We use it to check the code quality of our software.
Software Developer at BKWI
Allows for real-time feedback on code quality and highly stable solution
Pros and Cons
- "We've configured it to run on each commit, providing feedback on our software quality."
- "During the setup process, we only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit."
What is our primary use case?
What is most valuable?
We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.
What needs improvement?
We would appreciate having PNC checking, though that's only available in a more expensive license type.
There is also room for improvement in the installation process.
For how long have I used the solution?
I have been using this solution for a couple of years.
Buyer's Guide
SonarQube
November 2023

Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
744,865 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a stable solution. So, no issues with stability.
What do I think about the scalability of the solution?
We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.
We have around 13 developers using this solution.
Which solution did I use previously and why did I switch?
How was the initial setup?
Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit.
However, maintenance is actually quite easy. It requires a couple of people.
Which other solutions did I evaluate?
We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.
What other advice do I have?
I would definitely recommend using the solution.
Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 29, 2023
Application Security Architect at Banco Votorantim
An affordable and stable solution that has a variety of features that enable users to improve their products
Pros and Cons
- "There are many options and examples available in the tool that help us fix the issues it shows us."
- "The product must improve security analysis."
What is our primary use case?
I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.
How has it helped my organization?
We see the security issues in our solutions with the help of the product. It helps us improve the solutions.
What is most valuable?
There are many options and examples available in the tool that help us fix the issues it shows us.
What needs improvement?
The product must improve security analysis. It must introduce software composition analysis in future releases.
For how long have I used the solution?
I have been using the solution for three years or more. I am using the latest version of the solution.
What do I think about the stability of the solution?
I rate the tool’s stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the tool’s scalability a seven out of ten.
How was the initial setup?
The solution is deployed on the cloud.
What was our ROI?
We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality issues.
What's my experience with pricing, setup cost, and licensing?
The product’s price is lower than Veracode’s price.
Which other solutions did I evaluate?
Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.
What other advice do I have?
There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 25, 2023
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Code quality assurance solution that supports many coding languages
Pros and Cons
- "This solution has helped with the integration and building of our CI/CD pipeline."
- "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
What is our primary use case?
We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.
How has it helped my organization?
This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript, and HTML/CSS. It also allows us to set custom quality gates and rules.
What needs improvement?
This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This solution could be scalable, specifically from a reporting perspective.
How are customer service and support?
I would rate the customer support for this solution a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously used Checkmarx, Blackbelt and WhiteSource.
What was our ROI?
We have experienced a good return on investment using this solution.
What other advice do I have?
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of IT Security Department at a tech services company with 501-1,000 employees
Simple implementation, effective scanning, and tracking
Pros and Cons
- "SonarQube is useful for controlling all of our Azure task tracking and scanning."
- "SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
What is our primary use case?
We are using SonarQube for static analyzing and finding vulnerabilities in our code.
What is most valuable?
Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.
What needs improvement?
SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
SonarQube is a highly stable solution.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
We have 20 to 25 specialists using SonarQube in my organization.
We have plans to increase the usage of the solution.
How are customer service and support?
We search Google for solutions to any problems we may face.
How was the initial setup?
The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment (CI/CD).
What about the implementation team?
We did the implementation of the solution ourselves.
We have assigned one DevOps engineer to each project, and each of them deploys SonarQube in their project; we have about 20 projects in total.
What's my experience with pricing, setup cost, and licensing?
The free version of SonarQube does everything that we need it to.
Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.
What other advice do I have?
I highly recommend this solution to others.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Information Manager at a tech services company with 10,001+ employees
Reliable with a nice web interface but needs better reporting
Pros and Cons
- "The solution offers a very good community edition."
- "There isn't a very good enterprise report."
What is most valuable?
We find it very similar to Fortify, and it has the same advantages.
The web interface is very good.
We have found the solution to be stable.
The solution offers a very good community edition.
What needs improvement?
There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.
For how long have I used the solution?
I've used the solution for three years. I've used it for a while now.
What do I think about the stability of the solution?
In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze.
How are customer service and support?
I've never used technical support. I can't talk about how helpful they are, as I've never spoken with them personally.
If I do need to troubleshoot, I tend to rely on the community and search for answers there.
Which solution did I use previously and why did I switch?
We've also used Fortify.
How was the initial setup?
I didn't participate in the installation process. I can't speak to how easy or difficult the process was.
What's my experience with pricing, setup cost, and licensing?
I use the community version of the product.
What other advice do I have?
We are a customer and an end-user.
I'd rate the solution at a seven out of ten. It's mostly reliable.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Manager | Senior Software Developer at RedShift II - Solutions
Coding quality assurance tool that comes with good DevOps implementation
Pros and Cons
- "This solution has the capability to analyze source code in almost all the languages in the market."
- "This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
What is our primary use case?
This solution has the capability to analyze source code in almost all the languages in the market.
What needs improvement?
This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.
For how long have I used the solution?
I have used this solution for ten years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This is a scalable solution. We have been using it for all of our critical projects.
What was our ROI?
I have never made the calculations to understand the real value of this solution, but I know that the return on investment is very good. If not, we wouldn't have continued to use it for the past 10 years.
What's my experience with pricing, setup cost, and licensing?
As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool.
What other advice do I have?
This solution has evolved a lot in the last ten years.
It comes with good DevOps implementation and security, which is a big problem today.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Product Manager at a financial services firm with 10,001+ employees
Less false positive scans, covers entire developer community, but support could improve
Pros and Cons
- "When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community, which includes Salesforce or the regular Java.net project. It has actually satisfied all the needs for static code analysis in one tool."
- "SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
What is our primary use case?
SonarQube delivers a continuous inspection of code quality.
What is most valuable?
When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community, which includes Salesforce or the regular Java.net project. It has actually satisfied all the needs for static code analysis in one tool.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
The stability of SonarQube is good.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
How are customer service and support?
SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.
How was the initial setup?
SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.
What other advice do I have?
I rate SonarQube a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
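Two of the reviewers above touch the same mechanism from different sides: the Lead Security Architect says a build is not complete without the scan and that custom quality gates are set, and the Senior Product Manager points to SonarQube's Web APIs for integrations. The script below is an added example of how a pipeline step consumes the gate verdict through `api/qualitygates/project_status`; it is not either reviewer's code and not SonarQube's own. It assumes a server base URL and a user token with Browse rights on the project (SonarQube accepts a token as the basic-auth username with an empty password); the response embedded at the bottom is constructed in the shape that endpoint returns, so the gate logic can be exercised offline.

```python
"""Fail a CI build when the SonarQube quality gate is not green.
Added example: not the reviewers' code and not SonarQube's own. Assumes a
base URL and a user token (sent as basic-auth username, empty password).
SAMPLE_STATUS is a constructed response in the shape of
GET api/qualitygates/project_status."""

import base64
import json
import sys
import urllib.parse
import urllib.request


def fetch_project_status(base_url, token, project_key, branch=None, timeout=30):
    """GET api/qualitygates/project_status for one project (and optional branch)."""
    params = {"projectKey": project_key}
    if branch:
        params["branch"] = branch
    url = (f"{base_url.rstrip('/')}/api/qualitygates/project_status?"
           + urllib.parse.urlencode(params))
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def failed_conditions(status):
    """Return [(metricKey, actualValue, comparator, errorThreshold)] for every
    gate condition the server evaluated to ERROR.

    Conditions reported OK are fine; NO_VALUE means the metric was not
    computed (e.g. no new code in the period) and is not treated as failure."""
    out = []
    for cond in status["projectStatus"].get("conditions", []):
        if cond.get("status") == "ERROR":
            out.append((cond["metricKey"], cond.get("actualValue"),
                        cond["comparator"], cond["errorThreshold"]))
    return out


def gate_passed(status):
    """True only when the server's overall gate verdict is OK (not ERROR/NONE)."""
    return status["projectStatus"].get("status") == "OK"


# Constructed sample: new code misses the coverage bar and has too much
# duplication, so the overall gate is ERROR on two conditions.
SAMPLE_STATUS = json.loads("""
{"projectStatus": {"status": "ERROR",
  "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "65.2"},
    {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_duplicated_lines_density",
     "comparator": "GT", "errorThreshold": "3", "actualValue": "7.4"},
    {"status": "NO_VALUE", "metricKey": "new_reliability_rating",
     "comparator": "GT", "errorThreshold": "1"}
  ]}}
""")


def main(argv):
    """Usage: gate.py BASE_URL TOKEN PROJECT_KEY [BRANCH]; with no arguments the
    constructed sample is evaluated. Returns the process exit code."""
    if len(argv) >= 4:
        status = fetch_project_status(argv[1], argv[2], argv[3], *argv[4:5])
    else:
        status = SAMPLE_STATUS
    for metric, actual, comparator, threshold in failed_conditions(status):
        print(f"FAIL {metric}: actual {actual}, error when {comparator} {threshold}")
    return 0 if gate_passed(status) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One caveat a pipeline author needs: analysis is asynchronous, so this endpoint can still return the previous verdict right after the scanner exits. Read the `ceTaskId` the scanner writes to `.scannerwork/report-task.txt`, poll `api/ce/task?id=...` until its status is SUCCESS (or fail the build on FAILED/CANCELED), and only then query `project_status`. The Jenkins plugin's `waitForQualityGate` step does this waiting for you; this script is the equivalent for a runner without that plugin.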
Retail Sales Manager at Pine Labs
An affordable and scalable solution with excellent features
Pros and Cons
- "All the features of the solution are quite good."
- "New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
What is our primary use case?
I use the solution for static code analysis and to identify vulnerabilities and code smells.
What is most valuable?
All the features of the solution are quite good.
What needs improvement?
New plug-ins should be integrated into SonarCloud to give more flexibility to the product.
For how long have I used the solution?
I have been using the solution for the last couple of years.
What do I think about the stability of the solution?
I rate the stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the product’s scalability as an eight out of ten. Currently, not many teams are using the product. We are trying to increase the number of users.
How was the initial setup?
The first time, the initial setup was complicated. It got easier once we got used to it.
What about the implementation team?
The deployment took around one to two hours.
What's my experience with pricing, setup cost, and licensing?
The solution is cheaper than other products.
What other advice do I have?
We have not been able to use the product extensively. I would recommend the solution to others. It'll really help the developers to increase their development speed. Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: May 15, 2023