Don't Skip Static Analysis with Sonar!
January 18, 2023
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with SonarQube
In my company, we started using SonarCloud (the SaaS version) a couple of years ago, and then quickly switched to the Enterprise Edition of SonarQube. This edition offered several governance features that were not available in the other types of Sonar subscription.
Since then, we have made automated Sonar scanning mandatory for all projects, integrated directly into our CI/CD pipelines.
- Scanning source code for a defined set of quality gates and rules
- Reporting security issues with static scans
- Managing application portfolios in the enterprise edition
- The scanner is a bit heavy and could be rewritten in a lighter language (like Go or Rust)
- Scans can take a bit of time
- Some languages like C++ are much harder to scan than others
- Portfolio management in the enterprise edition
- Custom quality gates depending on the application and teams
- Security vulnerability detection
- Extensibility to adapt to many different technical landscapes
- Scanned applications are more secure for sure
- Developed applications are much more maintainable
- Scanned Apps are much more secure
Getting SonarQube instead of the other tools we tested was an easy choice. Snyk was far too limited to only Docker images and dependency analysis at that time. And Checkmarx was very hard to adapt to our needs: configuring custom quality gates was way too much of a hassle. Sonar was the much better adapted tool for the job: the scans were fruitful, and it was much easier to customize to our needs. The core of Sonar is also open source, which is a big plus in our company.
Do you think SonarQube delivers good value for the price?
Yes
Are you happy with SonarQube's feature set?
Yes
Did SonarQube live up to sales and marketing promises?
Yes
Did implementation of SonarQube go as expected?
Yes
Would you buy SonarQube again?
Yes