GitHub Code Scanning vs SonarQube Cloud (formerly SonarCloud) comparison

GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud)

Download the complete report

Helped 814,528 peers since 2012

Categories and Ranking

GitHub Code Scanning

Ranking in Static Application Security Testing (SAST)

22nd

Average Rating

9.6

Number of Reviews

Ranking in other categories

No ranking in other categories

SonarQube Cloud (formerly S...

Ranking in Static Application Security Testing (SAST)

10th

Average Rating

8.2

Reviews Sentiment

6.3

Number of Reviews

Ranking in other categories

No ranking in other categories

Mindshare comparison

As of November 2024, in the Static Application Security Testing (SAST) category, the mindshare of GitHub Code Scanning is 0.6%, up from 0.1% compared to the previous year. The mindshare of SonarQube Cloud (formerly SonarCloud) is 6.8%, up from 6.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

VishalSingh

Consulting & Solutions, BA/BD in Enterprise IT on Open Source, Red Hat & EDB at KEEN AND ABLE COMPUTERS PVT LTD

May 28, 2024

Traverses the entire network, scanning every system to determine which ports are open

You can use the tool locally on your system or in the cloud. I rate it a nine out of ten. It's a very good tool for people who want to start using GitHubCode Scanning, especially for software development or team collaboration. GitHubCode Scanning allows teams to collaborate by uploading files to repositories. For example, if someone is developing an application, they can host the code on GitHub Code Scanning. Other developers can then download the code for testing purposes. If bugs are found, fixes can be applied using the GitHub Code Scanningrepository, and everyone on the team can see the changes. Software developers often use GitHub Code Scanning for version control, and it's essential for CI/CD pipelines to work.

Read full review

Diego Moreo

Software Quality Coordinator at a retailer with 10,001+ employees

Oct 7, 2024

Enhanced code quality with data consolidation needs and good pipeline integration

We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied SonarCloud aids us in checking major issues in legacy systems and helps…

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."

"We use GitHub Code Scanning mostly for source code management."

"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."

"For what it is meant to do, it works pretty well."

"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."

"The reports from SonarCloud are very good."

"The solution can be installed locally."

"The SaaS solution for checking code without execution and dealing with security issues is valuable."

"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."

"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."

More SonarQube Cloud (formerly SonarCloud) pros

Cons

"GitHub Code Scanning should add more templates."

"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."

"It would be helpful if notifications could go out to an extra person."

"Reporting features are missing in SonarCloud."

"SonarCloud's UI needs enhancement."

"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."

"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."

"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."

"There's room for improvement in the configuration process, particularly during the initial setup phase."

More SonarQube Cloud (formerly SonarCloud) cons

Pricing and Cost Advice

"GitHub Code Scanning is a moderately priced solution."

"The minimum pricing for the tool is five dollars a month."

"The current pricing is quite cheap."

"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."

"I am using the free version of the solution."

"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."

"While not extremely cheap, it aligns well with market standards and offers good value."

"I rate the pricing a five out of ten."

"Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost."

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

814,528 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Computer Software Company

16%

Financial Services Firm

11%

Insurance Company

Transportation Company

Computer Software Company

19%

Financial Services Firm

10%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

Questions from the Community

What do you like most about GitHub Code Scanning?

We use GitHub Code Scanning mostly for source code management.

What is your experience regarding pricing and costs for GitHub Code Scanning?

The minimum pricing for the tool is five dollars a month.

What needs improvement with GitHub Code Scanning?

GitHub Code Scanning should add more templates.

What do you like most about SonarCloud?

Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.

What is your experience regarding pricing and costs for SonarCloud?

Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost.

What needs improvement with SonarCloud?

Reporting features are missing in SonarCloud. We do not have a way to consolidate data within the tool, requiring us to extract data and use Power BI for reports.

Coverity vs GitHub Code Scanning

Comparisons

Compared 27% of the time

SonarQube Server (formerly SonarQube) vs GitHub Code Scanning

Compared 26% of the time

Polaris Software Integrity Platform vs GitHub Code Scanning

Compared 8% of the time

Aikido Security vs GitHub Code Scanning

Compared 6% of the time

Veracode vs GitHub Code Scanning

Compared 6% of the time

More GitHub Code Scanning Competitors

SonarQube Server (formerly SonarQube) vs SonarQube Cloud (formerly SonarCloud)

Compared 73% of the time

Veracode vs SonarQube Cloud (formerly SonarCloud)

Compared 8% of the time

Checkmarx One vs SonarQube Cloud (formerly SonarCloud)

Compared 4% of the time

GitLab vs SonarQube Cloud (formerly SonarCloud)

Compared 4% of the time

OWASP Zap vs SonarQube Cloud (formerly SonarCloud)

Compared 2% of the time

More SonarQube Cloud (formerly SonarCloud) Competitors

Product Reports

Static Application Security Testing (SAST)

Download GitHub Code Scanning product report

SonarQube Cloud (formerly SonarCloud)

Download SonarQube Cloud (formerly SonarCloud) product report

SonarQube Cloud (formerly SonarCloud) report

Learn More

GitHub

Sonar

Interactive Demo

Demo not available

GitHub

Sonar

Overview

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

SonarQube Cloud offers static code analysis and application security testing, seamlessly integrating into CI/CD pipelines. It's a vital tool for identifying vulnerabilities and ensuring code quality before deployment.

SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing critical feedback at the pull request level. It's designed to help organizations maintain clean code by acting as a quality gate. This service supports development methodologies including sprints and Kanban for ongoing vulnerability management. While appreciated for its dashboard and integration capabilities, some users find initial setup challenging and note the need for enhanced documentation. The recent addition of mono reports and microservices support offers deeper insights into security and code quality, though container testing limitations and false positives are noted drawbacks. Manual intervention is sometimes required to address detailed reporting, with external tools being necessary for comprehensive analysis. Notifications for larger teams during serious issues and streamlined integration of new features are also areas of improvement.

What are the key features of SonarQube Cloud?

Vulnerability Detection: Identifies potential security threats within code.
Security Hotspots: Highlights sections of the code that require closer inspection.
Feedback on Feature Branches: Enables early detection and resolution of quality issues.
No Maintenance: Ensures focus remains on development rather than tool upkeep.
Mono and Multi-Reports: Offers diverse insights into code quality.

What benefits should users look for?

Integration Ease: Seamlessly connects with popular development platforms.
Continuous Code Analysis: Provides consistent feedback to improve code standards.
Unified Quality View: Dashboard offers a comprehensive look at code metrics.
Security Insights: Detailed information on vulnerabilities and their impact.

In specific industries, SonarQube Cloud finds application in finance and healthcare where code integrity and security are paramount. It allows teams to identify critical vulnerabilities early and ensures that software development aligns with industry regulations and standards. By continuously analyzing code, it aids organizations in deploying secure and reliable applications, fostering trust and compliance.

GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud)