We changed our name from IT Central Station: Here's why
Head Innovation Hub at a tech services company with 201-500 employees
Real User
Helps in improving the coding style and allows us to customize the rules
Pros and Cons
  • "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
  • "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."

What is our primary use case?

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. 

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

What is most valuable?

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. 

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

What needs improvement?

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

For how long have I used the solution?

I have been using this solution for four years. 

What do I think about the stability of the solution?

It looks stable. So far, we haven't found any issues.

How are customer service and technical support?

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

How was the initial setup?

It is straightforward. It takes very little time as compared to the other solutions.

What's my experience with pricing, setup cost, and licensing?

It is very expensive. Its price should be improved.

What other advice do I have?

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Sirish Reddy
Technology Manager at Publicis Sapient
Real User
Top 20
Supports multiple program languages, highly scalable, and has open-source version
Pros and Cons
  • "The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
  • "There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."

What is our primary use case?

We are using the solution for code quality and security.

What is most valuable?

The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language. The quality profile rules that it provides based on the architect are set across the board, this provides continuity. Being able to fix all the application vulnerabilities before it reaches production is a huge benefit.

What needs improvement?

There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.

For how long have I used the solution?

I have been using the solution for approximately eight years.

What do I think about the scalability of the solution?

The scalability depends on the use case. You cannot install it with minimal resources and expect it to run thousands of jobs. It is scalable based on your environment. How big is your project? How many APIs do you want to scan? How many APIs per minute, etc. Based on that information you need to first decide upfront how much memory or how much storage you want to give to it. You need to have clear data with you and then use the resources to design accordingly. I think it is highly scalable and can operate seamlessly if you give it the environment that is sufficient. You cannot expect magic from it.

We have some projects that have 150 users with ten teams using the solution.

How are customer service and technical support?

We had to contact technical support back several years ago because we had an issue with one of the new SQL plugins which ended up being resolved. The support is not required anymore because they have very good documentation that meets our needs.

How was the initial setup?

The initial setup is straightforward.

What's my experience with pricing, setup cost, and licensing?

I do not know the price of the solution since I have not been involved in purchasing licenses. However, this solution requires a license and we have enterprise-level licenses for our organization and for our client.

The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do. The enterprise-level has only a few more options, such as better reporting and generating PDFs. If you have a small-scale project or if you do not have a high budget, I think open-source will do wonders.

What other advice do I have?

For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need.

I rate SonarQube a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
564,997 professionals have used our research since 2012.
Web Developer at a tech services company with 51-200 employees
Real User
Top 20
Secures our code against threats and bugs, but needs better pipeline integration
Pros and Cons
  • "Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
  • "From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."

What is our primary use case?

We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.

Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.

How has it helped my organization?

SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.

What is most valuable?

Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.

What needs improvement?

From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.

This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.

Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.

For how long have I used the solution?

I have been using SonarQube for about two years now.

What do I think about the stability of the solution?

I have not run into major issues or bugs and it works well when it comes to stability.

What do I think about the scalability of the solution?

I don't think we have had any problem with traffic or things like that. 

How are customer service and technical support?

I don't have experience with SonarQube support because we do it all ourselves. 

Which solution did I use previously and why did I switch?

I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.

How was the initial setup?

It's quite easy to set up, not too complex.

What's my experience with pricing, setup cost, and licensing?

The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.

What other advice do I have?

Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. 

I would rate SonarQube a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mohanraj Vellingiri
Tools manager at a retailer with 10,001+ employees
Real User
It supports 29 languages
Pros and Cons
  • "SonarQube is one of the more popular solutions because it supports 29 languages."
  • "I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."

What is our primary use case?

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

What is most valuable?

SonarQube is one of the more popular solutions because it supports 29 languages.

What needs improvement?

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

For how long have I used the solution?

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

How was the initial setup?

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

What's my experience with pricing, setup cost, and licensing?

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

Which other solutions did I evaluate?

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

What other advice do I have?

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
David Alaga
Sr DevOps Engineer at incatech
Real User
Top 5Leaderboard
Open-source with great extensions and great for identifying bugs
Pros and Cons
  • "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
  • "You may need to purchase add-ons to get the useability you desire."

What is our primary use case?

We use the product in our pipeline. We primarily use it for development testing tool.

How has it helped my organization?

We can see what's being flagged by whatever requirements in the environment that we're going to. SonarCube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions that can tighten down the developer's coding.

What is most valuable?

It's convenient due to the fact that it's open-source. 

We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool. 

Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for, However, that add-on has additional functionality that the base software may not necessarily have in its core.

For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.

What needs improvement?

The solution is still maturing a bit.

You may need to purchase add-ons to get the useability you desire.

For how long have I used the solution?

We've been using the solution for about two years at this point.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source. It's free to use. 

What other advice do I have?

Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.

I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Jayashree Acharyya
Executive Manager at PepsiCo
Real User
Top 5Leaderboard
Scalable, good technical support, but multiple application project option needed
Pros and Cons
  • "We have worked with the support from SonarQube and we have had good experiences."
  • "We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."

What is our primary use case?

SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.

How has it helped my organization?

The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.

What needs improvement?

We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.

What we are seeing is for some of the Javascript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.

In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the scalability of the solution?

The solution is scalable. 

We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.

There are a lot of people using this solution in my organization because they are able to scan directly from their IDs.

How are customer service and technical support?

We have worked with the support from SonarQube and we have had good experiences.

How was the initial setup?

The initial setup was simple. When we did the upgrade and it took our team approximately two hours.

What about the implementation team?

Our internal team did the implementation of the solution.

What's my experience with pricing, setup cost, and licensing?

We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.

What other advice do I have?

SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.

The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.

I rate SonarQube a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
Top 20
IDE plugins are easy to use and integrate
Pros and Cons
  • "Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
  • "SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."

What is our primary use case?

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

What is most valuable?

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

What needs improvement?

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

For how long have I used the solution?

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

What do I think about the stability of the solution?

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

What do I think about the scalability of the solution?

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

Which solution did I use previously and why did I switch?

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

How was the initial setup?

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

What about the implementation team?

We implemented this solution through an in-house team. 

What's my experience with pricing, setup cost, and licensing?

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

What other advice do I have?

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Ahmed Elkholy
Test Expert at Saudi Telecom Company
Real User
Prevents vulnerabilities, supports most languages and built-in procedures
Pros and Cons
  • "I like that it covers most programming languages for source code review."
  • "The BPM language is important and should be considered in SonarQube."

How has it helped my organization?

It prevents some vulnerabilities in the production environment.

What is most valuable?

I like that it covers most programming languages for source code review.

I also like the procedures that are already built-in that cover most of the items that already exist.

What needs improvement?

SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.

The BPM language is important and should be considered in SonarQube.

It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.

Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.

There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.

I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.

For how long have I used the solution?

We have been dealing with SonarQube for more than one year.

What do I think about the stability of the solution?

It is stable in the system environment processes.

What do I think about the scalability of the solution?

We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.

How are customer service and technical support?

We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.

Which solution did I use previously and why did I switch?

We only use SonarQube with SonarScanner.

How was the initial setup?

The initial setup is simple and straightforward.

What about the implementation team?

I am a consultant and my team completed the system server.

What's my experience with pricing, setup cost, and licensing?

I requested this license for one million lines of code and they accepted this.

I don't know what was already paid.

Which other solutions did I evaluate?

We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well. 

What other advice do I have?

We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.