SonarQube Cloud

Sonar | 1

Reviews from AWS customer

0 AWS reviews

External reviews

9 reviews

External reviews are not included in the AWS star rating for the product.


    reviewer933816

Setting up code inspection and managing technical debt have improved code quality

  • April 18, 2025
  • Review provided by PeerSpot

What is our primary use case?

The use case involves setting up code inspection, identifying security vulnerabilities, ensuring adherence to coding standards, and managing technical debt. I have established a quality gate in the CI/CD pipeline to ensure a minimum quality percentage is achieved for the build to pass. This is integrated within CI/CD pipelines.

What is most valuable?

The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities. These features help me ensure high-quality code and improve security posture via vulnerability checks, particularly on Java applications. SonarQube Cloud’s integration with CI/CD tools is also a significant benefit. The product offers a good user interface which enhances usability.

What needs improvement?

SonarQube Cloud needs improvements in dynamic code analysis. Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.

For how long have I used the solution?

I have extensive work experience with SonarQube Cloud, exceeding five years.

What do I think about the stability of the solution?

I would rate the stability a nine out of ten. The product is quite stable and reliable.

What do I think about the scalability of the solution?

I would rate it eight out of ten for scalability. There is room for improvement, but SonarQube Cloud is generally reliable. It has been used in multiple projects and performs well.

Which solution did I use previously and why did I switch?

The major benefit of SonarQube Cloud over other solutions is its integration with CI/CD tools and support for various languages and platforms. Its user interface is also superior compared to traditional code inspection and SAST tools.

How was the initial setup?

The initial setup for SonarQube Cloud is straightforward. This applies to both in-house server setup and integration.

What was our ROI?

The product has had a positive impact by identifying gaps in application code related to technical debt and coding standards.

What's my experience with pricing, setup cost, and licensing?

We used the open-source version of SonarQube Cloud for its minimum features and did not license its extensive capabilities.

What other advice do I have?

I would recommend SonarQube Cloud to other development teams. Overall, I rate the solution eight out of ten.

Which deployment model are you using for this solution?

On-premises


    René Gamom

Regular integration into pipelines for effective quality checks

  • April 09, 2025
  • Review provided by PeerSpot

What is our primary use case?

I use SonarQube Cloud (formerly SonarCloud) for scanning code quality checks.

What is most valuable?

I use SonarQube Cloud (formerly SonarCloud) to check the quality of developer code and identify vulnerabilities. It is the best product we use for easy integration into YAML pipelines for scanning.

What needs improvement?

I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture. Currently, to achieve our expectations, we have to use more than one product, as some products excel at scanning for vulnerabilities but are poor at checking code quality. Others are best at enumerating dependencies as SBOM. To improve SonarQube Cloud (formerly SonarCloud), it should excel in all these domains.

For how long have I used the solution?

I have used SonarQube Cloud (formerly SonarCloud) for over two years.

What do I think about the stability of the solution?

I think it is a very stable product.

What do I think about the scalability of the solution?

I haven't had to test the scalability yet.

How are customer service and support?

I have not required support for SonarQube Cloud (formerly SonarCloud), as integrating it into different solutions is straightforward. Documentation, however, is not very good.

How would you rate customer service and support?

Positive

How was the initial setup?

The setup of SonarQube Cloud (formerly SonarCloud) is not very complicated.

What about the implementation team?

The infrastructure team deployed the product. I work with CI/CD, using SonarQube Cloud (formerly SonarCloud) to scan different solutions and provide vulnerability dashboards to IT teams.

What was our ROI?

The product is designed for bigger clients, while smaller companies are often put aside.

What's my experience with pricing, setup cost, and licensing?

From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies. It would be a great improvement if the price for smaller companies were reduced, as I do not have the financial capability to use it in my own company.

Which other solutions did I evaluate?

I have experience with NDepend and some experience on SonarCloud.

What other advice do I have?

The main strength of SonarQube Cloud (formerly SonarCloud) is detecting the quality of code, and in the quality area, I rate it nine out of ten.


    Archana Verma

Provides valuable insights on code vulnerabilities and integrates seamlessly with CI/CD pipelines

  • February 24, 2025
  • Review provided by PeerSpot

What is our primary use case?

I run SonarQube Cloud every day to conduct security checks on our daily builds and code.

What is most valuable?

I find SonarQube Cloud to be very user-friendly with an easy-to-use interface. It provides detailed code smell reports and insights on hotspots, which can later represent security vulnerabilities. It gives precise reports compared to Coverity and has a slightly lower number of false positives. It is integrated easily with the CI/CD pipeline, saving time and cost. It provides information on upcoming vulnerability details and loopholes that might turn into vulnerabilities.

What needs improvement?

The UI can be improved. Additionally, in future updates, I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs. Currently, the suggestions are not very elaborate.

For how long have I used the solution?

I have been using SonarQube Cloud for more than a year.

What do I think about the stability of the solution?

I rate the stability of SonarQube Cloud at eight out of ten. It is a quite stable solution.

What do I think about the scalability of the solution?

SonarQube Cloud is a scalable product, and I rate its scalability at seven out of ten.

How are customer service and support?

The customer service and support for SonarQube Cloud are responsive and helpful. It ensures accurate reporting and is beneficial in terms of triggering daily scans without manual oversight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I have used Coverity but I am currently not using it.

What was our ROI?

After implementing SonarQube Cloud, I have observed cost savings and time savings. It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.

Which other solutions did I evaluate?

I have evaluated Coverity.

What other advice do I have?

I rate the overall solution eight out of ten. 

I am exploring leveraging AI to enhance code analysis with SonarQube Cloud. I recommend SonarQube Cloud to other users as it is seamless and provides precise results. It shows upcoming vulnerability details and loopholes which can turn into vulnerabilities or configuration risks.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    reviewer2356089

Integration is simple and effective, but detection capabilities need enhancement

  • February 18, 2025
  • Review provided by PeerSpot

What is our primary use case?

We mainly use SonarQube Cloud for code analysis, specifically static code analysis.

What is most valuable?

I find SonarQube Cloud very easy to use and simple to integrate initially. Our development teams find it very easy to integrate into their workflow. New team members immediately know how to use it. 

What needs improvement?

SonarQube Cloud could improve its vulnerability detection compared to Veracode. Additionally, it has fewer capabilities, which prompted us to use Veracode.

For how long have I used the solution?

We have been using SonarQube Cloud for about two to three years.

What do I think about the stability of the solution?

I find SonarQube Cloud to be relatively stable. From my team's feedback, it is almost an eight out of ten.

What do I think about the scalability of the solution?

I am uncertain about SonarQube Cloud's scalability. There are limitations, and it seems to have fewer capabilities than Veracode, which is why we also use Veracode.

How are customer service and support?

I did not have much interaction with customer support. When I did contact them, the experience was very good; however, I didn't have any technical questions.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I am mainly focusing on Veracode, and we also use SonarQube Cloud. In contrast, I find Veracode to be more complex. Veracode is considered to have better detection capabilities than SonarQube Cloud.

How was the initial setup?

SonarQube Cloud was much easier to install compared to Veracode. One person is enough to handle the installation.

What was our ROI?

I have not done any ROI calculations on SonarQube Cloud.

What's my experience with pricing, setup cost, and licensing?

From what I understand, SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.

What other advice do I have?

I rate SonarQube Cloud as a whole solution about seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    Diego Moreo

Enhanced code quality with data consolidation needs and good pipeline integration

  • October 07, 2024
  • Review provided by PeerSpot

What is our primary use case?

We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied.

How has it helped my organization?

SonarCloud aids us in checking major issues in legacy systems and helps prioritize solutions based on this data.

What is most valuable?

The SaaS solution for checking code without execution and dealing with security issues is valuable. It fulfills our needs.

What needs improvement?

Reporting features are missing in SonarCloud. We do not have a way to consolidate data within the tool, requiring us to extract data and use Power BI for reports.

For how long have I used the solution?

I have used SonarCloud for the past three years.

What do I think about the stability of the solution?

SonarCloud has been stable except for an instance last month where it was unavailable for about four to six hours. Other than that, I am unaware of any unavailability issues.

What do I think about the scalability of the solution?

It's very scalable with no issues. We can add as many projects as we want. The only restriction is the number of lines scanned, which affects billing. On a scale of one to ten, I rate scalability at eight out of ten.

How are customer service and support?

I have not used their technical support or dealt directly with their customer service.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were already using SonarQube, the on-premises version, before transitioning to SonarCloud.

How was the initial setup?

The initial setup was done by a previous team of around three or four DevOps engineers. The transition took approximately one to two months.

What about the implementation team?

Another team conducted the initial setup with about three or four DevOps engineers.

What was our ROI?

It's really hard to measure ROI. Previously, the low cost ensured it wasn't a concern, but now, with increasing costs, the need to measure ROI more accurately is arising.

What's my experience with pricing, setup cost, and licensing?

Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost.

Which other solutions did I evaluate?

We are evaluating Veracode as a possible replacement. I also checked resources like Forest Work and Gartner for other potential tools.

What other advice do I have?

I would recommend SonarCloud to other development teams. While the cost might be a concern, it is a good tool and maintains an updated list of security issues. It is sufficient for most projects.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    Huzaifa Asif

A comprehensive code quality management offering all-in-one functionality, including static code analysis, security assessments, and code optimization, while providing valuable insights for developers

  • December 12, 2023
  • Review provided by PeerSpot

What is our primary use case?

It serves as our primary tool for static code analysis, addressing various aspects such as code duplication, code smells, and security concerns. It stands out as an all-encompassing solution and it excels in security analysis and offers robust features for code optimization and duplication detection.

How has it helped my organization?

Through SonarCloud, we gain insights, especially in a microservices environment with product-based products. It provides valuable guidance in scenarios where I might not be well-versed in optimizing security for a particular service. It highlights areas for improvement, such as ensuring proper handling of headers and advising on changes needed in the codebase. Moreover, it offers suggestions for code enhancements, pointing out more efficient methods in languages like JavaScript.

What is most valuable?

Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service. Now, we can easily assess which services have more code and identify areas with potential issues. This addition has proven to be the most beneficial feature for our current use case.

What needs improvement?

There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could use improvement in providing clearer instructions. I found myself needing to engage with support multiple times to navigate through certain aspects. Additionally, it would be beneficial if it could streamline the integration process for new features. Enhancing documentation on how to integrate these features seamlessly would go a long way in improving user experience. The introduction of an auto-commit functionality would be a valuable addition. Some other tools offer this feature, allowing for the automatic creation of pull requests to address identified issues. This functionality significantly reduces the manual effort required.

What do I think about the stability of the solution?

I would rate its stability capabilities ten out of ten.

What do I think about the scalability of the solution?

I would rate it a ten out of ten because I haven't encountered any scalability-related issues. In my current company, we have around fifty users distributed across various organizations, including some smaller groups with around five to six individuals. In my previous job, the user count was higher, ranging from one fifty to two hundred people.

How are customer service and support?

I find the support to be effective. Upon reaching out to them, they responded promptly, actively engaged in addressing the issue, and made efforts to resolve it. I would rate it ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have experimented with other solutions simultaneously, but we consistently find this one to be more effective. It possesses an all-in-one capability, which is noteworthy. Typically, one might need separate software for security, another for static code analysis, and so on, but having everything in a single platform makes it advantageous.

How was the initial setup?

The initial setup was challenging. Incorporating an auto-commit function would be a valuable enhancement and would markedly decrease the need for manual intervention and effort. I would rate it seven out of ten.

What about the implementation team?

The deployment process is typically quick, taking about twenty to thirty minutes. For regular services, the setup is straightforward, involving the creation of a client account, installation of the SonarCloud app in GitHub, and linking it to the specific repository. In the case of microservices, the process involves having the GitHub action ready. Once the action is prepared, it's a matter of pasting it, and everything is set up. Updating and creating projects in SonarCloud are the next steps for microservices. The platform also offers the option to create multiple projects simultaneously. The main challenge users encounter when setting up microservices architecture on SonarCloud is the need to create their own GitHub action. The issue arises from inaccuracies in the GitHub action documentation provided by SonarCloud. Ultimately, to resolve the problem, users often have to create their own GitHub action independently, as the documentation does not offer a straightforward solution. Typically, a single individual, whether a DevOps professional or a Cloud Engineer, is sufficient for managing it.

What was our ROI?

The return on investment is positive as it not only aids in identifying issues but also helps developers gain a better understanding of the code. When facing particular challenges, developers often introspect and subsequently modify their coding practices, making it highly beneficial in that regard. I would rate it ten out of ten.

What's my experience with pricing, setup cost, and licensing?

I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pay a fixed price.

Which other solutions did I evaluate?

We examined options such as AWS CodeGuru, Snyk, and DeepScan recently. Despite considering the possibility of switching to another tool for a specific product, none of these options seemed suitable, leading us to retain our current choice.

What other advice do I have?

Opting for SonarCloud is advantageous as it offers a complete package, including static code analysis, security assessments, and code optimization, all within a single tool. Overall, I would rate it nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    reviewer1992327

Offers stability and comprehensive feedback on code quality, including code optimization and duplication detection, which aids in improving user code practices

  • December 11, 2023
  • Review provided by PeerSpot

What is most valuable?

SonarCloud's user interface integrates with version control tools like GitLab, showing code smells and commits for code reviews. Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature.

SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.

The main advantage of using Android Lint over SonarCloud is its ease of integration. It was a bit tricky to integrate SonarCloud inside the CI/CD pipeline, which had some integration challenges. No proper documentation existed, making it tough.

Specifically, when pushing code and creating merge requests, SonarCloud wouldn't generate the merge request or run itself. This felt clunky and required extra configuration. The documentation just wasn't sufficient for integrating with our cloud and Android Lint. Ultimately, it took too long to integrate SonarCloud, leading us to explore other options like Android Lint for improving code quality.

So, adding better documentation on integrating SonarCloud's pipeline within GitLab CI/CD would definitely be a valuable addition from my perspective. That's the key takeaway they should work on.

For how long have I used the solution?

We've been using SonarCloud for a while, inside TruckITAM, stopping about four months ago. We established our pipeline for seamless build sharing with stakeholders, using Android Lint to optimize the pipeline process and costs.

What do I think about the stability of the solution?

SonarCloud is well-stable. It's a good system. Whenever I used to commit, it gave proper feedback about our code, like duplication or optimization suggestions. 

Overall, the product is stable, but a few features need addressing to improve the user experience. The integration process and overall flow feel a bit clunky. They need to optimize the user experience. 

It requires a bit of work on the user side. It is difficult for non-trained users. If someone untrained reads their documentation, integrating with SonarCloud should be easy. That's the tricky part. They need a good onboarding process and a support team for communication. We're the clients, so they should provide daily updates on new features and address any integration issues on our cloud.

There should be an open-source community available so that they can target small queries. Our cloud community feels a bit small and not very active. I searched for workarounds and how to cancel merge requests, which took forever.

Also, on the GitLab side, working on CI/CD pipeline automation was challenging. Improving the build time of the application was a pain. We had to write XML files and run scripts.

The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps. That's something I noticed for GitLab and researched for a while. We integrated it successfully for the driver side, but the other application timed out. We used BigRise as an alternative, and it optimized the build time to 10 minutes. That's how we successfully integrated our CI/CD pipeline at TaxRise.

How are customer service and support?

Technical support as a whole, it was a while ago, like three months after we stopped using their services, that they emailed us. They should approach users proactively and try to ensure a smooth integration process. 

We already have a lot on our plates, so we don't have time to chase them. Even if we email them and they respond, we have other tasks in the pipeline. They should take ownership and manage the integration. Our SonarCloud integration ended up getting put on the back burner.

So, in terms of technical support, if you're providing a service, you need to be quick to respond to users and grab their attention. These are a few things SonarCloud could improve.

I wouldn't want to discourage their efforts, so I won't rate them a very bad rating. The product itself is still good, so I'd rate their technical support around six and a half out of ten.

And one other thing you can tell the SonarCloud team: they can improve their open-source community. A strong open-source community can significantly reduce the need for technical support. 

If they have good documentation for integrating with various platforms like web applications, back-end applications, server-side applications, Android, iOS, etc., and also GitLab pipelines, their rating could easily go up to eight and a half, maybe even nine.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I currently work with the Android Lint. It's a built-in tool in Android Studio, used for checking errors in the code, code duplication, code smells, and improving code reusability. 

It helps in identifying spelling mistakes, unused variables, and imports, optimizing the code. We chose Android Lint over SonarCloud for similar functionalities, allowing us to improve code quality without relying on a third-party app. 

As an alternative to improve our code quality, we migrated the same functionality to our own cloud environment. This allows us to utilize Android Lint for code improvements internally, eliminating reliance on any third-party app.

Some of the good features we found in SonarCloud that were valuable include the user interface integration with version control tools like GitLab. This lets us see code smells and track commits associated with specific code portions for code reviews.

Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature. Additionally, we can integrate Android Lint directly into our CI/CD pipeline, allowing us to run critical lint checks automatically within the pipeline. This further automates our system and streamlines the development process.

What's my experience with pricing, setup cost, and licensing?

The current pricing is quite cheap. The thousand-line package costs only ten euros per month, which is much cheaper compared to competitors like Veracode, which charge around a hundred or even ninety-nine dollars per month. So, the pricing is good as it is, but if they add features like AI-powered algorithms and core data optimization, they could easily see significant growth.

What other advice do I have?

Overall, I would rate this product around nine out of ten. They're putting a lot of effort into developing the product, and it compares favorably to other options available. Plus, it's free initially with a set limit, making it quite accessible.

One thing SonarCloud could add is a separate AI for comprehensive code analysis. They already suggest improvements and urge users to adopt specific practices, but it could go further. 

For example, imagine using Android Studio and writing some code. SonarCloud's AI could analyze it and suggest algorithm or coding structure improvements.

There are also some application crashes and concurrency issues we encounter due to shared multi-threaded environments. So, another AI check they could offer would be analyzing how to optimize the application's algorithms for better performance. That would be another great improvement for SonarCloud.


    Sagar Mody

Integrates well with other tools and has efficient dashboard features

  • December 06, 2023
  • Review provided by PeerSpot

What is our primary use case?

We use the product for code-based security scanning.

What is most valuable?

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

What needs improvement?

SonarCloud's UI needs enhancement.

For how long have I used the solution?

We have been using SonarCloud for five years.

What do I think about the stability of the solution?

I rate the product's stability a ten out of ten.

What do I think about the scalability of the solution?

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

What about the implementation team?

We have ten dedicated engineers working on the product's deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

What other advice do I have?

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure


    Uzma Noreen

Offers continuous code analysis which can improve the code quality

  • June 27, 2023
  • Review provided by PeerSpot

What is most valuable?

The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules. 

What needs improvement?

The solution needs to improve its customization and flexibility. 

For how long have I used the solution?

I have been using the solution for ten days. 

What do I think about the stability of the solution?

I would rate the product's stability an eight out of ten. 

How are customer service and support?

We have received instant replies from the support but not actual answers. We contacted support regarding upgrading the edition.  

How was the initial setup?

The tool's setup is not complex. Our engineers were not experienced and they took time to implement the product. 

What other advice do I have?

The tool is simple and I would rate it an eight out of ten. 

