
Is SonarQube the best tool for static analysis?

Hi community members,

Is SonarQube the best tool for static analysis? Are there any good tools that compete with SonarQube?

ITCS user

Real User

SonarQube is one of the most widely used and easy-to-use tools.

With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code. 

But it is not a comprehensive static security-focused tool like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the Enterprise Edition (it has some associated cost, but not to the extent of other commercial tools). Hope this helps.

Real User

We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best. 

It can handle multiple tech stacks and gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. It allows adding plugins and integrating with CI/CD even with the Community Edition. The Developer and Enterprise editions also allow branch-level integration for pull requests.

Evgeny Belenky, Community Manager

@reviewer1572348 Have you been using it for multiple programming languages? If so, for which ones?
Have you had a sense of equal coverage for each of them?
Thank you!

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees), Real User

@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET and SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.
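The answer above mentions feeding SonarQube's vulnerability, bug and code-smell findings into a CI/CD pipeline. As an added example (not part of the original thread and not SonarQube's own code), the script below shows the step a security engineer typically bolts on: read the issue list, summarise it by type and severity, and fail the build when an open VULNERABILITY exceeds an agreed severity. The JSON payload is constructed to match the shape of SonarQube's Web API response for GET /api/issues/search (fields such as rule, severity, type, component, status); the rule keys, file paths and messages are illustrative, and the severity threshold policy is an assumption for this example rather than a built-in SonarQube quality gate.

```python
"""Added example: gate a CI build on SonarQube issue results.

The payload below is constructed in the shape of a GET /api/issues/search
response. Rule keys, paths and messages are illustrative, not a real scan.
The severity policy in security_gate() is an assumption for this example.
"""
import json
from collections import Counter

SAMPLE_RESPONSE = json.dumps({
    "total": 5,
    "issues": [
        {"key": "AX1", "rule": "java:S3649", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "shop:src/main/java/shop/OrderDao.java", "line": 42, "status": "OPEN",
         "message": "Change this code to not construct SQL queries directly from user-controlled data."},
        {"key": "AX2", "rule": "java:S2076", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "shop:src/main/java/shop/Export.java", "line": 17, "status": "RESOLVED",
         "message": "Make sure the OS command is not built from user input."},
        {"key": "AX3", "rule": "java:S2259", "severity": "MAJOR", "type": "BUG",
         "component": "shop:src/main/java/shop/Cart.java", "line": 88, "status": "OPEN",
         "message": "A NullPointerException could be thrown."},
        {"key": "AX4", "rule": "java:S1118", "severity": "MINOR", "type": "CODE_SMELL",
         "component": "shop:src/main/java/shop/Util.java", "line": 3, "status": "OPEN",
         "message": "Add a private constructor to hide the implicit public one."},
        {"key": "AX5", "rule": "typescript:S1481", "severity": "MINOR", "type": "CODE_SMELL",
         "component": "shop:web/src/cart.ts", "line": 12, "status": "CONFIRMED",
         "message": "Remove the unused variable."},
    ],
})

# SonarQube severities, ordered so they can be compared numerically.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}
# Statuses that still represent unfixed findings.
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}


def load_open_issues(raw):
    """Parse the API response and keep only issues that are still open."""
    data = json.loads(raw)
    return [i for i in data.get("issues", []) if i.get("status") in OPEN_STATUSES]


def summarize(issues):
    """Count open issues per (type, severity), e.g. {('BUG', 'MAJOR'): 1}."""
    return Counter((i["type"], i["severity"]) for i in issues)


def security_gate(issues, max_vuln_severity="MAJOR"):
    """Fail when any open VULNERABILITY is more severe than max_vuln_severity.

    Returns (passed, offenders); offenders are human-readable lines for the log.
    Bugs and code smells are reported by summarize() but do not block the build
    under this (assumed) policy.
    """
    limit = SEVERITY_RANK[max_vuln_severity]
    offenders = [
        f"{i['severity']} {i['rule']} {i['component']}:{i.get('line', '?')} - {i['message']}"
        for i in issues
        if i["type"] == "VULNERABILITY" and SEVERITY_RANK[i["severity"]] > limit
    ]
    return (not offenders, offenders)


def main():
    issues = load_open_issues(SAMPLE_RESPONSE)
    for (kind, sev), n in sorted(summarize(issues).items()):
        print(f"{kind:14} {sev:9} {n}")
    passed, offenders = security_gate(issues)
    for line in offenders:
        print("GATE:", line)
    print("gate passed" if passed else "gate FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the payload would come from the server, for example `curl -u "$SONAR_TOKEN:" "$SONAR_HOST/api/issues/search?componentKeys=shop&resolved=false"` (token, host and project key are placeholders), and the non-zero exit status of the script is what makes the CI job fail. Note that the one RESOLVED vulnerability in the sample is deliberately ignored so that already-fixed findings do not keep blocking merges.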

Evgeny Belenky, Community Manager

@reviewer1572348 thank you for your reply!


The static tools we can use are Fortify or IBM AppScan.

SonarQube is widely used for coding standards.


There are many tools that can work for static code analysis, both in open source as well as in licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it in the DevOps pipeline?

It is also important to know which programming language the application code is written in. Additionally, SCA functionality is also important if you are working for a big corporation where open source libraries/components are not allowed.

Vendor

If you stop at "static analysis" and leave off the Security Testing part, I don't even view this tool as a security tool; it's much more about code quality.

Consultant

Please have a look at the TICS framework, offered by www.tiobe.com. It is heavily used in the embedded industry (Philips, ASML, Porsche, etc.) to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.

Real User

Veracode will work with it and give value in a complementary way.

Real User

SonarQube is not the best SAST. It is a SAST, but like any other open-source SAST; the best SAST is from the leader of the "Gartner Quadrant for AST".

Community Manager

@Anshuman Kishore @TibinLukose @Donovan Greeff you've recently written reviews for SonarQube - do you have some insight to help @Manoj Kumar Kemisetty with this question? 
