Try our new research platform with insights from 80,000+ expert users

Semgrep vs SonarQube Cloud (formerly SonarCloud) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 30, 2024
 

Categories and Ranking

Semgrep
Ranking in Static Application Security Testing (SAST)
27th
Average Rating
8.0
Number of Reviews
1
Ranking in other categories
Supply Chain Management Software (3rd), Software Composition Analysis (SCA) (15th), Static Code Analysis (9th)
SonarQube Cloud (formerly S...
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
8.2
Reviews Sentiment
6.3
Number of Reviews
11
Ranking in other categories
No ranking in other categories
 

Featured Reviews

Henry Mwawai - PeerSpot reviewer
Sep 23, 2024
Automated code reviews and good scalability with custom rule adaptability
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing…
Diego Moreo - PeerSpot reviewer
Oct 7, 2024
Enhanced code quality with data consolidation needs and good pipeline integration
We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied SonarCloud aids us in checking major issues in legacy systems and helps…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the ability to write our custom rules."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"For what it is meant to do, it works pretty well."
"The solution can be installed locally."
"The reports from SonarCloud are very good."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"The most valuable feature of SonarCloud is its overall performance."
 

Cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."
"Reporting features are missing in SonarCloud."
"The solution needs to improve its customization and flexibility."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"We had some issues with the scanner."
 

Pricing and Cost Advice

Information not available
"The current pricing is quite cheap."
"I am using the free version of the solution."
"While not extremely cheap, it aligns well with market standards and offers good value."
"I rate the pricing a five out of ten."
"Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
814,528 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
17%
Manufacturing Company
11%
Government
5%
Computer Software Company
19%
Financial Services Firm
10%
Manufacturing Company
9%
Insurance Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What needs improvement with Semgrep?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
What is your primary use case for Semgrep?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending ...
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
What is your experience regarding pricing and costs for SonarCloud?
Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost.
What needs improvement with SonarCloud?
Reporting features are missing in SonarCloud. We do not have a way to consolidate data within the tool, requiring us to extract data and use Power BI for reports.
 

Also Known As

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
No data available
 

Learn More

 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
Information Not Available
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: October 2024.
814,528 professionals have used our research since 2012.