SonarQube vs SonarCloud


I am very mch interested to know the difference between SonarQube and SonarCloud when it comes to below topics. Can anyone elaborate ? -

  • Ease of updating the rule set team-wide or organization-wide

  • Extensibility:- If you need customizations that don’t make business sense for the Sonarsource, is there an API that allows me to implement them on myown? If so, is the API well-documented?

  • Product stability

  • Legacy code identification and support

  • Plan for adding new built-in rules:- Do you have incremental improvements with each release? Is an additional cost is required to access the new rules.?


This is available in both.

This is only available in SonarQube.

Let’s say that documentation exists, and that the community is an invaluable resource. :smiley:

I wish you’d given us more than 2 words here because it depends on what you mean by “stable”.

SonarCloud is updated frequently, so the UX can change (be improved) without notice.

SonarQube is released every ~2mo. so the UX changes at a much slower frequency, but it still changes.

SonarQube LTS (long-term support version) is released every ~18mo. so the UX is much more stable.

All three are robust, and production-ready.

Uhm… Again, it depends on what you mean. If you want more details, you’ll have to be more specific in your question and also maybe name the language(s) you have in mind.

Not every :sonarcloud: release includes new rules, but every :sonarqube:release does.

Why yes, of course. Otherwise, what’s the point of releasing? :smiley:

In SonarQube many languages are available for free in the Community Edition, and some languages are only available in paid editions. Once you have access to the paid languages, you always have access to all their rules. However, there are some rules for the free languages (taint analysis / injection detection) that are only available in paid editions. Once you upgrade from Community Edition to a paid edition, you always have access to all of those rules. You never have to pay extra to unlock new rules (leaving aside the caveat about the taint analysis rules).

In SonarCloud, you always have access to all the rules for all the languages it offers.



Hey Ann,

I will come back with more details to get clarified better. But just in general if I have to weigh both the offerings on basis of these criteria, how do I do this ? let’s say i need to rate each on a scale of 5.


You’re asking me to make your choice for you between apples and pears. I can’t do it for you. I can only tell you the characteristics of each so that you can make an informed choice.


Hello Ann,

How do the 2 offerings vary in the following regard -

Legacy code identification and support: Can the tool apply one rule set to new code and another to legacy code? Can it identify and ignore all legacy code if this is what you want to do? How does it define legacy code? Is it flexible enough to recognize that a file might contain both legacy code and new code? If a one-line change is made to a legacy file, will the tool still recognize that the other lines of code are legacy code?


If by ‘legacy code identification’ you mean the ability to distinguish code written 2 years ago from that written 2 days ago, they’re equal. Neither will ‘ignore’ old code; it’ll still be analyzed and have metrics calculated on it. But you’ll have all tools you need to focus on New Code and Clean as You Code.


1 Like

Thanks Ann. And can you elaborate more on Batch Mode kind of scanning offering from SonarSource ? Is it possible to run the scanning over night by help of a script or something ?


I’d say nightly is a minimum analysis frequency. Ideally you’d look at running analysis after every commit (depending on the size of the code base). But it’s not SonarQube that triggers analysis; you’ll set your CI/CD system (e.g. Jenkins) up to handle that.


1 Like

@ganncamp Hi, Do SonarQube and SonarCloud run against binaries instead of source ? And what steps are taken to avoid false positives and false negatives in each of the offerings ?

Hi again,

You really need to start creating new threads for new questions. I’ll answer one of these.

You must provide source files for every language. For Java you must also provide binaries. For some other languages you must allow the analysis to eavesdrop on the build. You can find details in the docs.