SonarQube

Top Rated
Score 8.2 out of 100

Overview

Recent Reviews

Code scanning for developers

9 out of 10
April 30, 2021
Our organization has a dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security …

Pricing

  • Community: Free, On Premise
  • Developer EDITION: Starts at $150, On Premise, 100,000 Lines of Code
  • Enterprise EDITION: Starts at $20,000, On Premise, 1 Million Lines of Code

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visit https://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services

Product Details

What is SonarQube?

SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube Features

  • Supported: Code Quality and Code Security
  • Supported: Developer workflow integration
  • Supported: Deep support for the Clean as You Code methodology

SonarQube Integrations

  • GitLab
  • Bitbucket
  • ALM Integration available for GitHub
  • Azure DevOps - self-managed & in-cloud
  • CI integrations with: Jenkins, GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps Pipelines
  • SCM integrations with: Git, Subversion
  • Authentication integrations with: GitHub, LDAP, SAML, HTTP headers

SonarQube Technical Details

Deployment Types: On-premise, SaaS
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages: Community localization plugins support several languages.

Frequently Asked Questions

SonarQube (formerly Sonar) is an open source application security solution.

Veracode, Checkmarx, and Snyk are common alternatives for SonarQube.

The most common users of SonarQube are Enterprises (1,001+ employees) from the Information Technology & Services industry.

Reviews and Ratings

 (60)

Ratings

Reviews

(1-15 of 15)
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and it's not really difficult to get through the settings. It's possible to build many rules that apply for each programming language, for example, .NET, and Java. You can easily set up rules and even with the community version. It's a great tool but you have to have a good project plan before being introduced to the tools. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
There's no other tool in the market that is as reliable and trustworthy as SonarQube for Static Analysis. They are the industry standard for software quality analysis and should be part of any company that requires audits on software quality and vulnerability (like financial institutions). Of course, SonarQube doesn't replace application testing and security testing by specialists, but their automated testing should be baseline for any engineer that values their time, by pointing problems automatically before they are reviewed by other specialists, or even released to production. Don't waste your company's most valuable resource (engineer time and attention) and make sure to invest in automated software quality and static code review tools like SonarQube from the start. You will regret having to retroactively fit such tools in your development process.
Score 8 out of 10
Vetted Review
Verified User
We only use SonarQube for Java development, so this review can't speak to its effectiveness for other programming languages, of which SonarQube has coverage for many. There are a plethora of CI/CD integrations, so chances are you can put in an automated code quality check in your process to squash bugs before they are deployed.
Sharique Khan | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
SonarQube is well suited to implement Secure SDLC and incorporate the best secure coding practices. It would ensure adherence to the organization's coding standards and have uniform code across various development teams. It enables early identification and remediation of security flaws in the code.
Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate, if:
  1. If you are a small organization & can't afford the enterprise license costs. You can go ahead with a free community version in this case albeit with limited features.
  2. Needs Java 11 & PostgreSQL database, which are not very common in most companies.
Arush Soel | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
It is quite a powerful code analysis tool if used by my colleagues in organisation, but I would recommend a SonarCloud (cloud instance) or a community edition in order to get a demonstration or to get a quick hands-on experience with its user interface and its administration along with local dashboard configuration and installation.
Score 9 out of 10
Vetted Review
Verified User
I think the setup we have of using SonarQube as a code quality tool alongside a dedicated security scanning tool makes a lot of sense. The tools scanning for security issues don't usually cover things the developers want to see like code quality metrics, but give better results for vulnerabilities. If they see security issues getting flagged in SonarQube and fix those too, well that's a win for security.
Score 10 out of 10
Vetted Review
Verified User
It should always be a part of the continuous integration. Our application is quite old and has a lot of code "smells" unfortunately. We make it a rule that if you are going to fix a problem, then you should fix the code issues found by Sonar in that part of the code also. Eventually we will have a much cleaner code base.
Score 9 out of 10
Vetted Review
Verified User
SonarQube has been well suited for us when new developers start working on our projects. With SonarQube checking code smells and our custom coding standards, new developers write better code with fewer errors as outlined by our development standards.

It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
Score 8 out of 10
Vetted Review
Verified User
Any modern-day CI/CD tool chain should include a static analyzer such as SonarQube. Using such a tool helps enhance the overall security of your application and helps train developers along the way. SonarQube does this exceedingly well and is lightweight enough to deploy quickly and easily. Definitely a great addition to your toolset.