SonarQube - solid static code analysis tool
January 19, 2023

Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with SonarQube

We use SonarQube in the software department in our DevOps pipeline to analyze source code for our application and provide metrics on issues that it identifies within the codebase. Basically we'll run SonarQube at various steps of code check-ins and merges as one of many metrics to determine code quality and alert the teams to potential issues in recently checked-in code that may need to be triaged and addressed.
  • Works well with .Net
  • Has a nice extension that allows us to run it in our IDE (Visual Studio)
  • Is customizable in the sense that you can write your own rule set that you want SonarQube to analyze the code against
  • Often it finds errors that aren't really errors that have impact; it takes a lot of time to sort through those cases
  • It's a good screener, but by no means can it catch all bugs or be the sole predictor of code quality, so the metrics that it provides need to be caveated when reporting to leadership, etc.
  • Ease of implementation within our DevOps pipeline
  • Has integration with our company's IDE of choice (Microsoft Visual Studio)
  • Works well with .NET framework
  • Positive ROI from the standpoint of flagging several issues that would have otherwise likely been unaddressed and caused more time to be spent closer to launch
  • Slightly positive ROI from time-saving perspective (it's an automated check which is nice, but depending on the issues it finds, can take developers time to investigate and resolve)
SonarQube deployment worked well with our pipeline and had the right integrations with our IDE, and it worked well with analyzing .NET frameworks. Compared to GitHub and GitLab, which have some of the functionality and can do some checks, SonarQube made more sense given our existing DevOps pipeline.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of SonarQube go as expected?

I wasn't involved with the implementation phase

Would you buy SonarQube again?

Yes

Overall it's a nice check to incorporate into the DevOps pipeline as another sanity check on the code that's being checked in and the codebase in general. It's good as a supplemental tool, but not if an org is looking for a complete view into code quality or security. Basically SonarQube is able to give you some flagged issues to look into and a metric that reflects the number of issues it identifies in the code, but it still requires developers to take a second look and adequately triage which of the SonarQube issues are high impact and need to be addressed.