Skip to main content
TrustRadius

Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

Read more

Learn from top reviewers

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons

View all pros & cons
Return to navigation

Pricing

View all pricing

Community

Free

On Premise

Developer EDITION

Starts at $160

On Premise
per year per installation

Enterprise EDITION

Starts at $21,000

On Premise
per year per installation

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visithttps://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation
Return to navigation

Product Demos

Understanding Issues with Multiple Locations

YouTube

SonarQube analysis with Jenkins

YouTube

GitHub: Block the Merge of a Pull Requests

YouTube
Return to navigation

Product Details

What is SonarQube?

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. UltimatelySonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Screenshots

Screenshot of Application Status.Screenshot of Portfolio Overview.Screenshot of Taint Analysis.

SonarQube Technical Details

Deployment TypesOn-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating SystemsWindows, Linux, Mac, Cloud
Mobile ApplicationNo
Supported CountriesGlobal
Supported LanguagesCommunity localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube.

The most common users of SonarQube are from Enterprises (1,001+ employees).
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(92)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources. Have feedback on this content? Let us know!

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage for JUnit tests. The software serves as a static application security tool, helping to identify and fix security issues and vulnerabilities in code. It is seamlessly integrated into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights to identify vulnerabilities. With its comprehensive analysis of the codebase, SonarQube helps in enforcing good practices and preventing bugs, serving as a quality gate for software development. By utilizing static code analysis, SonarQube helps developers create bug-free code and detect vulnerabilities early on, saving valuable time in the development process. Additionally, SonarQube aids in maintaining code quality, improving coding structure, and ensuring code reliability and security. Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure. Whether it's identifying design flaws before committing or merging code or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the community version or integrate Sonarlint with IDE for free.

Integrate SonarQube with CI servers like Cloudbees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Reviews

(1-25 of 35)
Companies can't remove reviews or game the system. Here's why

SonarQube: The mandatory tool to elevate your code quality quality

Rating: 10 out of 10
February 06, 2023
Verified User
Vetted Review
Verified User
SonarQube
3 years of experience
- The SonarQube analysis provides good suggestions to improve our project's health
- The default rules "Sonar Way" are pretty good and provide good insights
- I consider it a mandatory tool for any serious project.
- You can use offline tools like error-prone, spotbugs, or PMD, but Sonar analysis is more complete and it has more features.

Code Quality is a Must!

Rating: 9 out of 10
February 03, 2023
AC
Vetted Review
Verified User
SonarQube
4 years of experience
SonarQube allows automatic static analysis of source code, looking for patterns with errors, bad practices or incidents.
In addition, it performs a calculation of the technical debt. It can be used in any scenario.
In order to use SonarQube, you need to install a server component, where the engine that performs the analysis and stores the results is located, and the analysis must be invoked in some way, which can be done with a client called SonarQube Scanner.
You can also integrate the analysis into the IDE you are using, with a plugin called SonarLint!.

Sonarqube - The ultimate tool for end to end code analysis

Rating: 9 out of 10
February 01, 2023
Verified User
Vetted Review
Verified User
SonarQube
3 years of experience
You should buy: If you need static analysis for multiple languages in your teams If static analysis integration with IDEs is an important requirement If you need custom quality gates for code quality analysis If highly detailed test coverage reports is important for your organization Do not buy if you cannot afford a dedicated team to manage the SonarQube instance for your organization

SonarQube- A perfect QC for Reviewers

Rating: 9 out of 10
January 24, 2023
SJ
Vetted Review
Verified User
SonarQube
3 years of experience
As we were having multiple projects in multiple languages to support our product, A team of 20 developers was working with the various level of experience. To maintain the code integrity and its Sanity SonarQube helped a lot to place the quality gates, Some of the rules were pre-defined and required very minor tweaking. It really made life easy for the reviewers as it supports multiple integration with gitlab, confluence and Jenkins.

SonarQube: Helper of Dev and organisation for better code quality and security practices.

Rating: 10 out of 10
January 20, 2023
AM
Vetted Review
Verified User
SonarQube
2 years of experience
When we have a big projects/products and also there are multiple tech stacks involved in project and also there's an dedicated team working of multiple tech stack is working so there we need to ensure the uniformity in coding structures and also its has support for many languages out there in market. Its not suitable for small projects where the user base, internet traffic is not much. because in that use case we have more headache on maintaining SonarQube servers

Easy to use DecSecOps application

Rating: 8 out of 10
January 20, 2023
Verified User
Vetted Review
Verified User
SonarQube
1 year of experience
Well suited:
- Easy to Integrate with different DevOps platforms for CI/CD automation
- To detect application security vulnerabilities
- For automation static code checks / analysis in order to detect bugs
- Can be used for variety of programming language applications
Improvement areas:
- Better documentation
- More programming language specific examples

SonarQube - solid static code analysis tool

Rating: 7 out of 10
January 19, 2023
Verified User
Vetted Review
Verified User
SonarQube
2 years of experience
Overall it's a nice check to incorporate into the devOps pipeline as another sanity check on the code that's being checked in and the codebase in general. It's good as a supplemental tool, but not if an org is looking for a complete view into code quality or security. Basically SonarQube is able to give you some flagged issues to look into and a metric that reflects the number of issues with the code it identifies, but still requires developers to take a second look and adequately triage which of the SonarQube issues are high impact and need to be addressed.

Easy to use DevSecOps tool

Rating: 10 out of 10
January 19, 2023
PC
Vetted Review
Verified User
SonarQube
1 year of experience
Using docker, we were able to setup sonarqube and ran our first scan in about a day's time. It was quick to create different projects and linking source code to scan.
It clearly segregates issues under Reliability, Security and Maintainability buckets.
It also suggests solutions to fix issues with the code with up to date standards.

Cost effective way to find and correct issues early

Rating: 9 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
5 years of experience
SonarQube is excellent if you start using it at the beginning when developing a new system, in this situation you will be able to fix things before they become spread and expensive to correct. It’s a bit less suitable to use on existing code with bad design as it’s usually too expensive to fix everything and only allows you to ensure the situation doesn’t get worse.

Don't Skip Static Analysis with Sonar!

Rating: 8 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
6 years of experience
Honestly, a tool like SonarQube should be always used all the time for any project that uses a supported language (there are lots of them)
When developers produce applications and source code, it's easy for them to miss critical quality and security issues in their Pull Requests.
Sonar makes it much easier to detect those kind of issues, and allows the builds to fail if the quality threshold are not respect for some reason.
It's easy for those kind of issues to end up in production if they are not detected early within the CI/CD steps.

SonarQube your free & friendly DevSecOps tool

Rating: 8 out of 10
January 18, 2023
RV
Vetted Review
Verified User
SonarQube
2 years of experience
SonarQube is a good tool for DevSecOps, it has been with us for years, it's free and it's helping on the security pipeline of many popular and critical development nowadays (Apache struts, Brave, ...). SonarQube is community maintained but fairly up-to-date against recent threats also integrates very quick with most of the common DevOps tools such as Jenkins, Azure DevOps and GitHub

SonarQube Must in Code Pipeline

Rating: 8 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
34 years of experience
SonarQube is the one of best tool to integrate for code pipeline that improves the code quality of developers and making to follow the best practice. It must be integrated with all repositories.

SonarQube: A great solution for code quality management and analysis

Rating: 10 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
7 years of experience
Scenarios where SonarQube is well suited:
  1. Large codebase: The tool's static analysis capabilities can help teams quickly identify and fix bugs, vulnerabilities, and code smells in large codebases.
  2. Compliance and security: The tool can check the code against industry standards or regulations, such as OWASP and CWE, and identify any issues that need to be addressed.
  3. Agile development: SonarQube can be integrated with CI/CD pipelines allowing teams to continuously monitor and improve code quality throughout the development process.
  4. Teams using multiple languages: Teams that use multiple programming languages can benefit from using SonarQube, as the tool supports a wide range of languages and can be integrated with a variety of development tools.

Scenarios where SonarQube may be less appropriate:
  1. Small codebase: Organizations with a small codebase may not see the full benefits of using SonarQube, as the tool's static analysis capabilities may be overkill for a smaller codebase.
  2. Limited resources: Organizations with limited resources may find it difficult to set up and configure SonarQube, as the tool can be complex and may require specialized expertise.
  3. Limited integration: Organizations that use development tools or IDEs that are not supported by SonarQube may find it difficult to integrate the tool into their existing development workflow.
  4. Limited scalability: Large organizations with millions of lines of code may find SonarQube's performance and scalability to be an issue. It may take longer for the analysis to finish and the results may not be as accurate.

Great Code Analysis Tool

Rating: 9 out of 10
January 18, 2023
GF
Vetted Review
Verified User
SonarQube
3 years of experience
A scenario that is particularly useful is integrating SonarQube into a Github Actions pipeline so that before any new Pull Request is reviewed and/or merged, you know whether the new code is clean of bugs or major issues.
It is also useful to create custom Quality Profiles to educate new developers that join the company.

SonarQube to make your project secure

Rating: 8 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
2 years of experience
I think having SonarQube in your project is a big bonus as it can spot small vulnerabilities that you might not think of. This also will improve your overall skill in coding securely. They also update regularly so that it can spot new vulnerabilities which may not be known. As package updates there can be more vulnerabilities deep in your project that you may not know about

A very thorough code analysis tool that helps improve overall quality

Rating: 8 out of 10
January 18, 2023
Verified User
Vetted Review
Verified User
SonarQube
2 years of experience
Whenever you are doing C# based development, you will want to do some static analysis. While Visual Studio comes with some tools, SonarQube is much more advanced and targets more than just C#
There are cases, however, when it is not very suited : when trying to use it on languages that it does not support natively. For instance, we'd love to use it on pascal flavored languages, but without official support, this proved to be impractical.

SonarQube, the best choice for a Static Code Analysis tool leveraging application security at large

Rating: 7 out of 10
April 26, 2022
DB
Vetted Review
Verified User
SonarQube
2 years of experience
SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and It's not really difficult to get through the settings. Its possible to build many rules that apply for each programming language, for example, .NET, and Java. You can easily set up rules and even with the community version. It's a great tool but you have to have a good project plan before being introduced to the tools. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality

Using SonarQube professionally for more than 7 years and fully recommend it to any Software Engineer

Rating: 10 out of 10
November 05, 2021
DA
Vetted Review
Verified User
SonarQube
7 years of experience
There's no other tool in the market that is as reliable and trust worthy than SonarQube for Static Analysis. They are the industry standard for software quality analysis and should be part of any company that requires audits on software quality and vulnerability (like financial institutions). Of course SonarQube doesn't replace application testing and security testing by specialists, but their automated testing should be baseline for any engineers that values their time, by pointing problems automatically before they are reviewed by other specialist, or even released to production. Don't waste your company's most valuable resource (engineer time and attention) and make sure to invest in automated software quality and static code review tools like SonarQube from the start. You will regret having to retroactively fit such tools in your development process.

Code Quality Improvements Made Easy

Rating: 8 out of 10
November 04, 2021
Verified User
Vetted Review
Verified User
SonarQube
1 year of experience
We only use SonarQube for Java development, so this review can't speak to its effectiveness for other programming languages, of which SonarQube has coverage for many. There are a plethora of CI/CD integrations, so chances are you can put in an automated code quality check in your process to squash bugs before they are deployed.

SonarQube wins!

Rating: 8 out of 10
October 14, 2021
Verified User
Vetted Review
Verified User
SonarQube
2 years of experience
Well suited for code analysis. OWASP top 10 are pretty much covered.NOT suited for third party tools used in code.
Return to navigation