Once integrated with the organization's pipeline, we are able to fetch vulnerabilities and code smells. We can have quality gates installed in the pipeline so that the pipeline only moves on and is processed further if the quality gates are passed. This product is used with the deployment cycles. We have multiple CI/CD pipelines. When we push our code to the repo, during continuous integration it runs a few tests. Based on the vulnerability data set it has, it has multiple tests. We can also have multiple unit tests along with this for code coverage. It has multiple offerings, not only the quality check and the vulnerability check. It also has code coverage, indicating how much code is covered by all the unit tests, integration tests, and those sorts of things. It has a complete database by itself and, depending on that, it needs to be regularly updated so that we can track the vulnerabilities in the code. If it is not connected to the data source (for example, it has 10 versions, so if we are using a very old version), it would not be able to track the vulnerabilities in the latest release. We can track the vulnerabilities if our code is updated. If we are using the cloud version, then it is automatically upgraded because it is a paid version. We can track the vulnerabilities, where the vulnerability is, and at which code line we need to improve our code. We can have all of that tracking only after we push our code to the repo.
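The quality-gate decision described in the review above (the pipeline proceeds only if the gate passes), as an added Python example that is not part of the review and not SonarSource's own tooling. It assumes the JSON shape returned by SonarQube Cloud's `GET api/qualitygates/project_status?projectKey=<key>` endpoint; the sample response, metric keys and thresholds below are constructed for illustration. The security-relevant choice is that the check fails closed: only an explicit `OK` lets the deploy stage run, while `ERROR`, a `NONE` status (analysis not computed) or a malformed response all stop the pipeline.

```python
"""Fail-closed quality gate check over a SonarQube Cloud project_status response.

Added example, not code from the review or from SonarSource. It models the
documented JSON shape of GET /api/qualitygates/project_status?projectKey=<key>;
the sample response below is constructed, and its metric keys and values are
assumptions chosen to illustrate a failing gate.
"""
import json
from dataclasses import dataclass, field

# Constructed sample response: two of three conditions fail, so the gate is ERROR.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
})


@dataclass
class GateResult:
    passed: bool
    status: str                      # OK, ERROR, NONE (no analysis yet) or unexpected
    failed_conditions: list = field(default_factory=list)


def evaluate_gate(raw_json: str) -> GateResult:
    """Decide whether the pipeline may proceed.

    Fails closed: only an explicit "OK" passes. "ERROR", "NONE" (the analysis
    was not computed), a missing field or malformed JSON all block the pipeline,
    so a misconfigured scanner step cannot silently wave code through.
    """
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError:
        return GateResult(passed=False, status="UNPARSEABLE")

    project_status = data.get("projectStatus") or {}
    status = str(project_status.get("status", "NONE"))
    failed = [
        {
            "metric": c.get("metricKey", "?"),
            "threshold": c.get("errorThreshold", "?"),
            "actual": c.get("actualValue", "?"),
        }
        for c in project_status.get("conditions", [])
        if c.get("status") != "OK"
    ]
    return GateResult(passed=(status == "OK"), status=status, failed_conditions=failed)


def format_report(result: GateResult) -> str:
    """Human-readable summary for the CI log, listing every failed condition."""
    lines = [f"Quality gate: {result.status}"]
    for c in result.failed_conditions:
        lines.append(f"  FAILED {c['metric']}: actual {c['actual']} vs threshold {c['threshold']}")
    return "\n".join(lines)


def pipeline_exit_code(result: GateResult) -> int:
    """0 lets the deploy stage run; 1 stops the pipeline."""
    return 0 if result.passed else 1


if __name__ == "__main__":
    res = evaluate_gate(SAMPLE_RESPONSE)
    print(format_report(res))
    raise SystemExit(pipeline_exit_code(res))
```

In a real pipeline step the JSON would come from an authenticated call to the endpoint above (a user token as the HTTP basic-auth username, empty password) after the scanner has finished; the script's non-zero exit is what stops the deploy stage, which is the behaviour the review describes as the gate.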
We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied.
It serves as our primary tool for static code analysis, addressing various aspects such as code duplication, code smells, and security concerns. It stands out as an all-encompassing solution and it excels in security analysis and offers robust features for code optimization and duplication detection.
Learn what your peers think about SonarQube Cloud (formerly SonarCloud). Updated: September 2025.
We are using SonarCloud for static analysis. We must utilize this tool for code analysis prior to deployment. For instance, it is necessary to check for bugs or inconsistencies in the code and rectify them. SonarCloud can assist in this regard by providing high-quality content.
We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other. We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.
SonarCloud is used for application security testing. Because you can bring the use cases to the pull request level, you can eliminate the problem in the developer's feature branch itself. The largest use case is that if developers are writing code and the code has any vulnerabilities or problems, you receive the feedback at the pull request level.
SonarQube Cloud offers static code analysis and application security testing, integrating into CI/CD pipelines. It is a tool for identifying vulnerabilities and ensuring code quality before deployment. SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing feedback at the pull request level. It is designed to help organizations maintain clean code by acting as a quality gate. This service supports...
I use SonarQube Cloud (formerly SonarCloud) for scanning code quality checks.
We mainly use SonarQube Cloud for code analysis, specifically static code analysis.
We use the product for code-based security scanning.
We are customers of SonarCloud.
We use SonarCloud for all our 20 repositories, and we connect to SonarCloud from the Bitbucket pipeline.
The solution is a static code analysis tool. That's basically what we use it for in our organization.