SonarQube Experience
August 26, 2024

Score 10 out of 10
Vetted Review
Verified User
Overall Satisfaction with SonarQube
It is one of the components within the gateway to get products into production. We have over 700 projects and just over 20m lines of code.
We have been using it since 2018.
We focus currently on vulnerabilities with required gates and stepped options with temporary "get well plans". The more advanced teams are focusing on the quality aspect and self-manage their maturity. But there are currently no hard lines for quality at this time except for team-agreed-upon minimum complexity and duplication standards on new code.
Regarding Helm charts and Kubernetes... this was long awaited and welcomed! Making our deployments easier. Concern was on testing and such; there was a misstep in the last 10.6.0 push which caused a slight concern, but SonarSource was very quick at getting 10.6.1 out and distributing the information.
The only other concern we had, that we hadn't experienced in the past (at least not like this), was the change of JDKs at minor versions, scanners, linters, especially without backwards compatibility, where pipelines must actively change from JDK 11 to JDK 17, which might be tough for groups who have large amounts of pipelines. Pipelines which support templates that inject SAST requirements help a bunch to reduce the scope of pipeline changes, but it still caught us by surprise. This sort of change is expected at major versions, right... But still, very stable... this hiccup didn't sway our thoughts about the product overall.
We're still trying to figure out how we can reduce costs... although value is very tangible to some, the significant overhead is often questioned. Prompts us into discussions that force decisions on which code bases to remove, even if temporarily, for code that is relatively static for long periods.
We really appreciate the engagement of the SonarSource Community site. We use it to stay informed and to get quick insights and responsive support. Great folks out there--appreciate them and the engagement and they represent SonarSource well.
Pros
- community engagement
- stability
- documentation is improving
- samples/examples are improving
Cons
- helm charts stability
- minimize breaking changes on minor builds--incl scanners, linters
- security
- ease of integration
Some are still under consideration. Pricing is a big component. Some FOSS products that have been considered are at par (at least for our needs) or catching up. Although the amazing support in the community weighs hard on the value. So, if it went away... so would some arguments on staying with SonarQube in some minds.
Do you think SonarQube Server delivers good value for the price?
Not sure
Are you happy with SonarQube Server's feature set?
Yes
Did SonarQube Server live up to sales and marketing promises?
Yes
Did implementation of SonarQube Server go as expected?
Yes
Would you buy SonarQube Server again?
Yes