type: service
status: active
timestamp: 2026-06-20
tags: [services, code-quality, sast, static-analysis]

SonarCloud

Deeper static analysis than a linter: SAST, code smells, duplication, complexity and coverage reporting; free for open-source (public) repos


Role

Whole-repository static analysis after each merge to main. SonarCloud covers SAST (vulnerabilities and security hotspots), code smells, duplicated code, complexity metrics and test-coverage reporting.

Biome is fast and very good at lint + format, but it is not a full SAST tool; SonarCloud fills that gap.
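A minimal workflow for the "scan after each merge to main" role, as an added example rather than the family's actual workflow file or anything from SonarSource. Assumptions: the action name and version (SonarSource/sonarqube-scan-action@v5, the current name of the former sonarcloud-github-action) and the `args` input are as I recall them and should be checked against the current SonarCloud docs; `example-org` and `example-org_example-repo` are placeholder organization and project keys; `SONAR_TOKEN` is a repository secret holding a SonarCloud token.

```yaml
# Added example, not the page's or SonarSource's own file.
# Runs the SonarCloud scan on every push to main (post-merge, whole-repo)
# and on pull requests so PR decoration has something to show.
name: sonarcloud

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Shallow clones lose blame data, which breaks new-code detection
          # and issue assignment; SonarCloud asks for the full history.
          fetch-depth: 0

      # Assumed action name/version; verify against the SonarCloud docs.
      - uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # repository secret (assumed name)
        with:
          args: >
            -Dsonar.projectKey=example-org_example-repo
            -Dsonar.organization=example-org
```

The `sonar.projectKey` and `sonar.organization` values can equally live in a `sonar-project.properties` file at the repo root; passing them as `args` keeps the workflow self-describing. Each of the 13+ repos needs its own copy of this file and its own project key, which is the per-repo cost referred to under swap cost.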

Free tier

Free forever for public repos:

Card / subscription required?

No for OSS / public repos. Private repos need a paid plan, which is priced by lines of code analysed.

Alternatives

Swap cost

Medium. Each replacement needs its own .github/workflows/<tool>.yml, its own webhook and its own PR-decoration setup. The application code itself does not change; these are all CI-side checks.

Why this is our pick

SonarCloud’s TypeScript rule library is the broadest among the options with a free OSS tier, and the per-project quality-gate view in its dashboard gives the family a single pane across all 13+ repos. Critically, SonarCloud catches issues Biome cannot: it tracks data flow (taint analysis), not just syntax. A function that builds a SQL string from user input is a SonarCloud finding, not a Biome finding.
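To make the data-flow point concrete, here is the SQL-string pattern beside its parameterized rewrite, as an added example that is neither the page's code nor anything from SonarCloud or Biome. The `{ text, values }` query shape mirrors what node-postgres accepts, but no database is contacted; the attacker input is constructed for the example, and `findUserUnsafe`, `findUserSafe` and `sqlTextIsConstant` are illustrative names.

```typescript
// Added example (not from the page, SonarCloud or Biome).
// Left: user input is interpolated into SQL text, so a taint rule that
// follows data from a parameter into a query sink reports it. Biome's
// syntax-level lint rules have no notion of that flow.
// Right: the SQL text is a constant and the input travels as a bound value.

interface ParamQuery {
  text: string;      // constant SQL with positional placeholders
  values: unknown[]; // bound parameters, never spliced into `text`
}

// VULNERABLE: the query text changes with the input.
function findUserUnsafe(username: string): string {
  return `SELECT id, name FROM users WHERE name = '${username}'`;
}

// HARDENED: same query, but the input can only ever be a value.
function findUserSafe(username: string): ParamQuery {
  return {
    text: "SELECT id, name FROM users WHERE name = $1",
    values: [username],
  };
}

// Constructed attacker input: closes the string literal, adds a tautology,
// and comments out whatever followed.
const INJECTION_PAYLOAD = "' OR 1=1 --";

// The query text must equal the expected constant regardless of input;
// any payload fragment appearing in it means the input reached the sink.
function sqlTextIsConstant(q: ParamQuery, expected: string): boolean {
  return q.text === expected && !q.text.includes(INJECTION_PAYLOAD);
}

// Runs both builders against the payload so the difference is visible.
function demo(): { unsafe: string; safe: ParamQuery } {
  return {
    unsafe: findUserUnsafe(INJECTION_PAYLOAD),
    safe: findUserSafe(INJECTION_PAYLOAD),
  };
}
```

In the unsafe case the resulting text is `SELECT id, name FROM users WHERE name = '' OR 1=1 --'`, which the database happily executes as a tautology; in the safe case the text never changes and the payload is just a string compared against `name`. Escaping is not a substitute for the parameterized form, since the escaping rules are the database's, not the application's.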

Cross-refs

