Try our new research platform with insights from 80,000+ expert users

Semgrep vs SonarQube Cloud (formerly SonarCloud) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Semgrep
Ranking in Static Application Security Testing (SAST)
25th
Average Rating
8.0
Reviews Sentiment
7.8
Number of Reviews
1
Ranking in other categories
Supply Chain Management Software (3rd), Software Composition Analysis (SCA) (13th), Static Code Analysis (7th)
SonarQube Cloud (formerly S...
Ranking in Static Application Security Testing (SAST)
8th
Average Rating
8.2
Reviews Sentiment
6.6
Number of Reviews
15
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of April 2025, in the Static Application Security Testing (SAST) category, the mindshare of Semgrep is 1.8%, up from 0.1% compared to the previous year. The mindshare of SonarQube Cloud (formerly SonarCloud) is 6.6%, down from 6.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Henry Mwawai - PeerSpot reviewer
Automated code reviews and good scalability with custom rule adaptability
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing…
Archana Verma - PeerSpot reviewer
Provides valuable insights on code vulnerabilities and integrates seamlessly with CI/CD pipelines
I find SonarQube Cloud to be very user-friendly with an easy-to-use interface. It provides detailed code smell reports and insights on hotspots, which can later represent security vulnerabilities. It gives precise reports compared to Coverity and has a slightly lower number of false positives. It is integrated easily with the CI/CD pipeline, saving time and cost. It provides information on upcoming vulnerability details and loopholes that might turn into vulnerabilities.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the ability to write our custom rules."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"It is the best product we use for easy integration into YAML pipelines for scanning."
"I find SonarQube Cloud to be very user-friendly with an easy-to-use interface."
"The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities."
"The solution can be installed locally."
"For what it is meant to do, it works pretty well."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"I find SonarQube Cloud to be very user-friendly with an easy-to-use interface."
 

Cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."
"We had some issues with the scanner."
"I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture. Currently, to achieve our expectations, we have to use more than one product, as some products excel at scanning for vulnerabilities but are poor at checking code quality."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"SonarCloud's UI needs enhancement."
"The UI can be improved."
"SonarQube Cloud could improve its vulnerability detection compared to Veracode. Additionally, it has fewer capabilities, which prompted us to use Veracode."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
 

Pricing and Cost Advice

Information not available
"I am using the free version of the solution."
"While not extremely cheap, it aligns well with market standards and offers good value."
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"The current pricing is quite cheap."
"I rate the pricing a five out of ten."
"Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
848,716 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
14%
Manufacturing Company
12%
Comms Service Provider
5%
Computer Software Company
18%
Financial Services Firm
10%
Manufacturing Company
10%
Insurance Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What needs improvement with Semgrep?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
What is your primary use case for Semgrep?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending ...
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
What is your experience regarding pricing and costs for SonarCloud?
From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies. It would be a great improvement if the price for smaller companies were reduced, as I do not have th...
What needs improvement with SonarCloud?
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture. Currently, to achieve our expectations, we have to use more than one product, as so...
 

Also Known As

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
No data available
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
Information Not Available
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: April 2025.
848,716 professionals have used our research since 2012.