Checking your code quality at every commit is important. It keeps your code quality consistent and ensures no new issues are introduced as new code is released. SonarQube and SonarCloud are two well-known code analysis platforms. In this article, we give an overview of each platform and explain what alternatives exist.
What is SonarQube?
Released in 2006, SonarQube is considered an established code analysis platform. SonarQube is released as an open source project and supports code analysis for 24 languages. The developer edition also provides pull request analysis on GitHub, GitLab, Bitbucket, and Azure DevOps.
SonarQube requires installing a server in your infrastructure (either on-premise or in your cloud infrastructure), which means that you need to maintain (provision, upgrade, etc.) that server yourself. This is ideal if you host your version control system (e.g., Git) in your own infrastructure.
For a cloud-based solution, SonarSource, the company behind SonarQube, started SonarCloud.
What is SonarCloud?
SonarCloud is a cloud-based solution to analyze code. It integrates with GitHub, GitLab, Bitbucket, and Azure DevOps, and it analyzes every pull request. It reports on bugs, vulnerabilities, potential code smells, and code duplicates.
SonarCloud also introduces the concept of a quality gate that represents the set of acceptable issues before considering the code as "good". The quality gate is checked each time a developer sends a pull request, showing if the code can be merged or not.
Unlike SonarQube, SonarCloud does not require any server installation as it operates in the cloud.
What are the common issues with SonarQube and SonarCloud?
A SonarQube solution requires a DevOps engineer to install, maintain and upgrade the server regularly, and to ensure that the server stays compatible with your ecosystem (e.g., Bitbucket or GitLab installations).
SonarQube or SonarSource may also be hard to configure or use for some users. For first-time users unfamiliar with the platform, who only want to dive into the analysis results rather than set up a Quality Gate, the interface can be intimidating, and it is confusing to navigate from an analysis result to where the issues are located in the code.
Lastly, the pricing of these platforms can be confusing. Professional support for SonarQube is available on request, and SonarCloud pricing is based on the number of lines of code, which makes it unpredictable for the administrator.
What alternatives exist for code analysis and code review?
Set up your CI/CD pipelines
You can implement checks in your CI/CD pipelines using existing linters and code analysis tools. Many open source linters integrate into CI/CD pipelines.
You can rely on GitHub Actions if you use GitHub to host your code. GitHub Actions integrates seamlessly with your Git repository and provides direct feedback in your pull request.
However, building your own CI/CD pipeline requires you to build and maintain your CI/CD infrastructure and have a dedicated engineering team to manage it.
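As an added example (not from the original article), here is a minimal GitHub Actions workflow that runs a linter on every pull request and fails the check when issues are found; it assumes a Python repository and uses ruff as the linter, both arbitrary choices to be swapped for your own stack.

```yaml
# Added example, not from the original article. Assumes a Python
# repository and uses ruff as the linter; substitute the linter for
# your language. Triggering on pull_request puts the feedback in the PR.
name: lint

on:
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install linter
        run: python -m pip install ruff

      # A non-zero exit code fails the job. With a branch protection rule
      # that requires this check, a failing job blocks the merge, which is
      # the role a quality gate plays on the hosted platforms.
      - name: Run linter
        run: ruff check --output-format=github .
```

The `github` output format makes each finding appear as an inline annotation on the changed lines of the pull request.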
Other Code Analysis platforms
There are other code analysis platforms available that provide similar options. Codiga provides a cloud-based code analysis and code review platform. Codiga integrates with GitHub, GitLab, and Bitbucket.
Codiga supports 12+ languages. It reports code violations, complex functions, long functions, and code duplicates. Codiga also reports any secrets or API keys in the source code and detects outdated dependencies. It is easy to use and has transparent pricing based on the number of engineers on the platform.