SonarQube

SonarQube is a code quality and vulnerability solution.

Overall rating

4,6 /5
(55)
Value for Money
4,4/5
Features
4,4/5
Ease of Use
4,3/5
Customer Support
4,1/5

96%
recommended this app
Sort by

55 Reviews

Sachin
Sachin
Overall rating
  • Industry: Computer Software
  • Company size: 10 000+ Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 9.0 /10

Code Analysis and ensuing security against threats

Reviewed on 2022/05/23

Overall experience with Sonarqube is pretty wholesome integration came handy with my CI/CD tools...

Overall experience with Sonarqube is pretty wholesome integration came handy with my CI/CD tools such as Azure Devops and Jenkins. Provides insights against vulnerabilities and common threats so that necessary actions can be taken by developers to ensure the security and good coding practices to follow. Features like PR decoration allows to get results in CI/CD tools itself if passed then only commit happens to master branch.

Pros

Feature like Code Analysis and publishing those analysis report to end user. You can use default Quality Gates and Quality Profiles for scanning of your code. In case you want to modify these you can do that and define your own rule. Whenever there's commit in repo you just need to configure the task in your continuous integration pipeline if it passed the parameter only then commit will happens the master/main branch otherwise it will not. With these features you can eliminate the security threats and ensure that developers are following good practices while developing their code. I have integrated it with Azure DevOps.

Cons

Only thing which I can think can be improved is logging of events. Sometime it becomes hard to debug the issues. Other then that, I think over all this fulfills all the requirements.

Verified Reviewer
Overall rating
  • Industry: Information Technology & Services
  • Company size: 501–1 000 Employees
  • Used Daily for 1+ year
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 9.0 /10

Best Code Quality check Tool

Reviewed on 2022/08/25

We are really taking help of SonarQUbe in maintaining code quality. Doing code scanning on each ...

We are really taking help of SonarQUbe in maintaining code quality. Doing code scanning on each JIRA story completion. It also helps our developers to improve their code quality. Coding standards are better now. Reports are very useful.

Pros

1. Calculate the quality of code and also helps to improve the quality by providing the solution
2. Highlight the vulnerabilities , repetitive line of code
3. Developer Friendly tool as it provides recommendations on the line of code which needs an improvement.
4. Create Scan reports on demand
5. Option to add exception in code

Cons

1. Report Generation sometime take long time.
2. User Interface should be enhanced.
3. Lack custom rule set
4. As per cost, it is little bit expensive.

Alternatives Considered

Embold, Coverity and CodeScan

Reasons for Choosing SonarQube

SOnarQube is better in terms of quality percentage, provide more insights.

Switched From

Coverity
Verified Reviewer
Overall rating
  • Industry: Information Technology & Services
  • Company size: 201–500 Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 9.0 /10

Elevate your code quality to the next level

Reviewed on 2024/03/30

The development process has been a bit slower than usual after SonarQube integration, but the...

The development process has been a bit slower than usual after SonarQube integration, but the quality and readability of the code is much better.

Pros

The main feature of SonarQube is that it detects code complexities within the code so that the developer can optimize it. It also detects accessibility and security issues; code smells and suggests changes.

Cons

It is a bit difficult to integrate with existing services and the quality checks may also conflict with other integrations.

Chandramouli
Overall rating
  • Industry: Hospital & Health Care
  • Company size: 501–1 000 Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 7.0 /10

Great tool to drive Coding Quality standards

Reviewed on 2021/08/12

PR analysis and Integration with Bitbucket are most in avoiding the new issues.
The tool needs a...

PR analysis and Integration with Bitbucket are most in avoiding the new issues.
The tool needs a lot of improvements
1. Number of rules should be increased.
2. Few rules should have custom exclusions. Ex: Naming conventions => Organisation-specific words will be there which should be in Capital.
3. Generating a lot of false positives
4. Executive reports should generate based on scheduled triggers. We have 20 projects which are assigned to a Portfolio. if you are going to generate a report and send an email for the first portfolio calculation then the rest of the 19 projects info for that day will be missed. Higher management will think that the generated report is the latest but it is not.
5. PR analysis reports should be generated Quickly

Pros

PR analysis and Integration with Bitbucket are most helpful.

Cons

1. Number of rules should be increased.
2. Few rules should have custom exclusions. Ex: Naming conventions => Organisation-specific words will be there which should be in Capital.
3. Generating a lot of false positives
4. Executive reports should generate based on scheduled triggers. We have 20 projects which are assigned to a Portfolio. if you are going to generate a report and send an email for the first portfolio calculation then the rest of the 19 projects info for that day will be missed. Higher management will think that the generated report is the latest but it is not.
5. PR analysis reports should be generated Quickly

Response from SonarSource

Thank you for your review, Chandramouli. We appreciate your feedback, and invite you to join the SonarSource Community Forum.

SonarSource Community Forum: https://community.sonarsource.com/

Posting to the Forum will allow there to be transparency to the community, and allow our product managers & users to understand any issues you are facing.

To better assist you, please indicate what language(s), and how long the PR analysis is actually taking; as well as, examples of the false positives.

Thanks!

Verified Reviewer
Overall rating
  • Industry: Banking
  • Company size: 10 000+ Employees
  • Used Weekly for 2+ years
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 8.0 /10

Code Quality Assurance

Reviewed on 2024/03/21

Overall, impressed by this tool that supports multiple languages, monitoring code quality, bugs and...

Overall, impressed by this tool that supports multiple languages, monitoring code quality, bugs and vulnerability detection. Also, integrates well with Jenkins, GitHub, etc.

Pros

- It supports almost all commonly used languages like JAVA, Python, Javascript, etc.
- Integrates well with CI/CD pipeline established in tools like Jenkins and GitHub.
- Detects code duplication, bugs and vulnerabilities in code.

Cons

- May be complex to understand the reports for new users.
- May block delivery/deployment if hard gates are enabled by DevOps team which may delay project delivery.

Verified Reviewer
Overall rating
  • Industry: Higher Education
  • Company size: 1 001–5 000 Employees
  • Used Monthly for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

SonarQube is Great for Developers!

Reviewed on 2022/12/23

We could identify many code related issues that are presented in our code and improve the quality...

We could identify many code related issues that are presented in our code and improve the quality of the application that we are developing. As a overall, SonarQube tool is able to add a value to our applications.

Pros

It is simple for developers to recognize their code smells, unused lines of code, errors, problems with the third-party libraries they are using, etc. information and the precise location of the issue. It also offers answers to those problems. As a result, figuring out the problems and fixing them is simple. This will be a terrific tool for developers. Except that, we can introduce our own rules for checking the code quality. It could identify the code issues that are vulnerable to cyber attacks such as XSS, SQL Injection, etc.

Cons

It was difficult to use the SonarQube on-premise application. Once we pushed a new code section, the server needed to restart in order for the application to work.

Alternatives Considered

GitGuardian

Reasons for Switching to SonarQube

Higher number of facilities are available in SonarQube and suggesting the options for fixing the issues.
Mo
Mo
Overall rating
  • Industry: Legal Services
  • Company size: 501–1 000 Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

Developer friendly SAST

Reviewed on 2022/12/07

Pros

We really like the IDE tool called SonarLint which makes it easy for developers to integrate with most IDEs and lint their code even before committing it to the repos. Another advantage was that we were able to self host our own instance on our Kubernetes cluster and keep the versions based on the containers we specify to pull.

Cons

Other engines tend to scan the same code base faster. Not too much of a con since this is all automated.

Alternatives Considered

Snyk
Flor
Flor
Overall rating
  • Industry: Computer Software
  • Company size: 11–50 Employees
  • Used Daily for 1+ year
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

A free tool for source code analysis

Reviewed on 2023/04/10

It helped me to be able to do my job in improving the code, giving me possible solutions and saving...

It helped me to be able to do my job in improving the code, giving me possible solutions and saving me time.

Pros

What I find most useful in this software is the code analysis, which gives detailed reports of the errors found and then suggests possible solutions. This saves time in software development.In addition, their large community helps solve problems that arise along the way.

Cons

Sometimes the reports can give false positives, which requires that the personnel in charge of handling the software carefully review the results to avoid false positives.

Susan
Overall rating
  • Industry: Airlines/Aviation
  • Company size: 201–500 Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

Great product!

Reviewed on 2023/07/11

Pros

This product has actually improved productivity within my team by making sure there’s no duplicate code and by making code easily understandable.

Cons

Code maintenance is actually a difficult part.

Ie
Overall rating
  • Industry: Computer Software
  • Company size: 1 001–5 000 Employees
  • Used Weekly for 1+ year
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

Popular tool for code smell search in the organisation's repositories

Reviewed on 2023/08/08

Pros

Easy-to-administer tool, with good functionality to monitor security part of your code (using SAST methodology), with ability to integrate with Jenkins, GitHub and other tools. You are able to fail the build if the code doesn't meet percentage score.

Cons

When new repository is added - there should be pop-up suggestion to create SonarQube project for it, coming from SonarQube. At the moment the user/administrator must watch out for new repositories in the organisation, without a note from the system itself that there is a new repository which you might want to add for scanning.

Verified Reviewer
Overall rating
  • Industry: Information Technology & Services
  • Company size: Self Employed
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Likelihood to recommend 10.0 /10

Measure the quality of your software

Reviewed on 2022/12/24

Pros

I like sonarqube dashboard and the flexibility that quality gates provide to measure your software quality. You can set up you own thresholds for maintenance, reliability, security, code coverage and many other metrics, and allow only versions passing this quality gate to be deployed.

Cons

Unfortunately it lacks an easy way to see trends and go deep into which developers are the best/the worst. Also, it is paid if you need to analyse software in some languages, available only on the cloud.

Alternatives Considered

CAST Highlight, Kiuwan, Jenkins and Azure DevOps Services

Switched From

CAST Highlight
Carlos
Overall rating
  • Industry: Banking
  • Company size: 51–200 Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 8.0 /10

Sonarqube essential code quality analysis tool

Reviewed on 2023/03/12

In short, it is an indispensable tool and should be mandatory in all software development companies.

In short, it is an indispensable tool and should be mandatory in all software development companies.

Pros

The ability to analyze the quality of the code in each deployment or integration, together with the possibility of modifying the rules to allow deployment or not (quantity or criticality of errors or defects), as well as vulnerability analysis allows for better software, always keeping in mind of the developers the quality and security of the code.

Cons

Like everything, the time it takes to leave it well configured and integrated with the rest of the systems, as well as the maintenance and updating of the standards, rules and vulnerabilities depending on the programming language and the news that are published at the level of security.

Verified Reviewer
Overall rating
  • Industry: Information Technology & Services
  • Company size: 1 001–5 000 Employees
  • Used Weekly for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Likelihood to recommend 10.0 /10

The least you can do for software quality

Reviewed on 2022/11/30

Pros

Sonarqube allows anyone to run a scan for code smells, bugs or vulnerabilities. There is no reason not to use it or integrate it into your CI/CD pipelines. Even if you do not enforce passing the quality gate, it helps a lot in tracking and highlighting where are your weaknesses. Code duplication and Code coverage are very useful tools to understand the overall quality of your development.

Cons

It is hard to view historic data, and once you run a new analysis you cannot see the previous ones anymore from the same unified dashboard, you have to enter into each metric and check the history link. Please bring back the history dashboard from sonar 5!

Alternatives Considered

CAST Highlight and Kiuwan
Verified Reviewer
Overall rating
  • Industry: Computer Software
  • Company size: 10 000+ Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 9.0 /10

Excellent code assurance tool

Reviewed on 2023/01/15

It's a great tool and be understood by experienced people more easily.

It's a great tool and be understood by experienced people more easily.

Pros

Sonarqube helps me find out if there are any repetitive lines in my code. Since the code sometimes get lengthy or at times missed by me to recheck. It is added in continuous integration in jenkins which when runs code smells, coverage and quality will be detected.

Cons

At times we need to precisely set all the settings for the issues to be detected. If any small mistake happens then no result can be seen. We use traditional sonarqube where we install and integrate rather then plugin in jenkins. So the traditional method needs to be more careful in installing and running it.

Daniel
Overall rating
  • Industry: Real Estate
  • Company size: 201–500 Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 6.0 /10

Review

Reviewed on 2021/08/16

It have been a mixed ride overall. The actualy code analysis is really great, the rest is so so.

It have been a mixed ride overall. The actualy code analysis is really great, the rest is so so.

Pros

The amount of errors it catches and that developers code look somewhat similar in mindset after using it for some time.

Cons

The setup with CodeCoverage is a nightmare and it seems is not working equallty well all the time. We also have a solution where it doesn't even work.

Response from SonarSource

Hi Daniel. Thank you for your review of SonarQube. We appreciate your feedback! Regarding your code coverage issues, have you checked out our Community Forum? There may be a solution/fix already identified and if not, you can easily start a new thread and provide us with the details around your workflow, language(s), etc. Thanks!

Community Forum: https://community.sonarsource.com/

Marcin
Overall rating
  • Industry: Information Technology & Services
  • Company size: 10 000+ Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 7.0 /10

Staple in the CI/CD pipelined quality gate solutions

Reviewed on 2022/12/11

It allows our dev teams to keep consistent level of code quality and known issues proof in code and...

It allows our dev teams to keep consistent level of code quality and known issues proof in code and used target platforms so as to provide to end users/customers highest quality products delivered in CI/CD methodology.

Pros

Easily add source code analysis for potential bugs and pitfalls to warrant against developers' errors or just not efficient coding by novices, projects dependencies on vulnerable platforms and potential long-term support issues due to how your code is structured. Simple deployment of binaries needed for scans for major target build environments OSes, plus easy to use APIs, all for the benefit of easy integration into CI/CD pipelines.

Cons

Caps and limits on key server instance component required when obtaining config for project and preset rules, when sending analysis results or getting quality gate results may make the pipelines seem to fail without easier discerning real reasons.

Gaurav
Overall rating
  • Industry: Automotive
  • Company size: 10 000+ Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

Sonarqube a static code analysis for quality and security of the code

Reviewed on 2022/07/17

We have been using sonarqube in our cicd pipeline for static code analysis and its been very...

We have been using sonarqube in our cicd pipeline for static code analysis and its been very helpful identifying the bugs early in the stages. This tool is best in the market but still missing on some functionalities, mainly in dashboards.

Pros

1. Ensures that only quality, bugfree and vulnerabilities free code goes into production and improves developer’s skills.
2. Supports 24+ languages.
3. Open source version.
4. Developer workflow integration
5. Detect the bugs early in development and send alerts to developers to have a look into suspicious code snippets.
6. The results are faster and can get integrated within pipeline.

Cons

1. Integration with the third party apps could be improved.
2. Dashboards could be better and code security features can be added more.
3. Sometimes false positive results

kiruthiga
Overall rating
  • Industry: Information Technology & Services
  • Company size: 5 001–10 000 Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

SonarQube Usage review

Reviewed on 2021/04/08

Cheap and good for Code Vulnerability scans.

Cheap and good for Code Vulnerability scans.

Pros

The vulnerability scans that it uses encompasses a lot of languages. It also has ability where user can define custom profiles and rules. Dashboards created are easy to use and decipher.

Cons

Technical support is very expensive and need to use their community forums to get support.

Response from SonarSource

Thank you for your review, kiruthiga!

Verified Reviewer
Overall rating
  • Industry: Information Technology & Services
  • Company size: 10 000+ Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

Great tool to drive Coding Quality standards

Reviewed on 2021/07/11

Driving code quality standards across enterprise and inducing code quality gates in the continuous...

Driving code quality standards across enterprise and inducing code quality gates in the continuous integration workflow

Pros

Static code analysis, support for Java, .Net, JavaScript, typescript, html, CSS, etc. Helps you set custom quality gates and rules as well

Cons

Community version does not support high availability. You need to pay for this feature, would have preferred it to be free. Tools upgrade process can be improved as we have to take down the tool instance.

Response from SonarSource

Thank you for your review!

Thenappan
Overall rating
  • Industry: Information Technology & Services
  • Company size: 51–200 Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

Keeps ur code intact with less grammar mistake

Reviewed on 2022/01/24

Pros

it allows us to correct the grammatically wrong code , unused imports ,variables etc. It Helps us to optimize the code with the rules specified for that project. Allows us to remove the duplicate code as well.

Cons

Integration with visual studio code and binding with project is tad difficult . Duplicate code block appears only after the build , so we have to wait till the build is completed to view whether any duplicate is present in our code.

Vishvesh
Vishvesh
Overall rating
  • Industry: Computer Software
  • Company size: 201–500 Employees
  • Used Weekly for 6-12 months
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

Loved using SonarQube!!!

Reviewed on 2022/04/27

We primarily need to perform some static analyses. Everyone sends a pool request while they're...

We primarily need to perform some static analyses. Everyone sends a pool request while they're coding. We must guarantee that the code is up to date before committing it to the main branch. That's basically how we work to make sure that whatever rules we've set up, whatever gates we've set up, are followed before we commit the code to the main branch. I had a lot of fun with the powerful tool.

Pros

The way it evaluates all of the code generated and reports on any violations of standard coding help us optimize the written code, ensuring that the smallest number of lines are created to properly cover the functionality. It offers a lovely user interface with distinct groups of infractions ranging from small to large, and it involves fixing the code's needless complexity. It also aids in the removal of duplicate code that has been used several times and the upkeep of method standards.

Cons

Integrating Sonarqube into CI/CD Pipelines takes time, and it may take even longer if the developer is newer. More real-time solutions could be included in the available guide, making it easier to handle issues and complete the integration.

Tolgay
Overall rating
  • Industry: Telecommunications
  • Company size: 10 000+ Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Value for Money
  • Ease of Use
  • Customer Support
  • Likelihood to recommend 8.0 /10

A great tool to improve Code Quality

Reviewed on 2022/04/28

Tool really fulfills our needs on code quality improvements and security perspectives.

Tool really fulfills our needs on code quality improvements and security perspectives.

Pros

First of all, The tool has a great user interface highlighting all of the errors and bugs. It also shows how much effort is needed to fix those as well. We integrated it with our CI/CD pipelines in GitLab.

Cons

Enterprise licensing cost is a bit expensive. We faced rarely memory issues running the CI/CD pipelines.

Verified Reviewer
Overall rating
  • Industry: Computer Software
  • Company size: 51–200 Employees
  • Used Daily for 6-12 months
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 9.0 /10

powerful code quality tool

Reviewed on 2023/02/23

Pros

SonarQube can integrate with CI/CD tools such as Jenkins, GitLab, and Travis CI, making it easy to automate code analysis as part of the development process. SonarQube allows developers to customize the rules and profiles used for code analysis.SonarQube provides a dashboard and reporting features that allow developers to track the progress of code quality metrics and identify areas that require attention. This feature can help developers stay on top of code quality issues and make data-driven decisions about where to focus their efforts.

Cons

Improving documentation could help users better understand how to use the tool effectively.

Verified Reviewer
Overall rating
  • Industry: Computer Software
  • Company size: 1 001–5 000 Employees
  • Used Daily for 1+ year
  • Review Source

Overall rating

  • Ease of Use
  • Likelihood to recommend 8.0 /10

Check your developers code quality

Reviewed on 2022/08/04

Great experience I loved it. It will track all the lines in code and gives us the quality report...

Great experience I loved it. It will track all the lines in code and gives us the quality report according to rule set.

Pros

Great tool to check the code quality like unit test cases, number of repetitive lines and other checks for coments and other. This helps us to set the rules which should be followed by the developer which maintains the consistency of the software for customers.

Cons

I don't have any much cons on this. But we need little good knowledge to handle this. It is little tricky to manage the application.

Flavio
Flavio
Overall rating
  • Industry: Telecommunications
  • Company size: 10 000+ Employees
  • Used Daily for 2+ years
  • Review Source

Overall rating

  • Ease of Use
  • Customer Support
  • Likelihood to recommend 10.0 /10

The best bugs exterminator

Reviewed on 2022/05/29

We can't live anymore without Sonarqube. When we started using it 5 years ago, the teams adoption...

We can't live anymore without Sonarqube. When we started using it 5 years ago, the teams adoption was very fast.

Pros

Code review could be more focused on the new features implementation than trying to identify silly basic faults.

Cons

The Eclipse Sonarqube plugin was not easy to make it work in the same manner was it was setup in the CI/CD machines.