What is technical debt in SonarQube, and how is it estimated? [Basic]
Answer
Technical debt in SonarQube is an estimate of the remediation effort required to fix maintainability issues, usually expressed as time. It helps quantify how much engineering effort is needed to make the code easier and safer to change.
Technical explanation
Each rule carries a remediation function, an estimate of the effort needed to fix one issue of that type, and SonarQube sums that effort across all reported code smells and maintainability findings.
Debt is an estimate, not an exact project plan; teams should validate high-impact items manually.
Debt ratio and maintainability rating help compare codebases, but operational risk and business criticality should also influence prioritization.
Hands-on example
Example: a service has 20 days of estimated debt, but most new code is clean. The team agrees to spend 10 percent of each sprint on the highest-risk debt: complex payment flows, duplicated auth logic, and untested error handling.
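To make the estimation concrete, here is an added example (not SonarQube's own code) that models how per-rule remediation functions roll up into debt, debt ratio and a maintainability rating. The rules, issues and line count are constructed; the 30 minutes per line, the 8-hour day and the A–E rating grid are what I understand to be SonarQube's configurable defaults, so check the values in your own instance.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    key: str
    kind: str                  # "constant", "linear" or "linear_offset"
    base_minutes: int = 0      # fixed effort, or the offset of linear_offset
    per_unit_minutes: int = 0  # effort per unit for linear / linear_offset

@dataclass(frozen=True)
class Issue:
    rule: Rule
    units: int = 0  # issue-specific factor, e.g. complexity points over the limit

REMEDIATION = {
    "constant": lambda r, units: r.base_minutes,
    "linear": lambda r, units: r.per_unit_minutes * units,
    "linear_offset": lambda r, units: r.base_minutes + r.per_unit_minutes * units,
}

def issue_effort(issue: Issue) -> int:
    """Minutes to fix one issue, from its rule's remediation function (three shapes above)."""
    return REMEDIATION[issue.rule.kind](issue.rule, issue.units)

def total_debt_minutes(issues) -> int:
    """Technical debt: remediation effort summed over all open maintainability issues."""
    return sum(issue_effort(i) for i in issues)

def debt_ratio(debt_minutes: int, ncloc: int, minutes_per_line: int = 30) -> float:
    """Remediation cost / development cost (ncloc * cost per line; 30 min is the assumed default)."""
    return debt_minutes / (ncloc * minutes_per_line)

def maintainability_rating(ratio: float) -> str:
    """Assumed default grid: A<=5%, B<=10%, C<=20%, D<=50%, otherwise E."""
    for grade, limit in (("A", 0.05), ("B", 0.10), ("C", 0.20), ("D", 0.50)):
        if ratio <= limit:
            return grade
    return "E"

def format_effort(minutes: int, hours_per_day: int = 8) -> str:
    """Render as SonarQube-style 'Xd Yh Zmin' using an assumed 8-hour working day."""
    days, rem = divmod(minutes, hours_per_day * 60)
    hours, mins = divmod(rem, 60)
    return " ".join(f"{n}{u}" for n, u in ((days, "d"), (hours, "h"), (mins, "min")) if n) or "0min"

# Constructed sample: three rule shapes, six issues, 30 lines of code.
UNUSED_IMPORT = Rule("demo:unused-import", "constant", base_minutes=5)
COMPLEXITY = Rule("demo:cognitive-complexity", "linear", per_unit_minutes=1)
DUPLICATION = Rule("demo:duplicated-block", "linear_offset", base_minutes=10, per_unit_minutes=2)
SAMPLE_ISSUES = [Issue(UNUSED_IMPORT)] * 3 + [Issue(COMPLEXITY, 12), Issue(COMPLEXITY, 4), Issue(DUPLICATION, 5)]
SAMPLE_NCLOC = 30
```

With the sample, `total_debt_minutes(SAMPLE_ISSUES)` is 51 minutes, which on only 30 lines gives a ratio of about 5.7% and a B rating; the same 51 minutes on a few hundred lines would be an A, which is why the ratio, not the raw minutes, is what the rating reflects.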