SonarQube
Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.



Pricing

Community: Free (On Premise)

Developer Edition: Starts at $160 per year per installation (On Premise)

Enterprise Edition: Starts at $21,000 per year per installation (On Premise)

Entry-level set up fee?

  • No setup fee

For the latest information on pricing, visit https://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation

Product Demos

  • Understanding Issues with Multiple Locations (YouTube)
  • SonarQube analysis with Jenkins (YouTube)
  • GitHub: Block the Merge of a Pull Request (YouTube)

Product Details

What is SonarQube?

SonarQube is a self-managed open-source platform that helps developers create code free of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology is intended to ensure that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams monitor their codebase's overall health and quality across multiple projects in their portfolio. Ultimately, SonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Screenshots

Screenshots: Application Status; Portfolio Overview; Taint Analysis.

SonarQube Technical Details

Deployment Types: On-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages: Community localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube.

The most common users of SonarQube are from Enterprises (1,001+ employees).

Reviews and Ratings (87)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage for JUnit tests. The software serves as a static application security tool, helping to identify and fix security issues and vulnerabilities in code. It is seamlessly integrated into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights to identify vulnerabilities. With its comprehensive analysis of the codebase, SonarQube helps in enforcing good practices and preventing bugs, serving as a quality gate for software development. By utilizing static code analysis, SonarQube helps developers create bug-free code and detect vulnerabilities early on, saving valuable time in the development process. Additionally, SonarQube aids in maintaining code quality, improving coding structure, and ensuring code reliability and security. Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure. 
Whether it's identifying design flaws before committing or merging code or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the community version or integrate SonarLint with the IDE for free.

Integrate SonarQube with CI servers like CloudBees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Reviews

Score 9 out of 10 | Vetted Review | Verified User | Incentivized
Jenkins and GitLab are not exact alternatives for SonarQube; however, they do provide functionality for running and executing build pipelines for various languages and generating reports. However, they are not extensible, have no integration with IDEs and are not suitable for static code analysis and detecting software vulnerabilities. SonarQube is much more suitable for these use cases.
Score 7 out of 10 | Vetted Review | Verified User
SonarQube deployment worked well with our pipeline and had the right integrations with our IDE, as well as working well with analyzing .NET frameworks when compared to GitHub and GitLab, which have some of the functionality and can do some checks, but SonarQube made more sense given our existing DevOps pipeline.
Score 9 out of 10 | Vetted Review | Verified User | Incentivized
SonarQube identifies significantly more things compared to the built-in suggestions in IntelliJ IDEA. The suggestions on how to correct issues are also a lot better with SonarQube. IntelliJ IDEA provides great refactoring support to make it easy to refactor the code to solve issues. We use these tools together and they really complement each other.
Score 8 out of 10 | Vetted Review | Verified User | Incentivized
Getting SonarQube instead of the other tools we tested was an easy choice. Snyk was way too limited to only Docker images and dependency analysis at that time. And Checkmarx was very hard to adapt to our needs: configuring custom quality gates was way too much of a hassle. Sonar was the much more adapted tool for the job: the scans were fruitful, and it was much easier to customize to our needs. The core of Sonar is also open source, which is a big plus in our company.
Score 10 out of 10 | Vetted Review | Verified User | Incentivized
We decided to use SonarQube for the following reasons:
  1. Multi-language support: SonarQube supported all the languages used in our codebase while some of the other tools did not.
  2. Customizable quality profiles: SonarQube allowed teams to create custom quality profiles that aligned with their specific coding standards and best practices. Other tools did not provide the option, or it was cumbersome to do so.
  3. Integration with CI tools: SonarQube integrated easily with Jenkins and Azure DevOps. Other tools were harder to integrate.
  4. Detailed reporting and visualization: SonarQube provided a wide range of reports and visualizations that provided the level of detail needed from developers to upper management. Other tools did not have such reports or were limited to a certain audience.
  5. Large community support: SonarQube has a large and active community of users and contributors, which means that it benefits from a wide range of plugins and integrations, as well as a wealth of knowledge and best practices.
  6. Access control and security: SonarQube provides role-based access control that was not present in other tools or was harder to set up.
Score 8 out of 10 | Vetted Review | Verified User | Incentivized
I have used GitHub more than Fortify, so I am more familiar with GitHub for checking for vulnerabilities. I have noticed GitHub is good for checking different packages within your project, but as far as checking code quality and coverage, Sonar is the better one in my opinion. Fortify is not used much in my org as we do proof of concepts and Fortify is more expensive for us, so it is rarely used.
Score 8 out of 10 | Vetted Review | Verified User | Incentivized
Visual Studio has some nice code analysis tools, most of which can be activated at development time.
But they have some shortcomings and using an external tool allows catching issues that were not seen during development.
Using this dual approach makes for a more robust application production environment, thus making everyone more confident in the chain of production.
Score 8 out of 10 | Vetted Review | Verified User | Incentivized
I have used other tools like SoapUI and Postman, but their working and use case are totally different from SonarQube, so basically I cannot compare SonarQube with them. We use SonarQube in our project mostly to calculate the code quality report. In that report, we test for the bugs, vulnerabilities, code smells, code issues, criticals, blockers, and major & minor issues, and also calculate the code coverage of JUnits. But with the help of Postman, we send the API request to the server, and with SoapUI, we create the mock data in our local and create the server calls in our local.
Debobrata Bose | TrustRadius Reviewer | Score 7 out of 10 | Vetted Review | Verified User | Incentivized
SonarQube is open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty decent. Pipeline scan is more secure in SonarQube. It's a very good tool and it supports multiple languages. Its main core competency is static code analysis, and that is why SonarQube exists and it does it exceedingly well. The quality of scan on code convention, best practices, coding standards, unit test coverage etc. makes it one of the most competent tools in the market.
Daniel Anjos | TrustRadius Reviewer | Score 10 out of 10 | Vetted Review | Verified User | Incentivized
I personally evaluated Klocwork in a previous company and it worked well for Static Code Analysis for C++ applications, but the Java support was not as good as SonarQube.

Also, the overall tooling and integrations provided by SonarQube are stellar, and very few other competitors can provide such services and IDE integrations.

The output results from SonarQube tests can be easily read, including by other services for automation purposes, and creating reports for audits or other teams is nice and easy.
Prathamesh Sawant | TrustRadius Reviewer | Score 8 out of 10 | Vetted Review | Verified User | Incentivized
Codacy:
  1. Pros
    1. Code quality tests
    2. Code quality trending
    3. Security analysis
    4. Claims integrations with BitBucket, JIRA, Slack, although hard to find detail on their web page.
      1. https://www.codacy.com/products/bitbucket-code-review
      2. https://support.codacy.com/hc/en-us/sections/201760869-Integrations
  2. Cons
    1. Website is light on technical details
    2. Relatively new product from a small startup. https://www.crunchbase.com/organization/codacy
    3. No BitBucket code review integration
    4. $15/per user/per month, no free tier
WhiteSource:
  1. Pros
    1. BitBucket code review integration.
    2. Open source license and vulnerability testing.
  2. Cons
    1. No code analysis, just open source dependency checking.
Arush Soel | TrustRadius Reviewer | Score 8 out of 10 | Vetted Review | Verified User | Incentivized
SonarQube contains all of their features. FindBugs has very limited capabilities. It is just a static code analyser and does not check for continuous code quality, and it is also not possible to integrate its plugin with Azure DevOps .NET pipelines; more importantly, the SonarQube UI is quite user friendly and well highlighted.
Score 9 out of 10 | Vetted Review | Verified User | Incentivized
SonarQube doesn't do as good of a job of finding security vulnerabilities as dedicated SAST software, but it does more for code quality that the developers want to see. A comparison of SonarQube to something like Veracode or Fortify isn't apples to apples since they're not focused on the same things.
Score 9 out of 10 | Vetted Review | Verified User | Incentivized
We found SonarQube right at the beginning of our research process and found that it met most of our needs. SonarQube fit very nicely into our TFS continuous integration process. We seamlessly integrated the SonarQube steps into our TFS process via the Microsoft Marketplace. Since this was such an easy integration process, we didn't need to look any further.
Score 8 out of 10 | Vetted Review | Verified User | Incentivized
GitLab, if you have the right license, ships with a static analysis tool. It integrates better with GitLab, but didn't seem to have the same quality output that SonarQube did. SonarQube's community version is plenty suitable for day to day analysis operations.