GitHub Code Scanning vs SonarCloud comparison

Cancel
You must select at least 2 products to compare!
GitHub Logo
190 views|160 comparisons
100% willing to recommend
Sonar Logo
10,251 views|7,670 comparisons
100% willing to recommend
Comparison Buyer's Guide
Executive Summary

We performed a comparison between GitHub Code Scanning and SonarCloud based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).
To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: April 2024).
771,740 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"We use GitHub Code Scanning mostly for source code management."

More GitHub Code Scanning Pros →

"For what it is meant to do, it works pretty well.""The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules.""Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.""Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.""The most valuable feature of SonarCloud is its overall performance.""SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.""The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions.""The solution can be installed locally."

More SonarCloud Pros →

Cons
"GitHub Code Scanning should add more templates."

More GitHub Code Scanning Cons →

"The solution needs to improve its customization and flexibility.""We had some issues with the scanner.""CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.""It would be helpful if notifications could go out to an extra person.""The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps.""I've been told by the developers that the solution is too limited. It's not testing enough within the containers.""There's room for improvement in the configuration process, particularly during the initial setup phase.""SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."

More SonarCloud Cons →

Pricing and Cost Advice
  • "GitHub Code Scanning is a moderately priced solution."
  • More GitHub Code Scanning Pricing and Cost Advice →

  • "The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
  • "The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
  • "I am using the free version of the solution."
  • "I rate the pricing a five out of ten."
  • "While not extremely cheap, it aligns well with market standards and offers good value."
  • "The current pricing is quite cheap."
  • More SonarCloud Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
    771,740 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:We use GitHub Code Scanning mostly for source code management.
    Top Answer:GitHub Code Scanning is a moderately priced solution. On a scale from one to ten, where one is cheap, and ten is expensive, I rate the solution's pricing a five out of ten. The solution's license is… more »
    Top Answer:GitHub Code Scanning should add more templates.
    Top Answer:Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
    Top Answer:I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pay a… more »
    Top Answer:There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could… more »
    Ranking
    Views
    190
    Comparisons
    160
    Reviews
    1
    Average Words per Review
    337
    Rating
    10.0
    Views
    10,251
    Comparisons
    7,670
    Reviews
    7
    Average Words per Review
    583
    Rating
    8.4
    Comparisons
    Learn More
    Interactive Demo
    GitHub
    Demo Not Available
    Overview

    Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

    SonarCloud is a cloud-based alternative of the SonarQube platform, offering continuous code quality and security analysis as a service. SonarCloud integrates seamlessly with popular version control and CI/CD platforms such as GitHub, Bitbucket, and Azure DevOps. It provides static code analysis to identify and help remediate issues such as bugs and security vulnerabilities. SonarCloud enables developers to receive immediate feedback on their code within their development environment, facilitating the maintenance of high-quality code standards, and promoting a culture of continuous improvement in software development projects. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects and is offered as a paid subscription for private projects, priced per lines of code.

    Sample Customers
    Information Not Available
    Top Industries
    No Data Available
    VISITORS READING REVIEWS
    Computer Software Company18%
    Financial Services Firm10%
    Manufacturing Company9%
    Healthcare Company5%
    Company Size
    No Data Available
    REVIEWERS
    Small Business56%
    Midsize Enterprise33%
    Large Enterprise11%
    VISITORS READING REVIEWS
    Small Business23%
    Midsize Enterprise19%
    Large Enterprise57%
    Buyer's Guide
    Static Application Security Testing (SAST)
    April 2024
    Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: April 2024.
    771,740 professionals have used our research since 2012.

    GitHub Code Scanning is ranked 20th in Static Application Security Testing (SAST) with 1 review while SonarCloud is ranked 10th in Static Application Security Testing (SAST) with 10 reviews. GitHub Code Scanning is rated 10.0, while SonarCloud is rated 8.4. The top reviewer of GitHub Code Scanning writes "A highly stable solution that can be used for source code management". On the other hand, the top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". GitHub Code Scanning is most compared with Coverity, SonarQube, Polaris Software Integrity Platform and Veracode, whereas SonarCloud is most compared with SonarQube, Veracode, Checkmarx One, GitLab and Qualys Web Application Scanning.

    See our list of best Static Application Security Testing (SAST) vendors.

    We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.