• Home
  • SonarCloud vs. SonarQube

SonarCloud vs SonarQube comparison

Cancel
You must select at least 2 products to compare!
Sonar Logo

SonarCloud

Read 10 SonarCloud reviews
10,008 views|7,371 comparisons
100% willing to recommend
Sonar Logo

SonarQube

Read 108 SonarQube reviews
53,436 views|42,331 comparisons
80% willing to recommend
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
SonarCloud vs. SonarQube
March 2024
Executive Summary
Updated on Mar 20, 2023

We performed a comparison between SonarCloud and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Based on the reviews, both SonarCloud and SonarQube appear to have relatively straightforward deployment processes, although some minor issues were reported with the initial setup of each platform.
  • Features: SonarCloud is best for startups and mid-size companies, discovering vulnerabilities, security weak points, and feedback on feature branches. SonarQube detects code quality during development, code standard rules, and covers top OWASP vulnerabilities, with easy DevOps pipeline configuration. Its dynamic testing and automation could be improved.
  • Pricing: SonarCloud pricing is based on the number of users, services, and lines of code. SonarQube offers a free open source version and a yearly subscription for the enterprise version.
  • Service and Support: SonarCloud has community support, but not technical support. SonarQube offers online resources and support at an additional cost.

Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of SonarCloud. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that SonarCloud lacks technical support.

To learn more, read our detailed SonarCloud vs. SonarQube Report (Updated: March 2024).
Download the complete report
768,857 professionals have used our research since 2012.
Featured Review
Huzaifa Asif
A comprehensive code quality management offering all-in-one functionality, including static code analysis, security...
Through SonarCloud, we gain insights, especially in a microservices environment with product-based products. It provides valuable guidance in... Read more →
Devid William
An affordable and stable solution that has a variety of features that enable users to improve their products
We see the security issues in our solutions with the help of the product. It helps us improve the solutions.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions.""For what it is meant to do, it works pretty well.""SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.""The solution can be installed locally.""The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules.""Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.""I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.""The most valuable feature of SonarCloud is its overall performance."

More SonarCloud Pros →

"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors.""The most valuable features are code scanning and Quality Gates.""The fact that the solution does security scanning is valuable.""One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.""The product itself has a friendly UI.""It easily ties into our continuous integration pipeline.""The good thing with SonarQube is it covers a lot of issues, it's a very robust framework.""The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."

More SonarQube Pros →

Cons
"The solution needs to improve its customization and flexibility.""The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit.""SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive.""I've been told by the developers that the solution is too limited. It's not testing enough within the containers.""It would be helpful if notifications could go out to an extra person.""The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps.""SonarCloud's UI needs enhancement.""We had some issues with the scanner."

More SonarCloud Cons →

"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment.""We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.""We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed.""Ease of use/interface.""The BPM language is important and should be considered in SonarQube.""A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product.""We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.""It would be better if SonarQube provided a good UI for external configuration."

More SonarQube Cons →

Pricing and Cost Advice
  • "The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
  • "The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
  • "I am using the free version of the solution."
  • "I rate the pricing a five out of ten."
  • "While not extremely cheap, it aligns well with market standards and offers good value."
  • "The current pricing is quite cheap."

    • More SonarCloud Pricing and Cost Advice →

  • "This is open source."
  • "We did not purchase a license (required for C++ support), but this option was considered."
  • "Get the paid version which allows the customized dashboard and provides technical support."
  • "People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
  • "This product is open source and very convenient."
  • "The licence is standard open source licensing"
  • "The price point on SonarQube is good."
  • "Some of the plugins that were previously free are not free now."

    • More SonarQube Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    See Recommendations
    768,857 professionals have used our research since 2012.
    Questions from the Community
    What do you like most about SonarCloud?
    Top Answer:Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
    Read all 9 answers   →
    What is your experience regarding pricing and costs for SonarCloud?
    Top Answer:I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pay a… more »
    Read all 7 answers   →
    What needs improvement with SonarCloud?
    Top Answer:There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could… more »
    Read all 9 answers   →
    Is SonarQube the best tool for static analysis?
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Read all 10 answers   →
    Which gives you more for your money - SonarQube or Veracode?
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Read all 6 answers   →
    How would you decide between Coverity and Sonarqube?
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Ranking
    10th
    out of 67 in Application Security Testing (AST)
    Views
    10,008
    Comparisons
    7,371
    Reviews
    8
    Average Words per Review
    524
    Rating
    8.4
    1st
    out of 67 in Application Security Testing (AST)
    Views
    53,436
    Comparisons
    42,331
    Reviews
    19
    Average Words per Review
    391
    Rating
    8.0
    Comparisons
    Veracode logo
    Veracode vs. SonarCloud
    Compared 7% of the time.
    Checkmarx One logo
    Checkmarx One vs. SonarCloud
    Compared 5% of the time.
    OWASP Zap logo
    OWASP Zap vs. SonarCloud
    Compared 3% of the time.
    GitLab logo
    GitLab vs. SonarCloud
    Compared 3% of the time.
    Coverity logo
    Coverity vs. SonarCloud
    Compared 2% of the time.
    More SonarCloud Competitors   →
    Checkmarx One logo
    Checkmarx One vs. SonarQube
    Compared 21% of the time.
    Coverity logo
    Coverity vs. SonarQube
    Compared 11% of the time.
    Veracode logo
    Veracode vs. SonarQube
    Compared 10% of the time.
    Snyk logo
    Snyk vs. SonarQube
    Compared 7% of the time.
    Sonatype Lifecycle logo
    Sonatype Lifecycle vs. SonarQube
    Compared 5% of the time.
    More SonarQube Competitors   →
    Also Known As
    Sonar
    Learn More
    Sonar
    Sonar
    Interactive Demo
    Sonar
    Watch a demo
    Sonar
    Watch a demo
    Overview

    SonarCloud is a cloud-based alternative of the SonarQube platform, offering continuous code quality and security analysis as a service. SonarCloud integrates seamlessly with popular version control and CI/CD platforms such as GitHub, Bitbucket, and Azure DevOps. It provides static code analysis to identify and help remediate issues such as bugs and security vulnerabilities. SonarCloud enables developers to receive immediate feedback on their code within their development environment, facilitating the maintenance of high-quality code standards, and promoting a culture of continuous improvement in software development projects. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects and is offered as a paid subscription for private projects, priced per lines of code.

    SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

    At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

    Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

    With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

    SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

    Sample Customers
    Top Industries
    VISITORS READING REVIEWS
    Computer Software Company18%
    Financial Services Firm9%
    Manufacturing Company9%
    Healthcare Company5%
    REVIEWERS
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider7%
    Manufacturing Company7%
    VISITORS READING REVIEWS
    Financial Services Firm17%
    Computer Software Company15%
    Manufacturing Company11%
    Government6%
    Company Size
    REVIEWERS
    Small Business56%
    Midsize Enterprise33%
    Large Enterprise11%
    VISITORS READING REVIEWS
    Small Business23%
    Midsize Enterprise19%
    Large Enterprise58%
    REVIEWERS
    Small Business25%
    Midsize Enterprise16%
    Large Enterprise59%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise71%
    Buyer's Guide
    SonarCloud vs. SonarQube
    March 2024
    Free Report: SonarCloud vs. SonarQube
    Find out what your peers are saying about SonarCloud vs. SonarQube and other solutions. Updated: March 2024.
    DOWNLOAD NOW
    768,857 professionals have used our research since 2012.

    SonarCloud is ranked 10th in Application Security Testing (AST) with 10 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 108 reviews. SonarCloud is rated 8.4, while SonarQube is rated 8.0. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". SonarCloud is most compared with Veracode, Checkmarx One, OWASP Zap, GitLab and Coverity, whereas SonarQube is most compared with Checkmarx One, Coverity, Veracode, Snyk and Sonatype Lifecycle. See our SonarCloud vs. SonarQube report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.