Skip to main content
TrustRadius
SonarQube

SonarQube

Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

Read more
Recent Reviews

TrustRadius Insights

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty …
Continue reading
TrustRadius Insights
TrustRadius Insights
Read all reviews

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Return to navigation

Pricing

View all pricing

Community

Free

On Premise

Developer EDITION

Starts at $160

On Premise
per year per installation

Enterprise EDITION

Starts at $21,000

On Premise
per year per installation

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visithttps://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation
Return to navigation

Product Demos

Understanding Issues with Multiple Locations

YouTube

SonarQube analysis with Jenkins

YouTube

GitHub: Block the Merge of a Pull Requests

YouTube
Return to navigation

Product Details

What is SonarQube?

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. UltimatelySonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Screenshots

Screenshot of Application Status.Screenshot of Portfolio Overview.Screenshot of Taint Analysis.

SonarQube Integrations

SonarQube Competitors

SonarQube Technical Details

Deployment TypesOn-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating SystemsWindows, Linux, Mac, Cloud
Mobile ApplicationNo
Supported CountriesGlobal
Supported LanguagesCommunity localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube.

The most common users of SonarQube are from Enterprises (1,001+ employees).
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(88)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources. Have feedback on this content? Let us know!

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage for JUnit tests. The software serves as a static application security tool, helping to identify and fix security issues and vulnerabilities in code. It is seamlessly integrated into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights to identify vulnerabilities. With its comprehensive analysis of the codebase, SonarQube helps in enforcing good practices and preventing bugs, serving as a quality gate for software development. By utilizing static code analysis, SonarQube helps developers create bug-free code and detect vulnerabilities early on, saving valuable time in the development process. Additionally, SonarQube aids in maintaining code quality, improving coding structure, and ensuring code reliability and security. Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure. Whether it's identifying design flaws before committing or merging code or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the community version or integrate Sonarlint with IDE for free.

Integrate SonarQube with CI servers like Cloudbees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Attribute Ratings

Reviews

(1-6 of 6)
Companies can't remove reviews or game the system. Here's why
February 03, 2023

Code Quality is a Must!

Ariel Cabeza | TrustRadius Reviewer
Ariel Cabeza
Tech Lead
Andreani Grupo Logístico (Package/Freight Delivery, 5001-10,000 employees)
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use SonarQube as part of the CICD pipeline running on Azure DevOps. Mostly .Net projects, and currently integrating with react native.
Pros and Cons
  • Ongoing code quality management
  • Increase developer skills.
  • Detect and report problems.
  • Scale with business needs
  • Optimize the quality
  • it is sustainable
  • The main “disadvantage” is code maintenance, being more expensive, it also takes more time, as well as producing “false positives”.
Likelihood to Recommend
SonarQube allows automatic static analysis of source code, looking for patterns with errors, bad practices or incidents.
In addition, it performs a calculation of the technical debt. It can be used in any scenario.
In order to use SonarQube, you need to install a server component, where the engine that performs the analysis and stores the results is located, and the analysis must be invoked in some way, which can be done with a client called SonarQube Scanner.
You can also integrate the analysis into the IDE you are using, with a plugin called SonarLint!.
January 26, 2023

SonarQube, you don't need to search more!

Sérgio Cagica | TrustRadius Reviewer
Sérgio Cagica
Software Engineer
diconium (Program Development, 1-10 employees)
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
It's used as a quality gate for software development in the feature implementation, as well as a security barrier for bugs and good practices enforcer.
Pros and Cons
  • Easily setup quality gate for code analysis and tests.
  • Quick reports for vulnerabilities and good practices.
  • Easy setup of vulnerabilities level requirements.
  • Credentials manager, like managing users, groups and permissions is complex.
  • UI for code review can be improved, feels old but is useful nonetheless.
  • The ticket management system can also be improved.
Likelihood to Recommend
Sonarqube does its job properly, it can improve in some points like usability and user experience, but in the end, it does everything you need well.
January 19, 2023

SonarQube - solid static code analysis tool

Verified User
Engineer in Research & Development
Biotechnology Company, 10,001+ employees
Score 7 out of 10
Vetted Review
Verified User
Use Cases and Deployment Scope
We use SonarQube in the software department in our devOps pipeline to analyze source code for our application and provide metrics on issues that it identifies within the codebase. Basically we'll run SonarQube at various steps of code check ins and merges as one of many metricsto determine code quality and alert the teams to potential issues in recently checked in codde that may need to be triaged and addressed.
Pros and Cons
  • Works well with .Net
  • Has a nice extension that allows us to run it in our IDE (visual studio)
  • Is customizable in the sense that you can write your own rule set that you want SonarQube to analyze the code against
  • Often it finds errors that aren't really errors that have impact, takes a lot of time to sort through those cases
  • It's a good screener, but by no means can it catch all bugs or be the sole predictor of code quality, so the metrics that it provides need to be caveated when reporting to leadership, etc
Likelihood to Recommend
Overall it's a nice check to incorporate into the devOps pipeline as another sanity check on the code that's being checked in and the codebase in general. It's good as a supplemental tool, but not if an org is looking for a complete view into code quality or security. Basically SonarQube is able to give you some flagged issues to look into and a metric that reflects the number of issues with the code it identifies, but still requires developers to take a second look and adequately triage which of the SonarQube issues are high impact and need to be addressed.
January 18, 2023

A very thorough code analysis tool that helps improve overall quality

Verified User
Engineer in Information Technology
Computer Software Company, 11-50 employees
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We are using SonarQube to do static source analysis on our C# projects. This allows us to monitor unit test coverage and discover code smells that have escaped peer review at the merge request phase.
This may not seem to be of the outmost importance, but it has saved us from publishing bogus software to our clients in a number of occasions.
Pros and Cons
  • Static analysis
  • Code coverage
  • Code smells
  • Configuration management
  • Reporting
  • Rules deactivation flexibility
Likelihood to Recommend
Whenever you are doing C# based development, you will want to do some static analysis. While Visual Studio comes with some tools, SonarQube is much more advanced and targets more than just C#
There are cases, however, when it is not very suited : when trying to use it on languages that it does not support natively. For instance, we'd love to use it on pascal flavored languages, but without official support, this proved to be impractical.
May 20, 2021

SAST Tools selection - SonarQube to the rescue

KT
Kirti Thakkar
Devops Manager
JLL (Real Estate, 10,001+ employees)
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use [SonarQube] for static scans for all custom apps at JLL
Pros and Cons
  • Easy to integrate with MS tech stack
  • Scans can be configured
  • Endpoints can are setup on central server
  • Reporting on SonarQube is poor
  • The configuration is not intuitive
  • Role and IAM access is not accurate, too much dependence on admin
Likelihood to Recommend
[SonarQube] has some clear advantages for C# code, Scans do work well once set up.
February 26, 2020

Excellent tool for enforcing good coding practices and conventions

Verified User
Professional in Information Technology
Insurance Company, 51-200 employees
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
Our development team uses SonarQube in our web applications during out continuous integration check-in process.

The business problem we had in the past was that we weren't folloiwng a standard deveopment process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
Pros and Cons
  • SonarQube allows us to apply our own coding stardards during the check-in process so that our code is more standardized.
  • SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
  • One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
Likelihood to Recommend
SonarQube has been well suited for us when new devleopers start working on our projects. With SonarQube checking code smells and our custom coding stardards, new developers write better code with less errors as outlined by our development standards.

It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
Return to navigation