We just raised a $30M Series A: Read our story

SonarQube OverviewUNIXBusinessApplication

SonarQube is the #1 ranked solution in our list of application security tools. It is most often compared to Checkmarx: SonarQube vs Checkmarx

What is SonarQube?

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube is also known as Sonar.

SonarQube Buyer's Guide

Download the SonarQube Buyer's Guide including reviews and more. Updated: September 2021

SonarQube Customers

Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

SonarQube Video

Pricing Advice

What users are saying about SonarQube pricing:
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "The developer edition is based on cost per lines of code."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."

SonarQube Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
SR
Team Lead at a computer software company with 10,001+ employees
Real User
Top 20
This is a very capable analysis tool for development projects but the free version has limitations

Pros and Cons

  • "It is a very good tool for analysis despite its limitations."
  • "There is a free version."
  • "There are limitations to the free version that limit development options as far as languages."

What is our primary use case?

We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.  

What is most valuable?

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

What needs improvement?

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.  

There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and over-all have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them.  

We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.  

For how long have I used the solution?

We have been using SonarQube for maybe for a year or so. A little more than that.  

What do I think about the stability of the solution?

The stability is good. We are not having problems with the product failing.  

What do I think about the scalability of the solution?

The stability of SonarQube is good. The scaling part is the problem. We cannot scale to all the other products that we want to use and we cannot improve and scale to other languages.  

The language issue is one that we are facing. If you want to use some languages like maybe tool languages or something people want to use, they are not all available in Sonar. In the commercial version of Sonar they may be available. But the free version, there are some limitations.  

So we do understand the limitations of the scalability. The free tool comes with its own advantages and disadvantages and limitations on scalability is one of the disadvantages.  

How are customer service and technical support?

We do not really have very much contact at all with technical support because SonarQube quite user friendly and intuitive. Technical support is not actually available with the free product, but we do have access to community tools online.   

There was this one issue that we had where we had raised a question in the community. We found that if we scanned our project with SonarLint and if we scanned our project with SonarQube, it was giving some different results. SonarQube was showing some issues and SonarLint was not showing any issues at all. There was a clear difference in the report. But when we Googled this issue and looked on the support web site, we found now that SonarLint does not give you the errors around integration. When it comes to SonarQube, it automatically integrates with other processes and scans your port to that. SolarLint does not do this in the same way. This is why SonarQube might give you some errors that SolarLint does not.  

So we are not in contact the company support. When there are times when we do have an issue, we see what we can Google or the SonarQube community. Usually, we do find out our answers.  

How was the initial setup?

The initial setup is quite straightforward. The setup process is very reasonable as far as it is logical and very simple. It doesn't take much time.  

Which other solutions did I evaluate?

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in Checkmarx.  

What other advice do I have?

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hilman Tehrani
Information Technology Technical Architect at a insurance company with 51-200 employees
Real User
Top 5Leaderboard
Open-Source, easy to use interface with minimal coding required

Pros and Cons

  • "The product has a friendly UI that is easy to use and understand."
  • "The documentation is not clear and it needs to be updated."

What is our primary use case?

SonarQube can be used for any missing components or component vulnerabilities.

How has it helped my organization?

Sonarqube has improved our best practice of pair programming that aligned with the CI pipeline.

What is most valuable?

The product has a friendly UI that is easy to use and understand. Especially, the admin's control panel is very good and It's not really difficult to get through the settings.

With minimal coding experience, we can build many rules that apply for each programming language, for example, CSS, and Java. You can easily set up rules. We are luckily able to do this with the community version.

With other community versions, you are not always allowed to customize the profile for example. With the SonarQube Community Edition, it's authorized.

What needs improvement?

Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT.

The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support.

It takes time to configure and create profiles. We need to improvise the way we introduce new tools.

We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.

Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.

Support needs to improve with their response time.

There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.

In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.

They advance their product without addressing security or internal codes.

For how long have I used the solution?

SonarQube has been in place for one year, but we have only been using it for the last three months.

What do I think about the scalability of the solution?

It's a scalable product. We have approximately 40 users.

How are customer service and technical support?

We have contacted support but it's not mandatory operating support and takes some time to get a reply.

Which solution did I use previously and why did I switch?

We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.

How was the initial setup?

The initial setup is straightforward.

It takes a week to complete the deployment.

What's my experience with pricing, setup cost, and licensing?

We are using the open-source community version, but there are enterprise licenses available.

What other advice do I have?

I am a user of SonarQube and I am responsible for the information security.

I'm the principle of security in the office. I advise others of enhancing and incorporating security aspects into the IP.

We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers.

It is better to have a technical review before deployment to production. Developers must review before going into production.

It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.

Before introducing any application tools, know the visibility of the project.

I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.

It's also a part of corporate policy to know everything before it is published into the CI pipeline.

There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.

I would recommend SonarQube to be on your initial plan for perfect quality.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
541,708 professionals have used our research since 2012.
Gustavo Lugo
Chief Solutions Officer at CleverIT B.V.
Reseller
Top 10
Easy to deploy and applicable for various uses

Pros and Cons

  • "It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
  • "In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

What is our primary use case?

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

What is most valuable?

In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.

What needs improvement?

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

For how long have I used the solution?

I have been using SonarQube for about four years, with different versions.

What do I think about the stability of the solution?

SonarQube works very well, but I prefer SonarCloud because the tendency of the technology world is to think less about the structure and more about the process and the value that this process provides.

What do I think about the scalability of the solution?

In terms of scalability, with proper configuration and deployment, there is higher availability.

I have companies with 20 users and I have customers with 100 users. We work with a big company in Chile and in some cases national companies, in other cases international companies. With the international companies the majority of them are more than 1,000 users.

I have a technical DevOps team. The majority of the time we implement the trial version so that we show the value of the tool to our clients and they understand about the pricing and the cost of the tool.

It depends on the maturity of the company. In some case, we have companies that don't know about SonarQube so we deploy it to show the value. In other cases we have clients with no SonarQube experience but they know the quality of the codes. In this case we provide a license. In the majority of the cases we provide the license or the subscription for SonarCloud. Other clients get access to SonarQube directly.

How are customer service and technical support?

I have never used technical support from the SonarQube support team.

I work very well with the documentation you find on the internet.

How was the initial setup?

The initial setup is straightforward the majority of time. It takes about two hours.

What about the implementation team?

I work in a consultancy company so we do the implementation. We deploy for our customers.

Which other solutions did I evaluate?

We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

What other advice do I have?

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
YB
Devops Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Security hotspot feature identifies where your code is prone to have security issues

Pros and Cons

  • "The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
  • "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."

What is our primary use case?

We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.

What is most valuable?

The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.

It also gives you a very good highlight of what's changed, and what has to be changed in the future.

Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.

Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.

What needs improvement?

There are various standards that are followed. Awareness is a must.

Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.

For how long have I used the solution?

I have been using SonarQube for three years. 

What do I think about the stability of the solution?

It is quite stable. There are no kind of issues that we face on SonarQube. It's just about the awareness where the users are not aware of a feature and that's where we need to jump in and explain some of the features about how it works.

What do I think about the scalability of the solution?

It's definitely easy to scale. 

How are customer service and technical support?

We do contact them based on the project team requirement. We contact them if they have to set up any specific kind of portfolio application and such application et cetera, internal.

Their support is good. They respond quickly. The response time is very good. They answer the queries within 24 to 48 hours. That's a plus for them. It's a very costly product, so we use the enterprise-level product. It does consume a lot of license cost for that.

Which solution did I use previously and why did I switch?

We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work. 

How was the initial setup?

The initial setup is simple. It's basically an orchestration platform on which I manage around 400 SonarQube incentives.

It's a mass production environment. I'm currently managing around 400 plus teams who are using the product. We are trying to migrate it onto Kubernetes.

The setup takes around five to ten minutes as I have created automation. 

It requires maintenance on the platform side, but not on the SonarQube side. Because there is a DB cleanup automatically inbuilt in Sonar, it does not require much to maintain within SonarQube itself.

It eats up a lot of memory. For a stack it's around 2.5GB. We use it on a daily basis. 

What's my experience with pricing, setup cost, and licensing?

Everything is included in the standard licensing. 

What other advice do I have?

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects

The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes. 

In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface.

I would rate it an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PC
Engineer at a pharma/biotech company with 201-500 employees
Real User
Top 20
Good static code analysis and benchmarking but the library could support more languages

Pros and Cons

  • "The most valuable features are the segregation containment and the suspension of product services."
  • "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."

What is our primary use case?

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

What is most valuable?

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

What needs improvement?

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

The stability is good. 

The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.

What do I think about the scalability of the solution?

Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently. 

We have 50 developers' licenses.

There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.

It is integrated with our CICD department and is being used extensively.

We do have plans to increase the usage of SonarQube.

Which solution did I use previously and why did I switch?

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We did not use a vendor team, it was done by us.

What's my experience with pricing, setup cost, and licensing?

The developer edition is based on cost per lines of code.

Which other solutions did I evaluate?

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.

The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AhmedSaber
Senior/Lead Software Engineer at a government with 51-200 employees
Real User
Top 10
Stable with good static code analysis but needs better security

Pros and Cons

  • "The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
  • "There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."

What is most valuable?

When it comes to security, this solution is pretty great.

The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.

The solution is quite stable.

You can scale the solution if you need to.

What needs improvement?

In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front.  Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis. 

There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products.

The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.

It would be great if it could support testing and configurations a bit more. 

For how long have I used the solution?

We've only been working with the solution for one year. It hasn't been that long.

What do I think about the stability of the solution?

The solution is very stable. We don't have any issues with its reliability. It's been quite good so far.

What do I think about the scalability of the solution?

The architecture that we have is not that big, however, from the scalability point of view, SonarQube supports scalability quite well.

At the moment, we have a hybrid working model on the vendor side, as well as on the in-house team. The in-house team has 5 members and the vendor has maybe 20 people, more or less. All in all, we can say we have about 25 people using the solution at any given time.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.

What's my experience with pricing, setup cost, and licensing?

Right now, we are not using the enterprise features of the solution. I don't know about the licensing as I was not the one who introduced SonarQube into the pipeline. I believe we are using the free community edition and therefore aren't actually paying any money for it.

Which other solutions did I evaluate?

I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.

What other advice do I have?

We're just customers. We don't have a business relationship with the company.

I believe we are using the latest version of the solution, however, I don't know the exact number.

I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products.

Overall, I would rate the solution seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AJ
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
Very stable and easy to integrate, but is a bit expensive

Pros and Cons

  • "The reporting and the results are quick. It gets integrated within the pipeline well."
  • "The pricing could be reduced a bit. It's a little expensive."

What is our primary use case?

We generally use the solution in order to do static code analysis.

What is most valuable?

What I like about SonarQube is the integration of the pipelines. It is pretty easy. 

The reporting and the results are quick. It gets integrated within the pipeline well.

The solution is very stable.

The scalability is very good.

We found the initial setup to be straightforward.

What needs improvement?

The solution has a very shallow SAST scanning. That is something that can be improved. 

I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.

The pricing could be reduced a bit. It's a little expensive.

For how long have I used the solution?

We've been using the solution for the past two years or so. It's been a while.

What do I think about the stability of the solution?

The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.

What do I think about the scalability of the solution?

I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.

It is integrated within our pipelines. It gets used every day.

Right now we are not scaling the solution. It is just one server that we have. It is static of sizing and we do not scale it.

How are customer service and technical support?

We do have an enterprise version, however, that does not include the support right now.

If we have any issues we're trying to resolve them on your own. So far, that has been sufficient.

Which solution did I use previously and why did I switch?

We are also onboarding Checkmarx. We use both solutions.

We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not. 

How was the initial setup?

The initial setup is pretty simple.

I do not recall the exact amount of time it took to deploy the solution.

It does not require a lot of maintenance. It's just that whenever any latest version is coming in, we just have to upgrade it.

What about the implementation team?

We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrtors. It was all handled in-house.

What's my experience with pricing, setup cost, and licensing?

What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could be also a bit reduced.

What other advice do I have?

We are just a customer and an end-user.

While we installed the solution on the cloud, we host it on our machines.

I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful.

It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have.

I would rate the solution at a six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
TS
Security consultant at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Enables the developers to code securely and comes with a free community edition

Pros and Cons

  • "It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
  • "If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."

What is our primary use case?

We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.

I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle. 

What is most valuable?

It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. 

SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition. 

What needs improvement?

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.

From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes. 

For how long have I used the solution?

It has been just three days since I deployed this solution. I have just configured the Community edition of SonarQube, and now I am searching for some Java products to test the solution. 

Which solution did I use previously and why did I switch?

I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead than Micro Focus Fortify because SonarQube has a cloud solution. Micro Focus Fortify does not support cloud-based hosting.

How was the initial setup?

The initial setup was simple for me. It was very straightforward and to the point. The documentation was also very much to the point and perfectly explained.

There are open source solutions for the Linux environment that let you automatically deploys everything in the new environment by using a specific file, but SonarQube doesn't have that file. That would be a plus point.

What about the implementation team?

I deployed it myself. Because of our Linux environment, it took me around three hours. I was reading the documentation and learning about configuration-related parameters while deploying this solution.  

What's my experience with pricing, setup cost, and licensing?

For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions. 

Which other solutions did I evaluate?

We have already used SonarLint. I am considering both SonarLint and SonarQube.

What other advice do I have?

I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what is the feedback from a developer's point of view.

I highly recommend SonarQube. I would rate this solution a ten out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.