Comparisons with other tools

Compare Semgrep to SonarQube

Both Semgrep and SonarQube use static analysis to find bugs, but there are a few differences:

- Extending Semgrep with custom rules is simple since Semgrep rules look like the source code you’re writing. Writing custom rules with SonarQube is restricted to a handful of languages and requires familiarity with Java and abstract syntax trees (ASTs).
- Semgrep supports user-created, rule-defined fixes; SonarQube does not.
- Semgrep focuses on speed and ease of use, making analysis possible at up to 20K-100K loc/sec per rule. SonarQube authors report approximately 0.4K loc/sec for rulesets in production.
- Both have publicly available rules.
- Semgrep has an online, hosted free plan for up to ten contributors to private repositories; both have a hosted paid plan.
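As an added illustration of the first two points above (this is a constructed example, not a rule from the Semgrep registry or from the original page), here is a minimal Semgrep rule whose pattern is written as the Python it matches and which ships its own fix; the rule id is hypothetical:

```yaml
# Constructed example rule (hypothetical id): flag yaml.load() called with a
# single argument, i.e. without an explicit Loader, and offer yaml.safe_load()
# as the rule-defined fix.
rules:
  - id: example-unsafe-yaml-load
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load() without a Loader can instantiate arbitrary Python objects
      from untrusted input; use yaml.safe_load() instead.
    # The pattern reads like ordinary Python; $X is a metavariable that
    # binds whatever expression is passed as the argument.
    pattern: yaml.load($X)
    # The fix reuses the bound $X, so the rewrite keeps the original argument.
    fix: yaml.safe_load($X)
```

Running `semgrep --config rule.yaml --autofix target.py` rewrites `yaml.load(data)` to `yaml.safe_load(data)`; a call such as `yaml.load(data, Loader=yaml.SafeLoader)` is not matched because the pattern specifies exactly one argument.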