TrustRadius: an HG Insights company

SonarQube

Score 8.1 out of 10

96 Reviews and Ratings

What is SonarQube?

SonarQube is an automated code review solution, serving as the verification layer for code quality and SDLC security. SonarQube is used to ensure that code is secure, reliable, and maintainable. It is available through SaaS or self-managed deployment.

Media (three product screenshots): Projects; Static Application Security Testing; Software Composition Analysis.

SonarQube Experience

Use Cases and Deployment Scope

It is one of the components within the gateway to get products into production. We have over 700 projects and just over 20m lines of code.

We have been using it since 2018.

We focus currently on vulnerabilities, with required gates and stepped options with temporary "get well plans". The more advanced teams are focusing on the quality aspect and self-manage their maturity. But there are currently no hard lines for quality at this time, except for team-agreed minimum complexity and duplication standards on new code.

Regarding Helm charts and Kubernetes... this was long awaited and welcomed! It makes our deployments easier. The concern was on testing and such; there was a misstep in the last 10.6.0 push which caused a slight concern, but SonarSource was very quick at getting 10.6.1 out and distributing the information.

The only other concern we had, which we hadn't experienced in the past (at least not like this), is the change of JDKs at minor versions for scanners and linters, especially without backwards compatibility, where pipelines must actively change from JDK 11 to JDK 17. This might be tough for groups who have large amounts of pipelines. Pipelines which support templates that inject SAST requirements help a bunch to reduce the scope of pipeline changes, but it still caught us by surprise. This sort of change is expected at major versions, right... But still, very stable... this hiccup didn't sway our thoughts about the product overall.

We're still trying to figure out how we can reduce costs... although the value is very tangible to some, the significant overhead is often questioned. It prompts us into discussions that force decisions on which code bases to remove, even if temporarily, for code that is relatively static for long periods.

We really appreciate the engagement of the SonarSource Community site. We use it to stay informed and to get quick insights and responsive support. Great folks out there; we appreciate them and their engagement, and they represent SonarSource well.

Pros

  • community engagement
  • stability
  • documentation is improving
  • samples/examples are improving

Cons

  • Helm chart stability
  • Minimize breaking changes in minor builds, including scanners and linters

Return on Investment

  • security
  • ease of integration

Alternatives Considered

Checkmarx, Codacy, Snyk and Mend SAST

Code Quality is a Must!

Use Cases and Deployment Scope

We use SonarQube as part of the CI/CD pipeline running on Azure DevOps. Mostly .NET projects, and we are currently integrating it with React Native.

Pros

  • Ongoing code quality management
  • Increases developer skills
  • Detects and reports problems
  • Scales with business needs
  • Optimizes quality
  • It is sustainable

Cons

  • The main “disadvantage” is code maintenance: it is more expensive, it takes more time, and it also produces “false positives”.

Most Important Features

  • Non-conformance to code standards and conventions
  • Duplicate code detection
  • Code file size
  • Known security vulnerabilities
  • Method size
  • Cyclomatic complexity
  • Quality thresholds

Return on Investment

  • It gives projects the ability to evolve and be modified.
  • Keeping applications free of bugs directly impacts the business, giving continuity and maintaining productivity.

Alternatives Considered

Veracode

Other Software Used

Postman, Microsoft Visual Studio Code, Docker

SonarQube, you don't need to search more!

Use Cases and Deployment Scope

It's used as a quality gate for software development during feature implementation, as well as a security barrier for bugs and an enforcer of good practices.

Pros

  • Easy setup of quality gates for code analysis and tests.
  • Quick reports on vulnerabilities and good practices.
  • Easy setup of vulnerability-level requirements.

Cons

  • Credential management, such as managing users, groups and permissions, is complex.
  • UI for code review can be improved, feels old but is useful nonetheless.
  • The ticket management system can also be improved.

Most Important Features

  • Code analysis
  • Quality Gate
  • Vulnerability check

Return on Investment

  • It can save money by finding and alerting on severe vulnerabilities that could cost money if exploited.
  • Development team speed and communication with Security departments greatly improved.

Other Software Used

Microsoft To Do, Microsoft Visual Studio Code, Azure Machine Learning

SonarQube: Helper of Dev and organisation for better code quality and security practices.

Use Cases and Deployment Scope

As a service-based and product-based organisation we deal with a variety of products and projects, so we use SonarQube to maintain code quality and to improve the coding structure by following the suggestions given by SonarQube analysis, and also to check code coverage so we know that our code has fully passed through the Sonar analysis. As part of the DevOps team we integrate SonarQube checks in CI (the continuous integration part), so it is part of continuous code quality, and we have also created custom Quality Gates in order to prevent false or unimproved code from going into any environment.

Pros

  • Static Code Scanning
  • Code Coverage reports, User Friendly Dashboard
  • Integration with various tools in order to maintain code quality
  • Pre-built as well as Custom Quality Gates
  • Detect Bugs & Vulnerabilities, Review Security Hotspots, Track Code Smells
  • Also has many plugins to interact with

Cons

  • In SonarQube Community Edition they should enable post-scan report generation
  • Other security reports, like vulnerabilities with a preferred solution
  • Guides on scalability, backups and resiliency as well
  • A small report-type UI in other tools as well, like Jenkins

Most Important Features

  • Integrations with CI/CD
  • Many plugins which we can integrate
  • Code coverage
  • Vulnerabilities, code smells, bugs
  • Custom as well as prebuilt code quality gates
  • Supports many current tech stacks and languages
  • User management and project management
  • User-friendly UI for viewing post-scan reports

Return on Investment

  • Helped developers maintain code quality and improve coding structures
  • Maintaining security best practices before going to production
  • Also resolved vulnerabilities and bugs on the basis of the suggestions given

Other Software Used

Checkmarx, Amazon Elastic Kubernetes Service (EKS), Docker, GitLab, GitHub, Prometheus, Grafana Loki
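Two of the reviews above describe the same CI pattern: run the scanner, then block the pipeline on the Quality Gate (the fourth reviewer's custom gates in CI, and the first reviewer's policy of required gates on vulnerabilities but no hard lines on quality yet). The script below is an added example of how that post-scan gate check can be implemented against the SonarQube Web API; it is not code from SonarQube, SonarSource or any reviewer. It reads the `report-task.txt` file the scanner writes into `.scannerwork/`, polls the Compute Engine task (`api/ce/task`) until the analysis is processed, fetches the gate result for exactly that analysis (`api/qualitygates/project_status?analysisId=…`), and exits non-zero when a security condition fails. The `SONAR_TOKEN` environment variable, the `SECURITY_METRICS` list, the blocking/advisory split and the sample responses are assumptions made for this example.

```python
"""CI-side SonarQube quality-gate check (added example, not SonarQube's code).

Reads .scannerwork/report-task.txt left by sonar-scanner, waits for the
server-side analysis task, then fails the job when a security-related gate
condition is broken. Network access is confined to fetch_json(), so the
decision logic can be exercised offline on the constructed samples below.
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Assumption for this example: these metric keys form the "required" gate.
# Any other failing condition is reported but does not block the pipeline;
# drop the split to make every ERROR condition fatal.
SECURITY_METRICS = {
    "new_security_rating", "security_rating",
    "new_vulnerabilities", "vulnerabilities",
    "new_security_hotspots_reviewed", "security_hotspots_reviewed",
}

# Constructed sample data (not captured from a real server).
SAMPLE_REPORT_TASK = """\
projectKey=payments-api
serverUrl=https://sonar.example.test
dashboardUrl=https://sonar.example.test/dashboard?id=payments-api
ceTaskId=AYtask0001
ceTaskUrl=https://sonar.example.test/api/ce/task?id=AYtask0001
"""
SAMPLE_GATE_ERROR = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "3"},
    {"status": "ERROR", "metricKey": "new_duplicated_lines_density",
     "comparator": "GT", "errorThreshold": "3", "actualValue": "7.2"},
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.1"},
]}}


def parse_report_task(text):
    """Parse the key=value lines the scanner writes to report-task.txt."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def task_state(task_json):
    """Map an api/ce/task response to (finished, succeeded)."""
    status = task_json["task"]["status"]
    if status in ("PENDING", "IN_PROGRESS"):
        return False, False
    return True, status == "SUCCESS"


def evaluate_gate(status_json):
    """Return (gate_ok, blocking, advisory) from api/qualitygates/project_status.

    Both lists hold readable descriptions of conditions in ERROR state.
    """
    project = status_json["projectStatus"]
    blocking, advisory = [], []
    for cond in project.get("conditions", []):
        if cond.get("status") != "ERROR":
            continue
        text = "%s %s %s (actual %s)" % (
            cond["metricKey"], cond.get("comparator", "?"),
            cond.get("errorThreshold", "?"), cond.get("actualValue", "?"))
        (blocking if cond["metricKey"] in SECURITY_METRICS else advisory).append(text)
    return project.get("status") == "OK", blocking, advisory


def fetch_json(url, token):
    """GET a Web API URL; a SonarQube user token is sent as the Basic-auth user."""
    req = urllib.request.Request(url)
    cred = base64.b64encode((token + ":").encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main(report_path=".scannerwork/report-task.txt", wait_seconds=300):
    token = os.environ.get("SONAR_TOKEN")  # assumption: injected by the CI secret store
    if not token:
        sys.exit("SONAR_TOKEN is not set")
    with open(report_path) as fh:
        report = parse_report_task(fh.read())

    # 1. Wait until the server has processed the uploaded analysis report.
    deadline = time.time() + wait_seconds
    while True:
        task_json = fetch_json(report["ceTaskUrl"], token)
        finished, succeeded = task_state(task_json)
        if finished:
            break
        if time.time() > deadline:
            sys.exit("analysis task %s still running after %ss" % (report["ceTaskId"], wait_seconds))
        time.sleep(5)
    if not succeeded:
        sys.exit("analysis task %s did not succeed" % report["ceTaskId"])

    # 2. Ask for the gate result of this analysis, not merely the latest one.
    url = "%s/api/qualitygates/project_status?analysisId=%s" % (
        report["serverUrl"], task_json["task"]["analysisId"])
    gate_ok, blocking, advisory = evaluate_gate(fetch_json(url, token))
    for line in advisory:
        print("WARN  advisory gate condition failed:", line)
    for line in blocking:
        print("FAIL  blocking gate condition failed:", line)
    if blocking:
        sys.exit(1)
    print("quality gate:", "OK" if gate_ok else "ERROR (advisory conditions only, not blocking)")


if __name__ == "__main__":
    main()
```

Run it as the step right after `sonar-scanner` in the job, with the token in a masked CI variable. Polling the CE task matters because the scanner returns as soon as the report is uploaded, and querying `project_status` by `projectKey` before the task finishes would return the previous analysis's gate, letting a bad commit through on a stale green result.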

Great Code Analysis Tool

Use Cases and Deployment Scope

It's always best to catch bugs and other code issues as soon as possible, especially when people from different teams and time zones touch the same code. While code reviews are obviously still necessary, SonarQube does filter the code seamlessly so that obvious issues are immediately detected and resolved. In some cases, there is customisation required for the general best practice rules and SonarQube accommodates this.

Pros

  • Static code analysis
  • Code best practices

Cons

  • Quality profile selection

Most Important Features

  • Static Code Analysis
  • Security Issue detection
  • Code Smells detection

Return on Investment

  • Positive impact: fewer bugs