Top Rated
About TrustRadius Scoring
Score 8.2 out of 100
Top Rated


Recent Reviews

Code scanning for developers

9 out of 10
April 30, 2021
Our organization has a dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security …
Continue reading
Read all reviews


Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons

View all pros & cons

Video Reviews

Leaving a video review helps other professionals like you evaluate products. Be the first one in your network to record a review of SonarQube, and make your voice heard!


View all pricing



On Premise

Developer EDITION

Starts at $150

On Premise
100,000 Lines of Code

Enterprise EDITION

Starts at $20,000

On Premise
1 Million Lines of Code

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visit…


  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services

Features Scorecard

No scorecards have been submitted for this product yet..

Product Details

What is SonarQube?

SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube Features

  • Supported: Code Quality and Code Security
  • Supported: Developer workflow integration
  • Supported: Deep support for the Clean as You Code methodology

SonarQube Integrations

  • GitLab
  • Bitbucket
  • ALM Integration available for GitHub
  • Azure DevOps - self-managed & in-cloud
  • CI integrations with: Jenkins
  • GitHub Actions
  • GitLab CI
  • Bitbucket Pipelines
  • Azure DevOps Pipelines
  • SCM integrations with: Git
  • Subversion
  • Authentication integrations with: GitHub
  • LDAP
  • SAML
  • HTTP headers

SonarQube Competitors

SonarQube Technical Details

Deployment TypesOn-premise, SaaS
Operating SystemsWindows, Linux, Mac, Cloud
Mobile ApplicationNo
Supported CountriesGlobal
Supported LanguagesCommunity localization plugins support several languages.

Frequently Asked Questions

SonarQube (formerly Sonar) is an open source application security solution.

Veracode, Checkmarx, and Snyk are common alternatives for SonarQube.

The most common users of SonarQube are Enterprises (1,001+ employees) from the Information Technology & Services industry.


View all alternatives

Reviews and Ratings




(1-15 of 15)
Companies can't remove reviews or game the system. Here's why
Score 8 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube in our project to basically calculate the code quality report mostly, in that report we test for the bugs, vulnerabilities, code smells, code issues, criticals, blockers, major & minor issues, and also calculate the code coverage of junits. We also set the quality profile which contains the rules which we set according to the rules we follow in our project and on that basis, we generate the junit coverage report.

One business problem I mostly faced was that if we had run the server once, and tried to run it again if we closed it, then it does not run and closes automatically. To run the server again we have to restart the system, then only it works, so those issues can be resolved.

The scope of my case is to generate the code quality report for the codebase in our project according to the custom quality profile we add in SonarQube.
  • Generating code quality report
  • Calculates junit coverage of the codebase very efficiently and precisely
  • Highlights the bugs and vulnerabilities in our codebase
  • Informs the user of the improvements which can be done to the code to make it cleaner
  • SonarQube also suggests remediation and resolution of the problems it highlights
  • Importing a new custom quality profile on SonarQube is a bit tricky, it can be made easier
  • Every second time when we want to rerun the server, we have to restart the whole system, otherwise, the server stops and closes automatically
  • When we generate a new report a second time and try to access the report, it shows details of the old report only and takes a lot of time to get updated with the details of the new and fresh report generated
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Review Source
SonarQube is being used in my organization as an Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromises the app. It is being currently used in all the projects in my department.
It being used in our Azure devops Continuous Integration pipeline to identify the vulnerabilities in code and provides detailed issue descriptions and code highlights that explain why your code is at risk.
  • Identify Security Vulnerabilities and highlights the code
  • Highlight suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version have some issues, example Integrating with Azure or Single Sign On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection
  • It takes time to configure and create profiles
SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and It's not really difficult to get through the settings. Its possible to build many rules that apply for each programming language, for example, .NET, and Java. You can easily set up rules and even with the community version. It's a great tool but you have to have a good project plan before being introduced to the tools. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
SonarQube is used as part of the build process (Continuous Integration and Continuous Delivery) in all Java services to ensure a high quality of code and remove bugs that can be found during static analysis. The whole engineering organisation is using it, and it solves the problem of low quality code reaching to production and causing bugs and incidents due to poor reviews. With Sonar we are able to quickly identify if a new change will introduce issues in Production before it is merged and deployed. It also helps identify issues with legacy code and improve code quality in existing services, by providing solutions to known problems. I would definitively recommend Sonar to any Software Engineering company, either using Java or C++ or any other supported language.
  • Static Code Analysis
  • Security Vulnerabilities Scan
  • Multi software language support
  • Configurable quality gates for PR analysis
  • Better IDE integration and support
  • Easier GitHub actions integration and support
  • Better support and integration for dynamic code analysis during automated tests
There's no other tool in the market that is as reliable and trust worthy than SonarQube for Static Analysis. They are the industry standard for software quality analysis and should be part of any company that requires audits on software quality and vulnerability (like financial institutions). Of course SonarQube doesn't replace application testing and security testing by specialists, but their automated testing should be baseline for any engineers that values their time, by pointing problems automatically before they are reviewed by other specialist, or even released to production. Don't waste your company's most valuable resource (engineer time and attention) and make sure to invest in automated software quality and static code review tools like SonarQube from the start. You will regret having to retroactively fit such tools in your development process.
Score 8 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube to check and ensure Java code quality as part of our development process. With built in suggestions for coding improvements the rate at which we produce and deploy quality code has been a game changer. Also, it works to train developers continuously helping to adhere to best practices.
  • Easy to Use
  • Code Quality Improvements
  • Code Suggestions
  • Lacks custom rule sets
  • Expensive
  • Smaller / Less active user community
We only use SonarQube for Java development, so this review can't speak to its effectiveness for other programming languages, of which SonarQube has coverage for many. There are a plethora of CI/CD integrations, so chances are you can put in an automated code quality check in your process to squash bugs before they are deployed.
October 14, 2021

SonarQube wins!

Score 8 out of 10
Vetted Review
Verified User
Review Source
Used across the organization for static code analysis.
  • Static code analysis
  • Code coverage
  • Scan security vulnerability
  • Technical support
  • Better documentation
  • Scan for third party tools
Well suited for code analysis. OWASP top 10 are pretty much covered.NOT suited for third party tools used in code.
Sharique Khan | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
SonarQube is the static security code analysis tool used in the organization. It is integrated with Continuous Integration pipelines of multiple product lines including legacy and modern applications. It has been implemented with TeamCity, Azure DevOps and VSTS CI/CD tools. Its purpose is to ensure the builds are of the highest quality and free of security vulnerabilities.
  • Customizable Ruleset
  • Support multiple programming stacks
  • Ease of integration with multiple CI/CD tools
  • Admin Portal could have more usability
  • Enhanced Reporting
  • More live examples and samples
SonarQube is well suited to implement Secure SDLC and incorporate the best secure coding practices. It would ensure adherence to the organization's coding standards and have uniform code across various development teams. It enables early identification and remediation of security flaws in the code
Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
SonarQube is currently used in silos in our organizations. One of our departments is using it full-time for all their code repositories whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of Code quality, figuring out static code issues, bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
  • Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way elastic search is used in Sonarqube, it makes it slightly challenging to run on a cloud environment like AWS.
SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate, if:
  1. If you are a small organization & can't afford the enterprise license costs. You can go ahead with a free community version in this case albeit with limited features.
  2. Needs Java 11 & PostgresSQL database, which are not very common in most companies.
Score 8 out of 10
Vetted Review
Verified User
Review Source
We use [SonarQube] for static scans for all custom apps at JLL
  • Easy to integrate with MS tech stack
  • Scans can be configured
  • Endpoints can are setup on central server
  • Reporting on SonarQube is poor
  • The configuration is not intuitive
  • Role and IAM access is not accurate, too much dependence on admin
[SonarQube] has some clear advantages for C# code, Scans do work well once set up.
Arush Soel | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
We are using it currently while building a .NET CI\CD pipeline for an automated analysis of our code quality and all the vulnerabilities by scanning our various repositories in Bitbucket version control and publishing our stacks for any kinds of bugs found and ensure the proper code coverage and make our projects more reliable
  • Best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a github repository
  • Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
  • Provides a good amount of documentation on how for configuration and installation and how to use it.
  • Provides a strong integration with azure devops and jenkins for creating DSL pipelines.
  • Local dashboard wont work without java installed on your machine
  • If talking about the local ui the configuration may be quite complex. Needs an experts advise
  • Its enterprise edition cost a fortune depending on a company size or users that may use it.
It is quite a powerful code analysis tool if used by my colleagues in organisation but i would recommend a sonarcloud(cloud instance) or a community edition in order to get a demonstration or to get a quick hands on experience with its user interface and its administration along with local dashboard configuration and installation
Score 9 out of 10
Vetted Review
Verified User
Review Source
Our organization has a dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security team runs this, the development team is running Sonar Qube to track bugs, code quality, and and code.
  • Nice UI.
  • Easy to see a project status and if it is passing/failing.
  • Simple but explanatory bug descriptions.
  • Code smells could be better at reducing repeated findings.
I think the setup we have of using Sonar Qube as a code quality tool along side a dedicated security scanning tool makes a lot of sense. The tools scanning for security issues don't usually cover things the developers want to see like code quality metrics, but give better results for vulnerabilities. If they see security issues getting flagged in Sonar Qube and fix those too, well that's an win for security.
Score 10 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube to scan our code for vulnerabilities and code "smells." SonarQube is wired into our continuous integration software Jenkins, so it scans the code every time a build runs.
  • Finding security flaws.
  • Finding code that does not follow best practices and standards.
  • Looking for code coverage.
  • For code "smells" it would be nice to have different levels of issues.
  • It could be easier to define policies for different levels of code "smells."
  • Prioritize different types of code "smells."
It should always be a part of the continuous integration. Our application is quite old and has a lot of code "smells" unfortunately. We make it a rule that if you are going to fix a problem, then you should fix the code issues found by Sonar in that part of the code also. Eventually we will have a much cleaner code base.
Score 9 out of 10
Vetted Review
Verified User
Review Source
Our development team uses SonarQube in our web applications during out continuous integration check-in process.

The business problem we had in the past was that we weren't folloiwng a standard deveopment process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
  • SonarQube allows us to apply our own coding stardards during the check-in process so that our code is more standardized.
  • SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
  • One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
SonarQube has been well suited for us when new devleopers start working on our projects. With SonarQube checking code smells and our custom coding stardards, new developers write better code with less errors as outlined by our development standards.

It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
We we easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marektplace, we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.
Score 8 out of 10
Vetted Review
Verified User
Review Source
Excellent static analysis tool for identifying potential issues with your code. Sonarqube is easily integrated with your CI/CD workflow, including a containerized version. Once implemented, it scans code every time we push it and reports back any issues that need to be addressed. Customization is available to fine tune the reports, identifying what's really important to you and your team.
  • Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
  • Customized quality settings let you tailor the tool for your specific needs.
  • Support for many languages including C, C++, Python, and more.
  • Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
  • Tighter integration with issue tracking systems such as jira and Gitlab.
Any modern-day CI/CD tool chain should include a static analyzer such as SonarQube. Using such a tool helps enhance the overall security of your application and helps train developers along the way. SonarQube does this exceedingly well and is lightweight enough to deploy quickly and easily. Definitely a great addition to your toolset.
Sanyam Jain | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube for the coding standards we follow within the organization. Whatever be the output executable of the code, the quality of our work must be reflected in the code. How clean is it to debug and how easy to understand with other developers. Helps in highlighting the issues with Atlassian Unit testing products. Integration support is good.
  • JUnit Testing and Integration testing.
  • Easy to find bugs and track the code. Highlights the issues separately.
  • Code analytics on demand.
  • Checkup for the code and projects.
  • Easy to integrate with IDE.
  • JIRA plugin has no support forum.
  • Weak Open Source forums, this can be grown by spreading the word around the community.
  • Every IDE does not support SonarQube and vice versa, thus you have to select.
Well suited for large scale code production and releases. Suitable for small devops productions also where coding standards matter a lot.
Saugandh Karan | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
SobarQube is used by the whole department. We use it for code quality analysis and to check code coverage. Also we use it to know the code smells in the code and adhere to the coding standards as expected.
  • Test scripts coverage data. It provides a line by line coverage stats, showing which condition is covered and which one is not
  • Checking the code quality. We have a particular coding standard which we need to adhere, so it helps in detecting if the code is written in that standard or not
  • Code smells
  • In terms of security of the code, it can improve. It is mostly used to check for coding standards but it would have been nice if we could have got a vulnerability check as well.