SonarQube leads automated code review, enhancing code quality and security in AI-driven SDLCs. It analyzes pull requests, providing developers with actionable feedback and AI-driven fixes before code merges. Trusted by top enterprises, it supports SaaS and self-managed deployments.
| Product | Mindshare (%) |
|---|---|
| SonarQube | 12.7% |
| Checkmarx One | 8.3% |
| Snyk | 5.0% |
| Other | 74.0% |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| Snyk | 4.1 | 5.0% | 100% | 51 interviewsAdd to research |
| Checkmarx One | 3.9 | 8.3% | 88% | 81 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 36 |
| Midsize Enterprise | 20 |
| Large Enterprise | 60 |
| Company Size | Count |
|---|---|
| Small Business | 1224 |
| Midsize Enterprise | 776 |
| Large Enterprise | 2924 |
SonarQube supports a wide range of programming languages and integrates seamlessly with CI/CD tools like Jenkins. It is renowned for its static code analysis, code coverage, and security vulnerability detection. While its open-source foundation and scalability are praised, users seek enhanced integration across multiple languages, better security features, and improved documentation. Despite challenges, its ability to automate code inspections and ensure compliance with coding standards makes it essential in software development processes, facilitating continuous improvement.
What are the most important features?In industries like finance, healthcare, and automotive, SonarQube is leveraged for static code analysis, automating code inspections, and ensuring compliance with stringent standards. Teams integrate it into their CI/CD pipelines to maintain high-quality code, identify security vulnerabilities, and enhance code maintainability.
SonarQube was previously known as Sonar, SonarQube Cloud .
Snowflake, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.
| Author info | Rating | Review Summary |
|---|---|---|
| IT Officer (Solution Architect) at World Bank | 4.0 | I rely on SonarQube for static code analysis, review, and unit test coverage, valuing its tailored metrics. Generally satisfied (9/10), I seek improved daily portfolio reporting and more AI integration, despite easy deployment and good DevOps integration. |
| Sr Software Engineering Supervisor at Mozarc Medical | 4.5 | I use SonarQube for static code analysis, valuing its rule control. While stable and scalable, I wish for better control over continuous vulnerability scanning, as new issues constantly appear. Overall, it's a valuable, FDA-approved tool. |
| Head of Software Engineering at ronaldmariah@gmail.com | 4.5 | I rely on SonarQube for static analysis, improving code quality and security, and reducing technical debt. I value its stability, scalability, and code suggestions, despite wishing for more generative AI features for code fixing. |
| Security Analyst at Dover Corporation | 4.0 | I value SonarQube Cloud's user-friendly interface and precise vulnerability reports, which save time and cost. While I recommend it, the UI could improve, and more detailed solutions for CVEs would be beneficial. |
| DevOps Lead at CODVO | 3.5 | I use SonarQube Cloud in CI/CD for vulnerability and code quality, appreciating its tracking. It needs improved automatic ticket creation for critical issues and lacks DAST/SCA, which limits its overall utility. |
| Independent Professional at Studio Dott. Ing. Angelo Quaglia | 4.5 | I appreciate SonarQube's effective Jira and IDE integrations, as we've used it for years. However, I'd like more in-depth training resources, similar to Fortify's Code Warrior integration, to help developers understand issues better. |
| Architect at sigpsc inc | 4.5 | I use SonarQube Cloud for code quality checks, finding it stable and easy to integrate into YAML pipelines. However, I need a single comprehensive solution for vulnerabilities, static scanning, and architecture, as it's expensive for small companies. |
| CEO at a computer software company with 1-10 employees | 3.5 | I use SonarQube Cloud for static code analysis, finding it easy to use, integrate, and stable. However, its vulnerability detection and capabilities are weaker than Veracode's, leading me to use both solutions. |
| Software Quality Coordinator at a retailer with 10,001+ employees | 4.0 | I use SonarCloud for code quality and security, valuing its SaaS model. While stable and scalable, reporting features are missing, and increased costs make ROI evaluation critical. I recommend it despite pricing concerns, rating it eight out of ten. |
| Senior Manager Product Engineering at GlobalLogic | 4.5 | I use SonarQube for static analysis, unit test coverage, and vulnerability detection. I appreciate its comprehensive information, easy setup, and cost-effectiveness. However, its thoroughness sometimes leads to false alarms. I rate it 9/10. |
The primary use cases of SonarQube Server (formerly SonarQube) in my system include static code analysis, code review, unit test coverage, and similar functionalities.
I use its multi-dimensional analysis for code quality inspection because the product comes with its own features and capabilities, which are sufficient for us at this point in time.
The most valuable features in SonarQube Server (formerly SonarQube) are static code analysis, code review, and unit test coverage, with heavy usage of all three.
I have used SonarQube Server (formerly SonarQube)'s centralized management and visualization of code quality metrics. This feature helps me in understanding and improving code quality trends over time because we are able to set a standard.
The ability to tailor metrics tracking with SonarQube Server (formerly SonarQube) has been beneficial to my team and stakeholders as we are able to get portfolio reports and project-wise reports, though there are areas for improvement.
SonarQube Server (formerly SonarQube) could be improved on the reporting front. Instead of grouping, I would prefer to scan the code as part of development and then generate a report on a daily basis among different units or projects, which is currently complicated. We need to change it to more of a portfolio report, where configuring or setting up things on the portfolio requires tagging at the ADO level.
I have been working with SonarQube Server (formerly SonarQube) for six or seven years. Our organization is structured with an enterprise security team which handles all primary security and other matters. From the application standpoint, we wanted to explore something within our unit. That is where we were exploring this solution, and for peer review we have been using a couple of tools during this time.
Since it is a web application, it doesn't take much time to deploy.
I haven't had much interaction with technical support because I rarely needed it. I reached out to them once or twice in the last five years, and the support was satisfactory.
Positive
I cannot provide many details on which other solutions I evaluated before choosing SonarQube Server (formerly SonarQube).
The deployment process was easy.
It is challenging to determine the return on investment because it requires substantial effort in tracking. I am satisfied overall because it's more about maintaining standards and being able to prevent issues before they occur. I am unable to extract specific data to calculate value gained because there are many moving elements, and some of the costs saved by developers are difficult to quantify.
I am still exploring new solutions while using the current one.
I have been generally satisfied with this tool, rating it 9 out of 10. With the emergence of AI, I am exploring that aspect as well.
I assess the impact of SonarQube Server (formerly SonarQube)'s integration with DevOps pipelines on my development workflow as quite good. The only area that could be improved is SonarLint for IDE integration.
Regarding additional features for the next release, I would suggest improvements in the AI area.
My usual use cases for SonarQube Server (formerly SonarQube) are for static code analysis to detect any build vulnerabilities, and we use it only for this reason.
The most valuable features of SonarQube Server (formerly SonarQube) for us include having control of the rules, enabling and disabling them. This feature was very helpful. However, I see a problem because the vulnerability assessment is continuous; if I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed. So, there should be a way for me to control when SonarQube can scan or when it should not scan.
I see a problem with SonarQube Server (formerly SonarQube) because the vulnerability assessment is continuous; if I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed. So, there should be a way for me to control when SonarQube can scan or when it should not scan.
I have been working with SonarQube Server (formerly SonarQube) in my current organization for about 2 to 3 years, and in my previous organization, overall, it has been more than 10 years.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out. Apart from that, I do not see issues with the SonarQube instance coming down, so it is reliable. I would give it a mark of 10 out of 10.
I would rate the scalability of SonarQube Server (formerly SonarQube) as a 10 because we can configure the server to scan multiple projects based on the number of lines, and it is not an issue for us to integrate many projects into SonarQube.
I would rate the technical support for SonarQube Server (formerly SonarQube) as a 10 because we have not faced any specific issues that required us to contact tech support, which is a very rare case. It was a long time back since we connected with tech support, but I do not remember the specific reason.
Before using SonarQube Server (formerly SonarQube), I was using Coverity.
I decided to switch from Coverity to SonarQube Server (formerly SonarQube) about a year back. We are making use of both because, in the medical devices space, SonarQube recently got FDA approval, which means it is now capable, and the FDA accepts the report from SonarQube. Previously, the FDA had restrictions on SonarQube and accepted reports only from Coverity, which was a certified tool. Since SonarQube obtained this certification, we are slowly switching from Coverity to SonarQube.
I would rate my experience with the initial setup of SonarQube Server (formerly SonarQube) as an 8 or 9, considering 10 as easy. It is all documented, and we get enough support even from the online community, making it easy to configure SonarQube once we receive the license.
Two people were involved in the deployment process of SonarQube Server (formerly SonarQube).
Now, I need one person for the maintenance of SonarQube Server (formerly SonarQube).
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process. It is a must for us to generate these reports.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity. Since there are not many players in this space with FDA regulation approvals, I find the pricing justifiable.
I decided to go with SonarQube Server (formerly SonarQube) because it is a good solution.
The deployment process took me about 2 or 3 hours to deploy SonarQube Server (formerly SonarQube), although I do not remember exactly since it was done about 2 years back.
Currently, about 10 of my developers are using SonarQube Server (formerly SonarQube) in my company.
I do not have plans to increase the usage of SonarQube Server (formerly SonarQube) in the future as there will not be any requirement to increase.
I am a senior software engineer and supervisor at Mozark Medical.
My corporate email address is karthik.k.a.r.t.h.i.k.h.a.r.p.a.n.h.a.l.l.i@mozarkmedical.com.
Overall, I would rate SonarQube Server (formerly SonarQube) as a 9 out of 10.
My main use cases for SonarQube Server (formerly SonarQube) are mostly focused on static code analysis. We use it at the development level to improve the quality of the code and to analyze the technical debt of the current systems.
The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective.
We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes.
The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.
I think SonarQube Server (formerly SonarQube) should improve by integrating a new feature that includes AI. As soon as I see that they've got a new feature that integrates AI that is not as generative as other GenAI platforms that actually generate the code and help developers develop faster, I believe that capability is lacking. Currently, it should also be able to analyze the code and generate and fix the code for specific developers or features that the developers are tracking.
I have been working with SonarQube Server (formerly SonarQube) for more than five years.
SonarQube Server (formerly SonarQube) is very stable. I have never experienced any crashes at all.
I find SonarQube Server (formerly SonarQube) very scalable because we're able to create a new repository and integrate all the tools on that project and it just works.
The technical support for SonarQube Server (formerly SonarQube) is great. It was only once when we wanted to extract some reports, and they showed us where we can actually get those granular level reporting extracted for Excel, which was a quick guide. I would give it a nine. The reason for giving a nine is that the developers could have informed us about other features that are outside of what we see.
Positive
We previously decided to use AppScan before SonarQube Server (formerly SonarQube). AppScan had many features that were not available that SonarQube Server (formerly SonarQube) was offering. The code suggestion was one of those features we were looking for, so we opted for SonarQube Server (formerly SonarQube) after AppScan.
The initial setup experience with SonarQube Server (formerly SonarQube) is quite straightforward. The adaptation in the current organization when we introduced SonarQube Server (formerly SonarQube) was a bit difficult for the developers, but with my experience from a developer perspective, it helped drive the adoption. I would rate it probably nine. We implemented it ourselves with a DevOps team that was handling it in our space, and there was no difficulty at all.
During these years of usage, I see that the return on investment with SonarQube Server (formerly SonarQube) is mostly implicit because there are costs. We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
The price of SonarQube Server (formerly SonarQube) is reasonable for my company, but it's actually per organizational infrastructure. We pay about 1.2 million rand in terms of South African rands per year. They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
There are no additional costs apart from the license cost. That's the whole cost of enterprise SonarQube Server (formerly SonarQube).
We definitely use SonarQube Server (formerly SonarQube) for vulnerabilities and the security aspect of it. It's very effective because we've managed to address issues such as code that was exposing passwords, so we had to restructure the code to mask security passwords.
The integration of SonarQube Server (formerly SonarQube) with DevOps pipelines on my development workflow is very good. We use both GitHub and Azure DevOps, and it integrates well with both repositories that we utilize. In my previous company, we were using GitLab, and it integrated with GitLab without any issues at all.
The main benefits from using SonarQube Server (formerly SonarQube) are improvements in handling security and vulnerabilities. In our space, there have been huge improvements. Some teams had almost 1,000 plus issues with security, but now we're sitting at around 50. That has helped us quite a bit, and also the automated code review process speeds up the process of reviewing code.
The flexibility of deploying SonarQube Server (formerly SonarQube) both in cloud and on-prem has adapted to our organization's infrastructure needs. We've never used the cloud version of it. We use on-premises because of the reporting facilities that SonarCloud didn't have.
I rate SonarQube Server (formerly SonarQube) a nine out of ten. I recommend it as it can integrate with any repository tool, making it quite easy to integrate with your code. If you want to reduce your technical debt, you should look no further than SonarQube Server (formerly SonarQube).
I find SonarQube Cloud to be very user-friendly with an easy-to-use interface. It provides detailed code smell reports and insights on hotspots, which can later represent security vulnerabilities. It gives precise reports compared to Coverity and has a slightly lower number of false positives. It is integrated easily with the CI/CD pipeline, saving time and cost. It provides information on upcoming vulnerability details and loopholes that might turn into vulnerabilities.
The UI can be improved. Additionally, in future updates, I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs. Currently, the suggestions are not very elaborate.
I have been using SonarQube Cloud for more than a year.
I rate the stability of SonarQube Cloud at eight out of ten. It is a quite stable solution.
SonarQube Cloud is a scalable product, and I rate its scalability at seven out of ten.
The customer service and support for SonarQube Cloud are responsive and helpful. It ensures accurate reporting and is beneficial in terms of triggering daily scans without manual oversight.
Positive
After implementing SonarQube Cloud, I have observed cost savings and time savings. It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
I have evaluated Coverity.
I rate the overall solution eight out of ten.
I am exploring leveraging AI to enhance code analysis with SonarQube Cloud. I recommend SonarQube Cloud to other users as it is seamless and provides precise results. It shows upcoming vulnerability details and loopholes which can turn into vulnerabilities or configuration risks.
Once integrated with the pipeline for the organization, we would be able to fetch vulnerabilities and code smells. We can have quality gates installed in the pipeline so that the pipeline should only be moved and processed further if the quality gates are passed.
This product is used with the deployment cycles. We have multiple CI/CD pipelines.
When we push our code to the repo, while in continuous integration, it will run a few tests. Based on the vulnerability data set it has, it has multiple tests. We can also have multiple unit tests along with this for code coverage. It has multiple offerings, not only the quality check and the vulnerability check. It also has code coverage, indicating how much code is covered by all the unit tests, integration tests, and those sorts of things. It has a complete database by itself and depending on that, it needs to be regularly updated so that we can track the vulnerabilities in the code. If it is not connected to the data source, for example, it has 10 versions, so if we are using a very old version, it would not be able to track the vulnerabilities which have the latest release.
We can track the vulnerabilities if our code is updated. If we are using the cloud version, then it is automatically upgraded because it is a paid version. We can track the vulnerabilities, where the vulnerability is, and at which code line we need to improve our code. We can have all the tracks only after we push our code to the repo.
SonarQube Cloud (formerly SonarCloud) has two offerings: cloud and server. We can use either of these. One is a paid version, and another one is a free version.
I have used the SonarQube Cloud (formerly SonarCloud)'s code analysis feature.
Sometimes, there are tracking issues. It has its own graphical GUI where we can track everything.
Since most of our projects are open source, there are multiple features which can be improved. For example, while creating a PR, the automatic runs from SonarQube Cloud (formerly SonarCloud) should also be run, but this is a feature which was in the previous version, but not with this version. You need to spend some money to buy that feature.
SonarQube Cloud (formerly SonarCloud) is one of the first of its kind which supports all these functionalities. I do not have any perception of documentation or support because once it is integrated with the pipeline, most of the task is done. The people who are developers need automatic bug creation and everything is done. This feature can be improved where, once it tracks the criticals and highs, it should create automatic tickets and assign them to the user who has pushed the code.
I have used the SonarQube Cloud (formerly SonarCloud)'s code analysis feature.
We use other products because SonarQube Cloud (formerly SonarCloud) only offers SAST. It doesn't cover DAST, SCA, or those sorts of testing. Also, performance-based testing is not covered.
SonarQube Cloud (formerly SonarCloud) doesn't offer notifications, but we have some features in the pipeline which send notifications to the team leads or the assigned users to review the code.
SonarQube Cloud (formerly SonarCloud) is one of the first of its kind which supports all these functionalities. I do not have any perception of documentation or support because once it is integrated with the pipeline, most of the task is done. The people who are developers need automatic bug creation and everything is done. This feature can be improved where, once it tracks the criticals and highs, it should create automatic tickets and assign them to the user who has pushed the code.
On a scale of one to ten, I would give SonarQube Cloud (formerly SonarCloud) a rating of six.
We still use SonarQube, Nexus Lifecycle or Sonatype Lifecycle, and Fortify. We are still using the same tools. There should be about four or five tools in total.
The integration with Atlassian Jira is very useful and it works very well. The plugins to connect to the instance from your IDE such as IntelliJ work very well.
It's very effective for that.
The support is managed by another department, so I don't deal with that. However, there could be an improvement in providing additional training resources. SonarQube is very good at explaining everything, but we have another tool called Fortify where our division of IT managed to put a link to a Code Warrior site where our developers can learn about a specific type of issue, understand it fully, and learn. This I'm not seeing in our instance of SonarQube.
It's actually training for the developers. If there is a specific issue, such as cross-site request forgery, SonarQube is very clear in explaining what the issue is and how to fix it. However, there is another website called Code Warrior that really takes you through the entire journey, so you can truly understand what the issue is along with some actual coding examples. It's very effective. In the Fortify dashboard, we can actually click on a link that will open Code Warrior in the correct context. I think it would be a nice improvement for SonarQube as well.
We have been using this for years.
Positive
I find SonarQube Cloud very easy to use and simple to integrate initially. Our development teams find it very easy to integrate into their workflow. New team members immediately know how to use it.
SonarQube Cloud could improve its vulnerability detection compared to Veracode. Additionally, it has fewer capabilities, which prompted us to use Veracode.
We have been using SonarQube Cloud for about two to three years.
I find SonarQube Cloud to be relatively stable. From my team's feedback, it is almost an eight out of ten.
I am uncertain about SonarQube Cloud's scalability. There are limitations, and it seems to have fewer capabilities than Veracode, which is why we also use Veracode.
I did not have much interaction with customer support. When I did contact them, the experience was very good, however, I didn't have any technical questions.
Neutral
I am mainly focusing on Veracode, and we also use SonarQube Cloud. In contrast, I find Veracode to be more complex. Veracode is considered to have better detection capabilities than SonarQube Cloud.
SonarQube Cloud was much easier to install compared to Veracode. One person is enough to handle the installation.
I have not done any ROI calculations on SonarQube Cloud.
From what I understand, SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.
I rate SonarQube Cloud as a whole solution about seven out of ten.
We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied.
SonarCloud aids us in checking major issues in legacy systems and helps prioritize solutions based on this data.
The SaaS solution for checking code without execution and dealing with security issues is valuable. It fulfills our needs.
Reporting features are missing in SonarCloud. We do not have a way to consolidate data within the tool, requiring us to extract data and use Power BI for reports.
I have used SonarCloud for the past three years.
SonarCloud has been stable except for an instance last month where it was unavailable for about four to six hours. Other than that, I am unaware of any unavailability issues.
It's very scalable with no issues. We can add as many projects as we want. The only restriction is the number of lines scanned, which affects billing. On a scale of one to ten, I rate scalability at eight out of ten.
I have not used their technical support or dealt directly with their customer service.
Neutral
The initial setup was done by a previous team around three or four DevOps engineers. The transition took approximately one to two months.
Another team conducted the initial setup with about three or four DevOps engineers.
It's really hard to measure ROI. Previously, the low cost ensured it wasn't a concern, but now, with increasing costs, the need to measure ROI more accurately is arising.
Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost.
We are evaluating Veracode as a possible replacement. I also checked resources like Forest Work and Gartner for other potential tools.
I would recommend SonarCloud to other development teams. While the cost might be a concern, it is a good tool and maintains an updated list of security issues. It is sufficient for most projects.
I'd rate the solution eight out of ten.
My company is a product engineering company, and we work for different clients. The majority of the projects use SonarQube, and some projects use Checkmarx. SonarQube is primarily used for static code analysis and checking the overall unit test coverage and vulnerabilities.
SonarQube's unit test coverage and exhaustive information at the module, project, and overall code repo levels are quite good.
One of the disadvantages of SonarQube is that it is quite comprehensive, which is both good and bad. Depending on the tool's configuration, sometimes you get false alarms that are unimportant to you.
We also work with Checkmarx.
My experience with the solution’s initial setup was quite good. The solution's deployment doesn't take much time. It can be done in a few hours or so.
The solution's shiftless approach allows you to pay attention during the unit testing phase rather than relying on your external testing, manual test cases, or automated test cases. You think about the use cases or test cases for the test-driven development (TDD) approach and then realize that you don't have that code written for those test cases.
You write the code and keep on complementing. Once the build is handed over to QA, SonarQube helps find most bugs during testing. Suppose on a BDD (business-driven development) level, I am a product manager who wants some functionality on my login page.
After I write those use cases in simple language, SonarQube can find out whether the corresponding unit test cases are in my codebase. This is a feature enhancement I would be interested in seeing by employing a fusion of AI and traditional ways of scanning.
SonarQube is a cost-effective solution.
SonarQube provides valuable information regarding vulnerability detection, but it depends on your configuration.
Overall, I rate the solution a nine out of ten.
