
SonarCloud Overview

SonarCloud is the #21 ranked solution in our list of AST tools. It is most often compared to Veracode: SonarCloud vs Veracode

What is SonarCloud?

SonarCloud is the leading online service to catch Bugs and Security Vulnerabilities in your Pull Requests and throughout your code repositories. Totally free for open-source projects (paid plan for private projects), SonarCloud pairs with existing cloud-based CI/CD workflows, and provides clear resolution guidance for any Code Quality or Code Security issue it detects. With more than 1 billion lines of code analyzed every week, SonarCloud empowers development teams of all sizes to write cleaner and safer code, across 24 programming languages.


SonarCloud Customers

Microsoft, Apache, Wikimedia foundation, Brave

SonarCloud Reviews

Hans Teffer
Senior Security Consultant at Tafhar IT Services
Well priced, good for basic needs, but is too limited

Pros and Cons

  • "For what it is meant to do, it works pretty well."
  • "I've been told by the developers that the solution is too limited. It's not testing enough within the containers."

What is our primary use case?

The solution is a static code analysis tool. That's basically what we use it for in our organization.

What is most valuable?

We bought the solution due to the fact that it was the lowest price. 

For what it is meant to do, it works pretty well. 

It's good for analysis.

What needs improvement?

I've been told by the developers that the solution is too limited. It's not testing enough within the containers. For instance, it only checks for obvious code errors. They should work to improve this.

At the moment we needed to scan the code that the developers were producing, we found out that we needed more features.

For how long have I used the solution?

I've been using the solution for six months or so now. It's been less than a year.

Which solution did I use previously and why did I switch?

The former product we used was Twistlock.

How was the initial setup?

I haven't had much experience with the initial setup. I can't speak to what the deployment or setup was like.

What's my experience with pricing, setup cost, and licensing?

The pricing is very good.

Which other solutions did I evaluate?

We're currently looking into other options.

We're either looking for an integrated product for the whole CI/CD pipeline, such as StackRox, or we're looking at Fishman from Palo Alto. We're also looking at individual products for the whole CI/CD pipeline. In fact, this afternoon we are having a meeting to further discuss what tools we will use, or what we can use for dependency decks in the whole CI/CD pipeline, and for us to get a container image.

What other advice do I have?

We're a customer and an end-user of the product. We don't have a business relationship with them. 

I'm not sure which version of the solution we're using.

I'd advise potential users to first check all the features to see if what they need is there, and then check them off to ensure that SonarCloud fills all their needs.

It's a good product for its purpose.

I'd rate the solution at a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.