SonarQube Valuable Features
One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should stay in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code.
Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.
Team Lead at a computer software company with 10,001+ employees
The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.
We are always using SonarQube. But currently, we are trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages, and there are a lot of limitations in the resources for traditional support, which is not available for free-license users of Sonar.
Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and work with some other commercial tools. But as a whole, Sonar will do what we need it to.
Staff DevOps Specialist at a computer software company with 201-500 employees
My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.
The product has a friendly UI that is easy to use and understand. In particular, the admin control panel is very good, and it's not really difficult to get through the settings.
With minimal coding experience, we can build many rules that apply for each programming language, for example CSS and Java. You can easily set up rules. We are luckily able to do this with the community version.
With other community versions, you are not always allowed to customize the profile, for example. With the SonarQube Community Edition, it's permitted.
Project Manager at a manufacturing company with 1,001-5,000 employees
I like almost all of the features. We were initially using all these techniques by using different tools.
The vulnerabilities and the code quality parameters are really important for us.
The initial setup is easy.
There's plenty of documentation available to users.
The solution is stable.
The scalability is good.
In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.
DevOps Engineer at a financial services firm with 10,001+ employees
The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.
It also gives you a very good highlight of what's changed, and what has to be changed in the future.
Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.
Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.
Engineer at a pharma/biotech company with 201-500 employees
The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.
When it comes to security, this solution is pretty great.
The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.
The solution is quite stable.
You can scale the solution if you need to.
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Security consultant at a tech services company with 1,001-5,000 employees
It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely.
SonarQube has a Community Edition, which is open source and free. There are also three proprietary or paid versions: Enterprise Edition, Data Center Edition, and Developer Edition.
By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities.
The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported.
Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.
There is a large support system in the community. When we have issues we can get answers quickly and easily.
It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.
It's very flexible.
I am from the application development team and for me, it is very good because it offers a lot of features in terms of code review, quality check, and more.
The product itself has a friendly UI. It's easy to use, and we understand how to manage the admin control panel; it's really quick. It's really easy to perform admin jobs using the control panel.
The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.
Technical Architect at an insurance company with 1,001-5,000 employees
I like that it helps us maintain our work quality and code security.
Head Innovation Hub at a tech services company with 201-500 employees
It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules.
I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.
Web Developer at a tech services company with 51-200 employees
Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
SonarQube is one of the more popular solutions because it supports 29 languages.
It's convenient due to the fact that it's open-source.
We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently, as we can identify things in the code prior to it being pushed to where it needs to go. It's a great little loop: you see it, fix it, take it back, versus putting something into an environment and then everything is broken. It's a good development test tool.
Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors, or it can do a lot of things. Just like Google Chrome, where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core.
For example, Fortify has some kind of special capability that they have for checking, and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify; however, it's in this product at a very modular level.
Development Team Lead at a financial services firm with 1,001-5,000 employees
I like that it covers most programming languages for source code review.
I also like the procedures that are already built-in that cover most of the items that already exist.
The code coverage feature is very good.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual, and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis on their computers. This affords delivery of much more reliable code, something which allows us to focus our work on operations with more added value.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
The fact that the solution does security scanning is valuable. This is primarily why we use it. For code quality, we could utilize other tools, such as unit test coverage, which it gives you too, but having a more comprehensive tool is useful.
Senior Security Engineer at a financial services firm with 10,001+ employees
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
Manager, Software Development Engineering at a computer software company with 51-200 employees
SonarQube does SAST and SCA pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.
Director IT Security, CISO at a transportation company with 10,001+ employees
I like the default policies that are there, as they seem to cover most of what I need. I see that as an essential feature.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.
DevSecOps Lead at a tech services company with 11-50 employees
Before you even compile, it can catch known vulnerability issues or patterns.
The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.
It has very good scalability and stability.
The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers.
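Several reviewers above describe gating promotion on SonarQube's verdict: the 85% Quality Gate in the first review, the "quality gate controls" that keep code with severe bugs or vulnerabilities out of production, and the software quality gate in the review just above. The script below is an added example, not code from SonarQube or from any of the reviewers, of how a CI job enforces that after the scanner step: it reads the report-task.txt the SonarScanner leaves behind, waits for the server-side analysis task to finish, fetches the gate result from the web API and exits non-zero when any condition is in ERROR, so the pipeline stops before promoting the build. The endpoints (api/ce/task, api/qualitygates/project_status) and JSON field names follow SonarQube's public web API; the project key, server URL, task id and metric values are constructed for the example, and the environment variable names are assumptions.

```python
"""Fail a CI job when the SonarQube Quality Gate is not green.

Added example (not SonarQube's own code). Assumptions: the SonarScanner has
already run and written .scannerwork/report-task.txt; SONAR_TOKEN holds a user
token with Browse permission on the project; the JSON shapes below follow the
public web API (api/ce/task and api/qualitygates/project_status).
"""
import base64
import json
import os
import sys
import time
import urllib.request
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample of an api/qualitygates/project_status response: a gate
# requiring 85% coverage on new code (the threshold quoted in the first review)
# that the analysis missed, a passing security-rating condition, and an
# unreviewed-hotspots condition that also failed.
SAMPLE_PROJECT_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "85", "actualValue": "72.4"},
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
}

# Constructed sample of the scanner's report-task.txt (key=value lines).
SAMPLE_REPORT_TASK = """projectKey=payments-api
serverUrl=https://sonar.example.internal
ceTaskId=AXz1example
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=AXz1example
"""


def parse_report_task(text: str) -> Dict[str, str]:
    """Turn the scanner's report-task.txt into a dict, ignoring blank lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def evaluate_quality_gate(payload: dict) -> Tuple[bool, List[str]]:
    """Return (passed, human-readable failed conditions).

    Anything other than an explicit "OK" (including "NONE", meaning no gate
    result exists) is treated as a failure, so the check fails closed.
    """
    project_status = payload["projectStatus"]
    failed = [
        f"{c['metricKey']}: actual {c['actualValue']} is "
        f"{'below' if c['comparator'] == 'LT' else 'above'} "
        f"threshold {c['errorThreshold']}"
        for c in project_status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return project_status["status"] == "OK", failed


def get_json(url: str, token: str) -> dict:
    """GET a SonarQube web API endpoint; the token is sent as the Basic-auth user."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(server: str, task_id: str, token: str, timeout_s: int = 300) -> str:
    """Poll api/ce/task until the background task finishes; return its analysisId."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        task = get_json(f"{server}/api/ce/task?id={task_id}", token)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with {task['status']}")
        time.sleep(5)
    raise TimeoutError("SonarQube analysis did not finish in time")


def main() -> int:
    path = Path(os.environ.get("SONAR_REPORT_TASK", ".scannerwork/report-task.txt"))
    token = os.environ.get("SONAR_TOKEN")
    if not token or not path.exists():
        # Offline mode: exercise the gate decision on the constructed sample.
        passed, failed = evaluate_quality_gate(SAMPLE_PROJECT_STATUS)
    else:
        props = parse_report_task(path.read_text(encoding="utf-8"))
        analysis_id = wait_for_analysis(props["serverUrl"], props["ceTaskId"], token)
        url = f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={analysis_id}"
        passed, failed = evaluate_quality_gate(get_json(url, token))
    for reason in failed:
        print("quality gate condition failed:", reason)
    print("quality gate", "passed" if passed else "FAILED")
    return 0 if passed else 1  # non-zero exit stops the pipeline from promoting the build


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the step after the scanner with SONAR_TOKEN set; without a token it evaluates the embedded sample so the decision logic can be exercised offline. Recent scanner versions can do the waiting themselves when `sonar.qualitygate.wait=true` is passed, but an explicit check like this one also lets the pipeline log exactly which conditions failed, which is what a team lead reviewing the blocked promotion needs to see.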
System Quality Assurance Manager at AIS - Advanced Info Services Plc.
SonarQube is designed well, making it easy to use, simple to identify issues and find solutions to problems.
DevOps Architect at a financial services firm with 1,001-5,000 employees
It provides the security that is required from a solution for financial businesses.
I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.
Head of IT Security Department at a tech services company with 501-1,000 employees
Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.
Software Engineer at a tech services company with 11-50 employees
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.
SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions, but as we don't use those, we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.
Founder at a tech services company with 11-50 employees
It is working fine. It provides good value for money.
Project Manager, Senior Architect at a computer software company with 1,001-5,000 employees
In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during the production. We are using the open-sourced version and issues can easily be resolved.
Independent Consultant at Klusener Consultancy
The overall quality of the indicator is good.
Senior Software Engineering Manager at a computer software company with 10,001+ employees
It is a very good tool for analysis and security vulnerability checking.
The most valuable features are code scanning and Quality Gates.
Deputy Manager Quality Assurance at eInfochips
I like that it has a better dashboard compared to Klocwork. It's also stable.
Director of consultory at a non-tech company with 1,001-5,000 employees
The most valuable features are the analysis and detection of issues within the application code.