And our take is no – Sonar is not meant to replace manual code reviews. No matter how advanced our technology gets – we think that nothing replaces meaningful interactions and conversations between developers about a codebase.
That said, Sonar is certainly expected to help guide Code Reviews, and handle the repetitive/tricky stuff (style and maintainability issues, tricky bugs, and complex vulnerabilities) so that manual code reviews can focus on more important things: like your business logic, the technical debt you might be accruing, discussing the decisions you’re making for your codebase, etc.
Sonar is a guide and a mentor for Clean Code, but not a replacement for manual code review, and that’s not our goal.
Is your team still performing manual code reviews? (we are!)
SonarQube is a great tool for code analysis and also for learning and improving coding.
But for the semantic part of the code, manual code review is still needed; if in a method called Add a multiplication is done by accident, that is beyond the scope of automatic tooling.
Unless it becomes backed by pretty advanced AI (much more advanced than the likes of chatGPT) I don’t see any checks tool being able to fully replace a human review. Sure, it will catch obvious errors and some not so obvious, but it can’t replace a proper manual review where the reviewer can check if the implementation matches both the intent and the need for the change. Code that is bug free can completely miss the mark for the intended feature, can be uselessly slow and memory hungry, etc…
Agreed human reviews are still needed.
It is depressing, however, when the human review is essentially telling the coder to fix the issues that Sonar found - they can already see them and should have fixed them pre-review!!!
@tbutler What do you think can help the users catch the issues sooner? SonarLint should catch a lot of these issues, which, if developers get in the habit of using it, should reduce the number of issues that ever get pushed.
I think the point you make is very important – tools like Sonar should help humans review the important stuff (business logic, architecture) while not taking away energy focusing on the stuff tools can catch.
@Colin SonarLint can help in some circumstances yes, but as I have posted elsewhere, not something we can recommend.
Probably the biggest issue is for large mature code bases, you cannot differentiate between new issues you have introduced and the 20k code smells that exist in the code already.
SonarLint aside, the devs can create draft PRs and work on issues reported there before requesting a review from a human. Not as fast feedback as you get locally with SonarLint but better than nothing :}