# Semgrep / CodeQL / SonarQube Positioning

> **Intro:** Teams often ask which static-analysis platform to standardize on, but the more useful question is: **what class of problem do we want the tool to be best at, and where do we need developer workflow, custom policy, or central review most?** Semgrep, CodeQL, and SonarQube overlap, but they are not strongest in the same places.
>
> **What this page includes**
>
> * practical positioning for Semgrep, CodeQL, and SonarQube
> * where the tools overlap and where they differ
> * when to run one, two, or all three
> * a simple decision matrix for Product Security programs

## The quick positioning

| Tool          | Best mental model                                                                                 |
| ------------- | ------------------------------------------------------------------------------------------------- |
| **Semgrep**   | fast, customizable, developer-near policy and SAST guardrail platform                             |
| **CodeQL**    | deep semantic analysis over a code database with powerful custom query and dataflow capabilities  |
| **SonarQube** | centralized code-quality and secure-coding review platform with strong PR / quality-gate workflow |

## Where each tool is strongest

### Semgrep

Best when you need:

* fast feedback in CI and local workflows;
* easy custom rule authoring by security engineers;
* broad first-party SAST with practical customization;
* one platform that can also cover secrets detection and SCA (Semgrep Secrets, Semgrep Supply Chain) in the same scan.
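
What "easy custom rule authoring" looks like in practice, as an added example that is not from this page or from Semgrep's own rule registry: a taint-mode rule that flags request-controlled data reaching a shell command in a Flask application. The rule id, the choice of Flask sources, the `shlex.quote()` sanitizer and the `.semgrep/` directory in the usage note are this example's own assumptions.

```yaml
# Added example (not from the page or the Semgrep registry). The rule id,
# the Flask source set and the shlex.quote sanitizer are this example's
# choices; adjust them to the frameworks your code base actually uses.
rules:
  - id: flask-request-to-shell-command
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data reaches a shell command (OS command injection).
      Pass an argument list without shell=True, or quote the value with
      shlex.quote() if a shell string is unavoidable.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      confidence: HIGH
    # Sources: anything the client controls through Flask's request object.
    # Semgrep resolves `from flask import request`, so `request.args.get(...)`
    # in the scanned file still matches the fully qualified pattern below.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.values.get(...)
      - pattern: flask.request.json
    # Sanitizers: a quoted value is safe to place inside a shell string.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    # Sinks: only the command argument of a shell=True call or os.system,
    # so the other keyword arguments of subprocess.* never produce findings.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
              - pattern: os.system($CMD)
          - focus-metavariable: $CMD
```

Run it with `semgrep scan --config .semgrep/ src/`, and keep it honest with a fixture file next to the rule that marks expected hits with `# ruleid: flask-request-to-shell-command` and expected non-hits with `# ok: flask-request-to-shell-command`, checked by `semgrep --test .semgrep/`. The positioning point: this took a few minutes and no build, which is Semgrep's sweet spot; Semgrep's community taint analysis is intraprocedural, so flows that cross function or file boundaries are where CodeQL's database-backed whole-program dataflow (or Semgrep's paid cross-function analysis) earns its extra setup cost.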

### CodeQL

Best when you need:

* deep semantic analysis;
* rich dataflow and framework modeling;
* custom queries for specific languages and framework behavior;
* tight alignment with GitHub code-scanning workflows.

### SonarQube

Best when you need:

* a shared developer review surface;
* quality gates and pull-request decoration;
* maintainability + security + duplication + coverage signals in one place;
* Security Hotspots workflow and new-code policy discipline.

## Main differences

| Dimension                 | Semgrep                                               | CodeQL                                     | SonarQube                                                                        |
| ------------------------- | ----------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------------------------------- |
| **Custom rule authoring** | easiest for most AppSec teams                         | strongest but steeper                      | possible, but less convenient for many teams                                     |
| **Analysis depth**        | pattern matching plus taint tracking; strongest for fast, precise policy checks | strongest: whole-program dataflow over a code database | mixed model, strong for centralized review rather than custom deep semantic work |
| **Developer workflow**    | strong in PR and CLI workflows                        | strong in GitHub-native code scanning      | strong in centralized PR quality gates and IDE-connected review                  |
| **Best fit**              | guardrails + custom AppSec policy                     | deep security research / semantic analysis | code-quality + security workflow anchor                                          |

## Overlap map

```mermaid
flowchart LR
    A[Custom policy and fast guardrails] --> B[Semgrep]
    C[Deep semantic / dataflow analysis] --> D[CodeQL]
    E[Centralized quality and review workflow] --> F[SonarQube]
    B --- G[Shared SAST problem space]
    D --- G
    F --- G
```

## When to use only one

### Semgrep only

Good for fast-moving teams that need:

* CI guardrails now;
* custom rules quickly;
* practical detection breadth with manageable complexity.

### CodeQL only

Good for GitHub-centric teams that want:

* code scanning integrated in GitHub;
* custom query packs;
* strong semantic coverage on supported languages.

### SonarQube only

Good for teams that want:

* one shared code review and release-gate surface;
* quality gate enforcement on new code;
* security findings and hotspots integrated with broader code-health policy.

## When to combine them

### Semgrep + SonarQube

Useful when:

* security engineers want custom policy velocity;
* engineering wants a central PR / quality gate surface.

### CodeQL + SonarQube

Useful when:

* GitHub is the primary development platform;
* Product Security wants deeper semantic coverage while keeping SonarQube as the broader quality/governance surface.

### Semgrep + CodeQL

Useful when:

* Semgrep carries broad fast policy and framework coverage;
* CodeQL is reserved for deeper semantic analysis on key repositories or languages.

### All three

Justifiable only when roles are clear:

* **Semgrep** = fast custom guardrails;
* **CodeQL** = deep semantic and research-driven queries;
* **SonarQube** = central quality / hotspot / PR gate workflow.

Without that clarity, teams create duplicate findings and tool fatigue.

## Decision matrix

| Need                                                 | Best starting choice |
| ---------------------------------------------------- | -------------------- |
| Fast custom AppSec policy in CI                      | Semgrep              |
| GitHub-native semantic analysis                      | CodeQL               |
| Org-wide developer review + quality gate discipline  | SonarQube            |
| Security engineering wants easy rule writing         | Semgrep              |
| Research-heavy custom semantic detection             | CodeQL               |
| Secure-coding review plus maintainability governance | SonarQube            |

## Anti-patterns

1. buying depth and using only default rules forever;
2. running all three with no deduplication or ownership model;
3. blocking merges on noisy low-value rules;
4. treating Security Hotspots as confirmed exploitable vulnerabilities (a hotspot is security-sensitive code that still needs a human review decision);
5. assuming CodeQL or Semgrep should replace all quality-gate and code-health use cases.

## Recommended operating split

* **Semgrep** for fast custom policy and security guardrails;
* **CodeQL** for deeper language-specific semantic coverage in GitHub-centric estates;
* **SonarQube** for broad code-review governance, hotspots, new-code gates, and code-health visibility.
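
The operating split above (and the "all three" role split earlier on this page), expressed as one CI pipeline. This is an added example, not a pipeline from the page or from any of the three vendors: it assumes GitHub Actions, a repository containing Python and Java/Kotlin code, a curated org ruleset under `.semgrep/`, repository secrets named `SONAR_TOKEN` and `SONAR_HOST_URL`, and the action versions shown, all of which should be checked against current vendor documentation before use.

```yaml
# Added example (not from the page or the vendors): one pipeline, three
# tools, one role each. Action versions, the .semgrep/ rule directory, the
# language matrix and the secret names are this example's assumptions.
name: sast-split

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"        # weekly deep CodeQL pass on main

permissions:
  contents: read
  security-events: write       # required to upload SARIF to code scanning

jobs:
  # Semgrep: fast custom guardrails on every PR. Only ERROR-severity rules
  # from the curated org ruleset can block a merge; blocking on a broad
  # default ruleset is anti-pattern 3 on this page.
  semgrep-guardrails:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Blocking policy scan (exit 1 on any ERROR finding)
        run: >-
          semgrep scan --config .semgrep/ --severity ERROR --error
          --sarif --output semgrep.sarif
      - name: Publish findings next to CodeQL results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
          category: semgrep    # own category, so Semgrep never overwrites CodeQL alerts

  # CodeQL: deep semantic analysis, run on main and weekly rather than on
  # every PR, so its build cost and longer-lived findings stay off the PR path.
  codeql-deep:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [python, java-kotlin]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # custom query packs go in a `packs:` input here
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  # SonarQube: central PR decoration, Security Hotspots and the new-code
  # quality gate. Full history is needed so "new code" is computed correctly.
  sonarqube-gate:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      - name: Fail the job if the new-code quality gate fails
        uses: SonarSource/sonarqube-quality-gate-action@master
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```

Two design choices carry the ownership model the page asks for: each tool runs on a different trigger (Semgrep on PRs, CodeQL on main and on a schedule, SonarQube on both but never on the schedule), and Semgrep's SARIF is uploaded under its own `category`, which keeps the two result sets side by side in code scanning instead of one analysis replacing the other. Duplicate findings between Semgrep and CodeQL still need a rule-level decision (retire the Semgrep rule or scope the CodeQL query) rather than a pipeline trick.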

## Read next

* [🛡️ SonarQube — Modern Practical Guide, Quality Gates, Security Hotspots, and Review Workflows](/application-security-and-secure-sdlc/index-1/sonarqube-modern-practical-guide-quality-gates-hotspots-and-review-workflows.md)
* [🧱 SAST Noise Reduction](/application-security-and-secure-sdlc/index-1/sast-noise-reduction.md)
* [🔍 IDE Security Linters and Pre-Commit SAST](/application-security-and-secure-sdlc/index-1/ide-security-linters-and-pre-commit-sast.md)
