Try our new research platform with insights from 80,000+ expert users

Semgrep vs SonarQube Cloud (formerly SonarCloud) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Jun 15, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Semgrep
Ranking in Static Application Security Testing (SAST)
25th
Average Rating
8.0
Reviews Sentiment
7.8
Number of Reviews
1
Ranking in other categories
Supply Chain Management Software (3rd), Software Composition Analysis (SCA) (12th), Static Code Analysis (9th)
SonarQube Cloud (formerly S...
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
8.2
Reviews Sentiment
6.2
Number of Reviews
16
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of August 2025, in the Static Application Security Testing (SAST) category, the mindshare of Semgrep is 2.7%, up from 0.3% compared to the previous year. The mindshare of SonarQube Cloud (formerly SonarCloud) is 4.5%, down from 6.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Henry Mwawai - PeerSpot reviewer
Automated code reviews and good scalability with custom rule adaptability
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing…
Archana Verma - PeerSpot reviewer
Provides valuable insights on code vulnerabilities and integrates seamlessly with CI/CD pipelines
I find SonarQube Cloud to be very user-friendly with an easy-to-use interface. It provides detailed code smell reports and insights on hotspots, which can later represent security vulnerabilities. It gives precise reports compared to Coverity and has a slightly lower number of false positives. It is integrated easily with the CI/CD pipeline, saving time and cost. It provides information on upcoming vulnerability details and loopholes that might turn into vulnerabilities.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the ability to write our custom rules."
"The reports from SonarCloud are very good."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The SaaS solution for checking code without execution and dealing with security issues is valuable."
"I find SonarQube Cloud very easy to use and simple to integrate initially."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"It is the best product we use for easy integration into YAML pipelines for scanning."
"I find SonarQube Cloud very easy to use and simple to integrate initially."
"The solution can be installed locally."
 

Cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."
"SonarQube Cloud could improve its vulnerability detection compared to Veracode."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"The solution needs to improve its customization and flexibility."
"I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture. Currently, to achieve our expectations, we have to use more than one product, as some products excel at scanning for vulnerabilities but are poor at checking code quality."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"We had some issues with the scanner."
"It would be helpful if notifications could go out to an extra person."
 

Pricing and Cost Advice

Information not available
"I am using the free version of the solution."
"The current pricing is quite cheap."
"Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost."
"I rate the pricing a five out of ten."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
"While not extremely cheap, it aligns well with market standards and offers good value."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
865,295 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
19%
Manufacturing Company
12%
Computer Software Company
12%
Comms Service Provider
5%
Computer Software Company
17%
Financial Services Firm
10%
Manufacturing Company
9%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What needs improvement with Semgrep?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
What is your primary use case for Semgrep?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending ...
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
What is your experience regarding pricing and costs for SonarCloud?
From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies. It would be a great improvement if the price for smaller companies were reduced, as I do not have th...
What needs improvement with SonarCloud?
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture. Currently, to achieve our expectations, we have to use more than one product, as so...
 

Also Known As

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
No data available
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
Information Not Available
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: August 2025.
865,295 professionals have used our research since 2012.