SonarQube Reviews

39 Ratings
Score 8.5 out of 100



Reviews (1-13 of 13)

May 23, 2021
Aleksei Jegorov | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
SonarQube could be used for very different language code analysis: both front-end and back-end.
Every new commit on Jenkins also motivates SonarQube to run all possible tests. A very useful tool to find different issues, test code coverage, code smells, and get whole statistics in percentage. Such analysis allows achieving the best quality code. Also, it works as a SonarLint plugin in IntelliJ to highlight different errors and wrong syntax.
  • We can tune this tool to set the threshold test level of acceptance.
  • Shows green and red bars in front of lines of code that are (not) covered by tests.
  • Allows it to be part of a Jenkins pipeline to make the correct decision before the merge.
  • Detects code smells where we have possibly unclean code.
  • Detailed result report with percentage test coverage.
  • Reduce time of code review.
  • SonarQube motivates us to get a big team to write these endless tests to cover everything.
  • Integration with Jira and Jenkins has some tricky moments.
  • Setup process could take a lot of time.
  • Sometimes check rules could be very strict, like 'too many parameters in constructor.'
We have a headache every time we make a new commit and push, because:
  • Check rules could be tight and motivate developers to change the source code.
  • Sonar rules insist on their own rules and there is no way to trade.
  • Sometimes we missed that some piece of code is not covered by a test, so we need to return to the task again.
  • SonarQube + SonarLint helps us to achieve the best quality source code but takes so much time for it.
May 07, 2021
Debobrata Bose | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
SonarQube is being used in my organization as a Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromise the app. It is currently being used in all the projects in my department.
It is being used in our Azure DevOps Continuous Integration pipeline to identify the vulnerabilities in code, and it provides detailed issue descriptions and code highlights that explain why your code is at risk.
  • Identify Security Vulnerabilities and highlights the code
  • Highlight suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version has some issues, for example integrating with Azure or Single Sign-On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection
  • It takes time to configure and create profiles
SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and it's not really difficult to get through the settings. It's possible to build many rules that apply for each programming language, for example, .NET and Java. You can easily set up rules, even with the community version. It's a great tool but you have to have a good project plan before being introduced to the tools. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality.
June 20, 2021
Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
SonarQube is currently used in silos in our organizations. One of our departments is using it full-time for all their code repositories whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of Code quality, figuring out static code issues, bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
  • Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way Elasticsearch is used in SonarQube; it makes it slightly challenging to run on a cloud environment like AWS.
SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate if:
  1. You are a small organization & can't afford the enterprise license costs. You can go ahead with the free community version in this case, albeit with limited features.
  2. It needs Java 11 & a PostgreSQL database, which are not very common in most companies.
May 03, 2021
Arush Soel | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
We are currently using it while building a .NET CI/CD pipeline for automated analysis of our code quality and all the vulnerabilities, by scanning our various repositories in Bitbucket version control and publishing our stacks for any kinds of bugs found, to ensure proper code coverage and make our projects more reliable.
  • The best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a GitHub repository.
  • Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
  • Provides a good amount of documentation on configuration and installation and how to use it.
  • Provides strong integration with Azure DevOps and Jenkins for creating DSL pipelines.
  • The local dashboard won't work without Java installed on your machine.
  • If talking about the local UI, the configuration may be quite complex. Needs an expert's advice.
  • Its enterprise edition costs a fortune depending on company size or the number of users that may use it.
It is quite a powerful code analysis tool if used by my colleagues in the organisation, but I would recommend SonarCloud (cloud instance) or the community edition in order to get a demonstration or quick hands-on experience with its user interface and its administration, along with local dashboard configuration and installation.
April 30, 2021
Vipin Garg | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
We are using SonarQube for checking the code Quality & reviewing. SonarQube helps us to discover the bugs in code & remediate the vulnerabilities. We are using it in our Development Team environment. After using SonarQube our code quality improves & we see a lot of improvement areas in our code specifically security.
  • Code review
  • Bug detection
  • Vulnerability assessment
  • UI
  • Installation process can be smooth
Code review & Security Vulnerability Assessment. We use SonarQube for improving our code Quality & Most of my clients also recommend it.
May 20, 2021
Kirti Thakkar | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
We use [SonarQube] for static scans for all custom apps at JLL
  • Easy to integrate with MS tech stack
  • Scans can be configured
  • Endpoints are set up on a central server
  • Reporting on SonarQube is poor
  • The configuration is not intuitive
  • Role and IAM access is not accurate, too much dependence on admin
[SonarQube] has some clear advantages for C# code, Scans do work well once set up.
April 30, 2021
Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
Our organization has dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security team runs those, the development team is running SonarQube to track bugs, code quality, and code.
  • Nice UI.
  • Easy to see a project status and if it is passing/failing.
  • Simple but explanatory bug descriptions.
  • Code smells could be better at reducing repeated findings.
I think the setup we have of using SonarQube as a code quality tool alongside a dedicated security scanning tool makes a lot of sense. The tools scanning for security issues don't usually cover things the developers want to see like code quality metrics, but give better results for vulnerabilities. If they see security issues getting flagged in SonarQube and fix those too, well, that's a win for security.
April 30, 2021
Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube to scan our code for vulnerabilities and code "smells." SonarQube is wired into our continuous integration software Jenkins, so it scans the code every time a build runs.
  • Finding security flaws.
  • Finding code that does not follow best practices and standards.
  • Looking for code coverage.
  • For code "smells" it would be nice to have different levels of issues.
  • It could be easier to define policies for different levels of code "smells."
  • Prioritize different types of code "smells."
It should always be a part of the continuous integration. Our application is quite old and has a lot of code "smells" unfortunately. We make it a rule that if you are going to fix a problem, then you should fix the code issues found by Sonar in that part of the code also. Eventually we will have a much cleaner code base.
February 26, 2020
Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
Our development team uses SonarQube in our web applications during our continuous integration check-in process.

The business problem we had in the past was that we weren't following a standard development process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
  • SonarQube allows us to apply our own coding standards during the check-in process so that our code is more standardized.
  • SonarQube forces our team members to write enough unit tests to have code coverage, which in turn helps us not to break existing code during check-ins.
  • One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
SonarQube has been well suited for us when new developers start working on our projects. With SonarQube checking code smells and our custom coding standards, new developers write better code with fewer errors, as outlined by our development standards.

It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
We were easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marketplace; we didn't have the need to call SonarQube support. We've used their online documentation and community forum when we ran into any issues.
March 28, 2019
Hung Vu | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
SonarQube is the de-facto standard static code review tool for many languages such as Java and PHP. It is easy to set up the SonarQube server and configure it. It has rich built-in rule-sets which include coding standards, best practices, security, and convention. These are good enough for almost any application. SonarQube is mandatory for all our Java applications. All developers must ensure that they do not create any critical or blocker issues and keep the unit test coverage when committing the code; every app must fix all critical or blocker issues before going live. SonarQube is integrated with our CICD pipeline so it produces a quality report. Our SonarQube also integrates with other tools such as Coverity and JUnit to provide a better report and more checking areas.
  • Quality scan on code convention, best practices, coding standards, unit test coverage.
  • Detailed report on estimated time to fix the issue.
  • Graphing to show the current status of the project with a number of issues, which area has a problem and the history of the project over time.
  • Flexible on customizing the rule-set and importing more rules based on the application.
  • Easy to give a comment, assignment on the issue, could generate a good S report in the form of PDF so the PM or tech lead can have a look at it.
  • Have a way to ignore the issues that the team decides not to fix.
Setup and configuration of the SonarQube server is very simple and easy to learn, and it integrates well with CICD pipelines such as Jenkins and GitLab. SonarQube is well suited for almost any Java or PHP based project of any size. But SonarQube does not have much support for UI code, so if your project mainly focuses on UI with HTML or AngularJS it is not a good fit.
June 05, 2019
Sanyam Jain | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Review Source
We use SonarQube for the coding standards we follow within the organization. Whatever the output executable of the code may be, the quality of our work must be reflected in the code: how clean it is to debug and how easy it is for other developers to understand. It helps in highlighting the issues with Atlassian unit testing products. Integration support is good.
  • JUnit Testing and Integration testing.
  • Easy to find bugs and track the code. Highlights the issues separately.
  • Code analytics on demand.
  • Checkup for the code and projects.
  • Easy to integrate with IDE.
  • JIRA plugin has no support forum.
  • Weak Open Source forums, this can be grown by spreading the word around the community.
  • Every IDE does not support SonarQube and vice versa, thus you have to select.
Well suited for large scale code production and releases. Suitable for small devops productions also where coding standards matter a lot.
September 13, 2017
Saugandh Karan | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
SonarQube is used by the whole department. We use it for code quality analysis and to check code coverage. Also we use it to know the code smells in the code and adhere to the coding standards as expected.
  • Test scripts coverage data. It provides a line by line coverage stats, showing which condition is covered and which one is not
  • Checking the code quality. We have a particular coding standard which we need to adhere, so it helps in detecting if the code is written in that standard or not
  • Code smells
  • In terms of security of the code, it can improve. It is mostly used to check for coding standards but it would have been nice if we could have got a vulnerability check as well.
June 29, 2019
Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
Excellent static analysis tool for identifying potential issues with your code. SonarQube is easily integrated with your CI/CD workflow, including a containerized version. Once implemented, it scans code every time we push it and reports back any issues that need to be addressed. Customization is available to fine tune the reports, identifying what's really important to you and your team.
  • Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
  • Customized quality settings let you tailor the tool for your specific needs.
  • Support for many languages including C, C++, Python, and more.
  • Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
  • Tighter integration with issue tracking systems such as Jira and GitLab.
Any modern-day CI/CD tool chain should include a static analyzer such as SonarQube. Using such a tool helps enhance the overall security of your application and helps train developers along the way. SonarQube does this exceedingly well and is lightweight enough to deploy quickly and easily. Definitely a great addition to your toolset.

What is SonarQube?

SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube Features

  • Code Quality and Code Security
  • Developer workflow integration
  • Deep support for the Clean as You Code methodology

SonarQube Integrations

GitLab, Bitbucket, ALM Integration available for GitHub, Azure DevOps - self-managed & in-cloud, CI integrations with: Jenkins, GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps Pipelines, SCM integrations with: Git, Subversion, Authentication integrations with: GitHub, LDAP, SAML, HTTP headers

SonarQube Pricing

  • Free Trial Available? Yes
  • Free or Freemium Version Available? Yes
  • Premium Consulting/Integration Services Available? Yes
  • Entry-level set up fee? No

Edition               Pricing Details        Terms
Community             Free
Developer Edition     Starts at $150         100,000 Lines of Code
Enterprise Edition    Starts at $20,000      1 Million Lines of Code
Data Center Edition   Starts at $130,000     20 Million Lines of Code

SonarQube Support Options

Free Version
Forum/Community
Video Tutorials / Webinar

SonarQube Technical Details

Deployment Types: On-premise, SaaS
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages: Community localization plugins support several languages.

Frequently Asked Questions

What is SonarQube?

SonarQube (formerly Sonar) is an open source application security solution.

What are SonarQube's top competitors?

Veracode, Checkmarx, and Snyk are common alternatives for SonarQube.

Who uses SonarQube?

The most common users of SonarQube are Enterprises from the Information Technology & Services industry.