# Semgrep / CodeQL / SonarQube Positioning
Intro: Teams often ask which static-analysis platform to standardize on, but the more useful question is: what class of problem do we want the tool to be best at, and where do we need developer workflow, custom policy, or central review most? Semgrep, CodeQL, and SonarQube overlap, but they are not strongest in the same places.
## What this page includes
- practical positioning for Semgrep, CodeQL, and SonarQube
- where the tools overlap and where they differ
- when to run one, two, or all three
- a simple decision matrix for Product Security programs
## The quick positioning
| Tool | Best mental model |
|---|---|
| Semgrep | fast, customizable, developer-near policy and SAST guardrail platform |
| CodeQL | deep semantic analysis over a code database with powerful custom query and dataflow capabilities |
| SonarQube | centralized code-quality and secure-coding review platform with strong PR / quality-gate workflow |
## Where each tool is strongest
### Semgrep
Best when you need:
- fast feedback in CI and local workflows;
- easy custom rule authoring by security engineers;
- broad first-party SAST with practical customization;
- one platform that can also cover secrets and SCA in the same motion.
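To make the "easy custom rule authoring" claim concrete, here is an added example of the kind of guardrail rule a Product Security team would ship in its own rule directory; it is not from this page or from the Semgrep project. The rule id, the `owner` metadata value and the excluded paths are constructed assumptions. It flags Python `requests` calls that disable TLS certificate verification, in both the per-call form and the session-attribute form:

```yaml
# rules/product-security/requests-tls-verify-disabled.yaml (constructed example)
rules:
  - id: product-security.requests-tls-verify-disabled   # assumed id
    languages: [python]
    severity: ERROR
    message: >-
      TLS certificate verification is disabled for this HTTP call.
      Remove verify=False or point verify at an approved CA bundle path.
    patterns:
      - pattern-either:
          # Per-call form: requests.get(url, verify=False), requests.post(..., verify=False)
          - pattern: requests.$METHOD(..., verify=False, ...)
          # Session form: the attribute is set after the session is created
          - pattern: |
              $S = requests.Session()
              ...
              $S.verify = False
    # Test fixtures that deliberately talk to self-signed endpoints are out of scope.
    paths:
      exclude:
        - tests/
        - "**/fixtures/**"
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      owner: product-security   # assumed team name; used to route findings
      confidence: HIGH
```

Running `semgrep scan --config rules/product-security/ --error` in CI exits non-zero when the rule fires, which is what turns a rule into a merge guardrail rather than a report; the `metadata` block is what lets a central review surface group and route the finding to the owning team.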
### CodeQL
Best when you need:
- deep semantic analysis;
- rich dataflow and framework modeling;
- custom queries for specific languages and framework behavior;
- tight alignment with GitHub code-scanning workflows.
### SonarQube
Best when you need:
- a shared developer review surface;
- quality gates and pull-request decoration;
- maintainability + security + duplication + coverage signals in one place;
- Security Hotspots workflow and new-code policy discipline.
## Main differences
| Dimension | Semgrep | CodeQL | SonarQube |
|---|---|---|---|
| Custom rule authoring | easiest for most AppSec teams | strongest, but with a steeper learning curve | possible, but less convenient for many teams |
| Analysis depth | good and improving, especially for fast policy checks | strongest semantic / query-centric model | mixed model, strong for centralized review rather than custom deep semantic work |
| Developer workflow | strong in PR and CLI workflows | strong in GitHub-native code scanning | strong in centralized PR quality gates and IDE-connected review |
| Best fit | guardrails + custom AppSec policy | deep security research / semantic analysis | code-quality + security workflow anchor |
## Overlap map
```mermaid
flowchart LR
    A[Custom policy and fast guardrails] --> B[Semgrep]
    C[Deep semantic / dataflow analysis] --> D[CodeQL]
    E[Centralized quality and review workflow] --> F[SonarQube]
    B --- G[Shared SAST problem space]
    D --- G
    F --- G
```
## When to use only one
### Semgrep only
Good for fast-moving teams that need:
- CI guardrails now;
- custom rules quickly;
- practical detection breadth with manageable complexity.
### CodeQL only
Good for GitHub-centric teams that want:
- code scanning integrated in GitHub;
- custom query packs;
- strong semantic coverage on supported languages.
### SonarQube only
Good for teams that want:
- one shared code review and release-gate surface;
- quality gate enforcement on new code;
- security findings and hotspots integrated with broader code-health policy.
## When to combine them
### Semgrep + SonarQube
Useful when:
- security engineers want custom policy velocity;
- engineering wants a central PR / quality gate surface.
### CodeQL + SonarQube
Useful when:
- GitHub is the primary development platform;
- Product Security wants deeper semantic coverage while keeping SonarQube as the broader quality/governance surface.
### Semgrep + CodeQL
Useful when:
- Semgrep carries broad fast policy and framework coverage;
- CodeQL is reserved for deeper semantic analysis on key repositories or languages.
### All three
Justifiable only when roles are clear:
- Semgrep = fast custom guardrails;
- CodeQL = deep semantic and research-driven queries;
- SonarQube = central quality / hotspot / PR gate workflow.
Without that clarity, teams create duplicate findings and tool fatigue.
## Decision matrix
| Need | Best starting choice |
|---|---|
| Fast custom AppSec policy in CI | Semgrep |
| GitHub-native semantic analysis | CodeQL |
| Org-wide developer review + quality gate discipline | SonarQube |
| Security engineering wants easy rule writing | Semgrep |
| Research-heavy custom semantic detection | CodeQL |
| Secure-coding review plus maintainability governance | SonarQube |
## Anti-patterns
- buying depth and using only default rules forever;
- running all three with no deduplication or ownership model;
- blocking merges on noisy low-value rules;
- treating Security Hotspots like confirmed exploitable vulns;
- assuming CodeQL or Semgrep should replace all quality-gate and code-health use cases.
## Recommended operating split
- Semgrep for fast custom policy and security guardrails;
- CodeQL for deeper language-specific semantic coverage in GitHub-centric estates;
- SonarQube for broad code-review governance, hotspots, new-code gates, and code-health visibility.
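The "All three" role split above and this recommended operating split are the same policy; as an added example (not from this page, nor from Semgrep, GitHub or SonarSource), here is one GitHub Actions workflow that encodes it, with each tool's job carrying exactly one role. It assumes a `rules/product-security/` directory of custom Semgrep rules, a SonarQube project key `example-service`, `SONAR_TOKEN` / `SONAR_HOST_URL` repository secrets, and the action version tags shown, all of which are assumptions rather than values from the page:

```yaml
# .github/workflows/sast.yml (constructed example; action version tags are assumptions)
name: sast

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF into GitHub code scanning

jobs:
  # Role 1: Semgrep = fast custom guardrails.
  # Only the org's own rule directory runs here, so a finding means a policy was broken,
  # and --error makes that finding block the PR.
  semgrep-guardrails:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Run custom guardrail rules (exit non-zero on findings)
        run: >
          semgrep scan
          --config rules/product-security/
          --error
          --sarif --output semgrep.sarif
      - name: Publish findings under a tool-specific category
        if: always()   # still upload when the previous step failed on findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
          category: semgrep-guardrails   # keeps Semgrep and CodeQL results apart in code scanning

  # Role 2: CodeQL = deep semantic analysis, limited to the key languages.
  codeql-semantic:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [java-kotlin, javascript-typescript]   # assumed set of key languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
        with:
          category: codeql-${{ matrix.language }}

  # Role 3: SonarQube = central quality gate, hotspots and new-code policy.
  # The gate itself (new-code conditions, hotspot review requirement) is configured
  # server-side; the job only waits for its verdict so it can fail the check.
  sonarqube-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so new-code detection and blame work
      - uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.projectKey=example-service
            -Dsonar.qualitygate.wait=true
```

The ownership model the anti-patterns section asks for lives in the structure: Semgrep findings are the only ones that block on the security team's own rules, CodeQL uploads under its own code-scanning category so its results are never confused with Semgrep's, and SonarQube remains the single place where the new-code quality gate and hotspot review are decided. Adding a default Semgrep ruleset or a second quality gate elsewhere is where the duplicate-finding problem starts.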