Does SonarCloud cover the same static code scanning capabilities as the Microsoft Security Code Analysis (MSCA)?
Examples of MSCA toolset:
Credential Scanner: a proprietary Microsoft tool that helps detect credentials, secrets, certificates, and other sensitive content in your source code and build output.
Roslyn Analyzer: Microsoft's compiler-integrated static analysis tool for analyzing managed code (C# and VB).
Roslyn is at the core of our C# analyzers (it’s what they are built on!) and issues from other Roslyn analyzers are automatically imported to SonarCloud during analysis.
SonarCloud does not track the libraries that are included in a project – we leave SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource)!
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.