution for a couple of years.
What do I think about the stability of the solution?
It is a stable solution. So, no issues with stability.
What do I think about the scalability of the solution?
We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.
We have around 13 developers using this solution.
How was the initial setup?
Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit.
However, maintenance is actually quite easy. It requires a couple of people.
Which other solutions did I evaluate?
We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.
What other advice do I have?
I would definitely recommend using the solution.
Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
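The file-handle limit mentioned in the review above is one of several OS limits SonarQube Server's embedded Elasticsearch depends on. The following is an added example, not SonarQube's code or the reviewer's, that reports which limits on the host fall below spec before the service is started. The thresholds are the ones SonarQube's installation documentation lists at the time of writing (vm.max_map_count >= 524288, fs.file-max >= 131072, and at least 131072 open files and 8192 processes/threads for the service user); the exact figures are an assumption to verify against the documentation for the version you deploy, and the `/proc` paths assume a Linux host.

```python
"""Check the kernel and per-user limits a SonarQube Server host should meet.

Added example; thresholds assumed from SonarQube's install docs, verify them
for your version. Reads /proc on Linux and the calling user's rlimits.
"""
import resource
import sys

# Assumed minimums (name -> required value). Adjust if the docs for your
# SonarQube version differ.
REQUIRED = {
    "vm.max_map_count": 524288,
    "fs.file-max": 131072,
    "ulimit -n": 131072,   # open file descriptors for the service user
    "ulimit -u": 8192,     # processes/threads for the service user
}


def read_system_limits():
    """Collect the current values; a value that cannot be read is None."""
    values = {}
    for name, path in (("vm.max_map_count", "/proc/sys/vm/max_map_count"),
                       ("fs.file-max", "/proc/sys/fs/file-max")):
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            values[name] = None
    # The soft limit is what the process actually gets, so check that one.
    values["ulimit -n"] = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    values["ulimit -u"] = resource.getrlimit(resource.RLIMIT_NPROC)[0]
    return values


def check_limits(current, required=REQUIRED):
    """Return [(name, current, required)] for every limit that is unreadable
    or below the requirement. An unlimited rlimit counts as satisfied."""
    problems = []
    for name, need in required.items():
        have = current.get(name)
        if have is None or (have != resource.RLIM_INFINITY and have < need):
            problems.append((name, have, need))
    return problems


if __name__ == "__main__":
    # Run as the account that will start SonarQube, since rlimits are per user.
    problems = check_limits(read_system_limits())
    for name, have, need in problems:
        print(f"{name}: have {have}, need at least {need}")
    if problems:
        sys.exit(1)
    print("all checked limits meet the assumed SonarQube minimums")
```

Run it as the service account (for example under `sudo -u sonarqube`), because `ulimit -n` and `ulimit -u` are per user and a root shell will report different numbers than the account that actually starts the service.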
Application Security Coordinator at Banco Votorantim
An affordable and stable solution that has a variety of features that enable users to improve their products
Pros and Cons
- "There are many options and examples available in the tool that help us fix the issues it shows us."
- "The product must improve security analysis."
What is our primary use case?
I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.
How has it helped my organization?
We see the security issues in our solutions with the help of the product. It helps us improve the solutions.
What is most valuable?
There are many options and examples available in the tool that help us fix the issues it shows us.
What needs improvement?
The product must improve security analysis. It must introduce software composition analysis in future releases.
For how long have I used the solution?
I have been using the solution for three years or more. I am using the latest version of the solution.
What do I think about the stability of the solution?
I rate the tool’s stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the tool’s scalability a seven out of ten.
How was the initial setup?
The solution is deployed on the cloud.
What was our ROI?
We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality.
What's my experience with pricing, setup cost, and licensing?
The product’s price is lower than Veracode’s price.
Which other solutions did I evaluate?
Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.
What other advice do I have?
There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
DevOps Manager at a computer software company with 5,001-10,000 employees
Has a great quality gate feature and improves the code coverage in your codebase
Pros and Cons
- "Improves code coverage and evaluates the technical steps and the percentage of code being resolved."
- "Lacks sufficient visibility and documentation."
What is our primary use case?
SonarQube provides security vulnerabilities within the cloud. It identifies the code pattern and quality and detects the causes of any particular issues. We use this to minimize a lot of coding errors. I'm a lead DevOps consultant in IT infrastructure.
What is most valuable?
SonarQube helps to improve the code coverage in your codebase and will give you the evaluation of the technical steps and the percentage of code being resolved. It can auto-calculate the technical debt. The beauty of the product is the quality gate where all parameters come together. If those parameters can pass through the quality gate successfully, you can go ahead with your build. You get clear and clean visibility in your code and it provides reliability. It's the most valuable feature.
What needs improvement?
We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.
For how long have I used the solution?
We've been using this solution for two years.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
Scalability is high and that includes within the different zones and regions that we require in the company. We use SonarQube about once a week and don't plan to increase usage for now.
How are customer service and support?
The technical support is excellent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used a different solution but moved to SonarQube because it better suits our use cases.
How was the initial setup?
The initial setup is straightforward and doesn't take much time. That said, setting up the quality level is challenging because of the different calculations required, setting up for issue tracking and getting the appropriate quality gate feature. It requires proper allocation and understanding of the parameters. Deployment time is generally less than an hour, but it depends on the project size. Implementation generally requires a minimum of two people.
What was our ROI?
The fact that we have bug-free coding is a good return on investment.
What's my experience with pricing, setup cost, and licensing?
Licensing costs are in the mid-range for this kind of solution.
What other advice do I have?
This product provides a lot of freedom to achieve many things including generating certain reports that can be integrated with numerous other tools such as Power BI.
I rate this solution eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
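Several reviewers above (the consultant who gates builds on a minimum quality percentage, and the DevOps manager who describes the quality gate as the point where all parameters come together) rely on the quality gate to stop a build. The following is an added example of such a CI step, not SonarQube's own code or any reviewer's pipeline. It assumes the shape of the SonarQube Web API response for `GET /api/qualitygates/project_status?projectKey=<key>` (a `projectStatus` object with a `status` of `OK`, `ERROR` or `NONE` and a list of `conditions`), which should be checked against the Web API documentation of your SonarQube version; the base URL, project key and token are placeholders, and the embedded `SAMPLE_RESPONSE` is constructed so the script runs offline.

```python
"""Fail a CI stage unless the SonarQube quality gate passed.

Added example. Assumes the /api/qualitygates/project_status response shape;
the sample response below is constructed, not captured from a server.
"""
import base64
import json
import sys
import urllib.request

# Constructed sample of a failing gate: coverage on new code is below the
# threshold and two new vulnerabilities were introduced.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "65.3"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})

# Conditions the gate must define before we trust an OK: a gate that simply
# omits the security metrics would otherwise pass every build.
SECURITY_METRICS = ("new_vulnerabilities", "new_security_rating")


def fetch_project_status(base_url, project_key, token):
    """Query the live API. A user token is sent as HTTP basic auth with the
    token as the username and an empty password."""
    url = (f"{base_url.rstrip('/')}/api/qualitygates/project_status"
           f"?projectKey={project_key}")
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def evaluate_gate(body, required_metrics=SECURITY_METRICS):
    """Return (passed, failures). failures is a list of human-readable reasons;
    passed is True only if the gate status is OK, no condition is in ERROR,
    and every required metric is part of the gate."""
    status = json.loads(body)["projectStatus"]
    failures = []
    seen = set()
    for cond in status.get("conditions", []):
        seen.add(cond["metricKey"])
        if cond.get("status") == "ERROR":
            failures.append(f"{cond['metricKey']}={cond['actualValue']} "
                            f"(fails {cond['comparator']} {cond['errorThreshold']})")
    for metric in required_metrics:
        if metric not in seen:
            failures.append(f"{metric}: not part of the quality gate")
    # NONE means the project has never been analysed (often a wrong projectKey);
    # that must not pass silently either.
    if status.get("status") != "OK" and not failures:
        failures.append(f"gate status is {status.get('status')}")
    return not failures, failures


if __name__ == "__main__":
    if len(sys.argv) == 4:
        body = fetch_project_status(*sys.argv[1:4])  # base_url project_key token
    else:
        body = SAMPLE_RESPONSE
    passed, failures = evaluate_gate(body)
    for reason in failures:
        print("quality gate:", reason)
    print("quality gate", "PASSED" if passed else "FAILED")
    sys.exit(0 if passed else 1)
```

In a pipeline this runs after the scanner has finished and the server has processed the report; when using the scanner's own wait-for-gate option, this step still adds the check that the security conditions are actually present in the gate, which the scanner's pass/fail alone does not tell you.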