We changed our name from IT Central Station: Here's why
Head of IT Security Department at a tech services company with 501-1,000 employees
Real User
Top 20
Simple implementation, effective scanning, and tracking

What is our primary use case?

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

What is most valuable?

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

What needs improvement?

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

SonarQube is a highly stable solution.

What do I think about the scalability of the solution?

I have found SonarQube to be scalable. We have 20 to 25 specialists using SonarQube in my organization. We have plans to increase the usage of the solution.

How

What is our primary use case?

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

What is most valuable?

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

What needs improvement?

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

SonarQube is a highly stable solution.

What do I think about the scalability of the solution?

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

How are customer service and support?

We search Google for solutions to any problems we may face.

How was the initial setup?

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment(CI/CD). 

What about the implementation team?

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

What's my experience with pricing, setup cost, and licensing?

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

What other advice do I have?

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Software Engineer at a tech services company with 11-50 employees
Real User
Top 20
Beneficial testing tool, helps developer become sharper, and makes software more secure
Pros and Cons
  • "The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
  • "The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."

What is our primary use case?

I use SonarQube for testing software.

What is most valuable?

The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.

What needs improvement?

The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.

In the next release, they should add the ability to analyze containers.

For how long have I used the solution?

I have been using SonarQube for approximately three years.

What do I think about the scalability of the solution?

We have mostly software developers using this solution are there are approximately 50 using it.

Which solution did I use previously and why did I switch?

I have used Snyk and it is more catered to a different audience than SolarQube.SolarQube is more for software developers.

How was the initial setup?

The installation is straightforward, especially with the new Docker implementation.

What about the implementation team?

I did the implementation of the solution myself.

What's my experience with pricing, setup cost, and licensing?

The process of purchasing the solution could improve.

What other advice do I have?

This solution is a good static test tool for developers. It helps keep the maintainability and security of software.

I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
564,599 professionals have used our research since 2012.
Security Engineer at a computer software company with 201-500 employees
Real User
Free, scalable, but documentation needs improvement

What is our primary use case?

I use this solution for our staging environment to review the security issues before going live or into production.

What needs improvement?

I have found this solution creates more noise than competitors.  The documentation and reporting extract can improve because other solutions are far more advanced.

For how long have I used the solution?

I have been using this solution for approximately two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale.  We have approximately 10 people using this solution in my organization.

Which

What is our primary use case?

I use this solution for our staging environment to review the security issues before going live or into production.

What needs improvement?

I have found this solution creates more noise than competitors. 

The documentation and reporting extract can improve because other solutions are far more advanced.

For how long have I used the solution?

I have been using this solution for approximately two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale. 

We have approximately 10 people using this solution in my organization.

Which solution did I use previously and why did I switch?

Previously I worked with Fortify and Veracode and I have found those tools provided much better because they are from a commercial solution.

What about the implementation team?

Our development team did the implementation of this solution.

What's my experience with pricing, setup cost, and licensing?

This solution is free.

What other advice do I have?

My advice to others is this solution is one of the best in the free market in the industry and it is a good one to use.

I rate SonarQube a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
RakeshPal
Senior Manager at Digichorus Technologies
Real User
Top 20
Good code review and reporting of basic vulnerabilities in your applications
Pros and Cons
  • "SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
  • "It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."

What is our primary use case?

We are using it for scanning our web applications, some internal applications and using it for code reviews.

What is most valuable?

SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions but as we don't use those we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.

What needs improvement?

It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.

For how long have I used the solution?

We have been using SonarQube for one year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

SonarQube is scalable.

How was the initial setup?

SonarQube was easy to setup.

Which other solutions did I evaluate?

We considered using Fortify.

What other advice do I have?

I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Founder at a tech services company with 11-50 employees
Real User
Top 5Leaderboard
Works fine and provides good value for money

What is our primary use case?

We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit. 

What is most valuable?

It is working fine. It provides good value for money.

What needs improvement?

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

For how long have I used the solution?

I have been using this solution for maybe two years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is definitely scalable. Currently, we have six users.

How are customer service and technical support?

We didn't contact them.

Which solution did I use previously and

What is our primary use case?

We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit. 

What is most valuable?

It is working fine. It provides good value for money.

What needs improvement?

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

For how long have I used the solution?

I have been using this solution for maybe two years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is definitely scalable. Currently, we have six users.

How are customer service and technical support?

We didn't contact them.

Which solution did I use previously and why did I switch?

This was our first one.

How was the initial setup?

Its initial setup is okay. It is not too difficult. It probably took a couple of hours.

One developer is enough for its deployment.

What's my experience with pricing, setup cost, and licensing?

We pay €10 per month for this solution, which is good. It provides good value for money.

What other advice do I have?

I would recommend this solution to others. I would rate SonarQube a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Project Manager, Senior Architect at a computer software company with 1,001-5,000 employees
Real User
Well featured, easily manageable, identifies production issues

What is our primary use case?

We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.

What is most valuable?

In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during the production. We are using the open-sourced version and issues can easily be resolved.

For how long have I used the solution?

I have been using the solution for four to five years.

What do I think about the stability of the solution?

We are using everything that is open-source and this allows us when we have the regular day to day issues, our team works on them directly to identifying their causes and they resolve them quickly.

What about the implementation team?

We have our…

What is our primary use case?

We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.

What is most valuable?

In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during the production. We are using the open-sourced version and issues can easily be resolved.

For how long have I used the solution?

I have been using the solution for four to five years.

What do I think about the stability of the solution?

We are using everything that is open-source and this allows us when we have the regular day to day issues, our team works on them directly to identifying their causes and they resolve them quickly.

What about the implementation team?

We have our internal team that is very knowledgeable, experienced, and have extreme abilities that handle our needs.

What's my experience with pricing, setup cost, and licensing?

I think comparing the product to competitors it should be less expensive.

What other advice do I have?

I would recommend SonarQube. It is a good deal compared to all other tools on the market.  It certainly helped us, it is a good tool and should be definitely used.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Consultant at Klusener Consultancy
Consultant
Top 20
Reliable inspection with a quality indication system
Pros and Cons
  • "The overall quality of the indicator is good."
  • "I am not very pleased with the technical debt computation."

What is our primary use case?

We use this solution for auditing our system.

What is most valuable?

The overall quality of the indicator is good.

What needs improvement?

I am not very pleased with the technical debt computation, it's a bit arbitrary.

The codification metrics could also be improved.

For how long have I used the solution?

I have been using the open-source version, on and off, for the past few years. 

What do I think about the scalability of the solution?

The scalability is ok, but if you want to process large portfolios, it breaks down. 

How are customer service and technical support?

The technical support is reasonable.

How was the initial setup?

The initial setup was reasonable.

What's my experience with pricing, setup cost, and licensing?

There is a licensing fee, but I don't know the exact cost because I use this solution in partnership with other companies.

Which other solutions did I evaluate?

I have experience with Parasoft and other similar tools. 

What other advice do I have?

I would absolutely recommend this solution to another company.

On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Software Engineering Manager at a computer software company with 10,001+ employees
Real User
Top 20
A stable solution for analysis and security vulnerability checking
Pros and Cons
  • "It is a very good tool for analysis and security vulnerability checking."
  • "The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."

What is our primary use case?

We use SonarQube to scan our security protection.

What is most valuable?

It is a very good tool for analysis and security vulnerability checking.

What needs improvement?

The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.

For how long have I used the solution?

I have been using this solution for a couple of weeks.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

We haven't evaluated its scalability.

How are customer service and technical support?

I just use our internal IT to get support for SonarQube. That is enough for me.

Which solution did I use previously and why did I switch?

We were previously using Coverity. We used it for three years or so.

How was the initial setup?

We just use the Enterprise SonarQube instance provided by our company.

What other advice do I have?

I would recommend this solution. I would rate SonarQube an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.