SonarQube Reviews

We use the tool to check our code. It's used for static quality checks. 

The product is simple. 

The product's pricing could be lower. 

I have been using the product for two years. 

The tool is stable. 

The product is easy to deploy and update. 

We use the tool's community edition. 

I would rate the product an eight out of ten. 

We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other.  

We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. 

Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.
+

CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.

We've used SonarCloud for nearly nine months, but we're slowly using it more and more.

The services are small, so scalability is not relevant. If you say that the service is an application, then the functionality of the application is, by definition, small and fit for purpose. The scalability of having lots of increased functionality within a service is not an issue. 

Scalability has more to do with the number of services or the full set of applications. A big company has multiple types of development going on that require SonarCloud. There are several services and applications that need to be scanned on a regular basis completely independently of each other. That's the issue. We're not hitting this threshold at the moment, so that's something we'll discover in the future as we add more to SonarCloud.

I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.

I can't say what it costs off the top of my head, but I believe the license is based on the number of users and services. Generally, it's considered inexpensive. 

The price is also based on the lines of code scanned. We use another solution instead of SonarCloud to scan third-party software. One thing is unclear. If you want to use SonarCloud for third-party software, you will reuse it for more services, but you only need to scan the latest version. 

You only need to scan once to cover all services that you're developing to minimize the cost of the scans. It doesn't make sense to redo the same scan for the third-party library version, which is used by many services. You only need to do it once.

I rate SonarCloud seven out of 10. That rating is more of an intuitive sense of the product based on many years of experience.

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

This is a stable solution.

This is a scalable solution. 

The initial setup was straightforward. 

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

We are using SonarQube for scanning our services for issues as part of our IT department.

SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues. 

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

I have been using SonarQube for approximately three years.

SonarQube is a stable solution.

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

I have used Veracode previously.

The initial setup is straightforward for SonarQube.

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

If SonarQube meets the needs of your use case then I use it.

I rate SonarQube an eight out of ten.

We find it very similar to Fortify and has the same advantages. 

The web interface is very good. 

We have found the solution to be stable. 

The solution offers a very good community edition.

There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

I've used the solution for three years. I've used it for a while now. 

In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze. 

I've never used technical support. I can't talk about how helpful they are, never spoken with them personally.

If I do need to troubleshoot, I tend to rely on the community and search for answers there. 

We've also used Fortify.

I didn't participate in the installation process. I can't speak to how easy or difficult the process was. 

I use the community version of the product.

We are a customer and an end-user.

I'd rate the solution at a seven out of ten. It's mostly reliable. 

We use SonarCloud tools for all our 20 repositories and we are connecting the SonarCloud, from the Bitbucket pipeline.

The reports from SonarCloud are very good.

We had some issues with the scanner.

I have been using SonarCloud for approximately three weeks.

The solution is stable.

SonarCloud is scalable.

We plan to increase our package to the enterprise edition and decrease the lines of code in the future.

We have not needed the support at this time.

We previously used Codacy. We switch to SonarCloud because of their good reputation and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.

The solution is straightforward to implement. Some of the implementations can be quick.

The installation of the framwork was a bit difficult, it could be improved.

The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.

We have purchased a license for 2 million lines of code. However, we have 10 million lines of code but it would be too costly for us to have a license for all the amount.

I would recommend SonarCloud to others.

I rate SonarCloud a nine out of ten.

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

We implemented this solution through an in-house team. 

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

A little bit more emphasis on security and a bit more security scanning features would be nice. 

It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

I have been using this solution for four years in my current job.

I don't think I ever had a problem.

We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

I've never been in a situation where I needed their support.

I don't think that we used anything else previously. SonarQube was the first one.

It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

I don't have that data. I don't think that we've ever calculated that. 

My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.