
Compare Semgrep to SonarQube

Both Semgrep and SonarQube use static analysis to find bugs, but there are a few differences:

  • Extending Semgrep with custom rules is simple because Semgrep rules look like the source code you are writing. Writing custom rules for SonarQube is restricted to a handful of languages and requires familiarity with Java and abstract syntax trees (ASTs).
  • Semgrep supports user-defined autofixes; SonarQube does not.
  • Semgrep focuses on speed and ease of use, making analysis possible at up to 20K-100K lines of code per second (loc/sec) per rule. SonarQube's authors report approximately 0.4K loc/sec for rulesets in production.
  • Semgrep supports scanning only changed files (differential analysis); SonarQube does not.
  • Both have publicly available rules.
  • Semgrep has an online, hosted free plan for up to ten contributors to private repositories; both have a hosted paid plan.
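The following rule is an added example, not a rule from the Semgrep registry or from this page, illustrating the first two points above: the `pattern` is plain Python rather than an AST description, and `fix` rewrites the match in place. The rule id, message text and the target file name in the comments are assumptions for the illustration; the keys (`id`, `pattern`, `fix`, `message`, `languages`, `severity`) and the CLI flags `--autofix` and `--baseline-commit` are standard Semgrep features.

```yaml
# yaml-unsafe-load.yml (hypothetical rule file for this example)
#
# Run on a whole tree, rewriting matches in place:
#   semgrep --config yaml-unsafe-load.yml --autofix src/
# Differential analysis: only report findings introduced since a commit:
#   semgrep --config yaml-unsafe-load.yml --baseline-commit origin/main src/
rules:
  - id: yaml-unsafe-load
    # The pattern is written as the Python you would type, with $DATA as a
    # metavariable that binds whatever expression is passed as the argument.
    pattern: yaml.load($DATA)
    # The same metavariable is reused to build the replacement, so
    # `cfg = yaml.load(open("settings.yml"))` becomes
    # `cfg = yaml.safe_load(open("settings.yml"))` under --autofix.
    fix: yaml.safe_load($DATA)
    message: >-
      yaml.load() without a safe Loader can instantiate arbitrary Python
      objects from attacker-controlled input; use yaml.safe_load().
    languages: [python]
    severity: ERROR
```

`yaml.load($DATA)` matches only single-argument calls, so a call that already passes an explicit `Loader=` keyword is not rewritten; a practitioner hardening this rule would add a `pattern-not` clause for the loaders considered safe rather than widening the pattern with `...`, so that the autofix never strips a deliberate loader choice.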

See the Semgrep development philosophy for more about what makes Semgrep different.

