GitGuardian Internal Monitoring vs SonarQube comparison

You must select at least 2 products to compare!
Comparison Buyer's Guide
Executive Summary

We performed a comparison between GitGuardian Internal Monitoring and SonarQube based on real PeerSpot user reviews.

Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
To learn more, read our detailed GitGuardian Internal Monitoring vs. SonarQube Report (Updated: September 2023).
734,963 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"The secrets detection and alerting is the most important feature. We get alerted almost immediately after someone commits a secret. It has been very accurate, allowing us to jump on it right away, then figure out if we have something substantial that has been leaked or whether it is something that we don't have to worry about. This general main feature of the app is great.""When they give you a description of what happened, it's really easy to follow and to retest. And the ability to retest is something that you don't have in other solutions. If a secret was detected, you can retest if it is still there. It will show you if it is in the history.""Presently, we find the pre-commit hooks more useful.""GitGuardian has pretty broad detection capabilities. It covers all of the types of secrets that we've been interested in... [Yet] The "detector" concept, which identifies particular categories or types of secrets, allows an organization to tweak and tailor the configuration for things that are specific to its environment. This is highly useful if you're particularly worried about a certain type of secret and it can help focus attention, as part of early remediation efforts.""The most valuable feature of GitGuardian is that it finds tokens and passwords. That's why we need this tool. It minimizes the possibility of security violations that we cannot find on our own.""The entire GitGuardian solution is valuable. The product is doing its job and showing us many things. We get many false positives, but the ability to automatically display potential leaks when developers commit is valuable. The dashboards show you recent and historical commits, and we have a full scan that shows historical leaked secrets.""GitGuardian has also helped us develop a security-minded culture. We're serious about shift left and getting better about code security. I think a lot of people are getting more mindful about what a secret is.""It actually creates an incident ticket for us. We can now go end-to-end after a secret has been identified, to track down who owns the repository and who is responsible for cleaning it up."

More GitGuardian Internal Monitoring Pros →

"The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation.""The solution has a plug-in that supports both C and C++ languages.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""SonarQube is one of the more popular solutions because it supports 29 languages.""The SonarQube dashboard looks great.""We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.""All the features of the solution are quite good.""This solution has helped with the integration and building of our CICD pipeline."

More SonarQube Pros →

"They could give a developer access to a dashboard for their team's repositories that just shows their repository secrets. I think more could be exposed to developers.""One improvement that I'd like to see is a cleaner for Splunk logs. It would be nice to have a middle man for anything we send or receive from Splunk forwarders. I'd love to see it get cleaned by GitGuardian or caught to make sure we don't have any secrets getting committed to Splunk logs.""GitGuardian could have more detailed information on what software engineers can do. It only provides some highly generic feedback when a secret is detected. They should have outside documentation. We send this to our software engineers, who are still doing the commits. It's the wrong way to work, but they are accustomed to doing it this way. When they go into that ticket, they see a few instructions that might be confusing. If I see a leaked secret committed two years ago, it's not enough to undo that commit. I need to go in there, change all my code to utilize GitHub secrets, and go on AWS to validate my key.""There is room for improvement in its integration for bug-tracking. It should be more direct. They have invested a lot in user management, but they need to invest in integrations. That is a real lack.""I would like to see more fine-grained access controls when tickets are assigned for incidents. I would like the ability to provide more controls to the team leads or the product managers so that they can drive what we, the AppSec team, are doing.""For some repositories, there are a lot of incidents. For example, one repository says 255 occurrences, so I assume these are 255 alerts and nobody is doing anything about them. These could be false positives. However, I cannot assess it correctly, because I haven't been closing these false positives myself. From the dashboard, I can see that for some of the repositories, there have been a lot of closing of these occurrences, so I would assume there are a lot of false positives. A ballpark estimate would be 60% being false positives. One of the arguments from the developers against this tool is the number of false positives.""It would be nice if they supported detecting PII or had some kind of data loss prevention feature.""It took us a while to get new patterns introduced into the pattern reporting process."

More GitGuardian Internal Monitoring Cons →

"New plug-ins should be integrated into SonarCloud to give more flexibility to the product.""The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.""It would be better if SonarQube provided a good UI for external configuration.""The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.""The product provides false reports sometimes.""There could be better integration with other products.""We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed.""There isn't a very good enterprise report."

More SonarQube Cons →

Pricing and Cost Advice
  • "It's a little bit expensive."
  • "You get what you pay for. It's one of the more expensive solutions, but it is very good, and the low false positive rate is a really appealing factor."
  • "The pricing and licensing are fair. It isn't very expensive and it's good value."
  • "The internal side is cheap per user. It is annual pricing based on the number of users."
  • "We have seen a return on investment. The amount of time that we would have spent manually doing this definitely outpaces the cost of GitGuardian. It is saving us about $35,000 a year, so I would say the ROI is about $20,000 a year."
  • "It could be cheaper. When GitHub secrets monitoring solution goes to general access and general availability, GitGuardian might be in a little bit of trouble from the competition, and maybe then they might lower their prices. The GitGuardian solution is great. I'm just concerned that they're not GitHub."
  • "It's not cheap, but it's not crazy expensive either."
  • "With GitGuardian, we didn't need any middlemen."
  • More GitGuardian Internal Monitoring Pricing and Cost Advice →

  • "On the pricing side, it's 3,000 Euros for 1 million lines of code."
  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • More SonarQube Pricing and Cost Advice →

    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    734,963 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:It actually creates an incident ticket for us. We can now go end-to-end after a secret has been identified, to track down who owns the repository and who is responsible for cleaning it up.
    Top Answer:The pricing is reasonable. GitGuardian is one of the most recent security tools we've adopted. When it came time to renew it, there was no doubt about it. It is licensed per developer, so it scales… more »
    Top Answer:I would like to see more fine-grained access controls when tickets are assigned for incidents. I would like the ability to provide more controls to the team leads or the product managers so that they… more »
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Average Words per Review
    Average Words per Review
    Also Known As
    Learn More

    GitGuardian helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.

    Widely adopted by developer communities, GitGuardian is used by more than 200 thousand developers and is the #1 app in the security category on the GitHub Marketplace. GitGuardian is also trusted by leading companies, including Instacart, Genesys, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi.

    GitGuardian Platform includes automated secrets detection and remediation. By reducing the risks of secrets exposure across the SDLC, GitGuardian helps software-driven organizations strengthen their security posture and comply with frameworks and standards.

    Its detection engine is trained against more than a billion public GitHub commits every year, and it covers 350+ types of secrets such as API keys, database connection strings, private keys, certificates, and more.

    GitGuardian brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents fast and in full. By pulling developers closer to the remediation process, organizations can achieve higher incident closing rates and shorter fix times.

    The platform integrates across the DevOps toolchain, including native support for continuously scanning VCS platforms like GitHub, Gitlab, Azure DevOps and Bitbucket or CI/CD tools like Jenkins, CircleCI, Travis CI, GitLab pipelines, and many more. It also integrates with ticketing and messaging systems like Splunk, PagerDuty, Jira and Slack to support teams with their incident remediation workflows. GitGuardian is offered as a SaaS platform but can also be hosted on-premise for organizations operating in highly regulated industries or with strict data privacy requirements.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Learn more about GitGuardian Internal Monitoring
    Learn more about SonarQube
    Sample Customers
    Automox, 66degrees (ex Cloudbakers), Instacart, Iress, Now:Pensions, Payfit, Orange, Seequent, Stedi, Talend
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    Computer Software Company33%
    Insurance Company17%
    Comms Service Provider17%
    Comms Service Provider22%
    Financial Services Firm10%
    Computer Software Company7%
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider8%
    Insurance Company6%
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Company Size
    Small Business33%
    Midsize Enterprise33%
    Large Enterprise33%
    Small Business33%
    Midsize Enterprise9%
    Large Enterprise58%
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    GitGuardian Internal Monitoring vs. SonarQube
    September 2023
    Find out what your peers are saying about GitGuardian Internal Monitoring vs. SonarQube and other solutions. Updated: September 2023.
    734,963 professionals have used our research since 2012.

    GitGuardian Internal Monitoring is ranked 8th in Application Security Tools with 16 reviews while SonarQube is ranked 1st in Application Security Tools with 30 reviews. GitGuardian Internal Monitoring is rated 9.0, while SonarQube is rated 8.2. The top reviewer of GitGuardian Internal Monitoring writes "Even before a commit gets to GitHub, the CLI identifies secrets within the code and prevents the commit". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". GitGuardian Internal Monitoring is most compared with Cycode, Snyk, Microsoft Purview Data Loss Prevention, Veracode and Checkmarx, whereas SonarQube is most compared with Checkmarx, Coverity, SonarCloud, Veracode and Snyk. See our GitGuardian Internal Monitoring vs. SonarQube report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.