How do you or your organization use this solution?
SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.
We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit.
I'm a software development engineer and we are customers of SonarQube.
SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the SonarLint plugin with Teamscale, which is then applied to the main product we are using.
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.
I use this solution for our staging environment to review the security issues before going live or into production.
We generally use the solution in order to do static code analysis.
We are a $4 billion valuation large company and we use the solution for static security scanning and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.
We are using the solution for code quality and security.
We use it for the static analysis of the source code to find issues or vulnerabilities.
We use SonarQube to scan our security protection.
We use SonarQube for testing and quality assurance. We use this in banks for testing. We also use SonarQube for security static testing.
There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version. We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future. Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violations of programming practices towards code refactoring and code maintenance.
We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there. Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.
We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube. We usually deploy it in the cloud, but sometimes we also have on-premises solutions.
We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.
We are using it for scanning our web applications, some internal applications and using it for code reviews.
I have used SonarQube for static code analysis. I am using it to assess my internal applications.
I'm a user also, but I'm also responsible for information security. I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first. Within our organization, there are roughly 14 people using this solution. We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team — I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.
SonarQube can be used for any missing components or component vulnerabilities.
We use this solution for auditing our system.
We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises. I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle.
We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.
Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.
The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.
We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.
I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.
Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. We plug this process into our process right from the start, enabling the IDE integrations so that engineers can scan their code before submission. Following on from that, we run the scans on every change that has been submitted for review. This way we ensure that no core/fundamental issues are added to our codebases.
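The gated procedure this reviewer describes is usually implemented as a CI step that asks SonarQube whether the project's quality gate passed and fails the build otherwise. The script below is an added example, not code from the reviewer or from SonarSource; it assumes the SonarQube web API endpoint `api/qualitygates/project_status` (which returns a JSON object with `projectStatus.status` and a list of failed `conditions`), but uses constructed sample responses so it runs offline. The host, token and project key names are placeholders.

```shell
#!/bin/sh
# Added example: a CI gate step that blocks the build when SonarQube reports
# a failed quality gate. Assumes the response shape of
# GET api/qualitygates/project_status?projectKey=<key>, which looks like
# {"projectStatus":{"status":"OK"|"ERROR","conditions":[...]}}.
# The two responses below are constructed samples standing in for a real call:
#   curl -s -u "$SONAR_TOKEN:" \
#     "$SONAR_HOST/api/qualitygates/project_status?projectKey=$PROJECT_KEY"

SAMPLE_OK='{"projectStatus":{"status":"OK","conditions":[]}}'
SAMPLE_ERROR='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"2"}]}}'

# gate_status RESPONSE: print the overall projectStatus.status (OK or ERROR).
gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z_]*\)".*/\1/p'
}

# gate_passed RESPONSE: succeed (exit 0) only when the gate status is OK.
gate_passed() {
  [ "$(gate_status "$1")" = "OK" ]
}

# failing_conditions RESPONSE: print the metricKey of every failed condition,
# one per line, so the build log says *why* the gate failed.
failing_conditions() {
  printf '%s\n' "$1" | tr '{' '\n' \
    | grep '"status":"ERROR","metricKey"' \
    | sed 's/.*"metricKey":"\([^"]*\)".*/\1/'
}

# check_build RESPONSE: the actual gate step; non-zero exit stops the pipeline.
check_build() {
  if gate_passed "$1"; then
    echo "quality gate passed; build may proceed"
    return 0
  fi
  echo "quality gate failed on: $(failing_conditions "$1" | tr '\n' ' ')" >&2
  return 1
}

# Stand-alone run on the constructed samples.
check_build "$SAMPLE_OK"
check_build "$SAMPLE_ERROR" || echo "build blocked as expected"
```

In a real pipeline `check_build` would be fed the output of the `curl` call shown in the comment, after the analysis task has finished; a `return 1` from it is what turns the gate into an enforced control rather than a dashboard metric.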
We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.
I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in.
We use this SonarQube solution for code quality and as a basic security issues solution for our clients.
We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.
Our primary use for this solution is to improve code quality and reduce technical debt.
My primary use for this solution is to perform static code analysis.
We primarily use this solution for code quality purposes. We have a CI/CD environment, without a lot of manual steps.
We're collecting code quality metrics.
We use this solution in the development of our travel programs.
Our primary use is for coding best practice management and quality. Aside from that, we also use it for security. I'm getting involved in moving this solution forward and positioning it in our enterprise so I haven't gotten to the point where we're nailing down the configuration and release controls yet.
Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.
Our primary use case for this solution is security testing using the FindSecBugs plugin.
Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though. We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.