SonarCloud vs SonarQube

SonarQube and SonarCloud both come from SonarSource and share the same analysis engine and rule sets. The key difference is where they run, and therefore who holds your source snippets, scan results and access tokens. This article compares both products in detail so you can choose the right one for your team.

The Core Difference

SONARQUBE                          SONARCLOUD
------------------------------     ------------------------------
You install it on your server      Sonarsource hosts it for you
You manage updates                 Updates happen automatically
You pay for the server             You pay per line of code
Full control over data             Data stored in the cloud
Works on any network               Requires internet access
Free Community Edition available   Free for public repositories

SonarCloud: How It Works

SonarCloud lives at sonarcloud.io. You sign up with your GitHub, GitLab, Bitbucket, or Azure DevOps account. Either SonarCloud's automatic analysis reads your repositories itself, or a scanner step in your CI pipeline runs the analysis and uploads the report; in both cases the results (including the source snippets attached to each issue) are stored on SonarSource's infrastructure, and you never install anything on a server you manage.

SONARCLOUD SETUP FLOW
  1. Log in at sonarcloud.io with your GitHub account
  2. Select your organization
  3. Import your repositories
  4. Add the scan step to your CI pipeline
  5. Results appear in your SonarCloud dashboard

Total server setup time: 0 minutes

SonarQube: How It Works

SonarQube runs on infrastructure you control — your own server, a virtual machine, or a container. You install the server, configure a database, install the scanner in your pipelines, and maintain the system over time.

SONARQUBE SETUP FLOW
  1. Provision a server (minimum 4 GB RAM; on Linux raise vm.max_map_count to at least 524288 for the bundled Elasticsearch)
  2. Install PostgreSQL
  3. Download and configure SonarQube
  4. Install SonarScanner in CI pipelines
  5. Create projects and analysis tokens (one project analysis token, prefix sqp_, per project, so a leaked CI secret can only push results into that project)
  6. Run first scan

Total setup time: 2-4 hours for a basic install
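Step 4 of both flows above is the same scanner invocation in CI; only the properties differ. The wrapper below is an added example, not code from this page or from SonarSource, showing how to assemble those properties for either target while keeping the token out of the command line. It assumes the scanner CLI is on PATH as sonar-scanner and reads the token from the SONAR_TOKEN environment variable (current scanner releases do, but treat that as an assumption for your version); my-org, my_project and the server hostname are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page or SonarSource). Assumptions, labelled:
# - `sonar-scanner` is on PATH
# - the scanner reads SONAR_TOKEN from the environment
# - organization/project/host values are placeholders
set -u

# sonar_scan_args <cloud|server> <project-key> <organization | https-host-url>
# Prints one -D property per line. Returns 1 on bad input or a missing token.
sonar_scan_args() {
  local target="$1" project="$2" extra="${3:-}"
  # Fail early: a missing token is a CI misconfiguration, not something to
  # work around by typing it on the command line.
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  case "$target" in
    cloud)
      # SonarCloud needs the organization key; the host is fixed.
      [ -n "$extra" ] || { echo "cloud target needs an organization key" >&2; return 1; }
      printf '%s\n' "-Dsonar.host.url=https://sonarcloud.io" "-Dsonar.organization=$extra"
      ;;
    server)
      # Self-hosted: the token rides in every request, so refuse plain HTTP.
      case "$extra" in
        https://*) printf '%s\n' "-Dsonar.host.url=$extra" ;;
        *) echo "self-hosted URL must be https:// (tokens travel in the request)" >&2; return 1 ;;
      esac
      ;;
    *) echo "unknown target: $target" >&2; return 1 ;;
  esac
  # Common properties: the project key, and make the scanner wait for the
  # Quality Gate so a failed gate fails the CI job instead of just a dashboard.
  printf '%s\n' "-Dsonar.projectKey=$project" "-Dsonar.qualitygate.wait=true"
}

# run_scan <cloud|server> <project-key> <organization | https-host-url>
run_scan() {
  local args
  args="$(sonar_scan_args "$@")" || return 1
  # The token is deliberately NOT passed as -Dsonar.token: a -D value shows up
  # in `ps` output and in CI logs; the environment variable does not.
  # shellcheck disable=SC2086  # splitting the newline-separated list is intended
  sonar-scanner $args
}
```

In a GitHub Actions or GitLab job this is a single `run: ./scan.sh cloud my_project my-org` (or `server my_project https://sonar.example.com`) step with SONAR_TOKEN injected from the CI secret store; nothing token-shaped ever lands in the repository or the job log.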

Feature Comparison Table

FEATURE                      SONARQUBE CE  SONARQUBE DEV  SONARCLOUD
---------------------------  ------------  -------------  ----------
Price                        Free          Paid           Free (public)
Hosting                      Self-hosted   Self-hosted    Cloud
Languages supported          Subset (1)    30+            30+
Branch analysis              No            Yes            Yes
PR decoration                No            Yes            Yes
Taint analysis (injection)   No            Yes            Yes
Portfolio view               No            Enterprise     Yes
OWASP / security standards   Yes           Yes            Yes
Custom rules                 Yes           Yes            No (limited)
SAML / SSO                   Yes           Yes            Yes (GitHub/GL)
Audit logs                   Enterprise    Enterprise     Yes
Data residency control       Full          Full           Limited
Air-gapped network support   Yes           Yes            No

(1) Community Edition ships without the commercial-only analyzers: C/C++, Objective-C, Swift, PL/SQL, T-SQL, ABAP and COBOL among others. Taint analysis (tracking untrusted input into SQL, command, path and similar sinks) and audit logs are likewise not in Community Edition.

When to Choose SonarCloud

SonarCloud is the right choice when:

  • Your team is small (2–15 developers) and does not want server maintenance overhead
  • Your code is in a public GitHub repository (SonarCloud is free for public projects)
  • You use GitHub, GitLab, Bitbucket, or Azure DevOps and want the fastest possible integration
  • Your organization does not have a strict policy against storing code metadata in the cloud
  • You want branch analysis and PR decoration without paying for SonarQube Developer Edition

When to Choose SonarQube

SonarQube is the right choice when:

  • Your organization has strict data residency requirements — code and scan data must stay on-premises
  • You work in a regulated industry (finance, healthcare, government) where cloud tools require lengthy approval
  • Your development environment is air-gapped — no external internet access allowed
  • You need custom plugins or rules that SonarCloud does not support
  • Your team already operates servers and has the DevOps capacity to maintain SonarQube

Pricing Overview

SONARCLOUD PRICING
  Public repos:   Free, unlimited
  Private repos:  Billed by lines of code analyzed
  100K lines:     ~$10/month
  1M lines:       ~$75/month
  (Prices approximate — check sonarcloud.io for current rates)

SONARQUBE COMMUNITY EDITION
  Cost: Free forever
  Limitation: No branch analysis, no PR decoration

SONARQUBE DEVELOPER EDITION
  Cost: Starts at ~$150/year (based on lines of code)
  Adds: Branch analysis, PR decoration, taint analysis for injection vulnerabilities, more languages

SONARQUBE ENTERPRISE EDITION
  Cost: Custom pricing
  Adds: Portfolio view, security reports (OWASP Top 10 / CWE), audit logs

Migration Path: SonarCloud to SonarQube

Teams often start with SonarCloud for simplicity and migrate to self-hosted SonarQube as they grow. The migration is straightforward because both products use the same scanner, the same rule keys, and the same Quality Profile backup format. One caveat: the rule set depends on the analyzer version, so rules present in the SonarCloud backup but absent from your SonarQube release are skipped on restore; review the restored profile before making it the default.

MIGRATION STEPS
  1. Back up (export) Quality Profiles from SonarCloud
  2. Restore them into SonarQube and check the restore report for skipped rules
  3. Update CI pipelines:
     Replace sonar.host.url=https://sonarcloud.io
     With    sonar.host.url=https://your-server
             (terminate TLS in front of SonarQube; its default listener on port 9000 is plain HTTP, and the token rides in every scanner request)
     Remove  sonar.organization=your-org (SonarQube does not use it)
     Rename  sonar.login to sonar.token if you still use it (sonar.login is deprecated since SonarQube 10)
  4. Generate new tokens on the SonarQube server, update the CI secrets, then revoke the old SonarCloud tokens
  5. Re-import projects manually or via DevOps integration
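Step 3 is mechanical and is also the point where hard-coded secrets tend to surface, so it is worth scripting. The function below is an added example, not code from this page or from SonarSource: it rewrites a sonar-project.properties file for the move, and refuses to proceed if the file carries a token. The properties file content and the https://sonar.example.com host are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the page or SonarSource). The sample properties
# file and the host URL below are constructed placeholders.
set -u

# migrate_sonar_props <properties-file> <new-https-host-url>
# - swaps sonar.host.url for the self-hosted server
# - drops sonar.organization (SonarCloud-only)
# - refuses to proceed if a token is hard-coded (sonar.token, or the deprecated
#   sonar.login); tokens belong in CI secrets and must be reissued on the new
#   server anyway, so a hard-coded one is a finding, not something to carry over
migrate_sonar_props() {
  local file="$1" host="$2"
  case "$host" in
    https://*) ;;
    *) echo "refusing non-HTTPS host URL: $host" >&2; return 1 ;;
  esac
  if grep -Eq '^[[:space:]]*sonar\.(token|login)[[:space:]]*=' "$file"; then
    echo "token hard-coded in $file; move it to a CI secret before migrating" >&2
    return 1
  fi
  local tmp
  tmp="$(mktemp)"
  # Write to a temp file and move it into place so a failed sed never leaves
  # a half-rewritten properties file behind.
  sed -e "s#^[[:space:]]*sonar\.host\.url[[:space:]]*=.*#sonar.host.url=$host#" \
      -e '/^[[:space:]]*sonar\.organization[[:space:]]*=/d' "$file" > "$tmp" \
    && mv "$tmp" "$file"
}

# write_sample <path>: constructed SonarCloud-style properties file for the demo
write_sample() {
  cat > "$1" <<'EOF'
sonar.projectKey=acme_payments
sonar.organization=acme
sonar.host.url=https://sonarcloud.io
sonar.sources=src
EOF
}
```

Usage: `migrate_sonar_props sonar-project.properties https://sonar.example.com`; the file keeps every other property untouched, and a non-zero exit means either a plain-HTTP URL or a token that has to be moved out of the repository first.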

SonarLint: The IDE Companion

Both SonarCloud and SonarQube work alongside SonarLint, a free IDE plugin available for VS Code, IntelliJ IDEA, Eclipse, Visual Studio, and others. SonarLint highlights issues directly in your editor as you write code — before you even commit.

HOW SONARLINT FITS IN
  You type code in VS Code
          |
  SonarLint highlights the issue immediately
  (red underline, tooltip explains the problem)
          |
  You fix it before committing
          |
  The CI scan never sees the issue
          |
  Quality Gate passes — no interruption

Connected Mode: SonarLint + SonarQube

SonarLint can connect to your SonarQube or SonarCloud server in Connected Mode. In this mode, SonarLint uses the same Quality Profile and rule configuration that the server uses, so the issues it shows in your editor match what the CI scan will report, with no surprises after committing. The one exception is server-side analysis such as cross-file taint tracking: SonarLint does not run it locally, but in Connected Mode it pulls those findings from the server and shows them in the editor too.

CONNECTED MODE SETUP (VS Code)
  1. Install SonarLint extension from the marketplace
  2. Open VS Code settings and search for SonarLint
  3. Add server connection:
     Type: SonarQube
     URL:  https://your-server
     Token: squ_your_user_token (a user token; project analysis tokens with the sqp_ prefix cannot be used by SonarLint, and VS Code keeps the token in its secret storage rather than in settings.json)
  4. Bind your workspace to the project key
  5. SonarLint now uses your server's Quality Profile

Summary: Choosing the Right Product

+---------------------------+----------------------+
| SCENARIO                  | RECOMMENDED PRODUCT  |
+---------------------------+----------------------+
| Learning, personal use    | SonarQube Community  |
| Open-source project       | SonarCloud (free)    |
| Small team, quick setup   | SonarCloud           |
| Enterprise, on-premises   | SonarQube Enterprise |
| Air-gapped environment    | SonarQube Community  |
|   + branch analysis       |   or Developer Ed.   |
| IDE feedback while coding | SonarLint (always)   |
+---------------------------+----------------------+

The best setup for most teams combines SonarLint in the IDE for immediate feedback, SonarQube or SonarCloud in the CI pipeline for automated gate enforcement, and regular Quality Profile reviews to keep the rules aligned with evolving team standards.
