Try our new research platform with insights from 80,000+ expert users

GitHub Code Scanning vs SonarQube Cloud (formerly SonarCloud) comparison

GitHub and Sonar are both solutions in the Static Application Security Testing (SAST) category. GitHub is ranked #17 with an average rating of 9.3, while Sonar is ranked #8 with an average rating of 8.1. GitHub holds a 1.0% mindshare in SAST, compared to Sonar’s 6.6% mindshare. Additionally, 100% of GitHub users are willing to recommend the solution, compared to 100% of Sonar users who would recommend it.
GitHub Code Scanning
Read 3 GitHub Code Scanning reviews
  • 676 Views
  • 585 Comparison Views
100% willing to recommend
SonarQube Cloud (formerly S...
Read 13 SonarQube Cloud (formerly SonarCloud) reviews
  • 8,985 Views
  • 7,383 Comparison Views
100% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Mar 9, 2025

SonarQube Cloud and GitHub Code Scanning are products competing in the code analysis and security category. SonarQube Cloud is preferred for its favorable pricing and support offerings, while GitHub Code Scanning stands out due to its powerful features and seamless integration within the GitHub environment.

Features: SonarQube Cloud supports a wide array of programming languages, offers comprehensive code analysis, and integrates with numerous development tools. GitHub Code Scanning integrates natively with GitHub, offers real-time detections, and provides a rich set of security rules. The main distinction is in GitHub's convenience due to its ecosystem integration versus SonarQube's extensive language support.

Ease of Deployment and Customer Service: GitHub Code Scanning offers seamless deployment with minimal overhead due to its integration into the GitHub platform, along with strong customer service. SonarQube Cloud provides flexible deployment options but may require additional setup time. It offers a variety of support options.

Pricing and ROI: SonarQube Cloud is cost-effective for initial setup, appealing to organizations seeking robust code analytics at a reasonable cost. GitHub Code Scanning requires a higher upfront investment due to its deep integration and real-time scanning capabilities. For organizations operating extensively within the GitHub environment, the investment in GitHub Code Scanning may yield a strong ROI through enhanced features and seamless workflow operations.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud) Report (Updated: March 2025).
Buyer's Guide
GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud)
March 2025
Download the complete report
Helped 845,040 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

GitHub Code Scanning
Ranking in Static Application Security Testing (SAST)
17th
Average Rating
9.4
Reviews Sentiment
7.9
Number of Reviews
3
Ranking in other categories
No ranking in other categories
SonarQube Cloud (formerly S...
Ranking in Static Application Security Testing (SAST)
8th
Average Rating
8.2
Reviews Sentiment
6.6
Number of Reviews
13
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of April 2025, in the Static Application Security Testing (SAST) category, the mindshare of GitHub Code Scanning is 1.0%, up from 0.1% compared to the previous year. The mindshare of SonarQube Cloud (formerly SonarCloud) is 6.6%, down from 6.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

VishalSingh - PeerSpot reviewer
Traverses the entire network, scanning every system to determine which ports are open
You can use the tool locally on your system or in the cloud. I rate it a nine out of ten. It's a very good tool for people who want to start using GitHubCode Scanning, especially for software development or team collaboration. GitHubCode Scanning allows teams to collaborate by uploading files to repositories. For example, if someone is developing an application, they can host the code on GitHub Code Scanning. Other developers can then download the code for testing purposes. If bugs are found, fixes can be applied using the GitHub Code Scanningrepository, and everyone on the team can see the changes. Software developers often use GitHub Code Scanning for version control, and it's essential for CI/CD pipelines to work.
Read full review
Archana Verma - PeerSpot reviewer
Provides valuable insights on code vulnerabilities and integrates seamlessly with CI/CD pipelines
I find SonarQube Cloud to be very user-friendly with an easy-to-use interface. It provides detailed code smell reports and insights on hotspots, which can later represent security vulnerabilities. It gives precise reports compared to Coverity and has a slightly lower number of false positives. It is integrated easily with the CI/CD pipeline, saving time and cost. It provides information on upcoming vulnerability details and loopholes that might turn into vulnerabilities.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"GitHub Code Spaces brings significant value with its simplicity and ease of use."
"We use GitHub Code Scanning mostly for source code management."
"The most valuable feature of SonarCloud is its overall performance."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The SaaS solution for checking code without execution and dealing with security issues is valuable."
"I find SonarQube Cloud very easy to use and simple to integrate initially."
"The reports from SonarCloud are very good."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"The solution can be installed locally."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
More SonarQube Cloud (formerly SonarCloud) pros
 

Cons

"One area for improvement could be the ability to have an AI system digest the reports generated from code scanning and provide a summary. Currently, the reports can be extensive, and users may overlook details, such as outdated libraries, which could be highlighted for attention."
"GitHub Code Scanning should add more templates."
"SonarQube Cloud could improve its vulnerability detection compared to Veracode. Additionally, it has fewer capabilities, which prompted us to use Veracode."
"It would be helpful if notifications could go out to an extra person."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"SonarCloud's UI needs enhancement."
"The solution needs to improve its customization and flexibility."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"The UI can be improved. Additionally, in future updates, I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs."
"SonarQube Cloud could improve its vulnerability detection compared to Veracode."
More SonarQube Cloud (formerly SonarCloud) cons
 

Pricing and Cost Advice

"The minimum pricing for the tool is five dollars a month."
"GitHub Code Scanning is a moderately priced solution."
"While not extremely cheap, it aligns well with market standards and offers good value."
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
"The current pricing is quite cheap."
"I rate the pricing a five out of ten."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"I am using the free version of the solution."
"Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost."
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
845,040 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
15%
Financial Services Firm
10%
Manufacturing Company
8%
Government
8%
Computer Software Company
18%
Financial Services Firm
10%
Manufacturing Company
9%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What do you like most about GitHub Code Scanning?
We use GitHub Code Scanning mostly for source code management.
See all answers
What is your experience regarding pricing and costs for GitHub Code Scanning?
The minimum pricing for the tool is five dollars a month.
See all answers
What needs improvement with GitHub Code Scanning?
One area for improvement could be the ability to have an AI system digest the reports generated from code scanning and provide a summary. Currently, the reports can be extensive, and users may over...
See all answers
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
See all answers
What is your experience regarding pricing and costs for SonarCloud?
From what I understand, SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.
See all answers
What needs improvement with SonarCloud?
SonarQube Cloud could improve its vulnerability detection compared to Veracode. Additionally, it has fewer capabilities, which prompted us to use Veracode.
See all answers
 

Comparisons

SonarQube Server (formerly SonarQube) vs GitHub Code Scanning Logo
SonarQube Server (formerly SonarQube) vs GitHub Code Scanning
Compared 33% of the time
Coverity vs GitHub Code Scanning Logo
Coverity vs GitHub Code Scanning
Compared 31% of the time
Aikido Security vs GitHub Code Scanning Logo
Aikido Security vs GitHub Code Scanning
Compared 9% of the time
Polaris Software Integrity Platform vs GitHub Code Scanning Logo
Polaris Software Integrity Platform vs GitHub Code Scanning
Compared 5% of the time
OWASP Zap vs GitHub Code Scanning Logo
OWASP Zap vs GitHub Code Scanning
Compared 4% of the time
More GitHub Code Scanning Competitors
SonarQube Server (formerly SonarQube) vs SonarQube Cloud (formerly SonarCloud) Logo
SonarQube Server (formerly SonarQube) vs SonarQube Cloud (formerly SonarCloud)
Compared 66% of the time
Veracode vs SonarQube Cloud (formerly SonarCloud) Logo
Veracode vs SonarQube Cloud (formerly SonarCloud)
Compared 7% of the time
GitLab vs SonarQube Cloud (formerly SonarCloud) Logo
GitLab vs SonarQube Cloud (formerly SonarCloud)
Compared 4% of the time
Coverity vs SonarQube Cloud (formerly SonarCloud) Logo
Coverity vs SonarQube Cloud (formerly SonarCloud)
Compared 4% of the time
Semgrep vs SonarQube Cloud (formerly SonarCloud) Logo
Semgrep vs SonarQube Cloud (formerly SonarCloud)
Compared 3% of the time
More SonarQube Cloud (formerly SonarCloud) Competitors
 

Product Reports

Buyer's Guide
Static Application Security Testing (SAST)
March 2025
GitHub Code Scanning reportDownload GitHub Code Scanning product report
Buyer's Guide
SonarQube Cloud (formerly SonarCloud)
March 2025
SonarQube Cloud (formerly SonarCloud) reportDownload SonarQube Cloud (formerly SonarCloud) product report
 

Interactive Demo

Demo not available
GitHub
Sonar
 

Overview

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

GitHub

SonarQube Cloud offers static code analysis and application security testing, seamlessly integrating into CI/CD pipelines. It's a vital tool for identifying vulnerabilities and ensuring code quality before deployment.

SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing critical feedback at the pull request level. It's designed to help organizations maintain clean code by acting as a quality gate. This service supports development methodologies including sprints and Kanban for ongoing vulnerability management. While appreciated for its dashboard and integration capabilities, some users find initial setup challenging and note the need for enhanced documentation. The recent addition of mono reports and microservices support offers deeper insights into security and code quality, though container testing limitations and false positives are noted drawbacks. Manual intervention is sometimes required to address detailed reporting, with external tools being necessary for comprehensive analysis. Notifications for larger teams during serious issues and streamlined integration of new features are also areas of improvement.

What are the key features of SonarQube Cloud?
  • Vulnerability Detection: Identifies potential security threats within code.
  • Security Hotspots: Highlights sections of the code that require closer inspection.
  • Feedback on Feature Branches: Enables early detection and resolution of quality issues.
  • No Maintenance: Ensures focus remains on development rather than tool upkeep.
  • Mono and Multi-Reports: Offers diverse insights into code quality.
What benefits should users look for?
  • Integration Ease: Seamlessly connects with popular development platforms.
  • Continuous Code Analysis: Provides consistent feedback to improve code standards.
  • Unified Quality View: Dashboard offers a comprehensive look at code metrics.
  • Security Insights: Detailed information on vulnerabilities and their impact.

In specific industries, SonarQube Cloud finds application in finance and healthcare where code integrity and security are paramount. It allows teams to identify critical vulnerabilities early and ensures that software development aligns with industry regulations and standards. By continuously analyzing code, it aids organizations in deploying secure and reliable applications, fostering trust and compliance.

Sonar
Buyer's Guide
GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud)
March 2025
Free Report: GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud)
Find out what your peers are saying about GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud) and other solutions. Updated: March 2025.
DOWNLOAD NOW
845,040 professionals have used our research since 2012.
See our GitHub Code Scanning vs. SonarQube Cloud (formerly SonarCloud) report.
See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.