We performed a comparison between GitHub Code Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"We use GitHub Code Scanning mostly for source code management."
"SonarQube is admin friendly."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products."
"Can tweak rules and feed them into our build pipelines."
"If you want to have your code scanned and timed then this is a good tool."
"The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"The software quality gate streamlines the product's quality."
"GitHub Code Scanning should add more templates."
"The documentation is not clear, and it needs to be updated."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"The product's pricing could be lower."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure low-performance code does not end up in production."
"Lacks sufficient visibility and documentation."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
GitHub Code Scanning is ranked 22nd in Static Application Security Testing (SAST) with 2 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. GitHub Code Scanning is rated 9.6, while SonarQube is rated 8.0. The top reviewer of GitHub Code Scanning writes "A highly stable solution that can be used for source code management". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". GitHub Code Scanning is most compared with SonarCloud, Coverity, Polaris Software Integrity Platform and Veracode, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitHub Advanced Security. See our GitHub Code Scanning vs. SonarQube report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.