Top Rated
About TrustRadius Scoring
Score 8.2 out of 100
Top Rated


Recent Reviews

Code scanning for developers

9 out of 10
April 30, 2021
Our organization has a dedicated static security scanning tools we run against our code to check for vulnerabilities. While the security …
Continue reading
Read all reviews


Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons

View all pros & cons

Video Reviews

Leaving a video review helps other professionals like you evaluate products. Be the first one in your network to record a review of SonarQube, and make your voice heard!

Return to navigation


View all pricing



On Premise

Developer EDITION

Starts at $150

On Premise
100,000 Lines of Code

Enterprise EDITION

Starts at $20,000

On Premise
1 Million Lines of Code

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visit…


  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services
Return to navigation

Features Scorecard

No scorecards have been submitted for this product yet..
Return to navigation

Product Details

What is SonarQube?

SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube Features

  • Supported: Code Quality and Code Security
  • Supported: Developer workflow integration
  • Supported: Deep support for the Clean as You Code methodology

SonarQube Integrations

  • GitLab
  • Bitbucket
  • ALM Integration available for GitHub
  • Azure DevOps - self-managed & in-cloud
  • CI integrations with: Jenkins
  • GitHub Actions
  • GitLab CI
  • Bitbucket Pipelines
  • Azure DevOps Pipelines
  • SCM integrations with: Git
  • Subversion
  • Authentication integrations with: GitHub
  • LDAP
  • SAML
  • HTTP headers

SonarQube Competitors

SonarQube Technical Details

Deployment TypesOn-premise, SaaS
Operating SystemsWindows, Linux, Mac, Cloud
Mobile ApplicationNo
Supported CountriesGlobal
Supported LanguagesCommunity localization plugins support several languages.

Frequently Asked Questions

SonarQube (formerly Sonar) is an open source application security solution.

Veracode, Checkmarx, and Snyk are common alternatives for SonarQube.

The most common users of SonarQube are Enterprises (1,001+ employees) from the Information Technology & Services industry.
Return to navigation


View all alternatives
Return to navigation

Reviews and Ratings




(1-15 of 15)
Companies can't remove reviews or game the system. Here's why
Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Generating code quality report
  • Calculates junit coverage of the codebase very efficiently and precisely
  • Highlights the bugs and vulnerabilities in our codebase
  • Informs the user of the improvements which can be done to the code to make it cleaner
  • SonarQube also suggests remediation and resolution of the problems it highlights
  • Importing a new custom quality profile on SonarQube is a bit tricky, it can be made easier
  • Every second time when we want to rerun the server, we have to restart the whole system, otherwise, the server stops and closes automatically
  • When we generate a new report a second time and try to access the report, it shows details of the old report only and takes a lot of time to get updated with the details of the new and fresh report generated
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Review Source
  • Identify Security Vulnerabilities and highlights the code
  • Highlight suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version have some issues, example Integrating with Azure or Single Sign On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection
  • It takes time to configure and create profiles
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
  • Static Code Analysis
  • Security Vulnerabilities Scan
  • Multi software language support
  • Configurable quality gates for PR analysis
  • Better IDE integration and support
  • Easier GitHub actions integration and support
  • Better support and integration for dynamic code analysis during automated tests
October 14, 2021

SonarQube wins!

Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Static code analysis
  • Code coverage
  • Scan security vulnerability
  • Technical support
  • Better documentation
  • Scan for third party tools
Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way elastic search is used in Sonarqube, it makes it slightly challenging to run on a cloud environment like AWS.
Arush Soel | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a github repository
  • Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
  • Provides a good amount of documentation on how for configuration and installation and how to use it.
  • Provides a strong integration with azure devops and jenkins for creating DSL pipelines.
  • Local dashboard wont work without java installed on your machine
  • If talking about the local ui the configuration may be quite complex. Needs an experts advise
  • Its enterprise edition cost a fortune depending on a company size or users that may use it.
Score 9 out of 10
Vetted Review
Verified User
Review Source
  • Nice UI.
  • Easy to see a project status and if it is passing/failing.
  • Simple but explanatory bug descriptions.
  • Code smells could be better at reducing repeated findings.
Score 10 out of 10
Vetted Review
Verified User
Review Source
  • Finding security flaws.
  • Finding code that does not follow best practices and standards.
  • Looking for code coverage.
  • For code "smells" it would be nice to have different levels of issues.
  • It could be easier to define policies for different levels of code "smells."
  • Prioritize different types of code "smells."
Score 9 out of 10
Vetted Review
Verified User
Review Source
  • SonarQube allows us to apply our own coding stardards during the check-in process so that our code is more standardized.
  • SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
  • One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
  • Customized quality settings let you tailor the tool for your specific needs.
  • Support for many languages including C, C++, Python, and more.
  • Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
  • Tighter integration with issue tracking systems such as jira and Gitlab.
Sanyam Jain | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Review Source
  • JUnit Testing and Integration testing.
  • Easy to find bugs and track the code. Highlights the issues separately.
  • Code analytics on demand.
  • Checkup for the code and projects.
  • Easy to integrate with IDE.
  • JIRA plugin has no support forum.
  • Weak Open Source forums, this can be grown by spreading the word around the community.
  • Every IDE does not support SonarQube and vice versa, thus you have to select.
Saugandh Karan | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
  • Test scripts coverage data. It provides a line by line coverage stats, showing which condition is covered and which one is not
  • Checking the code quality. We have a particular coding standard which we need to adhere, so it helps in detecting if the code is written in that standard or not
  • Code smells
  • In terms of security of the code, it can improve. It is mostly used to check for coding standards but it would have been nice if we could have got a vulnerability check as well.
Return to navigation