SonarQube Reviews

SonarQube is the #1 ranked solution of our top Application Security tools. It's rated 3.8 out of 5 stars, and is most commonly compared to Veracode.

Steven Gomez
Real User
Lead Engineer at bioMerieux, Inc.
May 20 2019

What is most valuable?

I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and… more »

How has it helped my organization?

We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards coding standards that empower us to move in the direction of better… more »

What needs improvement?

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out… more »

Which solution did I use previously and why did I switch?

We didn't have a previous solution other than paper systems that we never got in the habit of going back to and referring to. We didn't switch; we started fresh.

What other advice do I have?

I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of… more »

Which other solutions did I evaluate?

We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how… more »
Real User
Team Lead at a computer software company with 10,001+ employees
Aug 31 2020

What is most valuable?

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite… more »

What needs improvement?

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools. There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple… more »

What other advice do I have?

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for… more »

Which other solutions did I evaluate?

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in… more »
Hilman Tehrani
Real User
Information Technology Technical Architect at an insurance company with 51-200 employees
Sep 09 2020

What is most valuable?

The product has a friendly UI that is easy to use and understand. Especially the admin's control panel is very good, and it's not really difficult to get through the settings. With minimal coding… more »

How has it helped my organization?

SonarQube has improved our best practice of pair programming, which is aligned with the CI pipeline.

What needs improvement?

Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have… more »

What's my experience with pricing, setup cost, and licensing?

We are using the open-source community version, but there are enterprise licenses available.

Which solution did I use previously and why did I switch?

We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.

What other advice do I have?

I am a user of SonarQube and I am responsible for information security. I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP. We… more »
Phil Denomme
Real User
Manager at a wireless company with 11-50 employees
May 16 2019

What is most valuable?

There are two major use cases. One is to integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.

How has it helped my organization?

SonarQube has not yet had an impact on our organization. In the past, however, I've used it to control the security vulnerabilities and establish standards for API control.

What needs improvement?

I haven't really done a comparative analysis yet. We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're… more »

What other advice do I have?

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
Yash Brahmani
Real User
DevOps Engineer at a financial services firm with 10,001+ employees
Jul 26 2020

What is most valuable?

The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues. It also gives you a very good highlight of what's changed, and what has to be changed in the future. Apart from… more »

What needs improvement?

There are various standards that are followed. Awareness is a must. Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.

What's my experience with pricing, setup cost, and licensing?

Everything is included in the standard licensing.

Which solution did I use previously and why did I switch?

We used Fortify, which is another tool for static code analysis. The security team used to use that, but not our team, because ours was a newly assembled team for the work.

What other advice do I have?

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers… more »
Jeff Ingalls
Real User
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
May 28 2019

What is most valuable?

The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues. SonarQube is really good for finding coding standards when people deviate from what we have set corporately.

How has it helped my organization?

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, and we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release. Using… more »

What needs improvement?

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me. The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the… more »

Which solution did I use previously and why did I switch?

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that… more »
Real User
Engineer at a pharma/biotech company with 201-500 employees
Aug 01 2020

What is most valuable?

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

What needs improvement?

The library could have more languages that are supported. It would be helpful. There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are… more »

What's my experience with pricing, setup cost, and licensing?

The developer edition is based on cost per lines of code.

Which solution did I use previously and why did I switch?

We have used open-source origins of the tools. PCI is an open-source solution that we used before, and we used Snyk as well.

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps, which are part of the… more »

Which other solutions did I evaluate?

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature. We will either go with the paid Developer active license or… more »
Tariq Saraj
Real User
Sr. Information Security Engineer at a tech services company with 1,001-5,000 employees
Sep 03 2020

What is most valuable?

It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely… more »

What needs improvement?

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established… more »

What's my experience with pricing, setup cost, and licensing?

For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions.

Which solution did I use previously and why did I switch?

I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead of Micro Focus Fortify because SonarQube has a cloud solution. Micro… more »

What other advice do I have?

I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and… more »

Which other solutions did I evaluate?

We have already used SonarLint. I am considering both SonarLint and SonarQube.

What is SonarQube?

SonarQube is the central place to manage code quality, offering visual reporting on and across projects and enabling you to replay the past to follow the evolution of metrics.
Also known as
Sonar
SonarQube customers
Bank of America, Siemens, Cognizant, Thales, Cisco, eBay