This blog was originally published on April 28, 2020. Since then, it has been refreshed with updated content, including newly added features as of August 2024.
SonarCloud and SonarQube are both valuable tools to help you write clean, high-quality code for your projects. So, which solution is best for you and your team?
The choice boils down to whether you want a self-managed solution or a cloud-based SaaS service that is managed for you. Both solutions give you essentially the same core features at each edition level, whether you're a small team or a large enterprise company. In this blog, I will walk you through the options so you can make an informed decision.
The base: Static analysis for 30+ languages
Both products cover the same 30+ languages and frameworks. They share the same underlying static code analysis engine to catch issues that result in bugs, vulnerabilities, and code smells, and to generate valuable code quality metrics.
The distinction: Where is your CI/CD pipeline?
One of the key differences concerns how each product is hosted and managed. SonarCloud is a fully SaaS offering where Sonar hosts and manages the software for you in the cloud. If your team is already operating in a cloud DevOps platform, where your code and workflow are fully cloud-based (e.g., GitHub.com+Travis), then SonarCloud is a good fit.
SonarCloud readily integrates with cloud-based DevOps platforms: GitHub.com, GitHub Enterprise Cloud, Azure DevOps Services, Bitbucket Cloud, and GitLab.com. Sonar operates SonarCloud in AWS, which is the easiest path to start scanning your code within minutes. With SonarCloud, Sonar does all the heavy lifting for you, so you don't have to worry about installation, upgrades, or maintenance. As a SaaS offering, SonarCloud gives you immediate access to new features and functionality the moment they are released.
SonarCloud features automatic analysis for over 30 languages to get you up and running fast. This autoscanning feature can be a perfect fit for teams that want actionable code quality metrics without the burden of tool configuration. For some use cases, fully setting up the analysis configuration will yield a better developer experience and 'unlock' more SonarCloud features.
SonarQube, on the other hand, is entirely operated by you in the environment of your choice. You deploy SonarQube along with a supported database on your own servers or in a self-managed cloud environment. Once installed, SonarQube readily integrates with your self-hosted instance of GitHub, GitLab, Azure DevOps, or Bitbucket. If you have a hybrid environment where you store code in the cloud and rely on a locally managed CI/CD pipeline, SonarQube can also integrate with the cloud versions of all these DevOps platforms.
Going the SonarQube route means you'll be hands-on with installing, upgrading, and maintaining your environment on your terms. On average, we release a new version of SonarQube every two months. To stay current with new features, functionality, security updates, and bug fixes, we recommend you upgrade when a new version is released. Speaking of versions, it's important to note that SonarQube offers a Long-Term Active (LTA) version. Sonar releases a SonarQube LTA version approximately every 18 months. The focus of the LTA is to package all the features of the dot releases in a stable version that we release on a cadence in line with large companies' ability to schedule large upgrades. Critical bug fixes and security updates are also released to the LTA in patches as needed.
For enterprise needs, Sonar recommends the SonarCloud Enterprise plan and SonarQube Enterprise Edition (EE), both offering advanced features tailored to your organization's specific use cases. This functionality falls into five main categories: authentication, governance, executive reporting, multiple repository support, and extensibility.
Authentication
With SonarCloud and all editions of SonarQube, you can authenticate using your existing DevOps platform credentials (GitHub, Bitbucket, Azure, and GitLab). SonarQube also allows you to authenticate using third-party tools that support the SAML and LDAP protocols. SonarCloud Enterprise offers single sign-on (SSO) with SAML.
Additionally, with SonarQube Enterprise Edition, automatic provisioning of users and groups through System for Cross-domain Identity Management (SCIM) is available for Okta and Azure AD.
Governance
Sonar's solutions also include aggregating projects into applications (SonarQube Developer Edition+) and portfolios (SonarCloud Enterprise plan and SonarQube Enterprise Edition+), which are visual dashboards that allow you to organize projects in a manner that tracks your business objectives. Applications allow you to have a single view of all the projects that ship together as a complete app. Portfolios are similar and enable you to aggregate multiple apps and projects around organizational or business objectives. For example, you can create a portfolio to track all your front-end projects or all the projects for a geographical team.
Executive reporting
With SonarQube Enterprise Edition and SonarCloud Enterprise plan, you additionally get executive-level reporting capabilities. These reports work hand-in-hand with your portfolios to give you insight into key metrics such as reliability, maintainability, and releasability. Additionally, there are security reports, including coverage for PCI DSS, OWASP ASVS, OWASP Top 10, CASA, STIG, and CWE Top 25.
SonarQube saw its beginnings well over a decade ago. As the product matured, we identified an 'Enterprise' use case distinct from the 'core' functionality use case centered on developers. It's common for large organizations to have a 'non-developer' audience requiring measurement from a broader perspective and context. To satisfy this need for reporting and business KPIs, we added a set of 'governance' features to SonarQube.
As our customers started adopting the cloud and asking for enterprise features, we started offering these features in the Enterprise plan that was released in the summer of 2024.
DevOps platform support
Sonar solutions serve organizations that require connectivity to multiple DevOps platforms.
For example, a single SonarQube Developer Edition instance can make a single connection each for up to four DevOps platforms (1x GitHub, 1x Bitbucket, 1x GitLab, and 1x Azure DevOps). If you need multiple configurations for a specific DevOps provider (e.g., 2x GitHub Enterprise Server and 1x GitHub.com), you'll need SonarQube Enterprise Edition.
SonarCloud also supports multiple DevOps platforms. With SonarCloud Enterprise, several organizations can be grouped together under an enterprise. The enterprise’s organizations may belong to different DevOps platforms. This means you can add all your organizations (no matter which DevOps platform or how many) to your enterprise.
A note on extensibility
Lastly, I'll touch on extensibility. The Sonar community has developed and maintained an expansive and robust library of SonarQube plugins. These plugins extend the functionality of SonarQube in more fringe areas to cover capabilities Sonar does not plan to support. Examples include additional programming language support, integration with less mainstream SCM engines, and regional language localization.
At this time, SonarCloud is not open for third-party plugin contributions from the community.
Wrapping it all up
In summary, if your team is entirely cloud-based, you don't want maintenance hassles and you'd like the fastest access to new features, SonarCloud is an excellent choice. If you're OK with self-hosting and maintenance or see value in the management capabilities, then SonarQube would make sense.
Once you've chosen your path, I encourage you to visit our solution summary for full details on how to get started.
The goal of this article wasn't to exhaustively list all the product differences, as each environment is unique. However, you now have the information relevant to most use cases. If you have further questions, I encourage you to contact our Community Forum. If you need assistance regarding commercial usage, you can submit a question to the team.
Thanks for reading, and happy, clean coding!