Anshuman Kishore
Director Product Development at Mycom Osi
Real User
Top 20
Reasonably priced, provides good code coverage and improves quality
Pros and Cons
  • "The code coverage feature is very good."
  • "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."

What is our primary use case?

We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.

What is most valuable?

The code coverage feature is very good.

What needs improvement?

When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.

SonarQube needs some improvement in its ability to find security-related issues.

For how long have I used the solution?

I have been using SonarQube for the past seven or eight years.

What do I think about the stability of the solution?

We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.

What do I think about the scalability of the solution?

We have not found any issues with respect to scalability.

How are customer service and technical support?

I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.

Which solution did I use previously and why did I switch?

I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does.

How was the initial setup?

I was not involved in the initial setup. However, I do know that it can be set up within one or two days.

What about the implementation team?

We have an in-house team for deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

I am satisfied with the pricing.

What other advice do I have?

In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
Real User
Frees up time to focus on daily tasks, meet delivery requirements and deliver more reliable code
Pros and Cons
  • "SonarQube is a fantastic tool which saves us precious time."
  • "We did have some trouble with the LDAP integration for the console."

What is our primary use case?

We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.

What is most valuable?

SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

What needs improvement?

I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development.

This said, we did have some trouble with the LDAP integration for the console.

For how long have I used the solution?

As our company is not primarily IT-related, we are latecomers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago.

What about the implementation team?

I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products.

She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.

What other advice do I have?

I am a customer of SonarQube.

At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.

When we deploy on-cloud, we normally use Amazon Web Services.

I rate SonarQube as a ten out of ten, easily. I think it's fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
Real User
Effective security scanning, uncomplicated installation, and reliable
Pros and Cons
  • "The fact that the solution does security scanning is valuable."
  • "Having performance regression would be a helpful add-on or ability to be able to do during the scan."

What is our primary use case?

We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.

What is most valuable?

The fact that the solution does security scanning is valuable. This is primarily why we use it. For code quality, we could utilize other tools, such as unit test coverage, which it gives you too, but having a more comprehensive tool is useful.

What needs improvement?

Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for, including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add-on or ability to be able to do during the scan.

In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.

For how long have I used the solution?

I have been using the solution for approximately one year.

What do I think about the stability of the solution?

I have not run into any bugs or glitches. However, I have only been using it for a short time.

What do I think about the scalability of the solution?

The pipeline that I am currently building is being used by the platforms team, which is approximately three people. We use the solution as part of the automated code review process. As far as a larger perspective of who is actually benefiting from it, the development team is about 35 people.

How are customer service and technical support?

I have not needed to use technical support.

How was the initial setup?

The setup was very easy.

What other advice do I have?

I would recommend to those wanting to implement this solution to read the documentation, as it is clear and easy to follow.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Security Engineer at a financial services firm with 10,001+ employees
Real User
Useful depth features, stable, but more programming languages needed
Pros and Cons
  • "The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
  • "If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."

What is our primary use case?

We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.

What is most valuable?

The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.

What needs improvement?

I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.

If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.

In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.

For how long have I used the solution?

I have been using SonarQube for approximately four years.

What do I think about the stability of the solution?

We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for the code quality scanning. I have not had any problems using the solution, it has been stable.

What do I think about the scalability of the solution?

We have approximately 15,000 engineers in my company and many of them are using this solution.

Which other solutions did I evaluate?

I have evaluated Fortify.

What other advice do I have?

I rate SonarQube a six out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, Software Development Engineering at a computer software company with 51-200 employees
Real User
Does well in scanning and vulnerability; lacking in some specific SAST capabilities
Pros and Cons
  • "Provides local scanning for developers."
  • "Dynamic scanning is missing and there are some issues with security scanning."

What is our primary use case?

I'm a software development engineer and we are customers of SonarQube.

What is most valuable?

SonarQube does SAST and SCAs pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.

What needs improvement?

SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.

For how long have I used the solution?

I've been using this solution for three years.

What do I think about the stability of the solution?

The solution is quite stable.

How are customer service and technical support?

We don't have contact with technical support; any issues are solved by our operations team.

How was the initial setup?

The initial setup wasn't too complicated. We have a number of teams of developers and around 150 users together with an operations team who maintain the infrastructure. From a user perspective, we scan at least once a day.

Which other solutions did I evaluate?

I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx.

What other advice do I have?

I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there.

I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director IT Security, CISO at a transportation company with 10,001+ employees
Real User
Top 20
Cost-effective with good out-of-the-box features
Pros and Cons
  • "I like the by-default policies that are there, as they seem to cover most of what I need."
  • "The interface could be a little better and should be enhanced."

What is our primary use case?

I have used SonarQube for static code analysis. I am using it to assess my internal applications.

What is most valuable?

I like the by-default policies that are there, as they seem to cover most of what I need. I see that as an essential feature.

What needs improvement?

The interface could be a little better and should be enhanced.

More support for integration with third-party products would be an improvement.

For how long have I used the solution?

I have been using SonarQube for more than five years.

What do I think about the stability of the solution?

I have not faced any bugs or glitches in SonarQube.

How are customer service and technical support?

I have not been in contact with technical support, although my teams would have definitely reached out.

How was the initial setup?

I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid setup because every environment has its own applications to deploy. That said, it was not so critical that we were not able to manage it.

What about the implementation team?

We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.

What's my experience with pricing, setup cost, and licensing?

SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.

Which other solutions did I evaluate?

You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.

When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.

What other advice do I have?

This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.

In the future, I may look into deploying SonarQube in a hybrid model.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
  • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
  • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

What is our primary use case?

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

How has it helped my organization?

Our developers are learning how to improve their code.

What is most valuable?

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

What needs improvement?

The Enterprise edition has the additional features we need, but of course we have to pay for that.

For how long have I used the solution?

I have been using SonarQube for approximately three months.

What do I think about the stability of the solution?

SonarQube is a reliable solution.

What do I think about the scalability of the solution?

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

How are customer service and support?

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

What about the implementation team?

We have a different group that is managing the SonarQube installation and setup.

What's my experience with pricing, setup cost, and licensing?

SonarQube Enterprise, I am not sure of the price but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

Which other solutions did I evaluate?

No.

What other advice do I have?

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevSecOps Lead at a tech services company with 11-50 employees
MSP
Top 20
Detects problems before source code is even compiled, but improvements are needed to reduce the false positives
Pros and Cons
  • "Before you even compile, it can catch known vulnerability issues or patterns."
  • "Our developers have complained about the Quality Gates and the number of false positives that this product reports."

What is our primary use case?

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as that the correct classes are private.

How has it helped my organization?

The developers are rejecting the idea that this product is useful.

What is most valuable?

Before you even compile, it can catch known vulnerability issues or patterns.

What needs improvement?

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

For how long have I used the solution?

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

What do I think about the stability of the solution?

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

What do I think about the scalability of the solution?

We have not tried to scale yet.

How was the initial setup?

The initial setup involved downloading the open-source code and installing it in a container.

What about the implementation team?

I was responsible for setting up this tool in our company.

What's my experience with pricing, setup cost, and licensing?

We are using the open-source version, which is available free of cost.

Which other solutions did I evaluate?

We evaluated other open-source products and found that SonarQube was the best one of the set.

What other advice do I have?

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.