About Company
Sonar is an automated code review platform serving as the trust and verification layer for AI code. Integrating code quality and code security into a single platform, Sonar delivers deterministic, repeatable, and actionable code verification at scale, analyzing over 750 billion lines of code daily to ensure software is reliable, maintainable, and secure. Originally built by the open-source community, it is now used by over 7 million developers globally.
SonarQube Likes & Dislikes
I like the capability to have various rulesets and be able to customize rules that are relevant to my specific domain. I liked the possibility to push these rules as settings for my developers IDE so that they had an early indication when coding rules were violated.
I like its strong focus on developer experience and seamless integration into CI/CD pipelines. It ticks the box of shifting left by making security analysis an integral part of every commit, providing clear, actionable feedback directly to developers.
- SonarQube PyCharm plug-in's code recommendations help to optimize code and make it cleaner;
- SonarQube server shows the test coverage level on new and overall code;
- All found alerts and warnings can be assigned to team members to remediate.
I have never achieved good results on C repos, however this may be due to inherent difficulties in analysing C/C code. Maintaining custom coding rules becomes tedious when there are a lot of changes in the underlying rulesets.
For more advanced / nuanced security scenarios, its depth of analysis and true security focused findings can sometimes fall short compared to dedicated enterprise-grade SAST solutions. While it's excellent for code quality and many OWASP Top 10 items, we've found it occasionally misses more subtle or complex vulnerabilities, or generates a higher rate of false positives for certain security patterns.
- the default settings produce a lot of unnecessary warnings and should be tweaked to make more sense;
- it is hard to exclude or partially exclude files and code blocks from the scan;
- it is slower than expected when analyzing large projects.
SonarQube Reviews and Ratings
- Security Architect, 10B+ USD, Media
SonarQube Integrates Security in Development but Lacks Depth for Complex Needs
SonarQube is a solid foundational asset for our testing capability, making it easy to integrate basic security checks directly into development workflows. However, for organisations with more stringent security requirements or complex attack surfaces, it often serves as a beneficial first layer, rather than a comprehensive, standalone solution when compared to more specialised competitors. Its ease of adoption and developer-centric reporting were key factors in our decision to use it.
- Chief Architect, 10B+ USD, Consumer Goods
SonarQube Enables Transparent Software Quality Tracking and Customizable Coding Rules
I set up and used SonarQube for several years in CI/CD pipelines to ensure software quality goals in my teams were clearly defined and met at each commit. The results of the scans were important for handover of software products between teams and different DevOps partners, as we had a very transparent state of the software quality.
- IT Ops Specialist, 10B+ USD, Banking
SonarQube Enhances Python Code Quality With Customizable Checks And Assignable Alerts
SonarQube provides an additional layer of checks and optimizations during my Python development. It helps keep my code clean and properly covered by tests. Some checks can be annoying, though; they can be commented out in place or turned off altogether.
- Director Enterprise Architecture, 50M-1B USD, Banking
SonarQube Enables Fast Issue Identification and Seamless Integration in Build Pipelines
SonarQube is a true value-add for many organizations. Not only does it help identify various quality issues, it does so at speed in the build pipeline. Additionally, smart engineers will use the IDE extension to get feedback while the code is being written, without waiting on the CI/CD build to complete.
- IT Manager, 10B+ USD, IT Services
Intuitive Dashboard for SAST and Seamless Azure DevOps Integration by SonarQube
SonarQube seemed to be a very good tool for code coverage analysis and finding vulnerabilities in code. The dashboard gives a very good view of the analysis results. Pricing seemed to be optimal compared with other vendors providing similar features. The open API of SonarQube is also very helpful for preparing custom reports.