
SonarQube

Continuous code quality and security inspection. Automatically find bugs, vulnerabilities, and code smells in 25+ languages.

Overview

SonarQube is a platform for continuous inspection of code quality and security. Its Community Edition is open source; the Developer and Enterprise editions are commercial. It performs static analysis (SAST, Static Application Security Testing) on source code to detect bugs, vulnerabilities, security hotspots, code smells, and technical debt. SonarQube supports 25+ programming languages and integrates with all major CI/CD platforms.

For NZ teams, SonarQube is the standard "shift-left" security tool — catching vulnerabilities in code before they reach production. It is often the first security tool added to a CI/CD pipeline.

What it's used for

SonarQube is essential for:

  • Shift-left security: Find vulnerabilities in code before deployment.
  • Code quality gates: Block merges that introduce new bugs or security issues.
  • Technical debt tracking: Measure and monitor code quality over time.
  • Compliance: Generate reports for security audits and standards (OWASP, CWE, SANS).
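The quality-gate item above is the point at which SonarQube actually blocks a merge: the scanner uploads a report, the server's Compute Engine processes it in the background, and only then is the gate result known. The following Python script is an added example (not SonarQube's own code) of what a CI step does after the scanner finishes: it reads the .scannerwork/report-task.txt file the scanner writes, polls the api/ce/task Web API endpoint until the analysis completes, asks api/qualitygates/project_status for the gate result, and exits non-zero listing every failed condition. The server URL, token, project key and sample responses are constructed for illustration.

```python
# Added example for this page (not SonarQube's own code): fail a CI job when the
# analysis does not pass its quality gate. It uses two documented Web API endpoints
# (api/ce/task, api/qualitygates/project_status) and the .scannerwork/report-task.txt
# file the scanner writes. Server URL, token, project key and samples are constructed.
import json
import os
import sys
import time
import urllib.request
from base64 import b64encode
from urllib.parse import urlencode

# Constructed sample of report-task.txt (the scanner writes the real one).
SAMPLE_REPORT_TASK = """projectKey=demo-app
serverUrl=https://sonar.example.invalid
ceTaskId=AXYZ123
dashboardUrl=https://sonar.example.invalid/dashboard?id=demo-app
"""

# Constructed sample of an api/qualitygates/project_status response in which the
# "new security rating" condition fails (rating 3 is worse than the allowed 1).
SAMPLE_PROJECT_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.0"},
        ],
    }
}

def parse_report_task(text):
    """Parse the key=value lines of report-task.txt into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def gate_passed(project_status):
    """True when the quality gate status reported by the server is OK."""
    return project_status["projectStatus"].get("status") == "OK"

def failed_conditions(project_status):
    """Describe every gate condition the server reports as ERROR."""
    out = []
    for c in project_status["projectStatus"].get("conditions", []):
        if c.get("status") == "ERROR":
            out.append("%s = %s (threshold %s %s)" % (
                c.get("metricKey"), c.get("actualValue", "?"),
                c.get("comparator"), c.get("errorThreshold")))
    return out

def api_get(server_url, path, token, params):
    """GET a Web API endpoint; a user token is sent as the Basic-auth username."""
    url = "%s/%s?%s" % (server_url.rstrip("/"), path, urlencode(params))
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + b64encode((token + ":").encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_task(server_url, task_id, token, timeout_s=300, poll_s=5):
    """Poll the Compute Engine task until it reaches a terminal state."""
    deadline = time.monotonic() + timeout_s
    while True:
        task = api_get(server_url, "api/ce/task", token, {"id": task_id})["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        if time.monotonic() > deadline:
            raise TimeoutError("task %s still %s after %ss" % (task_id, task["status"], timeout_s))
        time.sleep(poll_s)

def main(report_path=".scannerwork/report-task.txt"):
    """Exit 0 on a passed gate, 1 on a failed gate, 2 on setup or analysis errors."""
    token = os.environ.get("SONAR_TOKEN")
    if not token:
        print("SONAR_TOKEN is not set", file=sys.stderr)
        return 2
    with open(report_path) as fh:
        props = parse_report_task(fh.read())
    task = wait_for_task(props["serverUrl"], props["ceTaskId"], token)
    if task["status"] != "SUCCESS":
        print("analysis task ended with status %s" % task["status"], file=sys.stderr)
        return 2
    status = api_get(props["serverUrl"], "api/qualitygates/project_status", token,
                     {"analysisId": task["analysisId"]})
    if gate_passed(status):
        print("quality gate passed:", props.get("dashboardUrl", ""))
        return 0
    print("quality gate FAILED:", file=sys.stderr)
    for line in failed_conditions(status):
        print("  -", line, file=sys.stderr)
    return 1

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as the step after sonar-scanner with SONAR_TOKEN in the job environment; a non-zero exit fails the pipeline, which is what "block merges" means in practice. Recent scanner versions can do the same wait themselves with -Dsonar.qualitygate.wait=true; a separate script like this is still useful when you want the failed conditions printed in the job log or need the check in a later stage.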

Pros & Cons

Pros

  • Supports 25+ languages including Java, C#, Python, JavaScript, Go
  • Comprehensive rule set for security, bugs, and code smells
  • Excellent CI/CD integration
  • Detailed dashboards and historical trends
  • Free Community Edition covers most needs

Cons

  • Can generate false positives — requires tuning
  • Developer Edition and Enterprise Edition are expensive
  • Large projects require significant server resources
  • Not a substitute for dynamic testing (DAST) like ZAP or Burp
  • Learning curve for custom rule development

Platforms & Integrations

SonarQube runs on Windows, macOS, and Linux. The server needs a Java runtime and a supported database (PostgreSQL, Microsoft SQL Server, or Oracle); the embedded H2 database is for evaluation only, and MySQL is no longer supported. SonarCloud is the SaaS alternative.

Platforms: Windows, macOS, Linux, Docker
Languages: Java, C#, Python, JavaScript, TypeScript, Go, Ruby, PHP, Kotlin, Swift
CI/CD: Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket

Pricing

Tier         Cost                    Includes
Community    Free                    Code quality and basic SAST rules (no taint analysis), basic reporting
Developer    $150/yr per instance    PR decoration, branch analysis, taint analysis, additional languages
Enterprise   Custom                  Portfolio management, security reports, support
SonarCloud   From $10/mo             SaaS, automatic analysis, GitHub/GitLab/Bitbucket integration

NZ Context

SonarQube is widely used in NZ software teams. It is frequently mentioned in NZ job postings for developers and DevOps engineers. The NZ Government's Digital Service Standards encourage automated code quality checks, and SonarQube is the most common tool for this. For NZ teams using GitHub, SonarCloud provides zero-setup integration.

Alternatives

  • Snyk Code — SAST with better developer experience and IDE integration.
  • Checkmarx — Enterprise SAST with advanced customisation and reporting.
  • Veracode — Cloud-based SAST/DAST combined platform.
