SonarQube Review

Ensures compliance with corporate coding standards and reduces technical debt

What is our primary use case?

Our primary use for this solution is to improve code quality and reduce technical debt.

How has it helped my organization?

This solution is part of our pipeline. We use GitLab for source control and Jenkins to build management. Jenkins kicks off our SonarQube scans, we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release.

Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.

What is most valuable?

The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues.

SonarQube is really good for finding coding standards when people deviate from what we have set corporately.

What needs improvement?

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me.

The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the same piece of code through both SonarQube and Checkmarx and there is no comparison between the vulnerabilities that each finds. Checkmarx may find fifty, whereas SonarQube will only find fifteen or twenty.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

I haven't had any issues with stability and we see it as quite stable.

The only time we had an issue was because we used a third-party plugin for it to integrate with another piece of software and there was a versioning issue. Other than that, we haven't had any trouble. We've had to integrate it with our LDAP and everything seems to run quite smoothly.

What do I think about the scalability of the solution?

We are in the process of bringing on more projects right now. We are running probably forty-five right now, and we haven't had an issue.

We have approximately one hundred users. There are some developers, but mainly product managers who are using it to track the numbers, and see if they're moving in the right direction or not. We have it integrated with some of our IDEs that we use corporately, and the developers are using it to check for bugs before they check code in.

Right now it's a small subset of the company that is using this solution, and there are plans to increase it. They are already starting to onboard more teams. Our DevOps manager is starting to push it upon more and more projects.

How are customer service and technical support?

We haven't really had any issues, so I can't speak much about technical support. There is also a large community out there who uses it.

Which solution did I use previously and why did I switch?

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

How was the initial setup?

The initial setup was fairly straightforward. It's well documented and the documentation is easy to read.

We rolled it out to one server that was used as a POC, which was later moved into a production environment. We then rolled out a second one for Dev to test doing upgrades, which we do on a regular basis. Every time a new LTS (Long Term Support) version comes out then we run an upgrade.

Only one person is required in order to handle the maintenance. It is easy to maintain.

What about the implementation team?

We handled the deployment in-house.

What was our ROI?

I do not know the metrics, but they are being tracked for the projects. Better code is being built with fewer defects, bugs, and issues. Our DevOps manager is increasing its usage, so he definitely sees value in it. 

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use.

There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now.

I would rate this solution an eight out of ten.

Which version of this solution are you currently using?

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More SonarQube reviews from users
...who work at a Computer Software Company
...who compared it with Fortify Application Defender
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: August 2021.
534,299 professionals have used our research since 2012.
Add a Comment
ITCS user