SonarQube Overview

SonarQube is the #1 ranked solution in our list of application security tools. It is most often compared to Veracode.

What is SonarQube?

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube is also known as Sonar.

SonarQube Buyer's Guide

Download the SonarQube Buyer's Guide including reviews and more. Updated: April 2021

SonarQube Customers

Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

Technical Architect at Dwr Cymru Welsh Water
Real User
Ensures that quality is not compromised between builds

What is our primary use case?

Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.

Pros and Cons

  • "The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
  • "A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
Manager at Dassault Systèmes
Real User
The FindSecBugs plugin has helped to solve our security vulnerability issues

What is our primary use case?

Our primary use case for this solution is security testing using the FindSecBugs plugin.

How has it helped my organization?

This has improved our organization because it has helped to find security vulnerabilities.

What is most valuable?

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

What needs improvement?

The product's user documentation can be vastly improved.

For how long have I used the solution?

Still implementing.
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
Real User
Protection That Detects Bugs and Provides Code Security

What needs improvement?

I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability of SonarQube is good. The number of people required for deployment and maintenance depends on our requirements for different client projects.

What's my experience with pricing, setup cost, and licensing?

We purchased the solution; it's not on a monthly or annual contract.

What other advice do I have?

On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some…
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
It easily ties into our continuous integration pipeline, but it is light on the security side

What is our primary use case?

Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though. We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.

Pros and Cons

  • "It is very good at identifying technical debt."
  • "It easily ties into our continuous integration pipeline."
  • "I find it is light on the security side."

What other advice do I have?

We are looking at using another product to complement it for security reasons. Most important criteria when selecting a vendor:

  • Usability of the product
  • Responsiveness when we have issues
Technical Architect and Software Engineer at a tech services company
Real User
Provides holistic overview of all quality issues in a project and enables easy drill down into particular problems

Pros and Cons

  • "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
Senior Java Developer at a financial services firm
Real User
Code convention ensures consistency and graphing tool gives overall view of code changes over time

Pros and Cons

  • "Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
  • "An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."

What other advice do I have?

I would advise getting it done sooner rather than later. The sooner you have a better understanding of the state of your code base, the sooner you can make better business decisions based on that information. Also, even though you may be a sole developer, I think it's still useful to use this tool and have these metrics at your fingertips. It's like version control: even if you are the only developer, I think it should be used for everything you do.
Service Line Leader at a tech services company with 10,001+ employees
Consultant
It's enabled us to improve software quality and helps us to disseminate best practices, but it needs a better design of the interface

How has it helped my organization?

It's enabled us to improve software quality and helps us to disseminate best practices.

What is most valuable?

This product is open source and very convenient.

What needs improvement?

A better design of the interface and the addition of some new rules.

What do I think about the stability of the solution?

Only common issues have been experienced.

What do I think about the scalability of the solution?

Only common issues have been experienced.

How are customer service and technical support?

Customer Service: I can't rate it because there was no customer service.

Technical Support: The technical documentation is really good and the community is great and active.

Which solution did I use previously and why did I switch?

Nothing was…
DevOps Engineer at a healthcare company with 10,001+ employees
Vendor
Ensures a good quality of code is released to customers

Pros and Cons

  • "I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products."
  • "When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."

What other advice do I have?

SonarQube provides easy upgrade mechanisms, and I rarely found any issues. Use a good VM for hosting, which can serve large requests on the fly with Oracle DB, etc.
Director at a consultancy with 10,001+ employees
Consultant
The tool was implemented in a pilot, and successfully scaled to the enterprise

Pros and Cons

  • "The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
  • "Ease of use/interface."

What other advice do I have?

Do your research to make sure the tool is a good fit for your organization. Also, give the development teams some time to adapt to the standards: set the thresholds lower to begin with, and then gradually raise them to the desired levels, rewarding compliance and good behavior.
Senior Software Developer at a tech vendor
Vendor
Provides automated rules for determining if a project is above or below a quality threshold

Pros and Cons

  • "Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
  • "It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."

What other advice do I have?

Try it, get used to it, configure it, and fine-tune it. Make it part of your everyday quality pipeline as gates that must pass before the green light to production deployment. While occasionally annoying with its issue reports, it is actually an invaluable source of better knowledge and of applying it in practice to your solutions. It saves you a bunch of headaches and debugging/fixing sessions in production, which are ten times as costly as using the help of this tool.
SW Automation Team Leader at a tech services company with 201-500 employees
Consultant
An actual RuntimeException bug was discovered and immediately fixed

Pros and Cons

  • "SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
  • "There is need for support for the additional languages and ease of use in adding new rules for detecting issues."

What other advice do I have?

I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.
DevOps at a tech company with 10,001+ employees
MSP
Keep source code well tested using SonarQube

How has it helped my organization?

Quality Gate helps us to merge code that was not covered with tests.

What is most valuable?

We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage. We can review possible faults in JavaScript code.

What needs improvement?

We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

What do I think about the stability of the solution?

We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

The technical support team has experts on it. They are…
DevOps Engineer at Trantor Software Private Limited
Consultant
It's changed the attitude of our developers as they can see their code exceptions at compile time, but it would be great if it also covered XML code

What other advice do I have?

I would advise you to implement SonarQube if you are facing any performance-related issues in your products.
Technical Authority Digital at an insurance company with 1,001-5,000 employees
Vendor
It enables Technical Leads to monitor and measure the effectiveness of delivery teams, but it needs better integration with JIRA

What other advice do I have?

If you are looking at SonarQube you already realize the importance of software quality and its value proposition. Sometimes you just want to discover the types and severity of issues you have, especially for legacy or inherited code bases (i.e. as a result of a merger). You should definitely follow the best practice of not trying to cover every metric all at the same time, but instead pick out the two or three (at most) that are most critical to you right now (recognizing that this will change over time). Time-based metrics are especially useful to help you understand if you are getting better or…
Java Developer at a tech consulting company with 51-200 employees
Consultant
The API documentation is poor, when it exists at all, but it does easily integrate with Jenkins

What other advice do I have?

The product is good, but the API documentation is poor, when it exists at all.
Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees
Consultant
My team's code bases have gotten better, with about 25% fewer issues since we began using it. However, they removed the design libraries and dependency-checking features from v5.2

What other advice do I have?

Just keep following their online installation and plugin development guide.
Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees
Vendor
It's helped with best practices in writing test cases, and each test should pass given all numbers are highlighted on it

What is most valuable?

The rich graphical representation of numbers which are meaningful to dev leads/managers and top management.

How has it helped my organization?

It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube. Executing Sonar analysis on a big chunk of code with an Oracle database does take up a lot of time.

What needs improvement?

Widgets: as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered. …
Web Developer/DevOps Engineer with 501-1,000 employees
Vendor
It allows for code exploration on the front-end as well as the ability to import from Fortify

QA Engineer at a tech services company with 51-200 employees
Consultant
It helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software

Software Developer at a tech services company with 501-1,000 employees
Consultant
It supports over 20 programming languages and allows me to create custom coding rules

What other advice do I have?

I would advise you to think a lot before acting.