TrustRadius

SonarQube

Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.



Pricing

  • Community: Free (on premise)
  • Developer Edition: starts at $160 per year per installation (on premise)
  • Enterprise Edition: starts at $21,000 per year per installation (on premise)

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visit https://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation

Product Demos (YouTube videos)

  • Understanding Issues with Multiple Locations
  • SonarQube analysis with Jenkins
  • GitHub: Block the Merge of a Pull Request

Product Details

What is SonarQube?

SonarQube is a self-managed platform, with an open-source Community Edition and commercial Developer and Enterprise Editions, that helps developers write code free of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages and gives developers status feedback while they code. Its quality gates become part of the release pipeline, showing a pass/fail result for new code against quality profiles that can be customized to a company's standards. Following Sonar's Clean as You Code methodology is meant to keep code that fails those gates out of production; note that the gate is evaluated on new code, so pre-existing issues in untouched code remain until that code is changed.

At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hardcoded secrets, and code smells. The platform guides the user through issue resolution and supports a culture of continuous improvement. SonarQube's reporting helps development teams monitor the overall health and quality of the codebase across the projects in their portfolio. Ultimately, SonarQube aims to help users reach a state of Clean Code, leading to secure, reliable, and maintainable software.
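How a pipeline actually turns the pass/fail result described above into a blocked build (the same mechanism behind the "Block the Merge of a Pull Request" demo), as an added example: this is not SonarSource's code and not any reviewer's, it was written for this page. It assumes sonar-scanner has already run in the job and written its default .scannerwork/report-task.txt, that a user token is available in an environment variable named SONAR_TOKEN (a name chosen here), and that the server exposes the standard Web API endpoints api/ce/task and api/qualitygates/project_status. The host sonar.example.internal, the task and analysis identifiers, and the JSON replies are constructed samples so the script runs offline; with a real token and report file it polls the server instead.

```python
# Added example for this page, not SonarSource's code and not any reviewer's: fail a CI
# job when the quality gate of the analysis just uploaded is not OK. Assumptions: sonar-scanner
# already ran and wrote .scannerwork/report-task.txt, SONAR_TOKEN (name chosen here) holds a
# user token for the server in that file, and the server exposes the standard Web API
# endpoints api/ce/task and api/qualitygates/project_status. All sample data is constructed.
import base64
import json
import os
import sys
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of report-task.txt (same key=value layout as the real file).
SAMPLE_REPORT_TASK = """\
projectKey=example-project
serverUrl=https://sonar.example.internal
ceTaskId=AYv0exampleTask
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=AYv0exampleTask
"""
# Constructed api/ce/task replies: the background task is PENDING, then SUCCESS.
SAMPLE_TASK_REPLIES = [
    {"task": {"id": "AYv0exampleTask", "status": "PENDING"}},
    {"task": {"id": "AYv0exampleTask", "status": "SUCCESS", "analysisId": "AYv0exampleAnalysis"}},
]
# Constructed api/qualitygates/project_status reply: the gate fails on new-code coverage only.
SAMPLE_GATE_REPLY = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "41.2"},
]}}

def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines of report-task.txt; require the keys used below."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    missing = [k for k in ("serverUrl", "ceTaskId") if k not in props]
    if missing:
        raise ValueError(f"report-task.txt lacks {missing}")
    return props

def make_fetcher(token: str) -> Callable[[str], dict]:
    """GET helper; SonarQube takes the user token as basic-auth user with an empty password."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def wait_for_analysis(fetch: Callable[[str], dict], server_url: str, task_id: str,
                      attempts: int = 60, delay: float = 5.0) -> str:
    """Poll api/ce/task until the server has processed the report; return its analysisId."""
    url = f"{server_url.rstrip('/')}/api/ce/task?id={task_id}"
    for _ in range(attempts):
        task = fetch(url)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with {task['status']}")
        time.sleep(delay)
    raise TimeoutError(f"analysis task {task_id} did not finish in time")

def evaluate_quality_gate(reply: dict) -> Tuple[bool, List[str]]:
    """Fail closed: only an explicit OK passes, so a project with no gate assigned
    (status NONE) or an unexpected reply cannot slip through the pipeline."""
    project = reply.get("projectStatus", {})
    if project.get("status") == "OK":
        return True, []
    reasons = [f"{c['metricKey']}={c['actualValue']} (fails {c['comparator']} {c['errorThreshold']})"
               for c in project.get("conditions", []) if c.get("status") == "ERROR"]
    return False, reasons or [f"quality gate status is {project.get('status')!r}"]

def check_gate(fetch: Callable[[str], dict], report_text: str, delay: float = 5.0) -> Tuple[bool, List[str]]:
    """report-task.txt -> wait for the background task -> fetch the gate -> decide."""
    props = parse_report_task(report_text)
    base = props["serverUrl"].rstrip("/")
    analysis_id = wait_for_analysis(fetch, base, props["ceTaskId"], delay=delay)
    return evaluate_quality_gate(fetch(f"{base}/api/qualitygates/project_status?analysisId={analysis_id}"))

def demo() -> Tuple[bool, List[str]]:
    """Run the whole flow offline against the constructed replies above."""
    task_replies = iter(SAMPLE_TASK_REPLIES)
    fake = lambda url: SAMPLE_GATE_REPLY if "project_status" in url else next(task_replies)
    return check_gate(fake, SAMPLE_REPORT_TASK, delay=0)

if __name__ == "__main__":
    if os.environ.get("SONAR_TOKEN"):
        with open(".scannerwork/report-task.txt") as fh:
            passed, reasons = check_gate(make_fetcher(os.environ["SONAR_TOKEN"]), fh.read())
    else:
        passed, reasons = demo()
    for reason in reasons:
        print("quality gate:", reason)
    sys.exit(0 if passed else 1)
```

The fail-closed rule in evaluate_quality_gate is deliberate: a project with no gate assigned reports NONE rather than OK, and treating that as a pass would let an unscanned or misconfigured project through the merge block. Keep the token in the CI secret store rather than in the repository, and where the installed scanner supports the sonar.qualitygate.wait=true analysis parameter, let the scanner do this wait itself; the script shows what that parameter does and works with older scanners that lack it.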

SonarQube Screenshots

  • Application Status
  • Portfolio Overview
  • Taint Analysis

SonarQube Technical Details

Deployment Types: On-premise, Software as a Service (SaaS, via SonarCloud, the hosted offering reviewers mention below), Cloud, or Web-Based
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages (UI localization): Community localization plugins support several languages.

Frequently Asked Questions

SonarQube starts at $160 per year per installation (Developer Edition); the Community edition is free.

Veracode, Checkmarx, and Fugue (part of Snyk) are common alternatives to SonarQube.

The most common users of SonarQube are from enterprises (1,001+ employees).

Reviews and Ratings (88)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage from JUnit tests. The software serves as a static application security testing (SAST) tool, helping to identify and fix security issues and vulnerabilities in code. It integrates into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights that explain why flagged code is at risk. With its analysis of the codebase, SonarQube helps enforce good practices and prevent bugs, serving as a quality gate for software development. By using static code analysis, SonarQube helps developers detect bugs and vulnerabilities early, saving time in the development process. SonarQube also aids in maintaining code quality, improving coding structure, and ensuring code reliability and security.

Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure.

Whether it is identifying design flaws before committing or merging code, or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the Community version or integrate SonarLint with the IDE for free.

Integrate SonarQube with CI servers like CloudBees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Reviews (1-17 of 17)
February 03, 2023

Code Quality is a Must!

Ariel Cabeza | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube as part of the CI/CD pipeline running on Azure DevOps. Mostly .NET projects, and currently integrating with React Native.
  • Ongoing code quality management
  • Increase developer skills.
  • Detect and report problems.
  • Scale with business needs
  • Optimize the quality
  • It is sustainable
  • The main “disadvantage” is code maintenance, being more expensive, it also takes more time, as well as producing “false positives”.
SonarQube allows automatic static analysis of source code, looking for patterns with errors, bad practices or incidents.
In addition, it performs a calculation of the technical debt. It can be used in any scenario.
In order to use SonarQube, you need to install a server component, where the engine that performs the analysis and stores the results is located, and the analysis must be invoked in some way, which can be done with a client called SonarQube Scanner.
You can also integrate the analysis into the IDE you are using, with a plugin called SonarLint.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is the default choice of static analysis tool for all the projects in our organization. We use it extensively for examining code quality, detecting code smells, detecting security issues in code and identifying complexities in code for every project. SonarQube is extremely useful since it works for almost all languages that we write our code in, including Python and Java. The plugin-based framework ensures extensibility and easy enhancement of functionality for new use cases.
  • Easy integration with all coding languages
  • Plugin integration ensures easy extensibility
  • Detects code smells and vulnerabilities
  • Generate test coverage reports
  • Custom quality gates to ensure no bad code is merged
  • Learning curve is steep
  • Report generation is often very time consuming
  • Works particularly well for Java, but not so good for Python and R
  • Initial setup is quite complicated
You should buy if:
  • you need static analysis for multiple languages in your teams
  • static analysis integration with IDEs is an important requirement
  • you need custom quality gates for code quality analysis
  • highly detailed test coverage reports are important for your organization
Do not buy if you cannot afford a dedicated team to manage the SonarQube instance for your organization.
Score 7 out of 10
Vetted Review
Verified User
We use SonarQube in the software department in our DevOps pipeline to analyze source code for our application and provide metrics on issues that it identifies within the codebase. Basically we'll run SonarQube at various steps of code check-ins and merges as one of many metrics to determine code quality and alert the teams to potential issues in recently checked-in code that may need to be triaged and addressed.
  • Works well with .Net
  • Has a nice extension that allows us to run it in our IDE (visual studio)
  • Is customizable in the sense that you can write your own rule set that you want SonarQube to analyze the code against
  • Often it finds errors that aren't really errors that have impact, takes a lot of time to sort through those cases
  • It's a good screener, but by no means can it catch all bugs or be the sole predictor of code quality, so the metrics that it provides need to be caveated when reporting to leadership, etc
Overall it's a nice check to incorporate into the DevOps pipeline as another sanity check on the code that's being checked in and the codebase in general. It's good as a supplemental tool, but not if an org is looking for a complete view into code quality or security. Basically SonarQube is able to give you some flagged issues to look into and a metric that reflects the number of issues it identifies in the code, but it still requires developers to take a second look and adequately triage which of the SonarQube issues are high impact and need to be addressed.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube and SonarLint to improve our code and locate vulnerabilities. It helps our developers learn best practices and secure our code.
  • Gives advice on coding practices
  • Rates our code over time
  • Highlights worst offending code to make prioritization easier
  • Helps improve our code over time
  • Notifications based on findings needs a lot of work. Options are extremely basic so far.
  • Integration of Dependency Check is very basic and could use some UX love.
  • Making it easier to turn down the noise of problems so teams can focus on the highest priority first without getting bogged down.
SonarQube is best at giving advice over a wide array of languages. Its ability to filter results by many facets is excellent.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
In my company, we started using SonarCloud (the SaaS version) a couple of years ago, and then quickly switched to the Enterprise Edition of SonarQube. This edition offered several governance features that were not available in the other types of Sonar subscription.
Since then, we have made automated Sonar scanning mandatory for all projects, integrated directly in our CI/CD pipelines.
  • Scanning source code for a defined set of quality gates and rules
  • Reporting security issues with static scans
  • Managing portfolios application in the enterprise edition
  • The scanner is a bit heavy and could be rewritten in a lighter language (like Go or Rust)
  • Scans can take a bit of time
  • Some languages like C++ are much harder to scan than others
Honestly, a tool like SonarQube should always be used for any project that uses a supported language (there are lots of them).
When developers produce applications and source code, it's easy for them to miss critical quality and security issues in their Pull Requests.
Sonar makes it much easier to detect those kinds of issues, and allows the builds to fail if the quality thresholds are not respected for some reason.
It's easy for those kinds of issues to end up in production if they are not detected early within the CI/CD steps.
January 18, 2023

Great Code Analysis Tool

Gabriel Freire | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
It's always best to catch bugs and other code issues as soon as possible, especially when people from different teams and time zones touch the same code. While code reviews are obviously still necessary, SonarQube does filter the code seamlessly so that obvious issues are immediately detected and resolved. In some cases, there is customisation required for the general best practice rules and SonarQube accommodates this.
  • Static code analysis
  • Code best practices
  • Quality profile selection
A scenario that is particularly useful is integrating SonarQube into a Github Actions pipeline so that before any new Pull Request is reviewed and/or merged, you know whether the new code is clean of bugs or major issues.
It is also useful to create custom Quality Profiles to educate new developers that join the company.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use Sonar in order to ensure our code is secure. We have used it on APIs and on our frontend. We have also used SonarLint for Android. We have a plugin for our Jenkins account which will check our project code coverage etc. in Sonar; if this fails, our code cannot go live or be merged into master.
  • Code coverage
  • Shows potential fixes
  • Speed
  • Sometimes the messages can be long and for someone's first time seeing this it can be hard to find what to look for
  • Sometimes potential fixes are not available
  • Documentation on setting up with Jenkins was hard to follow at some parts
I think having SonarQube in your project is a big bonus as it can spot small vulnerabilities that you might not think of. This also will improve your overall skill in coding securely. They also update regularly so that it can spot new vulnerabilities which may not be known. As packages update, there can be more vulnerabilities deep in your project that you may not know about.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • Standardized scanning tools to make sure code doesn't use obvious code smells
  • Enforcement of standardized naming conventions in code
  • Identification of potentially needlessly complicated code
  • Identify code smells
  • Low level bugs
  • Basic static analysis
  • Reports can take a bit of time
  • Custom rules can be a bit annoying to setup
If you are looking for something that is reasonably simple and validates your code, this is the tool you are looking for. It works well and gives very helpful feedback, especially for more junior devs.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube in our project basically to calculate the code quality report; in that report we test for bugs, vulnerabilities, code smells, code issues, criticals, blockers, major and minor issues, and also calculate the code coverage of JUnit tests. We also set the quality profile which contains the rules we set according to the rules we follow in our project, and on that basis we generate the JUnit coverage report.

One business problem I mostly faced was that if we had run the server once, and tried to run it again if we closed it, then it does not run and closes automatically. To run the server again we have to restart the system, then only it works, so those issues can be resolved.

The scope of my case is to generate the code quality report for the codebase in our project according to the custom quality profile we add in SonarQube.
  • Generating code quality report
  • Calculates JUnit coverage of the codebase very efficiently and precisely
  • Highlights the bugs and vulnerabilities in our codebase
  • Informs the user of the improvements which can be done to the code to make it cleaner
  • SonarQube also suggests remediation and resolution of the problems it highlights
  • Importing a new custom quality profile on SonarQube is a bit tricky, it can be made easier
  • Every second time when we want to rerun the server, we have to restart the whole system, otherwise, the server stops and closes automatically
  • When we generate a new report a second time and try to access the report, it shows details of the old report only and takes a lot of time to get updated with the details of the new and fresh report generated
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is being used in my organization as a Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromise the app. It is currently being used in all the projects in my department.
It is being used in our Azure DevOps Continuous Integration pipeline to identify the vulnerabilities in code, and it provides detailed issue descriptions and code highlights that explain why your code is at risk.
  • Identify Security Vulnerabilities and highlights the code
  • Highlight suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version has some issues, for example integrating with Azure or Single Sign-On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection
  • It takes time to configure and create profiles
SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and it's not really difficult to get through the settings. It's possible to build many rules that apply for each programming language, for example .NET and Java. You can easily set up rules, even with the community version. It's a great tool, but you have to have a good project plan before being introduced to the tool. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality.
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is used as part of the build process (Continuous Integration and Continuous Delivery) in all Java services to ensure a high quality of code and remove bugs that can be found during static analysis. The whole engineering organisation is using it, and it solves the problem of low-quality code reaching production and causing bugs and incidents due to poor reviews. With Sonar we are able to quickly identify if a new change will introduce issues in production before it is merged and deployed. It also helps identify issues with legacy code and improve code quality in existing services, by providing solutions to known problems. I would definitely recommend Sonar to any software engineering company, whether using Java or C++ or any other supported language.
  • Static Code Analysis
  • Security Vulnerabilities Scan
  • Multi software language support
  • Configurable quality gates for PR analysis
  • Better IDE integration and support
  • Easier GitHub actions integration and support
  • Better support and integration for dynamic code analysis during automated tests
There's no other tool in the market that is as reliable and trustworthy as SonarQube for static analysis. They are the industry standard for software quality analysis and should be part of any company that requires audits on software quality and vulnerability (like financial institutions). Of course SonarQube doesn't replace application testing and security testing by specialists, but their automated testing should be the baseline for any engineer who values their time, by pointing out problems automatically before they are reviewed by other specialists, or even released to production. Don't waste your company's most valuable resource (engineer time and attention) and make sure to invest in automated software quality and static code review tools like SonarQube from the start. You will regret having to retroactively fit such tools into your development process.
Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is currently used in silos in our organization. One of our departments is using it full-time for all their code repositories, whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of code quality, figuring out static code issues, bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
  • Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way Elasticsearch is used in SonarQube; it makes it slightly challenging to run on a cloud environment like AWS.
SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate, if:
  1. You are a small organization and can't afford the enterprise license costs. You can go ahead with the free community version in this case, albeit with limited features.
  2. It needs Java 11 and a PostgreSQL database, which are not very common in most companies.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use [SonarQube] for static scans for all custom apps at JLL
  • Easy to integrate with MS tech stack
  • Scans can be configured
  • Endpoints are set up on a central server
  • Reporting on SonarQube is poor
  • The configuration is not intuitive
  • Role and IAM access is not accurate, too much dependence on admin
[SonarQube] has some clear advantages for C# code, Scans do work well once set up.
Arush Soel | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We are using it currently while building a .NET CI/CD pipeline for an automated analysis of our code quality and all the vulnerabilities, by scanning our various repositories in Bitbucket version control, publishing our stacks for any kinds of bugs found, ensuring proper code coverage and making our projects more reliable.
  • Best thing about it is that it offers an online instance (SonarCloud) where we can dry-run an open source project by forking a GitHub repository
  • Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
  • Provides a good amount of documentation on configuration and installation and how to use it.
  • Provides a strong integration with Azure DevOps and Jenkins for creating DSL pipelines.
  • Local dashboard won't work without Java installed on your machine
  • If talking about the local UI, the configuration may be quite complex. Needs an expert's advice
  • Its enterprise edition costs a fortune depending on the company size or the users that may use it.
It is quite a powerful code analysis tool if used by my colleagues in the organisation, but I would recommend SonarCloud (the cloud instance) or a community edition in order to get a demonstration or quick hands-on experience with its user interface and its administration, along with local dashboard configuration and installation.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube to scan our code for vulnerabilities and code "smells." SonarQube is wired into our continuous integration software Jenkins, so it scans the code every time a build runs.
  • Finding security flaws.
  • Finding code that does not follow best practices and standards.
  • Looking for code coverage.
  • For code "smells" it would be nice to have different levels of issues.
  • It could be easier to define policies for different levels of code "smells."
  • Prioritize different types of code "smells."
It should always be a part of the continuous integration. Our application is quite old and has a lot of code "smells" unfortunately. We make it a rule that if you are going to fix a problem, then you should fix the code issues found by Sonar in that part of the code also. Eventually we will have a much cleaner code base.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Our development team uses SonarQube in our web applications during our continuous integration check-in process.

The business problem we had in the past was that we weren't following a standard development process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
  • SonarQube allows us to apply our own coding standards during the check-in process so that our code is more standardized.
  • SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
  • One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
SonarQube has been well suited for us when new developers start working on our projects. With SonarQube checking code smells and our custom coding standards, new developers write better code with fewer errors, as outlined by our development standards.

It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Excellent static analysis tool for identifying potential issues with your code. SonarQube is easily integrated with your CI/CD workflow, including a containerized version. Once implemented, it scans code every time we push it and reports back any issues that need to be addressed. Customization is available to fine-tune the reports, identifying what's really important to you and your team.
  • Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
  • Customized quality settings let you tailor the tool for your specific needs.
  • Support for many languages including C, C++, Python, and more.
  • Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
  • Tighter integration with issue tracking systems such as Jira and GitLab.
Any modern-day CI/CD tool chain should include a static analyzer such as SonarQube. Using such a tool helps enhance the overall security of your application and helps train developers along the way. SonarQube does this exceedingly well and is lightweight enough to deploy quickly and easily. Definitely a great addition to your toolset.