SonarQube, the best choice for a Static Code Analysis tool leveraging application security at large
Updated April 26, 2022

Debobrata Bose | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with SonarQube

SonarQube is being used in my organization as a Static Application Security tool which will detect the security issues in code and will try to fix the vulnerabilities that compromise the app. It is currently being used in all the projects in my department.
It is being used in our Azure DevOps Continuous Integration pipeline to identify the vulnerabilities in code, and it provides detailed issue descriptions and code highlights that explain why your code is at risk.
  • Identifies security vulnerabilities and highlights the code
  • Highlights suspicious code snippets that developers should review
  • Providing security feedback during code review
  • Identify technical debts in code
  • The community version has some issues, for example integrating with Azure or Single Sign-On
  • Automation scripts can be improved. At times you have to configure some of the rules in the detection yourself
  • It takes time to configure and create profiles
  • Jenkins, Bitbucket, Gradle, Travis CI, etc. are some of the popular tools that integrate with SonarQube, i.e. CI/CD integrations
  • Getting feedback during code review
  • Identify Technical Debts
  • Identify and fix application vulnerabilities in code
  • Faster detection and identification of bugs
  • Faster feedback to developers to improve code quality
  • Integration with IDE
SonarQube is open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty decent. Pipeline scan is more secure in SonarQube. It's a very good tool and it supports multiple languages. Its main core competency is static code analysis; that is why SonarQube exists, and it does it exceedingly well. The quality of the scan on code conventions, best practices, coding standards, unit test coverage, etc. makes it one of the most competent tools in the market.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

Yes

Did implementation of SonarQube go as expected?

Yes

Would you buy SonarQube again?

Yes

SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good, and it's not really difficult to get through the settings. It's possible to build many rules that apply to each programming language, for example .NET and Java. You can easily set up rules, even with the community version. It's a great tool, but you have to have a good project plan before being introduced to the tool. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality.