Try our new research platform with insights from 80,000+ expert users

GitHub Advanced Security vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

GitHub Advanced Security
Ranking in Application Security Tools
11th
Average Rating
8.6
Reviews Sentiment
7.6
Number of Reviews
9
Ranking in other categories
No ranking in other categories
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of GitHub Advanced Security is 8.6%, up from 2.8% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Sabna Sainudeen - PeerSpot reviewer
Seamlessly integrates into developer environment for streamlined code scanning
GitHub Advanced Security should look into API security issues, which they currently do not. Additionally, open-source security vulnerabilities are not getting updated in a timely manner. There are features in GitHub Advanced Security that cannot be used within Microsoft, which is strange since they are the same company. It should also focus on developing a software bill of materials (SBOM) to see all open software used in one place.
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"GitHub Advanced Security is a very developer-friendly solution that is integrated within my development environment."
"The product's most valuable features are security scan, dependency scan, and cost-effectiveness."
"GitHub Advanced Security uses artificial intelligence in the backend, specifically CodeQL, to analyze code and provide fewer but more reliable findings, so there are less false positives."
"It ensures user passwords or sensitive information are not accidentally exposed in code or reports."
"Dependency scanning is a valuable feature."
"The initial setup was straightforward and completed in a matter of minutes."
"It is a stable solution...It is a scalable solution as it can handle new applications along with the analysis part."
"The most valuable is the developer experience and the extensibility of the overall ecosystem."
"It easily ties into our continuous integration pipeline."
"The solution's user interface is very user-friendly."
"The integrations SonarQube provides with our software delivery pipeline are very seamless."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
"Before you even compile, it can catch known vulnerability issues or patterns."
"The most valuable function is its usability."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
 

Cons

"A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial."
"The report limitations are the main issue."
"The customizations are a little bit difficult."
"For GitHub Advanced Security, I would like to see more support for various programming languages."
"Open-source security vulnerabilities are not getting updated in a timely manner."
"Maybe make it compatible with more programming languages. Have a customized ruleset where the end-user can create their own rules for scanning."
"The deployment part of the product is an area of concern that needs to be made easier from an improvement perspective."
"There could be a centralized dashboard to view reports of all the projects on one platform."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"I am not very pleased with the technical debt computation."
"The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
 

Pricing and Cost Advice

"The solution is expensive."
"The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth."
"We did not purchase a license (required for C++ support), but this option was considered."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
"The licence is standard open source licensing"
"We use the solution free of cost."
"We pay €10 per month for this solution, which is good. It provides a good value for money."
"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
"The price of the solution could be reduced."
"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
849,190 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
14%
Computer Software Company
11%
Manufacturing Company
8%
Government
7%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about GitHub Advanced Security?
It is a stable solution...It is a scalable solution as it can handle new applications along with the analysis part.
What needs improvement with GitHub Advanced Security?
For GitHub Advanced Security, I would like to see more support for various programming languages. Additionally, it would be beneficial to have more control at an organizational level rather than ha...
What is your primary use case for GitHub Advanced Security?
I use GitHub Advanced Security ( /products/github-advanced-security-reviews ) at my workplace to scan for code vulnerabilities and secrets in our software development workflow. It is used across mu...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

No data available
Sonar
 

Interactive Demo

Demo not available
 

Overview

Find out what your peers are saying about GitHub Advanced Security vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: April 2025.
849,190 professionals have used our research since 2012.