Try our new research platform with insights from 80,000+ expert users

Semgrep vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 30, 2024
 

Categories and Ranking

Semgrep
Ranking in Static Application Security Testing (SAST)
27th
Average Rating
8.0
Number of Reviews
1
Ranking in other categories
Supply Chain Management Software (3rd), Software Composition Analysis (SCA) (15th), Static Code Analysis (9th)
SonarQube Server (formerly ...
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Number of Reviews
113
Ranking in other categories
Application Security Tools (1st), Software Development Analytics (1st)
 

Featured Reviews

Henry Mwawai - PeerSpot reviewer
Sep 23, 2024
Automated code reviews and good scalability with custom rule adaptability
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing…
Wang Dayong - PeerSpot reviewer
May 10, 2023
Easy to integrate and has a plug-in that supports both C and C++ languages
We use the product to review our software codes. We have integrated the product to review our new delivery code When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the ability to write our custom rules."
"SonarQube is a fantastic tool which saves us precious time."
"The static code analysis is very good."
"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"The solution's user interface is very user-friendly."
"It provides the security that is required from a solution for financial businesses."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
 

Cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"The product needs to integrate other security tools for security scanning."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"The solution could improve by providing more advanced technologies."
"I am not very pleased with the technical debt computation."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
 

Pricing and Cost Advice

Information not available
"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
"Get the paid version which allows the customized dashboard and provides technical support."
"I was using the Community Edition, which is available free of charge."
"The free version of SonarQube does everything that we need it to."
"This is open source."
"SonarQube is an open-source product that can be used free of charge."
"Some of the plugins that were previously free are not free now."
"It is very expensive. Its price should be improved."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
814,528 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
17%
Manufacturing Company
11%
Government
5%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What needs improvement with Semgrep?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
What is your primary use case for Semgrep?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending ...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
Sonar
 

Learn More

 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
Information Not Available
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: October 2024.
814,528 professionals have used our research since 2012.