1. Home
  2. Static Application Security Testing (SAST) Tools
  3. SonarQube Reviews
  4. User Review of SonarQube
SonarQube: The go-to tool for code quality
June 20, 2021

SonarQube: The go-to tool for code quality

Prathamesh Sawant | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with SonarQube

SonarQube is currently used in silos in our organizations. One of our departments is using it full-time for all their code repositories whereas in the other department we are slowly ramping up from a POC to full-blown organization-wide usage. For us it solves the problems of Code quality, figuring out static code issues, bad coding practices, and mostly enabling toll-gating on our side to prevent bad code from making it to the production environments.
  • Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
  • Ability to define custom rule sets, based on our organizational requirements.
  • Ability to add custom toll-gating for different applications.
  • Enterprise license is very costly.
  • Runs only on Java 11.
  • Another major issue is the way elastic search is used in Sonarqube, it makes it slightly challenging to run on a cloud environment like AWS.
  • Code quality determination.
  • Ease of integration with Jenkins CI/CD.
  • Integration with Github and code review process.
  • Improved code quality.
  • Bad coding practices/static code issues are caught in the Dev phase itself.
Codacy:
  1. Pros
    1. Code quality tests
    2. Code quality trending
    3. Security analysis
    4. Claims integrations with BitBucket, JIRA, Slack, although hard to find detail on their web page.
      1. https://www.codacy.com/products/bitbucket-code-review
      2. https://support.codacy.com/hc/en-us/sections/201760869-Integrations
  2. Cons
    1. Website is light on technical details
    2. Relatively new product from a small startup. https://www.crunchbase.com/organization/codacy
    3. No BitBucket code review integration
    4. $15/per user/per month, no free tier
WhiteSource
  1. Pros
    1. BitBucket code review integration.
    2. Open source license and vulnerability testing.
  2. Cons
    1. No code analysis, just open source dependency checking.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

Yes

Did implementation of SonarQube go as expected?

Yes

Would you buy SonarQube again?

Yes

SonarQube is well suited for the following:
  1. Code scanning & determining static code issues and bad practices.
  2. Customizing these rules and blockers at the application/module level.
  3. Easy integration with Jenkins CI/CD pipeline.
  4. Enterprise version provides the ability to integrate the scanning results with the code review process.
It's less appropriate, if:
  1. If you are a small organization & can't afford the enterprise license costs. You can go ahead with a free community version in this case albeit with limited features.
  2. Needs Java 11 & PostgresSQL database, which are not very common in most companies.