Hello,
We are an organization that was evaluating SonarQube for static code analysis. We’re in the 1M-5M LoC neighborhood. Hybrid SCM: on-premise TFS using TeamCity, and Azure DevOps (both repo and CI/CD).
As part of our DD, we initially ruled out SonarCloud, but with a long-term strategy to migrate to Azure DevOps for everything, we discovered we can still utilize SonarCloud in the way we need using TeamCity and the command line, as if we were crunching on local builds.
Asked our sales representative about SonarCloud, and he cautioned against its usage due to it being multi-tenant, and because customer segregation is handled at the application level. Moreover, he mentioned that it does not have any “security certification yet.”
We’d probably be okay with that, but had a couple of questions that the rep wouldn’t/couldn’t answer, so he referred us here:
- Are there “big” customers out there using SonarCloud successfully now (I know the answer is “yes” for SonarQube)?
- What security certification(s)?
If someone on the SonarSource team can help, I’d appreciate it.