AJ
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
Very stable and easy to integrate, but is a bit expensive

Pros and Cons

  • "The reporting and the results are quick. It gets integrated within the pipeline well."
  • "The pricing could be reduced a bit. It's a little expensive."

What is our primary use case?

We generally use the solution in order to do static code analysis.

What is most valuable?

What I like about SonarQube is the integration of the pipelines. It is pretty easy. 

The reporting and the results are quick. It gets integrated within the pipeline well.

The solution is very stable.

The scalability is very good.

We found the initial setup to be straightforward.

What needs improvement?

The solution has a very shallow SAST scanning. That is something that can be improved. 

I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.

The pricing could be reduced a bit. It's a little expensive.

For how long have I used the solution?

We've been using the solution for the past two years or so. It's been a while.

What do I think about the stability of the solution?

The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.

What do I think about the scalability of the solution?

I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.

It is integrated within our pipelines. It gets used every day.

Right now we are not scaling the solution. It is just one server that we have. It is statically sized and we do not scale it.

How are customer service and technical support?

We do have an enterprise version, however, that does not include the support right now.

If we have any issues, we try to resolve them on our own. So far, that has been sufficient.

Which solution did I use previously and why did I switch?

We are also onboarding Checkmarx. We use both solutions.

We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not. 

How was the initial setup?

The initial setup is pretty simple.

I do not recall the exact amount of time it took to deploy the solution.

It does not require a lot of maintenance. It's just that whenever a new version comes out, we have to upgrade it.

What about the implementation team?

We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrators. It was all handled in-house.

What's my experience with pricing, setup cost, and licensing?

What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could also be reduced a bit.

What other advice do I have?

We are just a customer and an end-user.

While we installed the solution on the cloud, we host it on our machines.

I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful.

It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have.

I would rate the solution at a six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TS
Security consultant at a tech services company with 1,001-5,000 employees
Real User
Top 5 Leaderboard
Enables the developers to code securely and comes with a free community edition

Pros and Cons

  • "It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
  • "If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."

What is our primary use case?

We are a security organization, and we deploy security solutions and network-related applications for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.

I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle. 

What is most valuable?

It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. 

SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition. 

What needs improvement?

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.

From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes. 

For how long have I used the solution?

It has been just three days since I deployed this solution. I have just configured the Community edition of SonarQube, and now I am searching for some Java products to test the solution. 

Which solution did I use previously and why did I switch?

I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead of Micro Focus Fortify because SonarQube has a cloud solution. Micro Focus Fortify does not support cloud-based hosting.

How was the initial setup?

The initial setup was simple for me. It was very straightforward and to the point. The documentation was also very much to the point and perfectly explained.

There are open source solutions for the Linux environment that let you automatically deploy everything in the new environment by using a specific file, but SonarQube doesn't have that file. That would be a plus point.

What about the implementation team?

I deployed it myself. Because of our Linux environment, it took me around three hours. I was reading the documentation and learning about configuration-related parameters while deploying this solution.  

What's my experience with pricing, setup cost, and licensing?

For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions. 

Which other solutions did I evaluate?

We have already used SonarLint. I am considering both SonarLint and SonarQube.

What other advice do I have?

I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what the feedback is from a developer's point of view.

I highly recommend SonarQube. I would rate this solution a ten out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
CV
CTO at a computer software company with 11-50 employees
Real User
Top 5 Leaderboard
An open-source platform for the continuous inspection of code quality

Pros and Cons

  • "The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
  • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

What is our primary use case?

There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version.

We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future.

Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance. 

What needs improvement?

The results of the exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You can extract a maximum of 10,000 results per query, which increases the overall execution time tremendously. I guess the majority of users rely on SonarQube's presentation capabilities, which are very restrictive for some use cases.

For how long have I used the solution?

I have been using SonarQube, every day, for more than two years. 

What do I think about the stability of the solution?

SonarQube is stable.

What do I think about the scalability of the solution?

I wouldn't say that it's fully scalable. It's damn slow. It takes a lot of time parsing an average-size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this, but it's really hard.

How are customer service and technical support?

As we are using the community version, there is no technical support.

Which solution did I use previously and why did I switch?

I have used a wide variety of tools. SonarQube covers a wide variety of issues and it is a well-designed, robust framework.

How was the initial setup?

To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, it took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script isn't functional; it needs some tweaking.

My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. In short, it should come with a self-contained functional configuration set.

Overall, the initial setup should be easier.

What about the implementation team?

Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

What's my experience with pricing, setup cost, and licensing?

Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

Which other solutions did I evaluate?

Yes, we have evaluated plenty of alternatives; nothing is really comparable.

What other advice do I have?

I would recommend this solution to others. It easily outperforms other static code tools — it's perfect as a static code analysis tool.

Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Donovan Greeff
Head of Software Delivery at a tech services company with 51-200 employees
Real User
Top 5 Leaderboard
Provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production

Pros and Cons

  • "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."

What is our primary use case?

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production.

We plug this process into our process right from the start, enabling the IDE integrations so that engineers can scan their code before submission. Following on from that, we run the scans on every change that has been submitted for review.

This way we ensure that no core/fundamental issues are added to our codebases.

How has it helped my organization?

It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed-efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results.

Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers.

We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more.

What is most valuable?

By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities.

The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported.

Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

What needs improvement?

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too.

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place.

When that one place has low coverage for the most basic rules (OWASP Top 10, for example) it starts to lose its value add.

For how long have I used the solution?

I have been using SonarQube for five years.

What do I think about the stability of the solution?

Good, I have not really had many issues with it. No major ones either.

What do I think about the scalability of the solution?

It all depends on where/how you are hosting it. The tool itself scales well.

Which solution did I use previously and why did I switch?

I have used Checkmarx and also tried a demo of Veracode.

Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag.

Veracode is very good; however, the price vs. a free solution was a deciding factor in many cases.

How was the initial setup?

It's very straightforward for a SaaS setup.

For a self-hosted setup, it is documented well and fairly easy.

What about the implementation team?

We implemented in-house.

What's my experience with pricing, setup cost, and licensing?

SonarQube will incur hosting costs. There are SaaS options available at competitive prices too.

Self-hosting SonarQube is subject to its open-source licenses documented on their website.

Which other solutions did I evaluate?

We also evaluated Checkmarx, Veracode, and open source solutions specific to each programming language.

What other advice do I have?

Security analysis is a MUST.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AdhamEnaya
Senior System Analyst at a non-profit with 10,001+ employees
Real User
Open-source, feature-rich, integrates well, and has good community support but the user experience could be better

Pros and Cons

  • "It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
  • "The security in SonarQube could be better."

What is most valuable?

There is a large support system in the community. When we have issues we can get answers quickly and easily.

It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.

It's very flexible.

I am from the application development team and for me, it is very good because it offers a lot of features in terms of code review, quality check, and more.

What needs improvement?

In discussions with the security team, there are many other products available that perform better. The security in SonarQube could be better.

SonarQube is more about the quality checks of the source code. It allows us to do a code review, but it lacks security. It could perform better.

I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issue and being integrated with the pipeline.

It integrates well, but there is always room in this area to improve and to provide reports on the results.

The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.

For how long have I used the solution?

I have been using SonarQube for six months. We implemented it in September of last year.

What do I think about the stability of the solution?

It is very stable. We are still new to this product and learning, but there are times when SonarQube disconnects from the server with no alert or notification, and we have to run it again.

It can be managed by running different scripts. From time to time we have claims that SonarQube is not running on the server and discover that the server was restarted but SonarQube did not restart.

I don't know if it is a flaw in the product itself or if we can manage it from our infrastructure.

It's stable but could be improved.

What do I think about the scalability of the solution?

I believe that it is scalable, but this is an area that we have not yet explored.

I know that there is an option to add a new rule. For example, if we are creating an application using Java, there is a list of predefined rules to check the quality against.

It's expandable, at least in terms of code quality checks.

For now, I am the only user of this solution.

How was the initial setup?

The initial setup wasn't straightforward, but still, it was manageable.

This is an area that can also be improved to make it easier to install and set up. There are many other products that are easy to set up and install.

What about the implementation team?

I called an expert or a technical person who could work on it and manage it.

What's my experience with pricing, setup cost, and licensing?

SonarQube is a free, open-source product.

There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license.

What other advice do I have?

We will be using this solution for the next year, but we are considering migrating to the cloud.

From my experience, I would rate SonarQube a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hilman Tehrani
Information Technology Technical Architect at an insurance company with 51-200 employees
Real User
Top 5 Leaderboard
Provides continuous inspection of code quality

Pros and Cons

  • "The product itself has a friendly UI."
  • "We could use some team support, but since we are using the community version, it's not available."

What is our primary use case?

I'm a user also, but I'm also responsible for information security.

I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first.

Within our organization, there are roughly 14 people using this solution.

We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team — I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.

What is most valuable?

The product itself has a friendly UI. It's easy to use and we understand how to manage the admin control panel; it's really quick. It's really easy to perform admin jobs using the control panel.

The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.

What needs improvement?

We could use some team support, but since we are using the community version, it's not available.

Also, because we are using the community version, we have some problems from time to time regarding the SSO logins.

Sometimes you need more time to configure things, to edit some profiles.

SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery — they don't really care about security. But now, since we are also certified technical security, we can go ahead and provide that for them.

In short, communication needs to be better.

Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk.

For how long have I used the solution?

We have had SonarQube for over a year, but we have only been using it for the past two months.

How are customer service and technical support?

With the use of the community version, we have already utilized it and fulfilled our application security needs at an earlier stage with a small-to-medium SDLC team.

How was the initial setup?

The initial setup was very straightforward. Overall, deployment took roughly one week.

What other advice do I have?

There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source.

Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software.

Overall, I would recommend SonarQube for your initial software quality.

On a scale from one to ten, I would give this solution a rating of eight.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RT
Technical Architect at an insurance company with 1,001-5,000 employees
Real User
An open-source platform for the continuous inspection of code quality with a useful code security feature

Pros and Cons

  • "I like that it helps us maintain our work quality and code security."
  • "Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."

What is our primary use case?

We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started.

One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.

We were trying to serve two purposes, work quality and code security, with one tool. That's where our inclination was more towards Sonar because other tools generally target code security only.

What is most valuable?

I like that it helps us maintain our work quality and code security.

What needs improvement?

Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.

For how long have I used the solution?

I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.

What do I think about the scalability of the solution?

In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.

How are customer service and technical support?

We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.

How was the initial setup?

The initial setup on-premises may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.

What's my experience with pricing, setup cost, and licensing?

We're using the Community Edition, and we don't pay for anything.

What other advice do I have?

On a scale from one to ten, I would give SonarQube a nine.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PP
Head Innovation Hub at a tech services company with 201-500 employees
Real User
Helps in improving the coding style and allows us to customize the rules

Pros and Cons

  • "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
  • "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."

What is our primary use case?

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not.

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

What is most valuable?

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules.

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

What needs improvement?

It is very expensive. That's something that can be improved.

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

For how long have I used the solution?

I have been using this solution for four years.

What do I think about the stability of the solution?

It looks stable. So far, we haven't found any issues.

How are customer service and technical support?

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

How was the initial setup?

It is straightforward. It takes very little time as compared to the other solutions.

What's my experience with pricing, setup cost, and licensing?

It is very expensive. Its price should be improved.

What other advice do I have?

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner