SonarCloud Overview

SonarCloud is the #11 ranked solution in AST tools. PeerSpot users give SonarCloud an average rating of 8.0 out of 10. SonarCloud is most commonly compared to SonarQube: SonarCloud vs SonarQube. SonarCloud is popular among the large enterprise segment, accounting for 53% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a computer software company, accounting for 19% of all views.
Buyer's Guide

Download the Application Security Testing (AST) Buyer's Guide including reviews and more. Updated: December 2022

What is SonarCloud?

SonarCloud is the leading online service to catch Bugs and Security Vulnerabilities in your Pull Requests and throughout your code repositories. Totally free for open-source projects (paid plan for private projects), SonarCloud pairs with existing cloud-based CI/CD workflows, and provides clear resolution guidance for any Code Quality or Code Security issue it detects. With more than 1 billion lines of code analyzed every week, SonarCloud empowers development teams of all sizes to write cleaner and safer code, across 24 programming languages.

SonarCloud Customers

Microsoft, Apache, Wikimedia Foundation, Brave

SonarCloud Pricing Advice

What users are saying about SonarCloud pricing:
  • "The price of SonarCloud is not expensive; it goes by the lines of code. 1 million lines of code is approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
  • "The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
SonarCloud Reviews

    Managing Consultant
    Consultant
    Top 20
    It helps us detect vulnerabilities, but the integration with other tools in the CI/CD pipeline could be better
    Pros and Cons
    • "I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
    • "CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."

    What is our primary use case?

    We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other.  

    We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. 

    Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.

    What needs improvement?

    CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.

    For how long have I used the solution?

    We've used SonarCloud for nearly nine months, but we're slowly using it more and more.

    What do I think about the scalability of the solution?

    The services are small, so scalability is not relevant. If you say that the service is an application, then the functionality of the application is, by definition, small and fit for purpose. The scalability of having lots of increased functionality within a service is not an issue. 

    Scalability has more to do with the number of services or the full set of applications. A big company has multiple types of development going on that require SonarCloud. There are several services and applications that need to be scanned on a regular basis completely independently of each other. That's the issue. We're not hitting this threshold at the moment, so that's something we'll discover in the future as we add more to SonarCloud.


    How was the initial setup?

    I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.

    What's my experience with pricing, setup cost, and licensing?

    I can't say what it costs off the top of my head, but I believe the license is based on the number of users and services. Generally, it's considered inexpensive. 

    The price is also based on the lines of code scanned. We use another solution instead of SonarCloud to scan third-party software. One thing is unclear. If you want to use SonarCloud for third-party software, you will reuse it for more services, but you only need to scan the latest version. 

    You only need to scan once to cover all services that you're developing to minimize the cost of the scans. It doesn't make sense to redo the same scan for the third-party library version, which is used by many services. You only need to do it once.

    What other advice do I have?

    I rate SonarCloud seven out of 10. That rating is more of an intuitive sense of the product based on many years of experience.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    SenthuranPooranananthan - PeerSpot reviewer
    Sr Director of DevOps at Asset Works
    Real User
    Top 10
    Beneficial vulnerability discovery, simple to maintain, and proactive support
    Pros and Cons
    • "The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
    • "SonarCloud can improve the false positives. Sometimes the gates act a little weird. We then need to manually go and mark the false positive."

    What is our primary use case?

    SonarCloud is used for application security testing. The use cases you can bring into the pull request level; you can eliminate the problem in the developer's feature branch itself. The largest use case is if developers are writing code and the code has any vulnerabilities or problems, you can receive the feedback at the pull request level.

    What is most valuable?

    The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions.

    Having SonarCloud on the cloud, there is no maintenance because they patch everything. It's easy to maintain, but it may be a problem with very large organizations because of some of the false positives, and you may need to be very cautious in very large enterprises. The solution is best suited for startups and mid-size companies.

    It is supporting the mono and multi report, and overall they're always improving. Initially, they did not support the mono report; now they have started supporting the mono report approach, which is a benefit.

    What needs improvement?

    SonarCloud can improve the false positives. Sometimes the gates act a little weird. We then need to manually go and mark the false positive.

    For how long have I used the solution?

    I have used SonarCloud for approximately five years.

    What do I think about the stability of the solution?

    SonarCloud is very stable, it does not go down.

    What do I think about the scalability of the solution?

    Having SonarCloud in the cloud gives us a lot of scalability.

    We have approximately 100 to 150 developers and others at the management level using this solution. Now we educate at the management level. Even they take a look and see what gates are failing because it's a nice UI. Anybody can easily see what's going on with the solution in terms of many aspects, such as security and reliability.

    How are customer service and support?

    SonarCloud has community support, but not technical support. They frequently reach out to us and ask if we are happy or if we have any problems; if so, they can escalate it to the account manager. They have good support.

    What's my experience with pricing, setup cost, and licensing?

    The price of SonarCloud is not expensive; it goes by the lines of code. 1 million lines of code is approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost.

    What other advice do I have?

    My advice to others would be to work out the appropriate gate that is meaningful, and if your project has many problems, you can set the bar high, in a way that the gate forms are the same, and you can lower the threshold as you progress.

    I rate SonarCloud an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Senior Security Consultant at Tafhar IT Services
    Consultant
    Top 20
    Well priced, good for basic needs, but is too limited
    Pros and Cons
    • "For what it is meant to do, it works pretty well."
    • "I've been told by the developers that the solution is too limited. It's not testing enough within the containers."

    What is our primary use case?

    The solution is a static code analysis tool. That's basically what we use it for in our organization.

    What is most valuable?

    We bought the solution due to the fact that it was the lowest price. 

    For what it is meant to do, it works pretty well. 

    It's good for analysis.

    What needs improvement?

    I've been told by the developers that the solution is too limited. It's not testing enough within the containers. For instance, it only checks for obvious code errors. They should work to improve this.

    At the moment we needed to scan the code that the developers are producing, we found out that we needed more features.

    For how long have I used the solution?

    I've been using the solution for six months or so now. It's been less than a year.

    Which solution did I use previously and why did I switch?

    The former product we used was Twistlock.

    How was the initial setup?

    I haven't had much experience with the initial setup. I can't speak to what the deployment or setup was like.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is very good.

    Which other solutions did I evaluate?

    We're currently looking into other options.

    We're either looking for an integrated product for the whole CI/CD pipeline, such as StackRox, or we're looking at Fishman from Palo Alto. We're also looking at individual products for the whole CI/CD pipeline. In fact, this afternoon we are having a meeting to further discuss what tools we will use, or what we can use for dependency decks in the whole CI/CD pipeline, and for us to get a container image.

    What other advice do I have?

    We're a customer and an end-user of the product. We don't have a business relationship with them. 

    I'm not sure which version of the solution we're using.

    I'd advise potential users to first check all the features to see if what they need is there and then check them off to ensure that SonarCloud fills all your needs.

    It's a good product for its purpose.

    I'd rate the solution at a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    GHASSAN ODETALLAH - PeerSpot reviewer
    Head of Quality Engineers/Automation Architect at a tech company with 201-500 employees
    Real User
    Top 20
    Quick deployment, scales well, and accurate reports
    Pros and Cons
    • "The reports from SonarCloud are very good."
    • "We had some issues with the scanner."

    What is our primary use case?

    We use SonarCloud tools for all our 20 repositories, and we are connecting to SonarCloud from the Bitbucket pipeline.

    What is most valuable?

    The reports from SonarCloud are very good.

    What needs improvement?

    We had some issues with the scanner.

    For how long have I used the solution?

    I have been using SonarCloud for approximately three weeks.

    What do I think about the stability of the solution?

    The solution is stable.

    What do I think about the scalability of the solution?

    SonarCloud is scalable.

    We plan to increase our package to the enterprise edition and decrease the lines of code in the future.

    How are customer service and support?

    We have not needed the support at this time.

    Which solution did I use previously and why did I switch?

    We previously used Codacy. We switched to SonarCloud because of their good reputation, and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.

    How was the initial setup?

    The solution is straightforward to implement. Some of the implementations can be quick.

    The installation of the framework was a bit difficult; it could be improved.

    What's my experience with pricing, setup cost, and licensing?

    The price of SonarCloud could be less expensive. We are using the community version, and the price should be more reasonable.

    We have purchased a license for 2 million lines of code. However, we have 10 million lines of code, but it would be too costly for us to have a license for the full amount.

    What other advice do I have?

    I would recommend SonarCloud to others.

    I rate SonarCloud a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    VP Business Development North America at Geko
    Real User
    Top 5
    Can be installed locally, is stable and easy to implement
    Pros and Cons
    • "The solution can be installed locally."
    • "It would be helpful if notifications could go out to an extra person."

    What is our primary use case?

    We are customers of SonarCloud.

    What is most valuable?

    I like that the solution can be installed locally. 

    What needs improvement?

    I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

    For how long have I used the solution?

    I've been using this solution for about three years. 

    What do I think about the stability of the solution?

    The solution is stable. 

    What do I think about the scalability of the solution?

    I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

    How was the initial setup?

    I wasn't involved in the setup but I believe it was relatively easy. 

    What other advice do I have?

    I rate this solution nine out of 10. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user