TrustRadius

SonarQube
Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.


Pricing

  • Community: Free (On Premise)
  • Developer Edition: Starts at $160 per year per installation (On Premise)
  • Enterprise Edition: Starts at $21,000 per year per installation (On Premise)

Entry-level set up fee?

  • No setup fee

For the latest information on pricing, visit https://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation

Product Demos

  • Understanding Issues with Multiple Locations (YouTube)
  • SonarQube analysis with Jenkins (YouTube)
  • GitHub: Block the Merge of a Pull Request (YouTube)

Product Details

What is SonarQube?

SonarQube is a self-managed open-source platform that helps developers create code free of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams monitor their codebase's overall health and quality across multiple projects in their portfolio. Ultimately, SonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Screenshots

  • Screenshot of Application Status
  • Screenshot of Portfolio Overview
  • Screenshot of Taint Analysis

SonarQube Technical Details

Deployment Types: On-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Windows, Linux, Mac, Cloud
Mobile Application: No
Supported Countries: Global
Supported Languages: Community localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube.

The most common users of SonarQube are from Enterprises (1,001+ employees).


Reviews and Ratings (88)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage for JUnit tests. The software serves as a static application security tool, helping to identify and fix security issues and vulnerabilities in code. It is seamlessly integrated into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights to identify vulnerabilities. With its comprehensive analysis of the codebase, SonarQube helps in enforcing good practices and preventing bugs, serving as a quality gate for software development. By utilizing static code analysis, SonarQube helps developers create bug-free code and detect vulnerabilities early on, saving valuable time in the development process. Additionally, SonarQube aids in maintaining code quality, improving coding structure, and ensuring code reliability and security. Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure. 
Whether it's identifying design flaws before committing or merging code or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the community version or integrate Sonarlint with IDE for free.

Integrate SonarQube with CI servers like Cloudbees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Reviews (1-25 of 34)
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube to analyze our codebase; the main goals are detection of code smells, security vulnerabilities, and performance issues, and also to measure our test coverage. It is part of the continuous integration process. We perform analysis in different languages like Java, JavaScript, TypeScript, and Python. We are planning to include new ones, like Scala and PHP.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is the default choice for static analysis tools for all the projects in our organization. We use it extensively for examining code quality, detecting code smells, detecting security issues in code and identifying complexities in code for every project. SonarQube is extremely useful since it works for almost all languages that we write our code in, including Python and Java. The plugin-based framework ensures extensibility and easy enhancement of functionality for new use cases.
Sayam Jain | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We are a product-based company where we are using SonarQube to keep an eye on the code quality of all our projects. It really reduced the workload of the reviewers and helped a lot to improve our code quality and the efficiency of the project. It helped us a lot that we can define our own set of rules in all the languages. It has helped us to identify the static code, which reduced our deployment efforts.
Aman Makwana | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
As a service-based and product-based organisation we are dealing with a variety of products and projects, so in order to maintain the code quality and also improve the coding structure we follow the suggestions given by SonarQube analysis and also check the code coverage, so we get to know that our code has fully passed through the Sonar analysis. As a part of the DevOps team we integrate SonarQube checks in CI (the continuous integration part), so it's a part of continuous code quality, and we have also created custom Quality Gates in order to prevent false or unimproved code from going into any environments.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is a freeware used for checking security vulnerabilities, inspection of automatic code quality checks and for CI/CD automation. In our organization we used this application as an integrated service plugin with Microsoft Azure's DevOps for CI/CD automation. It is a very helpful application for inspection of applications developed using a variety of programming languages.
Score 7 out of 10
Vetted Review
Verified User
We use SonarQube in the software department in our DevOps pipeline to analyze source code for our application and provide metrics on issues that it identifies within the codebase. Basically we'll run SonarQube at various steps of code check-ins and merges as one of many metrics to determine code quality and alert the teams to potential issues in recently checked-in code that may need to be triaged and addressed.
Prashant Chaudhari | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube to scan our source code whenever we push changes to GitHub. SonarQube helps in identifying code smells and security issues in the code with detailed explanations and intuitive reports.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube as a component in our development and continuous integration environment when developing IT systems. The main purpose of our usage is to be able to identify and find bad design choices and mistakes at an early development stage. Developers use it both in their development environment to be able to find things before committing code and also in the CI environment after committing code to a feature branch but before merging it to master branch.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
In my company, we started using SonarCloud (the SaaS version) a couple of years ago, and then quickly switched to the enterprise edition of SonarQube. This edition offered several governance features that were not available in the other types of Sonar subscription.
Since then, we made automated Sonar scanning mandatory for all projects, integrated directly in our CI/CD pipelines.
Randy Varela | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
SonarQube is our primary DevSecOps tool, helping us and our customers to create a secure development program for our applications and changes in infrastructure.

SonarQube is easy to use once installed, and recently we've been using the cloud version (SonarCloud), which is even easier to integrate with our current tools and infrastructure.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We have been using it for code analysis and identifying code smells and code threats. We have integrated it in our code pipeline. Every pushed branch has to go through this check by SonarQube, and any code smell or threat identified by SonarQube needs to be worked on by the respective developers to pass the pipeline.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
The main business problem that SonarQube addresses is ensuring our software is of high quality and free of defects. We use SonarQube to identify and fix issues in our code during development and integration before they become a bigger problem, thus reducing the risk of costly bugs and vulnerabilities.

Common use cases for SonarQube include:
  • Identifying and fixing bugs and vulnerabilities in code
  • Improving code readability and maintainability
  • Increasing code coverage and testing
  • Measuring code quality and compliance with industry standards
  • Keeping track of technical debt
January 18, 2023

Great Code Analysis Tool

Gabriel Freire | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
It's always best to catch bugs and other code issues as soon as possible, especially when people from different teams and time zones touch the same code. While code reviews are obviously still necessary, SonarQube does filter the code seamlessly so that obvious issues are immediately detected and resolved. In some cases, there is customisation required for the general best practice rules and SonarQube accommodates this.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use Sonar in order to ensure our code is secure. We have used it on APIs and on our frontend. We have also used SonarLint for Android. We have a plug-in for our Jenkins account which will check our project code coverage etc. in Sonar; if this fails then our code cannot go live or be merged into master.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We are using SonarQube to do static source analysis on our C# projects. This allows us to monitor unit test coverage and discover code smells that have escaped peer review at the merge request phase.
This may not seem to be of the utmost importance, but it has saved us from publishing bogus software to our clients on a number of occasions.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube in our project mostly to calculate the code quality report; in that report we test for bugs, vulnerabilities, code smells, code issues, criticals, blockers, major & minor issues, and also calculate the code coverage of JUnit tests. We also set the quality profile, which contains the rules we set according to the rules we follow in our project, and on that basis we generate the JUnit coverage report.

One business problem I mostly faced was that if we had run the server once, closed it, and tried to run it again, then it does not run and closes automatically. To run the server again we have to restart the system; only then does it work, so those issues can be resolved.

The scope of my case is to generate the code quality report for the codebase in our project according to the custom quality profile we add in SonarQube.
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is being used in my organization as a Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromise the app. It is currently being used in all the projects in my department.
It is being used in our Azure DevOps Continuous Integration pipeline to identify the vulnerabilities in code and provides detailed issue descriptions and code highlights that explain why your code is at risk.
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is used as part of the build process (Continuous Integration and Continuous Delivery) in all Java services to ensure a high quality of code and remove bugs that can be found during static analysis. The whole engineering organisation is using it, and it solves the problem of low-quality code reaching production and causing bugs and incidents due to poor reviews. With Sonar we are able to quickly identify if a new change will introduce issues in Production before it is merged and deployed. It also helps identify issues with legacy code and improve code quality in existing services, by providing solutions to known problems. I would definitely recommend Sonar to any Software Engineering company, whether using Java or C++ or any other supported language.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use SonarQube to check and ensure Java code quality as part of our development process. With built-in suggestions for coding improvements, the rate at which we produce and deploy quality code has been a game changer. Also, it works to train developers continuously, helping them adhere to best practices.
Sharique Khan | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
SonarQube is the static security code analysis tool used in the organization. It is integrated with Continuous Integration pipelines of multiple product lines including legacy and modern applications. It has been implemented with TeamCity, Azure DevOps and VSTS CI/CD tools. Its purpose is to ensure the builds are of the highest quality and free of security vulnerabilities.