Pricing
- Community Edition: Free
- Developer Edition: Starts at $150
- Enterprise Edition: Starts at $20,000
Entry-level setup fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting / Integration Services
Product Details
What is SonarQube?
SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.
SonarQube Features
- Supported: Code Quality and Code Security
- Supported: Developer workflow integration
- Supported: Deep support for the Clean as You Code methodology
SonarQube Technical Details
| Deployment Types | On-premise, SaaS |
|---|---|
| Operating Systems | Windows, Linux, Mac, Cloud |
| Mobile Application | No |
| Supported Countries | Global |
| Supported Languages | Community localization plugins support several languages. |
Reviews (1-15 of 15)
SonarQube review by a Hybris Developer
One business problem I mostly faced was that if we had run the server once, closed it, and tried to run it again, it did not run and closed automatically. To run the server again we have to restart the system; only then does it work, so those issues can be resolved.
The scope of my case is to generate the code quality report for the codebase in our project according to the custom quality profile we add in SonarQube.
- Generating code quality report
- Calculates JUnit coverage of the codebase very efficiently and precisely
- Highlights the bugs and vulnerabilities in our codebase
- Informs the user of the improvements which can be done to the code to make it cleaner
- SonarQube also suggests remediation and resolution of the problems it highlights
- Importing a new custom quality profile on SonarQube is a bit tricky, it can be made easier
- Every second time when we want to rerun the server, we have to restart the whole system, otherwise, the server stops and closes automatically
- When we generate a new report a second time and try to access the report, it shows details of the old report only and takes a lot of time to get updated with the details of the new and fresh report generated
SonarQube, the best choice for a Static Code Analysis tool leveraging application security at large
It is being used in our Azure DevOps Continuous Integration pipeline to identify vulnerabilities in code, and it provides detailed issue descriptions and code highlights that explain why your code is at risk.
- Identifies security vulnerabilities and highlights the code
- Highlight suspicious code snippets that developers should review
- Providing security feedback during code review
- Identify technical debts in code
- The community version has some issues, for example integrating with Azure or Single Sign-On
- Automation scripts can be improved. At times you have to configure some of the rules in the detection
- It takes time to configure and create profiles
Using SonarQube professionally for more than 7 years and fully recommend it to any Software Engineer
- Static Code Analysis
- Security Vulnerabilities Scan
- Multi software language support
- Configurable quality gates for PR analysis
- Better IDE integration and support
- Easier GitHub actions integration and support
- Better support and integration for dynamic code analysis during automated tests
Code Quality Improvements Made Easy
- Easy to Use
- Code Quality Improvements
- Code Suggestions
- Lacks custom rule sets
- Expensive
- Smaller / Less active user community
SonarQube wins!
- Static code analysis
- Code coverage
- Scan security vulnerability
- Technical support
- Better documentation
- Scan for third party tools
An important tool to implement Secure SDLC practices
- Customizable Ruleset
- Support multiple programming stacks
- Ease of integration with multiple CI/CD tools
- Admin Portal could have more usability
- Enhanced Reporting
- More live examples and samples
SonarQube: The go-to tool for code quality
- Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
- Ability to define custom rule sets, based on our organizational requirements.
- Ability to add custom toll-gating for different applications.
- Enterprise license is very costly.
- Runs only on Java 11.
- Another major issue is the way Elasticsearch is used in SonarQube; it makes it slightly challenging to run on a cloud environment like AWS.
SAST Tools selection - SonarQube to the rescue
- Easy to integrate with MS tech stack
- Scans can be configured
- Endpoints can be set up on a central server
- Reporting on SonarQube is poor
- The configuration is not intuitive
- Role and IAM access is not accurate, too much dependence on admin
Quality archway for projects
- Best thing about it is that it offers an online instance (SonarCloud) where we can dry-run an open source project by forking a GitHub repository
- Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
- Provides a good amount of documentation on configuration, installation, and how to use it.
- Provides a strong integration with Azure DevOps and Jenkins for creating DSL pipelines.
- Local dashboard won't work without Java installed on your machine
- If talking about the local UI, the configuration may be quite complex. Needs an expert's advice
- Its enterprise edition costs a fortune depending on company size or the number of users that may use it.
Code scanning for developers
- Nice UI.
- Easy to see a project status and if it is passing/failing.
- Simple but explanatory bug descriptions.
- Code smells could be better at reducing repeated findings.
Great tool to keep your code clean
- Finding security flaws.
- Finding code that does not follow best practices and standards.
- Looking for code coverage.
- For code "smells" it would be nice to have different levels of issues.
- It could be easier to define policies for different levels of code "smells."
- Prioritize different types of code "smells."
Excellent tool for enforcing good coding practices and conventions
The business problem we had in the past was that we weren't following a standard development process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
- SonarQube allows us to apply our own coding standards during the check-in process so that our code is more standardized.
- SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
- One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
SonarQube is a worthy static analysis tool
- Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
- Customized quality settings let you tailor the tool for your specific needs.
- Support for many languages including C, C++, Python, and more.
- Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
- Tighter integration with issue tracking systems such as Jira and GitLab.
- JUnit Testing and Integration testing.
- Easy to find bugs and track the code. Highlights the issues separately.
- Code analytics on demand.
- Checkup for the code and projects.
- Easy to integrate with IDE.
- JIRA plugin has no support forum.
- Weak Open Source forums, this can be grown by spreading the word around the community.
- Every IDE does not support SonarQube and vice versa, thus you have to select.
SonarQube: perfect SONAR for your code
- Test script coverage data. It provides line-by-line coverage stats, showing which condition is covered and which one is not
- Checking the code quality. We have a particular coding standard which we need to adhere to, so it helps in detecting whether the code is written to that standard or not
- Code smells
- In terms of security of the code, it can improve. It is mostly used to check for coding standards but it would have been nice if we could have got a vulnerability check as well.