
What advice do you have for others considering SonarQube?


If you were talking to someone whose organization is considering SonarQube, what would you say?

How would you rate it and why? Any other tips or advice?


Top 20 Real User

I rate SonarQube an eight out of ten. To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically on the entire code base, not just on your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube.

2021-12-10T13:48:52Z
Top 20 Real User

I rate SonarQube an eight out of ten. To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.

2021-12-10T13:11:09Z
Top 20 MSP

It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process. I would rate it a 10 out of 10. I've never had any kind of problems with it. There are some products that have given me a bad day, but I never had a bad day because of this one.

2021-11-11T06:09:33Z
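The first two reviews above make the same point from different angles: wire SonarQube into the pipeline so every change is analysed without anyone starting it by hand, and use the result as a gate rather than as a report somebody reads later. Below is an added example of that gating step, written for this page and not taken from any reviewer or from SonarSource. It assumes `sonar-scanner` has just run in the CI job and that a SonarQube user token is in `SONAR_TOKEN`; the hostname, project key and task id are placeholders, and the `report-task.txt` content and the `project_status` response are constructed samples so the parsing and the gate decision can be exercised offline. The two web API endpoints it calls, `/api/ce/task` and `/api/qualitygates/project_status`, are real SonarQube endpoints.

```python
"""Fail a CI job unless SonarQube's quality gate passes.

Added example (not SonarQube's own tooling). After `sonar-scanner` has run
it reads .scannerwork/report-task.txt, polls the Compute Engine task until
the server-side analysis is done, then fetches the quality gate result for
exactly that analysis and exits non-zero if any condition is in ERROR.
Hostnames, project key, task id and token are placeholders.
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Constructed sample of what sonar-scanner writes to .scannerwork/report-task.txt.
SAMPLE_REPORT_TASK = """projectKey=my-service
serverUrl=https://sonar.example.internal
dashboardUrl=https://sonar.example.internal/dashboard?id=my-service
ceTaskId=AYx1-example-task
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=AYx1-example-task
"""

# Constructed sample of GET /api/qualitygates/project_status?analysisId=...
# (a gate like the reviewer's "85% coverage" target, with two failing conditions).
SAMPLE_PROJECT_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "85", "actualValue": "71.4"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
]}}


def parse_report_task(text):
    """Turn the key=value lines of report-task.txt into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def failing_conditions(project_status):
    """List every gate condition whose status is ERROR as a readable string."""
    conds = project_status["projectStatus"].get("conditions", [])
    return [
        f"{c['metricKey']}: actual {c.get('actualValue')} "
        f"({c['comparator']} threshold {c['errorThreshold']})"
        for c in conds if c["status"] == "ERROR"
    ]


def gate_passed(project_status):
    """True only when the overall status is OK and no condition is in ERROR."""
    return (project_status["projectStatus"]["status"] == "OK"
            and not failing_conditions(project_status))


def api_get(server_url, path, token):
    """GET a SonarQube web API path; the token is sent as the Basic-auth user name."""
    req = urllib.request.Request(server_url.rstrip("/") + path)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_task(server_url, task_id, token, timeout=600, interval=5):
    """Poll /api/ce/task until the background analysis ends; return its analysisId."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        task = api_get(server_url, f"/api/ce/task?id={task_id}", token)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with {task['status']}")
        time.sleep(interval)
    raise TimeoutError(f"analysis task {task_id} still pending after {timeout}s")


def check_gate(report_path=".scannerwork/report-task.txt"):
    """Full flow: report file -> finished task -> gate; returns (passed, failures)."""
    token = os.environ["SONAR_TOKEN"]
    with open(report_path, encoding="utf-8") as fh:
        report = parse_report_task(fh.read())
    analysis_id = wait_for_task(report["serverUrl"], report["ceTaskId"], token)
    status = api_get(report["serverUrl"],
                     f"/api/qualitygates/project_status?analysisId={analysis_id}",
                     token)
    return gate_passed(status), failing_conditions(status)


if __name__ == "__main__":
    passed, failures = check_gate()
    for failure in failures:
        print("quality gate condition failed:", failure)
    sys.exit(0 if passed else 1)
```

Run it as the step right after `sonar-scanner` in the job, so a red gate fails the build instead of being noticed later on the dashboard. The polling matters: the scanner exits as soon as it has uploaded the report, while the server computes the gate afterwards, so querying `project_status` by project key immediately after the scan can return the previous analysis. Asking for the specific `analysisId` from the finished task avoids that race.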
Top 20 Real User

We have already linked it with the CI/CD pipeline, and everything is working really smoothly. We also already have the additional language support, which was not available in the open-source version. In the developer version, we have six-plus additional languages supported. That is actually helpful for us. Overall, it's going really well. The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I have also already integrated the API of SonarQube into my external system, and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube, as it works really well for integration with any software or any third-party tools, including Azure DevOps. I'd rate the solution at a nine out of ten.

2021-11-03T20:00:00Z
Top 20 Real User

This solution is a good static test tool for developers. It helps keep the maintainability and security of software. I rate SonarQube an eight out of ten.

2021-10-08T20:35:29Z
Top 5 Leaderboard Real User

SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped. The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily. I rate SonarQube a seven out of ten.

2021-09-08T22:55:59Z
Top 5 Leaderboard Real User

I rate SonarQube a nine out of ten.

2021-09-07T14:07:28Z
Top 5 Leaderboard Real User

I would recommend this solution to others. I would rate SonarQube a nine out of 10.

2021-08-10T12:55:11Z
Real User

I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there. I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.

2021-08-04T16:48:03Z
Top 20 Real User

I rate SonarQube a six out of ten.

2021-08-03T13:53:03Z
Top 5 Leaderboard Real User

Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow. I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

2021-07-13T17:41:51Z
Top 5 Leaderboard Reseller

I rate SonarQube an eight out of ten.

2021-07-09T14:33:24Z
Real User

I rate SonarQube a ten out of ten.

2021-07-08T23:21:08Z
Top 5 Leaderboard Real User

SonarQube is a very good tool for code quality. I rate this solution a seven out of 10.

2021-06-17T10:22:05Z
Top 20 Reseller

On a scale from one to ten, I would give SonarQube an eight.

2021-06-03T16:08:51Z
Top 20 Real User

We are just a customer and an end-user. While we installed the solution on the cloud, we host it on our machines. I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful. It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have. I would rate the solution at a six out of ten.

2021-04-29T13:02:30Z
Real User

I would recommend to those wanting to implement this solution that they read the documentation; it is clear and easy to follow. I rate SonarQube a nine out of ten.

2021-04-05T15:27:37Z
Top 20 Real User

For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need. I rate SonarQube a nine out of ten.

2021-03-31T04:33:12Z
Top 20 Real User

The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it. We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features. I would rate this solution a seven out of ten.

2021-02-26T22:22:56Z
Top 20 Real User

I would recommend this solution. I would rate SonarQube an eight out of ten.

2021-02-10T14:34:34Z
Top 20 Real User

For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation. It has been very difficult. Last year many projects stopped. I would rate SonarQube a six out of ten.

2021-02-02T10:26:08Z
Top 5 Leaderboard Real User

I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool. Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

2021-01-08T15:43:25Z
Top 20 Real User

Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. I would rate SonarQube a six out of ten.

2021-01-06T10:11:58Z
Top 20 Reseller

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis. On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.

2021-01-06T06:31:00Z
Real User

I would recommend SonarQube. It is a good deal compared to all other tools on the market. It certainly helped us, it is a good tool and should be definitely used. I rate SonarQube a nine out of ten.

2020-12-24T15:03:00Z
Top 20 Real User

I would rate SonarQube a nine out of ten.

2020-12-09T00:59:35Z
Top 10 Real User

Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also. If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have. I would rate SonarQube an eight out of ten.

2020-12-07T17:49:08Z
Top 20 Real User

I would rate SonarQube an eight out of 10.

2020-11-27T22:37:00Z
Top 20 Real User

This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs. In the future, I may look into deploying SonarQube in a hybrid model. I would rate this solution an eight out of ten.

2020-10-28T21:08:07Z
Top 5 Leaderboard Real User

There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source. Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software. Overall, I would recommend SonarQube for your initial software quality. On a scale from one to ten, I would give this solution a rating of eight.

2020-10-27T06:39:00Z
Top 20 Real User

We're just customers. We don't have a business relationship with the company. I believe we are using the latest version of the solution, however, I don't know the exact number. I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products. Overall, I would rate the solution seven out of ten.

2020-10-26T15:25:32Z
Top 5 Leaderboard Real User

I am a user of SonarQube and I am responsible for the information security. I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP. We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers. It is better to have a technical review before deployment to production. Developers must review before going into production. It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it. Before introducing any application tools, know the visibility of the project. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program. It's also a part of corporate policy to know everything before it is published into the CI pipeline. There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS. I would recommend SonarQube to be on your initial plan for perfect quality. I would rate SonarQube an eight out of ten.

2020-09-06T08:04:35Z
Top 20 Consultant

I would absolutely recommend this solution to another company. On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.

2020-09-03T07:49:00Z
Top 5 Leaderboard Real User

I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what is the feedback from a developer's point of view. I highly recommend SonarQube. I would rate this solution a ten out of ten.

2020-09-01T05:25:12Z
Top 20 Real User

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think. On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven-out-of-ten.

2020-08-30T08:33:32Z
Top 20 MSP

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case. I would rate this solution a five out of ten.

2020-08-20T07:50:18Z
Top 20 Real User

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria. The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license. I would rate this solution a six out of ten.

2020-07-28T06:50:14Z
Top 20 Real User

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular with developers. It's very good for the stats about the product for architects. The metrics are how the budgeting should be done, et cetera. These are the things that they can find out from the dashboard based on the lines of code. In the next release, I would like to have notifications because now it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface. I would rate it an eight out of ten.

2020-07-15T07:11:00Z
Top 20 Real User

I would rate this solution a seven out of ten.

2020-07-14T08:15:51Z
Top 5 Leaderboard Real User

Security analysis is a MUST.

2020-07-06T14:59:00Z
Top 20 Real User

In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use. I would rate this solution a nine out of ten.

2020-06-25T10:49:25Z
Real User

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it. I would rate this solution an eight out of ten.

2019-06-16T07:23:00Z
Real User

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

2019-06-11T11:10:00Z
Real User

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it. I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

2019-06-02T09:20:00Z
Real User

This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code. If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules. I would rate this solution a seven out of ten.

2019-05-30T08:12:00Z
Real User

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now. I would rate this solution an eight out of ten.

2019-05-28T07:45:00Z
Real User

We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code. I would rate this solution a seven out of ten.

2019-05-23T06:09:00Z
Real User

This product is good but it is not meant to be a single solution for all issues. If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong. I would rate this solution a six out of ten.

2019-05-22T07:18:00Z
Real User

I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control. I have one graph here where there are probably 50 bubbles. There's one axis that shows technical debt, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. If you hover over the bubble, it tells you what module it is, how many lines of code, technical debt and manpower estimate, things like that.

2019-05-20T07:59:00Z
Real User

I would suggest trying the product. I like its usability because it has a simple approach. We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle. I would rate this solution a seven out of ten.

2019-05-16T07:47:00Z
Real User

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.

2019-05-15T05:16:00Z
Real User

On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.

2019-04-17T08:37:00Z
Real User

We are looking at using another product to complement it for security reasons. The most important criteria when selecting a vendor:
* Usability of the product
* Responsiveness when we have issues.

2018-07-30T09:01:00Z