SonarCloud Reviews

We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other.  

We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. 

Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.
+

CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.

We've used SonarCloud for nearly nine months, but we're slowly using it more and more.

The services are small, so scalability is not relevant. If you say that the service is an application, then the functionality of the application is, by definition, small and fit for purpose. The scalability of having lots of increased functionality within a service is not an issue. 

Scalability has more to do with the number of services or the full set of applications. A big company has multiple types of development going on that require SonarCloud. There are several services and applications that need to be scanned on a regular basis completely independently of each other. That's the issue. We're not hitting this threshold at the moment, so that's something we'll discover in the future as we add more to SonarCloud.

I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.

I can't say what it costs off the top of my head, but I believe the license is based on the number of users and services. Generally, it's considered inexpensive. 

The price is also based on the lines of code scanned. We use another solution instead of SonarCloud to scan third-party software. One thing is unclear. If you want to use SonarCloud for third-party software, you will reuse it for more services, but you only need to scan the latest version. 

You only need to scan once to cover all services that you're developing to minimize the cost of the scans. It doesn't make sense to redo the same scan for the third-party library version, which is used by many services. You only need to do it once.

I rate SonarCloud seven out of 10. That rating is more of an intuitive sense of the product based on many years of experience.

SonarCloud is used for application security testing. The use cases you can bring into the pull request level, you can eliminate the problem into the developer's feature branch itself. The largest use case is if developers are writing a code and if the code has any vulnerabilities or problems, you can receive the feedback at the pull request level.

The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions.

Having SonarCloud on the cloud there is no maintenance because they patch everything. It's easy to maintain, but it may be a problem with very large organizations because of some of the false-positive and you may need to be very cautious on very large enterprises. The solution is best suited for startups and mid-size companies.

It is supporting the mono and multi report and overall they're always improving. Initially, they did not support the mono report, now they started supporting the mono report approach, when is a benefit.

SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive. 

I have used SonarCloud for approximately five years.

SonarCloud is very stable, it does not go down.

Having SonarCloud in the cloud gives us a lot of scalabilities.

We have approximately 100 to 150  developers and others at the management level using this solution. Now we educate at the management level. Even they take a look and they see what gates are failing because it's a nice UI. Anybody can easily see what's going on with the solution, in terms of many aspects, such as security and reliability.

SonarCloud has community support, but not technical support. They frequently reach out to us and ask if we are happy or if we have any problems, if so, they can escalate it to the account manager. They have good support.

The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost.

My advice to others would be to work out the appropriate gate that is meaningful and if your project has many problems. You can set the bar on high, in a way the gate forms are the same and you can lower the threshold as you progress.

I rate SonarCloud an eight out of ten.

The solution is a static code analysis tool. That's basically what we use it for in our organization.

We bought the solution due to the fact that it was the lowest price. 

For what it is meant to do, it works pretty well. 

It's good for analysis.

I've been told by the developers that the solution is too limited. It's not testing enough within the containers. For instance, it only checks for obvious code errors. They should work to improve this.

At that moment we needed to scan the codes that the developers are producing, we found out that we needed more features.

I've been using the solution for six months or so now. It's been less than a year.

The former product we used was Twistlock.

I haven't had much experience with the initial setup. I can't speak to what the deployment or setup was like.

The pricing is very good.

We're currently looking into other options.

We're either looking for an integrated product for the whole CICB pipeline, such as StackRox, or we're looking at Fishman from Palo Alto. We're also looking at individual products for the whole CICB pipeline. In fact, this afternoon we are having a meeting to further discuss what tools we will use, or what can we use for dependency decks in the whole CICB pipeline, and for us to get a container image.

We're a customer and an end-user of the product. We don't have a business relationship with them. 

I'm not sure which version of the solution we're using.

I'd advise potential users to first check all the features to see if what they need is there and then check them off to ensure that SonarCloud fills all your needs.

It's a good product for its purpose.

I'd rate the solution at a seven out of ten.

We use SonarCloud tools for all our 20 repositories and we are connecting the SonarCloud, from the Bitbucket pipeline.

The reports from SonarCloud are very good.

We had some issues with the scanner.

I have been using SonarCloud for approximately three weeks.

The solution is stable.

SonarCloud is scalable.

We plan to increase our package to the enterprise edition and decrease the lines of code in the future.

We have not needed the support at this time.

We previously used Codacy. We switch to SonarCloud because of their good reputation and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.

The solution is straightforward to implement. Some of the implementations can be quick.

The installation of the framwork was a bit difficult, it could be improved.

The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.

We have purchased a license for 2 million lines of code. However, we have 10 million lines of code but it would be too costly for us to have a license for all the amount.

I would recommend SonarCloud to others.

I rate SonarCloud a nine out of ten.

We are customers of SonarCloud.

I like that the solution can be installed locally. 

I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

I've been using this solution for about three years. 

The solution is stable. 

I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

I wasn't involved in the setup but I believe it was relatively easy. 

I rate this solution nine out of 10.