+ 1

What is SonarQube?

SonarQube provides an overview of the overall health of your source code and even more importantly, it highlights issues found on new code. With a Quality Gate set on your project, you will simply fix the Leak and start mechanically improving.
SonarQube is a tool in the Code Review category of a tech stack.
SonarQube is an open source tool with 7.4K GitHub stars and 1.8K GitHub forks. Here’s a link to SonarQube's open source repository on GitHub

Who uses SonarQube?

391 companies reportedly use SonarQube in their tech stacks, including Bitpanda, Alibaba Travels, and deleokorea.

971 developers on StackShare have stated that they use SonarQube.

SonarQube Integrations

Jenkins, Bitbucket, Gradle, Travis CI, and Apache Maven are some of the popular tools that integrate with SonarQube. Here's a list of all 19 tools that integrate with SonarQube.
Pros of SonarQube
Tracks code complexity and smell trends
IDE Integration
Complete code Review
Decisions about SonarQube

Here are some stack decisions, common use cases and reviews by companies and developers who chose SonarQube in their tech stack.

Joshua Dean Küpper
CEO at Scrayos UG (haftungsbeschränkt) · | 2 upvotes · 47.9K views

We use SonarQube because of the big inbuilt database of code-smells, pitfalls and best-practices. We were already using Checkstyle, PMD and SpotBugs before, but decided that an "in-depth" analysis – after those three tools already submitted their reports – would be a welcomed addition for the presentation of found issues. The blame-feature of SonarQube is brilliant for internal communication and the integration of the already generated reports of the other tools saves time and speeds up build pipelines.

See more
Simon Reymann
Senior Fullstack Developer at QUANTUSflow Software GmbH · | 29 upvotes · 5.1M views

Our whole DevOps stack consists of the following tools:

  • GitHub (incl. GitHub Pages/Markdown for Documentation, GettingStarted and HowTo's) for collaborative review and code management tool
  • Respectively Git as revision control system
  • SourceTree as Git GUI
  • Visual Studio Code as IDE
  • CircleCI for continuous integration (automatize development process)
  • Prettier / TSLint / ESLint as code linter
  • SonarQube as quality gate
  • Docker as container management (incl. Docker Compose for multi-container application management)
  • VirtualBox for operating system simulation tests
  • Kubernetes as cluster management for docker containers
  • Heroku for deploying in test environments
  • nginx as web server (preferably used as facade server in production environment)
  • SSLMate (using OpenSSL) for certificate management
  • Amazon EC2 (incl. Amazon S3) for deploying in stage (production-like) and production environments
  • PostgreSQL as preferred database system
  • Redis as preferred in-memory database/store (great for caching)

The main reason we have chosen Kubernetes over Docker Swarm is related to the following artifacts:

  • Key features: Easy and flexible installation, Clear dashboard, Great scaling operations, Monitoring is an integral part, Great load balancing concepts, Monitors the condition and ensures compensation in the event of failure.
  • Applications: An application can be deployed using a combination of pods, deployments, and services (or micro-services).
  • Functionality: Kubernetes as a complex installation and setup process, but it not as limited as Docker Swarm.
  • Monitoring: It supports multiple versions of logging and monitoring when the services are deployed within the cluster (Elasticsearch/Kibana (ELK), Heapster/Grafana, Sysdig cloud integration).
  • Scalability: All-in-one framework for distributed systems.
  • Other Benefits: Kubernetes is backed by the Cloud Native Computing Foundation (CNCF), huge community among container orchestration tools, it is an open source and modular tool that works with any OS.
See more
Bryan Dady
SRE Manager at Subsplash · | 5 upvotes · 334.1K views

I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.

See more
Shared insights
SonarQubeSonarQubeBlack DuckBlack Duck

Is it possible to integrate Black Duck, SonarQube and Coverity with Fortify SSC?

See more
Shared insights

We have heavy Oracle ERP customizations in the company and some amount of Java/JSP customizations, for which the QA team has to do code review manually. For Java code review SonarQube may be good, but is it the best? And for PL/SQL, Oracle Forms/Oracle reports which tool can do Code review automation?

Please suggest.

See more
Shared insights
SonarQubeSonarQubeCoverity ScanCoverity Scan

Coverity Scan or SonarQube which is better on and how

See more

Jobs that mention SonarQube as a desired skillset

United States of America Texas Dallas
United States of America Texas Richardson
United States of America Texas Dallas
United States of America Texas Richardson
See all jobs

SonarQube's Features

  • Multi-language
  • Detect tricky issues
  • Security analysis
  • Enhance your workflow

SonarQube Alternatives & Comparisons

What are some alternatives to SonarQube?
It is a popular developer productivity extension for Microsoft Visual Studio. It automates most of what can be automated in your coding routines. It finds compiler errors, runtime errors, redundancies, and code smells right as you type, suggesting intelligent corrections for them.
It is a provider of state-of-the-art application security solution: static code analysis software, seamlessly integrated into development process.
Codacy automates code reviews and monitors code quality on every commit and pull request on more than 40 programming languages reporting back the impact of every commit or PR, issues concerning code style, best practices and security.
It detects possible bugs in Java programs. Potential errors are classified in four ranks: scariest, scary, troubling and of concern. This is a hint to the developer about their possible impact or severity.
It seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production.
See all alternatives

SonarQube's Followers
1767 developers follow SonarQube to keep up with related blogs and decisions.