Code scanning for developers
April 30, 2021

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with SonarQube

Our organization has a dedicated static security scanning tool we run against our code to check for vulnerabilities. While the security team runs this, the development team is running SonarQube to track bugs, code quality, and code.
  • Nice UI.
  • Easy to see a project status and if it is passing/failing.
  • Simple but explanatory bug descriptions.
  • Code smells could be better at reducing repeated findings.
  • Code coverage metrics.
  • Grades for applications.
  • Code duplication metrics.
  • Free and open source.
  • Has helped our development team clean up their code.
  • Helps maintain code coverage.
SonarQube doesn't do as good a job of finding security vulnerabilities as dedicated SAST software, but it does more for code quality that the developers want to see. A comparison of SonarQube to something like Veracode or Fortify isn't apples to apples since they're not focused on the same things.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of SonarQube go as expected?

I wasn't involved with the implementation phase

Would you buy SonarQube again?

Yes

I think the setup we have of using SonarQube as a code quality tool alongside a dedicated security scanning tool makes a lot of sense. The tools scanning for security issues don't usually cover things the developers want to see, like code quality metrics, but give better results for vulnerabilities. If they see security issues getting flagged in SonarQube and fix those too, well, that's a win for security.