Filter Ratings and Reviews
Filter 38 vetted SonarQube reviews and ratings
Reviews (1-13 of 13)
Companies can't remove reviews or game the system. Here's why.
May 23, 2021
SonarQube could be used for very different language code analysis: both front-end and back-end.
Every new commit on Jenkins also motivates SonarQube to run all possible tests. A very useful tool to find different issues, test code coverage, code smells, and get whole statistics in percentage. Such analysis allows achieving the best quality code. Also, it works as a SonarLint plugin in IntelliJ to highlight different errors and wrong syntax.
Every new commit on Jenkins also motivates SonarQube to run all possible tests. A very useful tool to find different issues, test code coverage, code smells, and get whole statistics in percentage. Such analysis allows achieving the best quality code. Also, it works as a SonarLint plugin in IntelliJ to highlight different errors and wrong syntax.
- We can tune this tool to set the threshold test level of acceptance.
- Shows green and red bars in front of lines of code that does (not) covered by tests.
- Allows to be part of Jenkins pipeline to make the correct decision before the merge.
- Detect code smells where we have possible not clean code.
- Detailed result report with percentage test coverage.
- Reduce time of code review.
- SonarQube motivates us to get a big team to write these endless tests to cover everything.
- Integration with Jira and Jenkins has some tricky moments.
- Setup process could take a lot of time.
- Sometimes check rules could be very strict, like 'too many parameters in constructor.'
May 07, 2021
SonarQube is being used in my organization as an Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromises the app. It is being currently used in all the projects in my department.
It being used in our Azure devops Continuous Integration pipeline to identify the vulnerabilities in code and provides detailed issue descriptions and code highlights that explain why your code is at risk.
It being used in our Azure devops Continuous Integration pipeline to identify the vulnerabilities in code and provides detailed issue descriptions and code highlights that explain why your code is at risk.
- Identify Security Vulnerabilities and highlights the code
- Highlight suspicious code snippets that developers should review
- Providing security feedback during code review
- Identify technical debts in code
- The community version have some issues, example Integrating with Azure or Single Sign On
- Automation scripts can be improved. At times you have to configure some of the rules in the detection
- It takes time to configure and create profiles
June 20, 2021
SonarQube is currently used in silos in our organizations. One of our departments is using it full-time for all their code repositories whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of Code quality, figuring out static code issues, bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
- Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
- Ability to define custom rule sets, based on our organizational requirements.
- Ability to add custom toll-gating for different applications.
- Enterprise license is very costly.
- Runs only on Java 11.
- Another major issue is the way elastic search is used in Sonarqube, it makes it slightly challenging to run on a cloud environment like AWS.
We are using it currently while building a .NET CI\CD pipeline for an automated analysis of our code quality and all the vulnerabilities by scanning our various repositories in Bitbucket version control and publishing our stacks for any kinds of bugs found and ensure the proper code coverage and make our projects more reliable
- Best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a github repository
- Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
- Provides a good amount of documentation on how for configuration and installation and how to use it.
- Provides a strong integration with azure devops and jenkins for creating DSL pipelines.
- Local dashboard wont work without java installed on your machine
- If talking about the local ui the configuration may be quite complex. Needs an experts advise
- Its enterprise edition cost a fortune depending on a company size or users that may use it.
April 30, 2021
We are using SonarQube for checking the code Quality & reviewing. SonarQube helps us to discover the bugs in code & remediate the vulnerabilities. We are using it in our Development Team environment. After using SonarQube our code quality improves & we see a lot of improvement areas in our code specifically security.
- Code review
- Bugs dedection
- vulnerability Assessment
- UI
- Installation process can be smooth
May 20, 2021
We use [SonarQube] for static scans for all custom apps at JLL
- Easy to integrate with MS tech stack
- Scans can be configured
- Endpoints can are setup on central server
- Reporting on SonarQube is poor
- The configuration is not intuitive
- Role and IAM access is not accurate, too much dependence on admin
Our organization has a dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security team runs this, the development team is running Sonar Qube to track bugs, code quality, and and code.
- Nice UI.
- Easy to see a project status and if it is passing/failing.
- Simple but explanatory bug descriptions.
- Code smells could be better at reducing repeated findings.
April 30, 2021
We use SonarQube to scan our code for vulnerabilities and code "smells." SonarQube is wired into our continuous integration software Jenkins, so it scans the code every time a build runs.
- Finding security flaws.
- Finding code that does not follow best practices and standards.
- Looking for code coverage.
- For code "smells" it would be nice to have different levels of issues.
- It could be easier to define policies for different levels of code "smells."
- Prioritize different types of code "smells."
February 26, 2020
Our development team uses SonarQube in our web applications during out continuous integration check-in process.
The business problem we had in the past was that we weren't folloiwng a standard deveopment process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
The business problem we had in the past was that we weren't folloiwng a standard deveopment process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
- SonarQube allows us to apply our own coding stardards during the check-in process so that our code is more standardized.
- SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
- One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
March 28, 2019
SonarQube is the de-facto standard static code review tool for many languages such as Java and PHP. It is easy to setup the SonarQube server and configure it. It has rich built-in rule-sets which includes coding standards, best practices, security, and convention. These are good enough for almost any application. SonarQube is mandatory for all our Java applications. All developers must ensure that they do not create any critical or block issues and keep the coverage unit code when committing the code, every app must fix all critical or block issues before going live. SonarQube is integrated with our CICD pipeline so it produces a quality report. Our SonarQube also integrates with other tools such as Coverity, Junit to provide a better report and more checking areas.
- Quality scan on code convention, best practices, coding standards, unit test coverage.
- Detailed report on estimated time to fix the issue.
- Graphing to show the current status of the project with a number of issues, which area has a problem and the history of the project over time.
- Flexible on customizing the rule-set and importing more rules based on the application.
- Easy to give a comment, assignment on the issue, could generate a good S report in the form of PDF so the PM or tech lead can have a look at it.
- Have a way to ignore the issues that the team decides not to fix.
June 05, 2019
We use SonarQube for the coding standards we follow within the organization. Whatever be the output executable of the code, the quality of our work must be reflected in the code. How clean is it to debug and how easy to understand with other developers. Helps in highlighting the issues with Atlassian Unit testing products. Integration support is good.
- JUnit Testing and Integration testing.
- Easy to find bugs and track the code. Highlights the issues separately.
- Code analytics on demand.
- Checkup for the code and projects.
- Easy to integrate with IDE.
- JIRA plugin has no support forum.
- Weak Open Source forums, this can be grown by spreading the word around the community.
- Every IDE does not support SonarQube and vice versa, thus you have to select.
September 13, 2017
SobarQube is used by the whole department. We use it for code quality analysis and to check code coverage. Also we use it to know the code smells in the code and adhere to the coding standards as expected.
- Test scripts coverage data. It provides a line by line coverage stats, showing which condition is covered and which one is not
- Checking the code quality. We have a particular coding standard which we need to adhere, so it helps in detecting if the code is written in that standard or not
- Code smells
- In terms of security of the code, it can improve. It is mostly used to check for coding standards but it would have been nice if we could have got a vulnerability check as well.
June 29, 2019
Excellent static analysis tool for identifying potential issues with your code. Sonarqube is easily integrated with your CI/CD workflow, including a containerized version. Once implemented, it scans code every time we push it and reports back any issues that need to be addressed. Customization is available to fine tune the reports, identifying what's really important to you and your team.
- Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
- Customized quality settings let you tailor the tool for your specific needs.
- Support for many languages including C, C++, Python, and more.
- Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
- Tighter integration with issue tracking systems such as jira and Gitlab.
SonarQube Scorecard Summary
What is SonarQube?
SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.
SonarQube Integrations
GitLab, Bitbucket, ALM Integration available for GitHub, Azure DevOps - self-managed & in-cloud, CI integrations with: Jenkins, GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps Pipelines, SCM integrations with: Git, Subversion, Authentication integrations with: GitHub, LDAP, SAML, HTTP headers
SonarQube Competitors
SonarQube Pricing
- Has featureFree Trial Available?Yes
- Has featureFree or Freemium Version Available?Yes
- Has featurePremium Consulting/Integration Services Available?Yes
- Entry-level set up fee?No
| Edition | Pricing Details | Terms |
|---|---|---|
| Community | Free | |
| Developer EDITION | Starts at $150 | 100,000 Lines of Code |
| Enterprise EDITION | Starts at $20,000 | 1 Million Lines of Code |
| Data Center EDITION | Starts at $130,000 | 20 Million Lines of Code |
SonarQube Support Options
| Free Version | |
|---|---|
| Forum/Community | |
| Video Tutorials / Webinar |
SonarQube Technical Details
| Deployment Types: | On-premise, SaaS |
|---|---|
| Operating Systems: | Windows, Linux, Mac, Cloud |
| Mobile Application: | No |
| Supported Countries: | Global |
| Supported Languages: | Community localization plugins support several languages. |
Frequently Asked Questions
What is SonarQube?
SonarQube (formerly Sonar) is an open source application security solution.
What are SonarQube's top competitors?
Who uses SonarQube?
The most common users of SonarQube are Enterprises from the Information Technology & Services industry.