We performed a comparison between GitHub Code Scanning and SonarQube based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).
"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"We use GitHub Code Scanning mostly for source code management."
"The fact that the solution does security scanning is valuable."
"It's enabled us to improve software quality and help us to disseminate best practices."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"The initial setup is simple. It requires some security, but it's simple."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"We've configured it to run on each commit, providing feedback on our software quality."
"We advise all of our developers to have this solution in place."
"It has very good scalability and stability."
"GitHub Code Scanning should add more templates."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"The product's user documentation can be vastly improved."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"The security in SonarQube could be better."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
GitHub Code Scanning is ranked 20th in Static Application Security Testing (SAST) with 2 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. GitHub Code Scanning is rated 9.6, while SonarQube is rated 8.0. The top reviewer of GitHub Code Scanning writes "A highly stable solution that can be used for source code management". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". GitHub Code Scanning is most compared with SonarCloud, Coverity, Polaris Software Integrity Platform and Veracode, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.