SonarQube

Feature like Code Analysis and publishing those analysis report to end user. You can use default Quality Gates and Quality Profiles for scanning of your code. In case you want to modify these you can do that and define your own rule. Whenever there's commit in repo you just need to configure the task in your continuous integration pipeline if it passed the parameter only then commit will happens the master/main branch otherwise it will not. With these features you can eliminate the security threats and ensure that developers are following good practices while developing their code. I have integrated it with Azure DevOps.

Only thing which I can think can be improved is logging of events. Sometime it becomes hard to debug the issues. Other then that, I think over all this fulfills all the requirements.

1. Calculate the quality of code and also helps to improve the quality by providing the solution
2. Highlight the vulnerabilities , repetitive line of code
3. Developer Friendly tool as it provides recommendations on the line of code which needs an improvement.
4. Create Scan reports on demand
5. Option to add exception in code

1. Report Generation sometime take long time.
2. User Interface should be enhanced.
3. Lack custom rule set
4. As per cost, it is little bit expensive.

PR analysis and Integration with Bitbucket are most helpful.

1. Number of rules should be increased.
2. Few rules should have custom exclusions. Ex: Naming conventions => Organisation-specific words will be there which should be in Capital.
3. Generating a lot of false positives
4. Executive reports should generate based on scheduled triggers. We have 20 projects which are assigned to a Portfolio. if you are going to generate a report and send an email for the first portfolio calculation then the rest of the 19 projects info for that day will be missed. Higher management will think that the generated report is the latest but it is not.
5. PR analysis reports should be generated Quickly