This blog was originally published on April 28, 2020. It was refreshed for updated content and new product features added since the initial publication.
Both SonarCloud and SonarQube are valuable tools to help you write clean, quality code for your projects. So, which product is best for you and your team?
In this article, I’ll break down a few important aspects of each product so you can make an informed decision before you try. In our journey, we’ll touch on considerations related to getting up and running along with elements related to available features and extensibility. We’ll also cover language support and the underlying static analysis engine.
The foundation: Static code analysis for 30+ languages
Both products cover the same 30+ languages and frameworks. They both share the same underlying static analysis engine to catch bugs, vulnerabilities, and code smells and generate valuable code quality metrics.
The essential distinction: Your existing software development pipeline
One of the key differences concerns how each product is hosted and managed. If your team, code, and workflow are fully cloud-based (e.g. GitHub.com+Travis), then SonarCloud is a good fit.
SonarCloud readily integrates with GitHub.com, Azure DevOps Services, Bitbucket.com, and GitLab.com. SonarCloud is hosted by SonarSource in AWS and is the easiest path to start scanning your code in minutes. SonarSource does all the heavy lifting for SonarCloud so you don’t have to worry about installation or maintenance. As a SaaS offering, SonarCloud gives you immediate access to new features and functionality.
To get you up and running fast, SonarCloud features automatic analysis for many popular languages. This autoscanning feature can be a perfect fit for teams that want actionable code quality metrics without the burden of tool configuration. For some use cases, fully setting up the analysis configuration will yield a better developer experience and 'unlock' more SonarCloud features.
On the other hand, SonarQube, along with a supported database, is installed on your own servers or in a self-managed cloud environment. Once installed, SonarQube readily integrates with your instance of GitHub, Azure DevOps, Bitbucket or GitLab. If you have a hybrid environment where you store code in the cloud and rely on a locally managed CI/CD pipeline, SonarQube can also integrate with the cloud versions of all these code management tools.
Going the SonarQube route means you’ll be hands-on with installing and maintaining your environment. You’ll also be responsible for installing new versions when they’re released. On average, there’s a new SonarQube version every two months. Not upgrading means you’d miss out on new features, functionality, and non-blocker bug fixes. While we’re talking about versions, it’s important to note that SonarQube offers a Long-Term Support (LTS) version. SonarSource releases a SonarQube LTS approximately every 18 months. For the LTS, an emphasis is put on stability and reliability, and blocker bugs are back-ported into a point release.
For Enterprise use cases, explore SonarQube
SonarQube Developer Edition and Enterprise Edition (EE) include some additional enterprise features that may be valuable to your organization’s specific use case(s). This functionality falls into five main categories: authentication, governance, executive reporting, multiple repository support, and extensibility.
Authentication
With SonarCloud and all editions of SonarQube, you can authenticate using your existing DevOps platform credentials (i.e., GitHub, Bitbucket, Azure, and GitLab). SonarQube also has the ability to authenticate using 3rd party tools that support SAML and LDAP protocols.
Additionally, with SonarQube Enterprise Edition, automatic provisioning of users and groups through System for Cross-domain Identity Management (SCIM) is available for Okta and Azure AD.
Governance
SonarQube includes the Applications (Developer Edition+) and Portfolios (Enterprise Edition+) features, which are visual dashboards that allow you to organize projects in a manner that tracks your business objectives. Applications allow you to aggregate all the projects that ship together into a single view. Portfolios are similar and allow you to aggregate projects around organizational or business objectives. For example, you can create a Portfolio to track all your front-end projects or all the projects for a geographical team.
At this time, SonarCloud does not support the Applications or Portfolios functionality. With SonarQube Enterprise Edition, you additionally get executive-level reporting capabilities. These reports work hand-in-hand with your Portfolios to give you insight into key metrics such as reliability, maintainability, and releasability. Additionally, there are security reports including coverage for PCI DSS, OWASP ASVS, OWASP Top 10, and CWE Top 25.
Executive reporting
SonarQube Enterprise Edition also includes executive-level reporting capabilities. These reports work hand-in-hand with your Portfolios to give you insight into key metrics such as reliability, maintainability, and releasability. Additionally, there are security reports including coverage for PCI DSS, OWASP ASVS, OWASP Top 10, and CWE Top 25.
At this time, SonarCloud does not include Executive Reporting functionality. SonarQube saw its beginnings well over a decade ago. As the product matured, we identified an ‘Enterprise’ use case that is distinct from the ‘core’ functionality use case that’s centered on developers. It’s common for large organizations to have a ‘non-developer’ audience requiring measurement from a broader perspective and context. To satisfy this need for reporting and business KPIs, we added a set of ‘governance’ features to SonarQube.
For SonarCloud, the prime focus is on the developer’s workflow and bringing value to the development team within their existing DevOps platform (GitHub, Azure, Bitbucket, GitLab) environment. Thus, the ‘Enterprise’ use case is not currently addressed by SonarCloud.
DevOps Platform Support
Organizations that require connectivity to multiple DevOps platforms will want to go with SonarQube Enterprise Edition. For example, a single SonarQube Developer Edition instance can connect up to 4 DevOps platforms (i.e., 1x GitHub, 1x Bitbucket, 1x GitLab, and 1x Azure DevOps). If you need to have multiple configurations for a specific DevOps provider (ie. 1x GitHub Enterprise Server and 1x GitHub.com), you’ll need SonarQube Enterprise Edition.
In SonarCloud, you’re limited to binding with a single DevOps platform and a DevOps ‘organization’. (Note, Bitbucket calls them workspaces and GitLab refers to them as groups).
A note on extensibility
Lastly, I’ll touch on extensibility. There is an extensive and robust library of SonarQube plugins developed and maintained by the SonarSource community. These plugins enhance the core functionality of SonarQube around a larger ecosystem. Examples of this include additional programming language support, integration with less mainstream SCM engines, and regional language localization.
At this time, SonarCloud is not open for 3rd party plugin contributions from the community. Again, the reason for this comes back to product focus. The vision for SonarCloud is to provide a developer-first clean code tool with the DevOps platform integrating additional functionality.
Said another way, we understand that the DevOps platforms take great care to build a valuable developer workflow experience and the intention of SonarCloud is to enhance and augment that value. Opening SonarCloud to 3rd party integrations would detract from that vision.
Wrapping it all up
In summary, if your team is fully cloud-based, you don’t want maintenance hassles and you’d like the fastest access to new features, then SonarCloud is a great choice. If you’re fine with self-hosting and maintenance or see value in the management capabilities, then SonarQube would make sense for you.
Once you’ve picked your path, I encourage you to visit our solution summary page to get the full details on how to get started.
The goal of this article wasn’t to exhaustively list all the product differences, as each environment is unique. However, you now have the info that is relevant for most use cases. If you have further questions, I encourage you to reach out to our Community Forum. If you need assistance regarding commercial usage, you can submit a question to the team.
Thanks for reading and happy, clean coding!
Pick a topic to discover more:
How Bad Code Destroys Developer Velocity
