Semgrep / CodeQL / SonarQube selection matrix

| Need | Start here |
|---|---|
| Fast custom rules | Semgrep |
| GitHub-native semantic analysis | CodeQL |
| Central quality gates and security hotspots | SonarQube |
| Deep custom semantic research | CodeQL |
| Broad developer-facing AppSec guardrails | Semgrep |
| Code-quality plus security governance | SonarQube |