We performed a comparison between SonarCloud and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of SonarCloud. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that SonarCloud lacks technical support.
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
"The solution can be installed locally."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The most valuable feature of SonarCloud is its overall performance."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"The most valuable function is its usability."
"All the features of the solution are quite good."
"SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"This solution has the capability to analyze source code in almost all the languages in the market."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"The solution needs to improve its customization and flexibility."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"It would be helpful if notifications could go out to an extra person."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"SonarCloud's UI needs enhancement."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"Monitoring is a feature that can be improved in the next version."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"The interface could be a little better and should be enhanced."
SonarCloud is ranked 10th in Static Application Security Testing (SAST) with 10 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. SonarCloud is rated 8.4, while SonarQube is rated 8.0. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". SonarCloud is most compared with Veracode, Checkmarx One, GitLab, OWASP Zap and Coverity, whereas SonarQube is most compared with Checkmarx One, Coverity, Veracode, Snyk and GitHub Advanced Security. See our SonarCloud vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.