SonarQube Server

It is one of the components within the gateway to get products into production. We have over 700 projects and just over 20m lines of code.

We have been using it since 2018.

We focus currently on vulnerabilities with required gates and stepped options with temporary "get well plans". The more advanced teams are focusing on quality aspect and self-manage their maturity. But there is currently no hard lines for quality at this time except for team agreed upon minimum complexity and duplication standards on new code.

Regarding helm charts and kubernetes... this was long awaited and welcomed! Making our deployments easier. Concern was on testing and such, there was a mistep in the last 10.6.0 push which caused a slight concern, but SonarSource was very quick at getting 10.6.1 out and distributing the information.

The only other concern we had, that we hadn't experienced in that past (at least not like this), the change of JDKs at minor versions, scanners, linters, especially without backwards compatibility where pipelines must actively change from JDK 11 to JDK 17 might be tough for groups who have large amounts of pipelines. **Pipelines which support templates that inject SAST requirements help a bunch to reduce the scope of pipeline changes, but still caught us by surprise. This sort of change is expected at major versions, right... But still, very stable... this hiccup didn't sway our thoughts about the product overall.

We're still trying to figure out how we can reduce costs... although value is very tangible tangible to some, the significant overhead is often questioned. Prompts us into discussions that force decisions on which code bases to remove, even if temporarily, for code that is relatively static for long periods.

We really appreciate the engagement of the SonarSource Community site. We use it to stay informed and to get quick insights and responsive support. Great folks out there--appreciate them and the engagement and they represent SonarSource well.

We use SonarQube as part of the CICD pipeline running on Azure DevOps. Mostly .Net projects, and currently integrating with react native.

It's used as a quality gate for software development in the feature implementation, as well as a security barrier for bugs and good practices enforcer.

As service based and product based organisation we are dealing with variety of products and projects so in order to maintain the Code Quality and also improve the coding structure by following the suggestions given by SonarQube Analysis and also checking the Code Coverage so we get to know that our code has fully passed through the Sonar Analysis. As a part of DevOps team we integrate SonarQube checks in CI(continuous integration part) so its an part of continuous code quality and we have also created custom Quality Gates in order to prevent the false or unimproved code from going into any environments.

It's always best to catch bugs and other code issues as soon as possible, especially when people from different teams and time zones touch the same code. While code reviews are obviously still necessary, SonarQube does filter the code seamlessly so that obvious issues are immediately detected and resolved. In some cases, there is customisation required for the general best practice rules and SonarQube accommodates this.