We performed a comparison between SonarCloud and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of SonarCloud. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that SonarCloud lacks technical support.
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"The most valuable feature of SonarCloud is its overall performance."
"The reports from SonarCloud are very good."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"It has very good scalability and stability."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"It is a very good tool for analysis and security vulnerability checking."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"It would be helpful if notifications could go out to an extra person."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"We had some issues with the scanner."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"It would be better if SonarQube provided a good UI for external configuration."
"The product's user documentation can be vastly improved."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"The product must improve security analysis."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"I think the code security can be improved."
SonarCloud is ranked 10th in Application Security Testing (AST) with 10 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 110 reviews. SonarCloud is rated 8.4, while SonarQube is rated 8.0. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". SonarCloud is most compared with Veracode, Checkmarx One, GitLab, OWASP Zap and Coverity, whereas SonarQube is most compared with Checkmarx One, Coverity, Veracode, Snyk and GitHub Advanced Security. See our SonarCloud vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.