Skip to main content
TrustRadius

Overview

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

Read more
Recent Reviews

TrustRadius Insights

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty …
Continue reading
Read all reviews

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Return to navigation

Pricing

View all pricing

Community

Free

On Premise

Developer EDITION

Starts at $160

On Premise
per year per installation

Enterprise EDITION

Starts at $21,000

On Premise
per year per installation

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visithttps://www.sonarsource.com/plans-and…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $160 per year per installation
Return to navigation

Product Demos

Understanding Issues with Multiple Locations

YouTube

SonarQube analysis with Jenkins

YouTube

GitHub: Block the Merge of a Pull Requests

YouTube
Return to navigation

Product Details

What is SonarQube?

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating with DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of the release pipeline, displaying pass/fail results for new code based on quality profiles that can be customized to a company's standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production. At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides the user through issue resolution, fostering a culture of continuous improvement. SonarQube’s reporting helps dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. UltimatelySonarQube aims to enable users to achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

SonarQube Screenshots

Screenshot of Application Status.Screenshot of Portfolio Overview.Screenshot of Taint Analysis.

SonarQube Technical Details

Deployment TypesOn-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating SystemsWindows, Linux, Mac, Cloud
Mobile ApplicationNo
Supported CountriesGlobal
Supported LanguagesCommunity localization plugins support several languages.

Frequently Asked Questions

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

SonarQube starts at $160.

Veracode, Checkmarx, and Fugue, part of Snyk are common alternatives for SonarQube.

The most common users of SonarQube are from Enterprises (1,001+ employees).
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(89)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources. Have feedback on this content? Let us know!

SonarQube has proven to be invaluable for software engineering companies looking to ensure code quality and prevent the release of faulty software. Users have utilized SonarQube for a wide range of use cases, including generating code quality reports, detecting bugs, vulnerabilities, and code smells, and analyzing code coverage for JUnit tests. The software serves as a static application security tool, helping to identify and fix security issues and vulnerabilities in code. It is seamlessly integrated into Azure DevOps Continuous Integration pipelines, providing detailed issue descriptions and code highlights to identify vulnerabilities. With its comprehensive analysis of the codebase, SonarQube helps in enforcing good practices and preventing bugs, serving as a quality gate for software development. By utilizing static code analysis, SonarQube helps developers create bug-free code and detect vulnerabilities early on, saving valuable time in the development process. Additionally, SonarQube aids in maintaining code quality, improving coding structure, and ensuring code reliability and security. Beyond these primary use cases, users have found value in using SonarQube to check code coverage, follow coding suggestions, manage technical debt, monitor unit test coverage for C++ projects, track bugs and code quality while the security team focuses on vulnerability scanning, and adhere to industry standards. Its customization options allow users to tailor the rules to their specific needs and enable toll-gating to prevent bad code from reaching production. The plugin-based framework of SonarQube ensures extensibility for new use cases and has been highly regarded by users who find it easy to integrate with existing tools and infrastructure. Whether it's identifying design flaws before committing or merging code or tracking legacy code issues and offering solutions for improvement, SonarQube plays a crucial role in improving the overall quality of software development projects across various industries.

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Tricky Importing of Custom Quality Profile: Reviewers have found that importing a new custom quality profile on SonarQube can be challenging and tricky, causing frustration during the setup process.

Inconvenient Server Restart Requirement: Some users have reported the inconvenience of having to restart the server every second time in order to rerun it, which disrupts their workflow and wastes time.

Slow Report Generation and Updating: Several reviewers have mentioned that generating a new report on SonarQube takes a significant amount of time. Additionally, they have experienced delays in updating the details of the new report, as it continues to display information from previous reports instead.

Based on user feedback, here are the most common recommendations for using SonarQube:

Consider using SonarQube if your team size is above 10. For smaller groups, it is recommended to use the community version or integrate Sonarlint with IDE for free.

Integrate SonarQube with CI servers like Cloudbees and Jenkins, as well as version control and testing tools like UFT. This will make the development process smoother and more efficient.

Leverage SonarQube's features, such as code coverage analysis, testing, and code health monitoring. Users find these features valuable for understanding code conventions, maintaining code quality, and identifying security issues or code smells in applications.

Attribute Ratings

Reviews

(1-25 of 34)
Companies can't remove reviews or game the system. Here's why
Score 10 out of 10
Vetted Review
Verified User
Incentivized
  • Code complexity detection
  • Code smell detection
  • Provides good default rules
  • Huge language support
  • Easy setup
  • Easy integration with common build tools
  • Great fix proposals, and issues description
  • It doesn't provide automatic pull request with fixes
  • It doesn't provide insights about the libraries of the projects
  • The administration management user interface could be simplified
  • It doesn't provide an order to fix issues, like archives with more and frequent commits have top priority
February 03, 2023

Code Quality is a Must!

Ariel Cabeza | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • Ongoing code quality management
  • Increase developer skills.
  • Detect and report problems.
  • Scale with business needs
  • Optimize the quality
  • it is sustainable
  • The main “disadvantage” is code maintenance, being more expensive, it also takes more time, as well as producing “false positives”.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • Easy integration with all coding languages
  • Plugin integration ensures easy extensibility
  • Detects code smells and vulnerabilities
  • Generate test coverage reports
  • Custom quality gates to ensure no bad code is merged
  • Learning curve is steep
  • Report generation is often very time consuming
  • Works particularly well for Java, but not so good for Python and R
  • Initial setup is quite complicated
Sérgio Cagica | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • Easily setup quality gate for code analysis and tests.
  • Quick reports for vulnerabilities and good practices.
  • Easy setup of vulnerabilities level requirements.
  • Credentials manager, like managing users, groups and permissions is complex.
  • UI for code review can be improved, feels old but is useful nonetheless.
  • The ticket management system can also be improved.
Sayam Jain | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • You can set your own rules for almost all the languages
  • Most of the rules are already defined you just need to use them
  • It helps us on Security aspects too.
  • you can place a gate on Code coverage too.
  • UI part of reporting needs more improvement.
  • Simple tooltips can be there for the users to understand better instead of reading documents.
  • For report extraction in Excel or Pdf you need Enterprise version
Aman Makwana | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
  • Static Code Scanning
  • Code Coverage reports, User Friendly Dashboard
  • Integration with various tools in order to maintain code quality
  • Pre-built as well as Custom Quality Gates
  • Detect Bugs & Vulnerabilities, Review Security Hotspots, Track Code Smells
  • Also has many plugins to interact with
  • As in SonarQube community edition they should enable the after scanning report generation
  • other security reports like, vulnerability with preferred solution
  • Guide on scalability, backups, resiliency as well
  • small report type UI on other tools as well like Jenkins
Score 7 out of 10
Vetted Review
Verified User
  • Works well with .Net
  • Has a nice extension that allows us to run it in our IDE (visual studio)
  • Is customizable in the sense that you can write your own rule set that you want SonarQube to analyze the code against
  • Often it finds errors that aren't really errors that have impact, takes a lot of time to sort through those cases
  • It's a good screener, but by no means can it catch all bugs or be the sole predictor of code quality, so the metrics that it provides need to be caveated when reporting to leadership, etc
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • Gives advice on coding practices
  • Rates our code over time
  • Highlights worst offending code to make prioritization easier
  • Helps improve our code over time
  • Notifications based on findings needs a lot of work. Options are extremely basic so far.
  • Integration of Dependency Check is very basic and could use some UX love.
  • Making it easier to turn down the noise of problems so teams can focus on the highest priority first without getting bogged down.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
  • Identify bugs in code
  • Identify bad design choices in the code
  • Give suggestions how to solve bad design choices
  • Could provide more configuration templates for suitable warning levels
  • Improved possibility to escalate repeated errors to architects and management
  • Easy way to deactivate a warning in a specific file
Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • Scanning source code for a defined set of quality gates and rules
  • Reporting security issues with static scans
  • Managing portfolios application in the enterprise edition
  • The scanner is a bit heavy and can be rewritten in a lighter language (like Go or rust)
  • Scans can take a bit of time
  • Some languages like C++ are much harder to scan than others
Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • For finding the code smell
  • For finding the code threat
  • Helping in improving code quality
  • Mandate to follow best practices
  • some code smell identification algo can be improved
  • Best practices should be upto date
Score 10 out of 10
Vetted Review
Verified User
Incentivized
  • Detecting bugs and vulnerabilities: SonarQube can identify a wide range of bugs and vulnerabilities in code, such as null pointer exceptions, SQL injection, and cross-site scripting (XSS) attacks. It uses static analysis to analyze the code and identify potential issues, and it can also integrate with dynamic analysis tools to provide even more detailed analysis.
  • Measuring code quality: SonarQube can measure a wide range of code quality metrics, such as cyclomatic complexity, duplicated code, and code coverage. This can help teams understand the quality of their code and identify areas that need improvement.
  • Providing actionable insights: SonarQube provides detailed information about issues in the code, including the file and line number where the issue occurs and the severity of the issue. This makes it easy for developers to understand and address issues in the code.
  • Integrating with other tools: SonarQube can be integrated with a wide range of development tools and programming languages, such as Git, Maven, and Java. This allows teams to use SonarQube in their existing development workflow and take advantage of its powerful code analysis capabilities.
  • Managing technical debt: SonarQube provides metrics and insights on the technical debt on the codebase, enabling teams to better prioritize issues to improve the quality of the code.
  • Compliance with coding standards: SonarQube can check the code against industry standards like OWASP, CWE and more, making sure the code is compliant with security and coding standards.
  • Complexity of setup and configuration: SonarQube can be quite complex to set up and configure, especially for organizations that have a large codebase or use a variety of different programming languages. This can make it difficult for teams to get started with the tool and may require specialized expertise.
  • Limited support for certain languages: While SonarQube supports a wide range of programming languages, it may not have full support for some languages, particularly newer or less common languages. This can limit the tool's usefulness for teams that use these languages.
  • Lack of integration with certain development tools: While SonarQube can be integrated with a wide range of development tools, it may not have integration with certain IDEs or build tools. This can make it difficult for teams to use SonarQube in their existing development workflow.
  • False-positive and False-negative issues: As with any static code analysis tool, SonarQube can generate a number of false positives, where it reports an issue that is not actually a problem, or false negatives, where it fails to report an issue that is actually a problem. This can make it difficult for teams to trust the tool's analysis results and may require manual review.
  • Limited scalability: For large codebase, SonarQube's performance and scalability can be an issue. It may take longer for the analysis to finish and the results may not be as accurate.
  • Limited collaboration capabilities: While SonarQube allows teams to view and track code quality issues, it has limited capabilities to collaborate and discuss those issues.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • Code coverage
  • Shows potential fixes
  • Speed
  • Sometimes the messages can be long and for someone's first time seeing this it can be hard to find what to look for
  • Sometimes potential fixes are not available
  • Documentation on setting up with Jenkins was hard to follow at some parts
Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • Generating code quality report
  • Calculates junit coverage of the codebase very efficiently and precisely
  • Highlights the bugs and vulnerabilities in our codebase
  • Informs the user of the improvements which can be done to the code to make it cleaner
  • SonarQube also suggests remediation and resolution of the problems it highlights
  • Importing a new custom quality profile on SonarQube is a bit tricky, it can be made easier
  • Every second time when we want to rerun the server, we have to restart the whole system, otherwise, the server stops and closes automatically
  • When we generate a new report a second time and try to access the report, it shows details of the old report only and takes a lot of time to get updated with the details of the new and fresh report generated
Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Incentivized
  • Identify Security Vulnerabilities and highlights the code
  • Highlight suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version have some issues, example Integrating with Azure or Single Sign On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection
  • It takes time to configure and create profiles
Daniel Anjos | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
  • Static Code Analysis
  • Security Vulnerabilities Scan
  • Multi software language support
  • Configurable quality gates for PR analysis
  • Better IDE integration and support
  • Easier GitHub actions integration and support
  • Better support and integration for dynamic code analysis during automated tests
October 14, 2021

SonarQube wins!

Score 8 out of 10
Vetted Review
Verified User
Incentivized
  • Static code analysis
  • Code coverage
  • Scan security vulnerability
  • Technical support
  • Better documentation
  • Scan for third party tools
Return to navigation