What SonarCloud Does
SonarCloud is Sonar's managed code analysis platform — the hosted sibling of self-hosted SonarQube — that scans repositories for bugs, code smells, security vulnerabilities, security hotspots, and duplications, then surfaces findings inside pull requests and a persistent project dashboard. It connects as a GitHub App (with equivalents for GitLab, Azure DevOps, and Bitbucket Cloud), scoring each pull request against a configurable Quality Gate before merge so substandard changes can be blocked automatically.
Setup Speed and Pull-Request Decoration
Onboarding SonarCloud on a GitHub-hosted project is the fastest path into serious static analysis available today. You authorize the GitHub App, pick the repositories to import, and the first scan runs within minutes — Quality Gates appear as required status checks on pull requests and the PR decoration panel highlights exactly which lines introduced new issues without any further configuration. The default gate (no new issues, coverage above a threshold) is sensible enough that most teams keep it for the first quarter before tuning.
Adjusting thresholds, activating language-specific rules, or building Quality Profiles is done through the web UI and propagates to every connected project in the organization. The web UI is polished, the documentation is among the best in the static-analysis category, and the historical trend charts make code-health regressions visible to non-engineers — a meaningful organizational benefit when you need to communicate technical debt to leadership.
Language Coverage and Rule Depth
SonarCloud analyzes more than thirty languages — including JavaScript, TypeScript, Python, Java, C#, Go, Kotlin, Swift, PHP, Ruby, and lower-level languages like C and C++ — using over five thousand built-in rules across reliability, maintainability, and security categories. Security Hotspots flag security-sensitive code that requires manual review even when it is not definitively vulnerable, which is a useful triage layer when a security team needs to walk through a repository systematically rather than chase only confirmed vulnerabilities.
The rule engine does not support writing custom AST-level patterns the way Semgrep does. Teams with highly specific internal vulnerability shapes — custom ORM injection sinks, internal authentication bypasses, framework-specific anti-patterns — will hit the ceiling of SonarCloud's customization model. Activating, deactivating, or severity-adjusting existing rules and bundling them into Quality Profiles covers most team-policy needs, but pattern authoring at the AST level is not part of the product.
Pricing Reality for Private Repositories
Public and open-source repositories are completely free on SonarCloud with no feature restrictions — a meaningful gift to the OSS ecosystem and the cleanest reason to recommend it for community projects. Private repositories are priced per analyzed line of code, with paid tiers starting around $14 per month for 100K LOC and scaling up from there. The cost stays manageable for focused services but compounds quickly on monorepos or repositories with large volumes of generated code.
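Because private-repository pricing tracks the analyzed line count, the practical lever is to keep generated, vendored, and build-output files out of the scan while leaving real sources and tests in. The following sonar-project.properties is an added example, not configuration from the page or from Sonar; the project key, organization, and every directory pattern are placeholders that assume a conventional src/tests layout and must be adjusted to the actual repository.

```properties
# Added example: sonar-project.properties at the repository root.
# Project key, organization and all path patterns are placeholders (assumptions
# about the repository layout), not values from the page or from Sonar.
# Intent: keep generated and vendored code out of the analyzed line count
# without hiding hand-written sources from the scanner.

# Placeholder identifiers; SonarCloud shows the real ones on the project page.
sonar.projectKey=example-org_example-service
sonar.organization=example-org
sonar.sourceEncoding=UTF-8

# Analyze application code and tests as separate sets, so test-specific rules
# apply to tests and production rules apply to src.
sonar.sources=src
sonar.tests=tests

# Exclude generated and vendored files from analysis entirely. Excluded files
# are not scanned, so they neither produce findings nor count as analyzed LOC.
# Patterns are assumptions about where generated code lives in this repository.
sonar.exclusions=**/generated/**,**/*.pb.go,**/*_pb2.py,**/vendor/**,**/node_modules/**,**/dist/**,**/*.min.js

# Files that should still be analyzed for issues but not count against the
# coverage threshold in the Quality Gate (e.g. migrations, entry-point scripts).
sonar.coverage.exclusions=**/migrations/**,**/__main__.py

# Suppress duplication reporting inside repetitive test fixtures only.
sonar.cpd.exclusions=**/fixtures/**
```

The split between sonar.exclusions and sonar.coverage.exclusions matters: the first removes files from the scan (and from the billed line count), while the second keeps files under analysis but stops them dragging the coverage condition of the Quality Gate below threshold. Review the exclusion list in the same pull request that introduces it, since an over-broad glob such as **/dist/** silently removes real sources from security analysis if the repository happens to keep hand-written code under that name.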