We performed a comparison between GitHub Code Scanning and SonarQube based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST)."We use GitHub Code Scanning mostly for source code management."
"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"The solution has a plug-in that supports both C and C++ languages."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"The most valuable feature of this solution is that it is free."
"The product itself has a friendly UI."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"It is a very good tool for analysis and security vulnerability checking."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"GitHub Code Scanning should add more templates."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
"Currently requires multiple tools, lacking one overall tool."
"The solution could improve by having better-consulting services."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"SonarQube is not development-centric like Snyk."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
GitHub Code Scanning is ranked 20th in Static Application Security Testing (SAST) with 2 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. GitHub Code Scanning is rated 9.6, while SonarQube is rated 8.0. The top reviewer of GitHub Code Scanning writes "A highly stable solution that can be used for source code management". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". GitHub Code Scanning is most compared with SonarCloud, Coverity, Polaris Software Integrity Platform and Veracode, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.