Item: SonarQube
Rating: 8
Author: Verified User

Use Cases and Deployment Scope

Excellent static analysis tool for identifying potential issues with your code. Sonarqube is easily integrated with your CI/CD workflow, including a containerized version. Once implemented, it scans code every time we push it and reports back any issues that need to be addressed. Customization is available to fine tune the reports, identifying what's really important to you and your team.

Pros and Cons

Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
Customized quality settings let you tailor the tool for your specific needs.
Support for many languages including C, C++, Python, and more.

Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
Tighter integration with issue tracking systems such as jira and Gitlab.

Return on Investment

More secure code
Reduced security issues over time

Alternatives Considered

Gitlab

Gitlab, if you have the right license, ships with a static analysis tool. It integrates better with Gitlab, but didn't seem to have the same quality output that Sonarqube did. Sonarqube's community version is plenty suitable for day to day analysis operations.

Other Software Used

Skype for Business (formerly Lync), Slack

Likelihood to Recommend

Any modern-day CI/CD tool chain should include a static analyzer such as SonarQube. Using such a tool helps enhance the overall security of your application and helps train developers along the way. SonarQube does this exceedingly well and is lightweight enough to deploy quickly and easily. Definitely a great addition to your toolset.

Sonarqube is a worth static analysis tool

Overall Satisfaction with SonarQube