Don't Skip Static Analysis with Sonar!
January 18, 2023


Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with SonarQube

In my company, we started using SonarCloud (the SaaS version) a couple of years ago, and then quickly switched to the enterprise edition of SonarQube. This edition offered several governance features that were not available in the other types of Sonar subscription.
Since then, we have made automated Sonar scanning mandatory for all projects, integrated directly into our CI/CD pipelines.

Pros

  • Scanning source code for a defined set of quality gates and rules
  • Reporting security issues with static scans
  • Managing application portfolios in the enterprise edition

Cons

  • The scanner is a bit heavy and could be rewritten in a lighter language (like Go or Rust)
  • Scans can take a bit of time
  • Some languages like C++ are much harder to scan than others
  • Portfolio management in the enterprise edition
  • Custom quality gates depending on the application and teams
  • Security vulnerability detection
  • Extensibility to adapt to many different technical landscapes
  • Scanned applications are more secure for sure
  • Developed applications are much more maintainable
  • Scanned apps are much more secure

Getting SonarQube instead of the other tools we tested was an easy choice. Snyk was way too limited to only Docker images and dependency analysis at that time. And Checkmarx was very hard to adapt to our needs: configuring custom quality gates was way too much of a hassle. Sonar was the much better adapted tool for the job: the scans were fruitful, and it was much easier to customize to our needs. The core of Sonar is also open source, which is a big plus in our company.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

Yes

Did implementation of SonarQube go as expected?

Yes

Would you buy SonarQube again?

Yes

Honestly, a tool like SonarQube should always be used for any project that uses a supported language (there are lots of them).
When developers produce applications and source code, it's easy for them to miss critical quality and security issues in their Pull Requests.
Sonar makes it much easier to detect those kinds of issues, and allows the builds to fail if the quality thresholds are not respected for some reason.
It's easy for those kinds of issues to end up in production if they are not detected early within the CI/CD steps.
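The reviewer's point that a scan should fail the build when the quality gate is not met is usually wired into the CI job as a small step after sonar-scanner runs. The script below is an added example, not code from the review or from SonarSource. It assumes that the scanner has written its default `.scannerwork/report-task.txt` (which contains `serverUrl` and `ceTaskId`), that the server exposes the standard Web API endpoints `api/ce/task` and `api/qualitygates/project_status`, and that the token is passed in an environment variable named `SONAR_TOKEN`; the variable name, the constructed sample payload and the helper names are assumptions for this example. Recent sonar-scanner versions can do the same wait with the `sonar.qualitygate.wait=true` property; the script is useful when you want to log which conditions failed or apply your own policy.

```python
"""Added example (not from the review): fail a CI job on a SonarQube quality gate.

Assumes sonar-scanner already ran and wrote .scannerwork/report-task.txt, and
that SONAR_TOKEN holds a user token for the server named in that file.
"""
import base64
import json
import os
import sys
import time
import urllib.request


def parse_report_task(text):
    """Parse the key=value lines sonar-scanner writes to report-task.txt."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def evaluate_project_status(payload):
    """Decide from an api/qualitygates/project_status response whether the build may pass.

    Returns (passed, failed_metric_keys). Only conditions in ERROR state fail the
    build; WARN-level conditions are reported by the server but do not block here.
    """
    status = payload.get("projectStatus", {})
    failed = [
        cond.get("metricKey", "?")
        for cond in status.get("conditions", [])
        if cond.get("status") == "ERROR"
    ]
    return status.get("status") == "OK", failed


def fetch_json(url, token):
    """GET a Web API endpoint; SonarQube takes the token as basic-auth user name."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(server_url, task_id, token, timeout_s=600, poll_s=5):
    """Poll the background task until it reaches a terminal state."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        task = fetch_json(f"{server_url}/api/ce/task?id={task_id}", token)["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        time.sleep(poll_s)
    raise TimeoutError("SonarQube analysis did not finish within the timeout")


# Constructed sample of a project_status response with one failing condition,
# used so the gate logic can be exercised without a server.
SAMPLE_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed"},
        ],
    }
}


def main(argv):
    report_path = argv[1] if len(argv) > 1 else ".scannerwork/report-task.txt"
    token = os.environ.get("SONAR_TOKEN", "")
    with open(report_path, encoding="utf-8") as fh:
        props = parse_report_task(fh.read())
    task = wait_for_analysis(props["serverUrl"], props["ceTaskId"], token)
    if task["status"] != "SUCCESS":
        print(f"analysis task ended with status {task['status']}")
        return 2
    url = f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}"
    passed, failed = evaluate_project_status(fetch_json(url, token))
    if not passed:
        print("quality gate failed on: " + ", ".join(failed))
        return 1  # non-zero exit makes the CI step, and so the build, fail
    print("quality gate passed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the pipeline job, after sonar-scanner, with `SONAR_TOKEN` injected as a CI secret; the non-zero exit code is what blocks the merge, and the printed metric keys tell the developer which gate condition to fix.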
