We compared SonarQube and GitHub Advanced Security based on our user's reviews in several parameters.
SonarQube offers a comprehensive solution with versatile language support, seamless integration with DevOps pipelines, and configurable features, making it a cost-effective choice with exceptional customer service. GitHub Advanced Security focuses on effective security measures, robust vulnerability detection, and user-friendly features, providing a valuable investment with flexible pricing and customizable options. Both platforms have room for improvement in areas such as analysis speed, user interface refinement, and integration capabilities.
Features: SonarQube's valuable features emphasize comprehensive code quality parameters, multiple language support, and integration with DevOps pipelines. GitHub Advanced Security focuses on software composition analysis, code scanning, and vulnerability alerts, with robust security measures and seamless workflow integration.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, GitHub Advanced Security also has a straightforward and hassle-free setup cost. Both products offer flexible and customizable licensing options to cater to different user requirements., SonarQube has been praised for its ability to improve code quality, identify issues, and enhance project efficiency. Users benefit from its vulnerability detection and code compliance tools. On the other hand, GitHub Advanced Security offers enhanced security features, comprehensive vulnerability scanning, and automated security alerts, resulting in significant ROI and eliminating the need for third-party security tools.
Room for Improvement: In terms of areas for improvement, SonarQube could benefit from enhancing analysis speed, refining the user interface, providing clearer setup instructions, improving the documentation, addressing occasional performance issues, and enhancing integration options. On the other hand, users have suggested better integration with third-party tools, more customization options, improved usability and intuitiveness of the user interface, and increased speed and responsiveness for GitHub Advanced Security.
Deployment and customer support: Users report varying durations for implementing a new tech solution with SonarQube. Some took 3 months for deployment and a week for setup, while others took a week for both. For GitHub Advanced Security, some users took 3 months for deployment and a week for setup, while others took a week for both., SonarQube's customer service has been praised for its prompt and knowledgeable assistance. Users highlight the team's willingness to address any issues. GitHub Advanced Security's customer service is highly commendable, with users appreciating the level of assistance and guidance they receive. The team is described as responsive, knowledgeable, and efficient in resolving issues.
The summary above is based on 39 interviews we conducted recently with SonarQube and GitHub Advanced Security users. To access the review's full transcripts, download our report.
"Dependency scanning is a valuable feature."
"It is a stable solution...It is a scalable solution as it can handle new applications along with the analysis part."
"It ensures user passwords or sensitive information are not accidentally exposed in code or reports."
"GitHub provides advanced security, which is why the customers choose this tool; it allows them to rely solely on GitHub as one platform for everything they need."
"The most valuable is the developer experience and the extensibility of the overall ecosystem."
"The product's most valuable features are security scan, dependency scan, and cost-effectiveness."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"If you want to have your code scanned and timed then this is a good tool."
"It is working fine. It provides a good value for money."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"The most valuable features are the segregation containment and the suspension of product services."
"The software quality gate streamlines the product's quality."
"We consider it a handy tool that helps to resolve our issues immediately."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"The report limitations are the main issue."
"There could be a centralized dashboard to view reports of all the projects on one platform."
"The customizations are a little bit difficult."
"A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial."
"There could be DST features included in the product."
"The deployment part of the product is an area of concern that needs to be made easier from an improvement perspective."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
GitHub Advanced Security is ranked 14th in Application Security Tools with 6 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. GitHub Advanced Security is rated 9.0, while SonarQube is rated 8.0. The top reviewer of GitHub Advanced Security writes "A tool that provides ease of integration with the set of existing codes in an infrastructure". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". GitHub Advanced Security is most compared with Snyk, Veracode, Fortify on Demand, Checkmarx One and GitLab, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Sonatype Lifecycle. See our GitHub Advanced Security vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.