This blog was originally published on April 28, 2020. It was refreshed for updated content and new product features added since the initial publication.
Both SonarCloud and SonarQube are valuable tools to help you write clean, quality code in your projects. So, which product is best for you and your team?
In this article, I’ll break down a few important aspects of each product so you can make an informed decision before you try. In our journey, we’ll touch on considerations related to getting up and running along with elements related to available features and extensibility. We’ll also cover language support and the underlying static analysis engine.
The foundation: Static code analysis for 30+ languages
Both products cover essentially the same languages (SonarCloud doesn’t support PL/I, RPG or VB6). They both share the same underlying static analysis engine to catch bugs, vulnerabilities and code smells and generate valuable code quality metrics.
The essential distinction: Your existing software development pipeline
One of the key differences concerns how each product is hosted and managed. If your team, code and workflow are fully cloud-based (e.g. GitHub.com+Travis), then SonarCloud is a good fit.
SonarCloud readily integrates with GitHub.com, Azure DevOps Services, Bitbucket.com and GitLab.com. SonarCloud is hosted by SonarSource in AWS and is the easiest path to start scanning your code in minutes. SonarSource does all the heavy lifting for SonarCloud so you don’t have to worry about installation or maintenance. As a SaaS offering, SonarCloud gives you immediate access to new features and functionality.
To get you up and running fast, SonarCloud features automatic analysis for many popular languages. This autoscanning feature can be a perfect fit for teams that want actionable code quality metrics without the burden of tool configuration. For some use cases, fully setting up the analysis configuration will yield a better developer experience and 'unlock' more SonarCloud features.
On the other hand, SonarQube, along with a supported database, is installed on your own servers or in a self-managed cloud environment. Once installed, SonarQube readily integrates with your instance of GitHub, Azure DevOps, Bitbucket or GitLab. If you have a hybrid environment where you store code in the cloud and rely on a locally managed CI/CD pipeline, SonarQube can also integrate with the cloud versions of all these code management tools.
Going the SonarQube route means you’ll be hands-on with installing and maintaining your environment. You’ll also be responsible for installing new versions when they’re released. On average, there’s a new SonarQube version every two months. Not upgrading means you’d miss out on new features, functionality and non-blocker bug fixes. While we’re talking about versions, it’s important to note that SonarQube offers a Long-Term Support (LTS) version. SonarSource releases a SonarQube LTS approximately every 18 months. For the LTS, an emphasis is put on stability and reliability and blocker bugs are back-ported into a point release.
For Enterprise use cases, explore SonarQube
SonarQube Enterprise Edition (EE) includes a few management features that may be valuable to your organization. These come in the form of project visualization and reporting.
SonarQube Enterprise Edition includes the Applications and Portfolios features, which are visual containers that allow you to organize projects in a manner that tracks your business objectives. Applications allow you to aggregate all the projects that ship together into a single view. Portfolios are similar and allow you to aggregate projects around organizational or business objectives. For example, you can create a Portfolio to track all your front-end projects or all the projects for a geographical team.
SonarQube Enterprise Edition also includes executive-level reporting capabilities. These reports work hand-in-hand with your Portfolios to give you insight into key metrics such as reliability, maintainability and releasability. Additionally, there are security reports including coverage for PCI DSS, OWASP ASVS, OWASP Top 10 and CWE Top 25.
At this time, SonarCloud does not include Executive Reporting, Applications or Portfolios functionality. SonarQube saw its beginnings well over a decade ago. As the product matured, we identified an ‘Enterprise’ use case that is distinct from the ‘core’ functionality use case that’s centered on developers. It’s common for large organizations to have a ‘non-developer’ audience requiring measurement from a broader perspective and context. To satisfy this need for reporting and business Kuse casePIs, we added a set of ‘governance’ features to SonarQube.
For SonarCloud, the prime focus is on the developer’s workflow and bringing value to the development team within their existing DevOps platform (GitHub, Azure, Bitbucket, GitLab) environment. Thus, the ‘Enterprise’ use case is not currently addressed by SonarCloud.
A note on extensibility
Lastly, I’ll touch on extensibility. There is an extensive and robust library of SonarQube plugins developed and maintained by the SonarSource community. These plugins enhance the core functionality of SonarQube around a larger ecosystem. Examples of this include additional programming language support, integration with less mainstream SCM engines and regional language localization.
At this time, SonarCloud is not open for 3rd party plugin contributions from the community. Again, the reason for this comes back to product focus. The vision for SonarCloud is to provide a developer-first clean code tool with the DevOps platform integrating additional functionality.
Said another way, we understand that the DevOps platforms take great care to build a valuable developer workflow experience and the intention of SonarCloud is to enhance and augment that value. Opening SonarCloud to 3rd party integrations would detract from that vision.
Wrapping it all up
In summary, if your team is fully cloud-based, you don’t want maintenance hassles and you’d like the fastest access to new features, then SonarCloud is a great choice. If you’re fine with self-hosting and maintenance or see value in the management capabilities, then SonarQube would make sense for you.
Once you’ve picked your path, I encourage you to visit our solution summary page to get the full details on how to get started.
The goal of this article wasn’t to exhaustively list all the product differences, as each environment is unique. However, you now have the info that is relevant for most use cases. If you have further questions, I encourage you to reach out to our Community Forum. If you need assistance regarding commercial usage, you can submit a question to the team.
Thanks for reading and happy, clean coding!