SonarQube

RATING:

4.6

(54)

About SonarQube

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding.

SonarQube Pricing

SonaQube offers a free and open-source version, after which it is available across three paid plans based on the number of lines of codes. Details include: Community Edition - Free & open-source; Developer Edition - starts at $160; Enterprise Edition - starts at $21,000; Data Center Edition - starts at $136,000.

Starting price: 

$160.00 per year

Free trial: 

Available

Free version: 

Available

Project homepage

SonarQube Reviews

Overall Rating

4.6

Ratings Breakdown

Secondary Ratings

Ease-of-use

4.5

Customer Support

4

Value for money

4.5

Functionality

4.5

Most Helpful Reviews for SonarQube

1 - 5 of 54 Reviews

User Profile

Sachin

Verified reviewer

Computer Software, 10,000+ employees

Used daily for less than 12 months

Review Source: Capterra
This review was submitted organically. No incentive was offered

OVERALL RATING:

5

EASE OF USE

5

VALUE FOR MONEY

5

CUSTOMER SUPPORT

4

FUNCTIONALITY

5

Reviewed May 2022

Code Analysis and ensuing security against threats

Overall experience with Sonarqube is pretty wholesome integration came handy with my CI/CD tools such as Azure Devops and Jenkins. Provides insights against vulnerabilities and common threats so that necessary actions can be taken by developers to ensure the security and good coding practices to follow. Features like PR decoration allows to get results in CI/CD tools itself if passed then only commit happens to master branch.

PROS

Feature like Code Analysis and publishing those analysis report to end user. You can use default Quality Gates and Quality Profiles for scanning of your code. In case you want to modify these you can do that and define your own rule. Whenever there's commit in repo you just need to configure the task in your continuous integration pipeline if it passed the parameter only then commit will happens the master/main branch otherwise it will not. With these features you can eliminate the security threats and ensure that developers are following good practices while developing their code. I have integrated it with Azure DevOps.

CONS

Only thing which I can think can be improved is logging of events. Sometime it becomes hard to debug the issues. Other then that, I think over all this fulfills all the requirements.

Anonymous

501-1,000 employees

Used daily for less than 2 years

Review Source: Capterra
This review was submitted organically. No incentive was offered

OVERALL RATING:

5

EASE OF USE

5

VALUE FOR MONEY

5

CUSTOMER SUPPORT

4

FUNCTIONALITY

5

Reviewed August 2022

Best Code Quality check Tool

We are really taking help of SonarQUbe in maintaining code quality. Doing code scanning on each JIRA story completion. It also helps our developers to improve their code quality. Coding standards are better now. Reports are very useful.

PROS

1. Calculate the quality of code and also helps to improve the quality by providing the solution 2. Highlight the vulnerabilities , repetitive line of code 3. Developer Friendly tool as it provides recommendations on the line of code which needs an improvement. 4. Create Scan reports on demand 5. Option to add exception in code

CONS

1. Report Generation sometime take long time. 2. User Interface should be enhanced. 3. Lack custom rule set 4. As per cost, it is little bit expensive.

Reasons for switching to SonarQube

SOnarQube is better in terms of quality percentage, provide more insights.

Anonymous

10,000+ employees

Used weekly for more than 2 years

Review Source: Capterra
This reviewer was invited by us to submit an honest review and offered a nominal incentive as a thank you.

OVERALL RATING:

4

EASE OF USE

4

FUNCTIONALITY

5

Reviewed March 2024

Code Quality Assurance

Overall, impressed by this tool that supports multiple languages, monitoring code quality, bugs and vulnerability detection. Also, integrates well with Jenkins, GitHub, etc.

PROS

- It supports almost all commonly used languages like JAVA, Python, Javascript, etc. - Integrates well with CI/CD pipeline established in tools like Jenkins and GitHub. - Detects code duplication, bugs and vulnerabilities in code.

CONS

- May be complex to understand the reports for new users. - May block delivery/deployment if hard gates are enabled by DevOps team which may delay project delivery.

Chandramouli

Hospital & Health Care, 501-1,000 employees

Used daily for less than 12 months

Review Source: Capterra

OVERALL RATING:

3

EASE OF USE

3

VALUE FOR MONEY

3

CUSTOMER SUPPORT

2

FUNCTIONALITY

3

Reviewed August 2021

Great tool to drive Coding Quality standards

PR analysis and Integration with Bitbucket are most in avoiding the new issues. The tool needs a lot of improvements 1. Number of rules should be increased. 2. Few rules should have custom exclusions. Ex: Naming conventions => Organisation-specific words will be there which should be in Capital. 3. Generating a lot of false positives 4. Executive reports should generate based on scheduled triggers. We have 20 projects which are assigned to a Portfolio. if you are going to generate a report and send an email for the first portfolio calculation then the rest of the 19 projects info for that day will be missed. Higher management will think that the generated report is the latest but it is not. 5. PR analysis reports should be generated Quickly

PROS

PR analysis and Integration with Bitbucket are most helpful.

CONS

1. Number of rules should be increased. 2. Few rules should have custom exclusions. Ex: Naming conventions => Organisation-specific words will be there which should be in Capital. 3. Generating a lot of false positives 4. Executive reports should generate based on scheduled triggers. We have 20 projects which are assigned to a Portfolio. if you are going to generate a report and send an email for the first portfolio calculation then the rest of the 19 projects info for that day will be missed. Higher management will think that the generated report is the latest but it is not. 5. PR analysis reports should be generated Quickly

Vendor Response

Thank you for your review, Chandramouli. We appreciate your feedback, and invite you to join the SonarSource Community Forum. SonarSource Community Forum: https://community.sonarsource.com/ Posting to the Forum will allow there to be transparency to the community, and allow our product managers & users to understand any issues you are facing. To better assist you, please indicate what language(s), and how long the PR analysis is actually taking; as well as, examples of the false positives. Thanks!

Replied August 2021

Anonymous

1,001-5,000 employees

Used monthly for less than 12 months

Review Source: Capterra
This reviewer was invited by us to submit an honest review and offered a nominal incentive as a thank you.

OVERALL RATING:

5

EASE OF USE

4

VALUE FOR MONEY

5

CUSTOMER SUPPORT

5

FUNCTIONALITY

4

Reviewed December 2022

SonarQube is Great for Developers!

We could identify many code related issues that are presented in our code and improve the quality of the application that we are developing. As a overall, SonarQube tool is able to add a value to our applications.

PROS

It is simple for developers to recognize their code smells, unused lines of code, errors, problems with the third-party libraries they are using, etc. information and the precise location of the issue. It also offers answers to those problems. As a result, figuring out the problems and fixing them is simple. This will be a terrific tool for developers. Except that, we can introduce our own rules for checking the code quality. It could identify the code issues that are vulnerable to cyber attacks such as XSS, SQL Injection, etc.

CONS

It was difficult to use the SonarQube on-premise application. Once we pushed a new code section, the server needed to restart in order for the application to work.

Reason for choosing SonarQube

Higher number of facilities are available in SonarQube and suggesting the options for fixing the issues.