Item: SonarQube
Rating: 8
Author: Randy Varela

Use Cases and Deployment Scope

SonarQube is our primary DevSecOps tool, helping us and our customers to create a secure development program for our applications and changes in infrastructure.

SonarQube is easy to use once installed and recently we've been using the cloud version (SonarCloud) even easier to integrate with our current tools and infrastructure.

Pros and Cons

SAST
DEVSECOPS
BUGS
SECURITY BEST PRACTICES

Not easy to install
No support on free version
Community Support

Most Important Features

SAST
Security Rules
DevOps integration

Return on Investment

It's Free so no big impact on investment
Nice reporting
Up-to-date rules

Alternatives Considered

Azure DevOps Services

Key Insights

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

Did implementation of SonarQube go as expected?

Yes

Would you buy SonarQube again?

Yes

Likelihood to Recommend

SonarQube is a good tool for DevSecOps, it has been with us for years, it's free and it's helping on the security pipeline of many popular and critical development nowadays (Apache struts, Brave, ...). SonarQube is community maintained but fairly up-to-date against recent threats also integrates very quick with most of the common DevOps tools such as Jenkins, Azure DevOps and GitHub

SonarQube your free & friendly DevSecOps tool

Overall Satisfaction with SonarQube