May 20 2019
What is most valuable? I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and…
How has it helped my organization? We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better…
What needs improvement? We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out…
If you previously used a different solution, which one did you use and why did you switch? We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.
What other advice do I have? I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of…
Which other solutions did I evaluate? We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how…
May 16 2019
What is most valuable? There are two major use cases. One is to integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.
How has it helped my organization? SonarQube has not yet had an impact on our organization. In the past, however, I've used it to control the security vulnerabilities and establish standards for API control.
What needs improvement? I haven't really done a comparative analysis yet. We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're…
What other advice do I have? From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
Updated: November 2019.
May 28 2019
What is most valuable? The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues. SonarQube is really good for finding coding standards when people deviate from what we have set corporately.
How has it helped my organization? This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release. Using…
What needs improvement? I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me. The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the…
If you previously used a different solution, which one did you use and why did you switch? We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.
What other advice do I have? My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that…
Jun 03 2019
What is most valuable? Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.
How has it helped my organization? We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value…
What needs improvement? I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to…
If you previously used a different solution, which one did you use and why did you switch? It was years ago. They probably evaluated other solutions. We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.
What other advice do I have? My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In…
Jun 12 2019
What is most valuable? Code analyzing is very valuable for detecting vulnerabilities but it has limitations.
How has it helped my organization? It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improve code quality and basic security.
What needs improvement? With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code…
What's my experience with pricing, setup cost, and licensing? The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is…
If you previously used a different solution, which one did you use and why did you switch? We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.
What other advice do I have? I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with…
Which other solutions did I evaluate? We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered…
Jun 20 2019
Easily integrates with Jenkins and the information on the dashboard makes it easy for the developers to work on
What is most valuable? The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.
How has it helped my organization? It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.
What needs improvement? Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of…
If you previously used a different solution, which one did you use and why did you switch? No, not that I am aware of.
What other advice do I have? SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it…
May 09 2019
What is most valuable? The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
How has it helped my organization? This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between…
What needs improvement? A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, also gives the benefit of a single pane of glass view, although we…
What's my experience with pricing, setup cost, and licensing? A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.
If you previously used a different solution, which one did you use and why did you switch? I did not use another solution prior to this one.
Which other solutions did I evaluate? We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.
May 25 2019
What is most valuable? The quantification and reporting features are really good.
How has it helped my organization? This solution figures out and tells you when there are code quality issues.
What needs improvement? The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that…
What's my experience with pricing, setup cost, and licensing? The costs for this application, for the kind of job it does, are pretty decent.
If you previously used a different solution, which one did you use and why did you switch? We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution…
What other advice do I have? This product is good but it is not meant to be a single solution for all issues. If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then…
What is SonarQube? SonarQube is the central place to manage code quality, offering visual reporting on and across projects and enabling to replay the past to follow metrics evolution
Also known as: Sonar
SonarQube customers: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay