
Is SonarQube the best tool for static analysis?

Manoj Kumar Kemisetty - PeerSpot reviewer
Sap Advanced Business Application Programming Consultant at Accenture

Hi community members,

Is SonarQube the best tool for static analysis? Are there any good tools that compete with SonarQube?


Rama Susarla - PeerSpot reviewer
Real User

SonarQube is one of the widely used and easy-to-use tools. 

With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code. 

But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (it has some associated cost, but not to the extent of other commercial tools). Hope this helps.

Vishal-Goyal - PeerSpot reviewer
Real User

We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best. 

It can handle multiple tech stacks and gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. It allows adding plugins and integrating with CI/CD even with the Community Edition. The Developer and Enterprise editions allow branch-level integration as well, for pull requests.
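The CI/CD integration mentioned above usually comes down to one step: after the scanner uploads an analysis, the pipeline asks the server whether the project's quality gate passed and fails the job if it did not. The script below is an added example written for this thread; it is not code from the original answer or from SonarSource. It calls the real SonarQube endpoint `api/qualitygates/project_status`, but the environment variable names (SONAR_HOST_URL, SONAR_TOKEN, SONAR_PROJECT_KEY), the Bearer-token authentication (SonarQube 10 and later; older servers take the token as the basic-auth username) and the sample response embedded for offline use are assumptions made here.

```python
"""Fail a CI job when the SonarQube quality gate for a project is not OK.

Added example for the thread above; not SonarSource code. The endpoint
api/qualitygates/project_status and its response shape are real, the
environment variable names and the sample payload below are assumed.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import urlencode


def evaluate_quality_gate(payload):
    """Return (passed, failing) from a project_status response.

    `failing` is a list of human-readable strings, one per condition whose
    status is not OK, so the CI log says *why* the gate failed.
    """
    status = payload["projectStatus"]
    failing = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "OK":
            continue
        # comparator is "GT" or "LT": the gate fails when actualValue is
        # greater/less than errorThreshold.
        failing.append(
            "{metric}: actual {actual} is {cmp} threshold {threshold}".format(
                metric=cond.get("metricKey"),
                actual=cond.get("actualValue"),
                cmp={"GT": "above", "LT": "below"}.get(cond.get("comparator"), cond.get("comparator")),
                threshold=cond.get("errorThreshold"),
            )
        )
    return status.get("status") == "OK", failing


def fetch_project_status(base_url, token, project_key, branch=None):
    """GET api/qualitygates/project_status for a project (and optional branch).

    Branch parameters only work on Developer Edition or above, matching the
    answer above; on Community Edition leave `branch` as None.
    Bearer auth is assumed here (SonarQube 10+).
    """
    params = {"projectKey": project_key}
    if branch:
        params["branch"] = branch
    url = "{}/api/qualitygates/project_status?{}".format(base_url.rstrip("/"), urlencode(params))
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response, shaped like a real project_status reply,
# so the gate logic can be exercised without a server.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "91.3"},
            {"status": "ERROR", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
        ],
    }
}


def main():
    """CI entry point: exit non-zero when the gate is not OK."""
    host = os.environ.get("SONAR_HOST_URL")
    token = os.environ.get("SONAR_TOKEN")
    key = os.environ.get("SONAR_PROJECT_KEY")
    if host and token and key:
        payload = fetch_project_status(host, token, key, os.environ.get("SONAR_BRANCH"))
    else:
        payload = SAMPLE_RESPONSE  # offline demonstration
    passed, failing = evaluate_quality_gate(payload)
    for line in failing:
        print("quality gate condition failed:", line)
    print("quality gate:", "OK" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

If the scanner itself is run from the pipeline, setting the scanner property `sonar.qualitygate.wait=true` makes the scanner poll for the gate result and fail on its own; the script above is useful when the gate check runs in a separate job from the analysis, or when the pipeline needs to print the failing conditions.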

Evgeny Belenky - PeerSpot reviewer
Community Manager

@reviewer1572348 Have you been using it for multiple programming languages? If so, for which ones?
Have you had a sense of equal coverage for each of them?
Thank you!

Vishal-Goyal - PeerSpot reviewer
Real User

@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET, and SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.

Evgeny Belenky - PeerSpot reviewer
Community Manager

@reviewer1572348 thank you for your reply!

Purushothaman K - PeerSpot reviewer
Real User

The static tools we can use are Fortify or IBM AppScan.

SonarQube is widely used for coding standards.

Curtis Yanko - PeerSpot reviewer
Vendor

If you stop at 'static analysis' and leave off the Security Testing part, I don't even view this tool as a security tool; it's much more about code quality.

Steven Klusener - PeerSpot reviewer
Consultant

Please have a look at the TICS framework, offered by, which is heavily used in the embedded industry (Philips, ASML, Porsche, etc.) to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.

Ricardo Oyarzo Mansilla - PeerSpot reviewer
Real User

SonarQube is not the best SAST; it is a SAST, but like any other open-source SAST. The best SAST is from the leader of the "Gartner Quadrant for AST".

Yatender Sharma - PeerSpot reviewer

There are many tools that can work for static code analysis, both in the open-source and the licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it into the DevOps pipeline?

It is also important to know which programming language/code has been used for your application. 

Additionally, SCA functionality is also important if you are working for a big corporation wherein open-source libraries/components are not allowed.

Anshuman Kishore - PeerSpot reviewer
Real User

Veracode will work with it and give value in a complementary way.

Rony_Sklar - PeerSpot reviewer
Community Manager

@Anshuman Kishore @TibinLukose @Donovan Greeff you've recently written reviews for SonarQube - do you have some insight to help @Manoj Kumar Kemisetty with this question? 
