1K
1.2K
+ 1
29

What is SonarQube?

SonarQube provides an overview of the overall health of your source code and even more importantly, it highlights issues found on new code. With a Quality Gate set on your project, you will simply fix the Leak and start mechanically improving.
SonarQube is a tool in the Code Review category of a tech stack.
SonarQube is an open source tool with 5.6K GitHub stars and 1.4K GitHub forks. Here’s a link to SonarQube's open source repository on GitHub

Who uses SonarQube?

Companies
283 companies reportedly use SonarQube in their tech stacks, including Alibaba Travels, Craftbase, and Immowelt AG.

Developers
685 developers on StackShare have stated that they use SonarQube.

SonarQube Integrations

Jenkins, Bitbucket, Travis CI, Gradle, and Apache Maven are some of the popular tools that integrate with SonarQube. Here's a list of all 11 tools that integrate with SonarQube.
Pros of SonarQube
16
Tracks code complexity and smell trends
9
IDE Integration
4
Complete code Review
Decisions about SonarQube

Here are some stack decisions, common use cases and reviews by companies and developers who chose SonarQube in their tech stack.

Joshua Dean KĂĽpper
CEO at Scrayos UG (haftungsbeschränkt) · | 2 upvotes · 32.7K views

We use SonarQube because of the big inbuilt database of code-smells, pitfalls and best-practices. We were already using Checkstyle, PMD and SpotBugs before, but decided that an "in-depth" analysis – after those three tools already submitted their reports – would be a welcomed addition for the presentation of found issues. The blame-feature of SonarQube is brilliant for internal communication and the integration of the already generated reports of the other tools saves time and speeds up build pipelines.

See more
Simon Reymann
Senior Fullstack Developer at QUANTUSflow Software GmbH · | 28 upvotes · 2.2M views

Our whole DevOps stack consists of the following tools:

  • GitHub (incl. GitHub Pages/Markdown for Documentation, GettingStarted and HowTo's) for collaborative review and code management tool
  • Respectively Git as revision control system
  • SourceTree as Git GUI
  • Visual Studio Code as IDE
  • CircleCI for continuous integration (automatize development process)
  • Prettier / TSLint / ESLint as code linter
  • SonarQube as quality gate
  • Docker as container management (incl. Docker Compose for multi-container application management)
  • VirtualBox for operating system simulation tests
  • Kubernetes as cluster management for docker containers
  • Heroku for deploying in test environments
  • nginx as web server (preferably used as facade server in production environment)
  • SSLMate (using OpenSSL) for certificate management
  • Amazon EC2 (incl. Amazon S3) for deploying in stage (production-like) and production environments
  • PostgreSQL as preferred database system
  • Redis as preferred in-memory database/store (great for caching)

The main reason we have chosen Kubernetes over Docker Swarm is related to the following artifacts:

  • Key features: Easy and flexible installation, Clear dashboard, Great scaling operations, Monitoring is an integral part, Great load balancing concepts, Monitors the condition and ensures compensation in the event of failure.
  • Applications: An application can be deployed using a combination of pods, deployments, and services (or micro-services).
  • Functionality: Kubernetes as a complex installation and setup process, but it not as limited as Docker Swarm.
  • Monitoring: It supports multiple versions of logging and monitoring when the services are deployed within the cluster (Elasticsearch/Kibana (ELK), Heapster/Grafana, Sysdig cloud integration).
  • Scalability: All-in-one framework for distributed systems.
  • Other Benefits: Kubernetes is backed by the Cloud Native Computing Foundation (CNCF), huge community among container orchestration tools, it is an open source and modular tool that works with any OS.
See more
Bryan Dady
SRE Manager at Subsplash · | 3 upvotes · 174.2K views

I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.

See more

SonarQube's Features

  • Multi-language
  • Detect tricky issues
  • Security analysis
  • Enhance your workflow

SonarQube Alternatives & Comparisons

What are some alternatives to SonarQube?
ReSharper
It is a popular developer productivity extension for Microsoft Visual Studio. It automates most of what can be automated in your coding routines. It finds compiler errors, runtime errors, redundancies, and code smells right as you type, suggesting intelligent corrections for them.
Checkmarx
It is a provider of state-of-the-art application security solution: static code analysis software, seamlessly integrated into development process.
FindBugs
It detects possible bugs in Java programs. Potential errors are classified in four ranks: scariest, scary, troubling and of concern. This is a hint to the developer about their possible impact or severity.
Codacy
Codacy automates code reviews to improve and standardize code quality across large enterprises. It identifies issues through static code analysis. Integrates with GitLab, GitHub & Bitbucket.
Veracode
It seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production.
See all alternatives

SonarQube's Followers
1178 developers follow SonarQube to keep up with related blogs and decisions.