SonarCloud vs MSCA

Does SonarCloud cover the same static code scanning capabilities as Microsoft Security Code Analysis (MSCA)?
Examples of MSCA toolset:

  • Credential Scanner: a proprietary Microsoft tool that helps detect credentials, secrets, certificates, and other sensitive content in your source code and build output.
  • Roslyn Analyzer: Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB).

Hey there –

SonarCloud has some fairly rudimentary rules in this respect (Hard-coded credentials are security-sensitive) with aims to improve this in the future (MMF-1932 - Enhanced hard-coded credentials detection).

Roslyn is at the core of our C# analyzers (it’s what they are built on!) and issues from other Roslyn analyzers are automatically imported to SonarCloud during analysis.

Thanks Colin for the clarification.

Could you share some of these rules in SonarCloud that help in identifying hard-coded credentials?

When I said rules, maybe I oversold it. SonarCloud has the one rule, which I already linked!

No worries… thanks Colin.
Does SonarCloud scan the libraries/open-source components that the application leverages?

SonarCloud does not track the libraries that are included in a project – we leave SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource)!

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.