TrustRadius

SonarQube Server

Overview

What is SonarQube Server?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.


Pricing


Community

Free

On Premise

Developer EDITION

Starts at $160

On Premise
per year per installation

Enterprise EDITION

Starts at $21,000

On Premise
per year per installation

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visit https://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation

Product Demos (YouTube)

  • Understanding Issues with Multiple Locations
  • SonarQube analysis with Jenkins
  • GitHub: Block the Merge of a Pull Request

Product Details

What is SonarQube Server?

SonarQube is a self-managed open-source platform that helps developers create code free of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology is intended to ensure that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams monitor their codebase's overall health and quality across multiple projects in their portfolio. Ultimately, SonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Server Screenshots

  • Screenshot of Application Status
  • Screenshot of Portfolio Overview
  • Screenshot of Taint Analysis


SonarQube Server Technical Details

Deployment Types: On-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages: Community localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube Server starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube Server.

The most common users of SonarQube Server are from Enterprises (1,001+ employees).

Reviews From Top Reviewers

(1-5 of 34)

SonarQube: The mandatory tool to elevate your code quality

Rating: 10 out of 10
February 06, 2023
Vetted Review
Verified User
SonarQube Server
3 years of experience
We use SonarQube to analyze our codebase; the main goals are detection of code smells, security vulnerabilities, and performance issues, and also to measure our test coverage. It is part of the continuous integration process. We perform analysis in different languages like Java, JavaScript, TypeScript, and Python. We are planning to include new ones, like Scala and PHP.
Pros
  • Code complexity detection
  • Code smell detection
  • Provides good default rules
  • Huge language support
  • Easy setup
  • Easy integration with common build tools
  • Great fix proposals and issue descriptions
Cons
  • It doesn't provide automatic pull requests with fixes
  • It doesn't provide insights about the libraries of the projects
  • The administration management user interface could be simplified
  • It doesn't provide an order in which to fix issues, e.g. archives with more frequent commits having top priority
  • The SonarQube analysis provides good suggestions to improve our project's health
  • The default rules ("Sonar Way") are pretty good and provide good insights
  • I consider it a mandatory tool for any serious project.
  • You can use offline tools like error-prone, SpotBugs, or PMD, but Sonar analysis is more complete and it has more features.

Code Quality Improvements Made Easy

Rating: 8 out of 10
November 04, 2021
Vetted Review
Verified User
SonarQube Server
1 year of experience
We use SonarQube to check and ensure Java code quality as part of our development process. With built-in suggestions for coding improvements, the rate at which we produce and deploy quality code has been a game changer. Also, it works to train developers continuously, helping them adhere to best practices.
Pros
  • Easy to Use
  • Code Quality Improvements
  • Code Suggestions
Cons
  • Lacks custom rule sets
  • Expensive
  • Smaller / Less active user community
We only use SonarQube for Java development, so this review can't speak to its effectiveness for other programming languages, of which SonarQube has coverage for many. There are a plethora of CI/CD integrations, so chances are you can put in an automated code quality check in your process to squash bugs before they are deployed.

Code Quality is a Must!

Rating: 9 out of 10
February 03, 2023
AC
Vetted Review
Verified User
SonarQube Server
4 years of experience
We use SonarQube as part of the CI/CD pipeline running on Azure DevOps. Mostly .NET projects, and currently integrating with React Native.
Pros
  • Ongoing code quality management
  • Increase developer skills.
  • Detect and report problems.
  • Scale with business needs
  • Optimize the quality
  • It is sustainable
Cons
  • The main “disadvantage” is code maintenance: being more expensive, it also takes more time, as well as producing “false positives”.
SonarQube allows automatic static analysis of source code, looking for patterns with errors, bad practices, or incidents.
In addition, it performs a calculation of the technical debt. It can be used in any scenario.
In order to use SonarQube, you need to install a server component, where the engine that performs the analysis and stores the results is located, and the analysis must be invoked in some way, which can be done with a client called SonarQube Scanner.
You can also integrate the analysis into the IDE you are using, with a plugin called SonarLint.

SonarQube: The go-to tool for code quality

Rating: 8 out of 10
June 20, 2021
PS
Vetted Review
Verified User
SonarQube Server
4 years of experience
SonarQube is currently used in silos in our organization. One of our departments is using it full-time for all their code repositories, whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of code quality, figuring out static code issues and bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
Pros
  • Ability to provide static code coverage in integration with the Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
Cons
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way Elasticsearch is used in SonarQube; it makes it slightly challenging to run in a cloud environment like AWS.
SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate if:
  1. You are a small organization and can't afford the enterprise license costs. You can go ahead with the free community version in this case, albeit with limited features.
  2. It needs Java 11 and a PostgreSQL database, which are not very common in most companies.

SonarQube: A great solution for code quality management and analysis

Rating: 10 out of 10
January 18, 2023
Vetted Review
Verified User
SonarQube Server
7 years of experience
The main business problem that SonarQube addresses is ensuring our software is of high quality and free of defects. We use SonarQube to identify and fix issues in our code during development and integration before they become a bigger problem, thus reducing the risk of costly bugs and vulnerabilities.

Common use cases for SonarQube include:
  • Identifying and fixing bugs and vulnerabilities in code
  • Improving code readability and maintainability
  • Increasing code coverage and testing
  • Measuring code quality and compliance with industry standards
  • Keeping track of technical debt
  • Detecting bugs and vulnerabilities: SonarQube can identify a wide range of bugs and vulnerabilities in code, such as null pointer exceptions, SQL injection, and cross-site scripting (XSS) attacks. It uses static analysis to analyze the code and identify potential issues, and it can also integrate with dynamic analysis tools to provide even more detailed analysis.
  • Measuring code quality: SonarQube can measure a wide range of code quality metrics, such as cyclomatic complexity, duplicated code, and code coverage. This can help teams understand the quality of their code and identify areas that need improvement.
  • Providing actionable insights: SonarQube provides detailed information about issues in the code, including the file and line number where the issue occurs and the severity of the issue. This makes it easy for developers to understand and address issues in the code.
  • Integrating with other tools: SonarQube can be integrated with a wide range of development tools and programming languages, such as Git, Maven, and Java. This allows teams to use SonarQube in their existing development workflow and take advantage of its powerful code analysis capabilities.
  • Managing technical debt: SonarQube provides metrics and insights on the technical debt on the codebase, enabling teams to better prioritize issues to improve the quality of the code.
  • Compliance with coding standards: SonarQube can check the code against industry standards like OWASP, CWE and more, making sure the code is compliant with security and coding standards.
Cons
  • Complexity of setup and configuration: SonarQube can be quite complex to set up and configure, especially for organizations that have a large codebase or use a variety of different programming languages. This can make it difficult for teams to get started with the tool and may require specialized expertise.
  • Limited support for certain languages: While SonarQube supports a wide range of programming languages, it may not have full support for some languages, particularly newer or less common languages. This can limit the tool's usefulness for teams that use these languages.
  • Lack of integration with certain development tools: While SonarQube can be integrated with a wide range of development tools, it may not have integration with certain IDEs or build tools. This can make it difficult for teams to use SonarQube in their existing development workflow.
  • False-positive and False-negative issues: As with any static code analysis tool, SonarQube can generate a number of false positives, where it reports an issue that is not actually a problem, or false negatives, where it fails to report an issue that is actually a problem. This can make it difficult for teams to trust the tool's analysis results and may require manual review.
  • Limited scalability: For a large codebase, SonarQube's performance and scalability can be an issue. It may take longer for the analysis to finish and the results may not be as accurate.
  • Limited collaboration capabilities: While SonarQube allows teams to view and track code quality issues, it has limited capabilities to collaborate and discuss those issues.
Scenarios where SonarQube is well suited:
  1. Large codebase: The tool's static analysis capabilities can help teams quickly identify and fix bugs, vulnerabilities, and code smells in large codebases.
  2. Compliance and security: The tool can check the code against industry standards or regulations, such as OWASP and CWE, and identify any issues that need to be addressed.
  3. Agile development: SonarQube can be integrated with CI/CD pipelines allowing teams to continuously monitor and improve code quality throughout the development process.
  4. Teams using multiple languages: Teams that use multiple programming languages can benefit from using SonarQube, as the tool supports a wide range of languages and can be integrated with a variety of development tools.

Scenarios where SonarQube may be less appropriate:
  1. Small codebase: Organizations with a small codebase may not see the full benefits of using SonarQube, as the tool's static analysis capabilities may be overkill for a smaller codebase.
  2. Limited resources: Organizations with limited resources may find it difficult to set up and configure SonarQube, as the tool can be complex and may require specialized expertise.
  3. Limited integration: Organizations that use development tools or IDEs that are not supported by SonarQube may find it difficult to integrate the tool into their existing development workflow.
  4. Limited scalability: Large organizations with millions of lines of code may find SonarQube's performance and scalability to be an issue. It may take longer for the analysis to finish and the results may not be as accurate.