Is SonarQube the best tool for static analysis?

  • 11
  • 3273
PeerSpot user
Get the report
Helped 767,496 peers since 2012

10 Answers

Jul 24, 2020

I am not very familiar with SonarQube and their solutions, so I can not answer.

But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look at the Gartner Maqic Quadeant for Application Security Testing (AST) .

In the latest Gartner Quadrant for AST (Static and Dynamic App Security testing) these are the "Leaders" as per April 2020 according to Gartner ranking:

1. Synopsys

2. Checkmarx

3. MicroFocus  (Fortify)

4. Veracode

5. WhiteHat Security

I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago.

I can strongly recommend Fortify because they have both the Static and Dynamic testing - and you can even choose to have the solution(-s) deployed as an "on-premise " or "Cloud" solution . In fact you can even have a "hybrid" between Cloud and On-Prem if you want depending on your organisations need and need for automation in different countries. 

I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing accross different countries, I imagine? 

So you can decide to have e.g. a Fortify "on-premise" version in one country and in another country you can have the solution deployed as a "Cloud service" so you get full freedom and the flexibility for automation and continous AppSec testing of the development teams coding. 

This will also educate the Developer teams into becoming better coders because they will learn from the corrections in the coding done by Fortify.

And remember that you can also use this in your Sales advertising, because you can get a report to document that your coding and DevOps has been Security tested and analysed by the Fortify solution and therefore you can advertise your services are proved and documented as  " Secure by design" by the Fortify solution.

I can help connect you directly with my old collegue from HP. He is today Fortify EMEA Global Head of Sales (based in UK).

Let me know if you want me to connect you or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead? 

Search for a product comparison in Application Security Tools
Real User
Jun 17, 2021

SonarQube is one of the widely used and easy-to-use tools. 

With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code. 

But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (It has some associated cost) but not to the extent of other commercial tools. Hope this helps.

Real User
Top 5Leaderboard
Jun 17, 2021

We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best. 

It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. Allows adding plugins, integrate with CI/CD even with the community edition. Developer and Enterprise additions allow branch-level integration as well for pull requests.

Community Manager
Jun 17, 2021

@reviewer1572348 thank you for your reply!

PeerSpot user
Real User
Jul 24, 2020

The static tool we can use is Fortify or IBM Appscan.

SonarQube is widely used for coding standards.

Mar 2, 2021

If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.

Sep 24, 2020

Please have a look at the TICS framework, offered by www.tiobe.com, it is heavily used in the embedded industry, like Philips, ASML, Porsche, etc, to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.

Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,496 professionals have used our research since 2012.
Anshuman Kishore - PeerSpot reviewer
Real User
Top 5Leaderboard
Jul 27, 2020

Veracode will work with it & give value on complimentary way ..

Real User
Jun 17, 2021

SonarQube is not the best SAST, is a SAST but like any other open-source SAST, the best SAST is from the leader of "Gartner Quadrant for AST".

Jun 16, 2021

There are many tools that can work for static code analysis, both in open source as well as in-licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it in the DevOps pipeline?

It is also important to know which programming language/code has been used for your application. 

Additionally, SCA functionality is also important, if you are working for a big corporation, wherein open source libraries/components are not allowed.

Rony_Sklar - PeerSpot reviewer
Community Manager
Jul 20, 2020

@Anshuman Kishore @TibinLukose @Donovan Greeff you've recently written reviews for SonarQube - do you have some insight to help @Manoj Kumar Kemisetty with this question? 

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you...
Download SonarQube ReportRead more

Related Q&As

Application Security Tools experts

Adrian Cambronero - PeerSpot reviewer
Diana Alvarado - PeerSpot reviewer
Jonathan Ramos G. - PeerSpot reviewer
Prateek Agarwal - PeerSpot reviewer
Nagendra Nekkala - PeerSpot reviewer
Hugo Alexis Espinoza Naranjo - PeerSpot reviewer
Edwin Solano Salmeron - PeerSpot reviewer
Nadeem Syed - PeerSpot reviewer