SonarQube Overview

SonarQube is the #1 ranked solution in our list of application security tools. It is most often compared to Veracode.

What is SonarQube?
SonarQube is the central place to manage code quality, offering visual reporting on and across projects and letting you replay the past to follow how metrics evolve.

SonarQube is also known as Sonar.

SonarQube Buyer's Guide

Download the SonarQube Buyer's Guide including reviews and more. Updated: January 2021

SonarQube Customers
Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

Pricing Advice

What users are saying about SonarQube pricing:
  • "We're using their free Community Edition version."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "The developer edition is based on cost per lines of code."

SonarQube Reviews

Steven Gomez
Lead Engineer at bioMerieux, Inc.
Real User
Top 5 Leaderboard
May 20, 2019
Great bird's-eye view dashboard with detailed code metrics in the drill-down

What is our primary use case?

We're collecting code quality metrics.

Pros and Cons

  • "We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
  • "We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."

What other advice do I have?

I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control. I have one graph here…
reviewer1407126
Team Lead at a computer software company with 10,001+ employees
Real User
Top 10 Leaderboard
Aug 31, 2020
This is a very capable analysis tool for development projects but the free version has limitations

What is our primary use case?

We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.

Pros and Cons

  • "It is a very good tool for analysis despite its limitations."
  • "There is a free version."
  • "There are limitations to the free version that limit development options as far as languages."

What other advice do I have?

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think. On a scale from one to ten, where one is the worst and ten…
Hilman Tehrani
Information Technology Technical Architect at an insurance company with 51-200 employees
Real User
Top 5 Leaderboard
Sep 9, 2020
Open-source, easy-to-use interface with minimal coding required

What is our primary use case?

SonarQube can be used for any missing components or component vulnerabilities.

Pros and Cons

  • "The product has a friendly UI that is easy to use and understand."
  • "The documentation is not clear and it needs to be updated."

What other advice do I have?

I am a user of SonarQube and I am responsible for the information security. I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP. We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers. It is better to have a…
Gustavo Lugo
Chief Solutions Officer at CleverIT B.V.
Reseller
Top 20
Jan 10, 2021
Easy to deploy and applicable for various uses

What is our primary use case?

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera. We…

Pros and Cons

  • "It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
  • "In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

What other advice do I have?

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis. On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.
Phil Denomme
Manager at a wireless company with 11-50 employees
Real User
May 16, 2019
Checks code against server-based audit version but QA audit controls need better automation

What is our primary use case?

Our primary use is for coding best practice management and quality. Aside from that, we also use it for security. I'm getting involved in moving this solution forward and positioning it in our enterprise so I haven't gotten to the point where we're nailing down the configuration and release controls yet.

Pros and Cons

  • "Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
  • "We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."

What other advice do I have?

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
Yash Brahmani
DevOps Engineer at a financial services firm with 10,001+ employees
Real User
Jul 26, 2020
Security hotspot feature identifies where your code is prone to have security issues

What is our primary use case?

We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.

Pros and Cons

  • "The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
  • "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."

What other advice do I have?

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects. The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes. In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and…
Jeff Ingalls
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
May 28, 2019
Ensures compliance with corporate coding standards and reduces technical debt

What is our primary use case?

Our primary use for this solution is to improve code quality and reduce technical debt.

Pros and Cons

  • "Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
  • "The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now. I would rate this solution an eight out of ten.
reviewer1390020
Engineer at a pharma/biotech company with 201-500 employees
Real User
Aug 1, 2020
Good static code analysis and benchmarking but the library could support more languages

What is our primary use case?

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

Pros and Cons

  • "The most valuable features are the segregation containment and the suspension of product services."
  • "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria. The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license. I would rate this solution a six out of ten.