Try our new research platform with insights from 80,000+ expert users

GitHub Advanced Security vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

GitHub Advanced Security
Ranking in Application Security Tools
11th
Average Rating
8.6
Reviews Sentiment
7.6
Number of Reviews
9
Ranking in other categories
No ranking in other categories
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of GitHub Advanced Security is 8.6%, up from 2.8% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Sabna Sainudeen - PeerSpot reviewer
Seamlessly integrates into developer environment for streamlined code scanning
GitHub Advanced Security should look into API security issues, which they currently do not. Additionally, open-source security vulnerabilities are not getting updated in a timely manner. There are features in GitHub Advanced Security that cannot be used within Microsoft, which is strange since they are the same company. It should also focus on developing a software bill of materials (SBOM) to see all open software used in one place.
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The initial setup was straightforward and completed in a matter of minutes."
"The most valuable is the developer experience and the extensibility of the overall ecosystem."
"The product's most valuable features are security scan, dependency scan, and cost-effectiveness."
"GitHub Advanced Security is a very developer-friendly solution that is integrated within my development environment."
"GitHub Advanced Security uses artificial intelligence in the backend, specifically CodeQL, to analyze code and provide fewer but more reliable findings, so there are less false positives."
"It ensures user passwords or sensitive information are not accidentally exposed in code or reports."
"It is a stable solution...It is a scalable solution as it can handle new applications along with the analysis part."
"GitHub provides advanced security, which is why the customers choose this tool; it allows them to rely solely on GitHub as one platform for everything they need."
"It is a very good tool for analysis despite its limitations."
"We consider it a handy tool that helps to resolve our issues immediately."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"We advise all of our developers to have this solution in place."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"The overall quality of the indicator is good."
"The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
 

Cons

"There could be a centralized dashboard to view reports of all the projects on one platform."
"Open-source security vulnerabilities are not getting updated in a timely manner."
"The customizations are a little bit difficult."
"A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial."
"For GitHub Advanced Security, I would like to see more support for various programming languages."
"The report limitations are the main issue."
"The deployment part of the product is an area of concern that needs to be made easier from an improvement perspective."
"GitHub Advanced Security should look into API security issues, which they currently do not. Additionally, open-source security vulnerabilities are not getting updated in a timely manner."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"I am not very pleased with the technical debt computation."
"The product provides false reports sometimes."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"It should be user-friendly."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"You may need to purchase add-ons to get the useability you desire."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
 

Pricing and Cost Advice

"The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth."
"The solution is expensive."
"We use the free version; there are no hidden costs or licensing required."
"The free version of SonarQube does everything that we need it to."
"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"On the pricing side, it's 3,000 Euros for 1 million lines of code."
"We are using the open-source community version, but there are enterprise licenses available."
"This solution is free."
"SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code."
"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
845,040 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
14%
Computer Software Company
12%
Manufacturing Company
8%
Government
7%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about GitHub Advanced Security?
It is a stable solution...It is a scalable solution as it can handle new applications along with the analysis part.
What needs improvement with GitHub Advanced Security?
GitHub Advanced Security should look into API security issues, which they currently do not. Additionally, open-source security vulnerabilities are not getting updated in a timely manner. There are ...
What is your primary use case for GitHub Advanced Security?
I use GitHub Advanced Security for source code analysis and code scanning. It is integrated within my development environment and is beneficial for organizations where all development is within Git...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

No data available
Sonar
 

Interactive Demo

Demo not available
 

Overview

Find out what your peers are saying about GitHub Advanced Security vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: March 2025.
845,040 professionals have used our research since 2012.