We performed a comparison between SonarCloud and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of SonarCloud. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that SonarCloud lacks technical support.
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"The solution can be installed locally."
"The reports from SonarCloud are very good."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"The most valuable feature of SonarCloud is its overall performance."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"The solution has a plug-in that supports both C and C++ languages."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"SonarQube is a fantastic tool which saves us precious time."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The product is simple."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"SonarCloud's UI needs enhancement."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"The solution needs to improve its customization and flexibility."
"We had some issues with the scanner."
"It would be helpful if notifications could go out to an extra person."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"There could be better integration with other products."
"I have found this solution creates more noise than competitors."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"I would like to see more options for security, beyond the basics like SQL injection."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"The reporting can be improved."
SonarCloud is ranked 10th in Static Application Security Testing (SAST) with 10 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. SonarCloud is rated 8.4, while SonarQube is rated 8.0. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". SonarCloud is most compared with Veracode, Checkmarx One, GitLab, OWASP Zap and Coverity, whereas SonarQube is most compared with Checkmarx One, Coverity, Veracode, Snyk and GitHub Advanced Security. See our SonarCloud vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.