Repotoire vs SonarQube
SonarQube is the industry standard for rule-based code analysis with unmatched language breadth. Repotoire takes a different approach: graph-powered analysis that finds architectural issues traditional scanners miss. Here's how they compare.
Feature Comparison
| Feature | Repotoire | SonarQube |
|---|---|---|
| Analysis approach | Graph-powered (petgraph) | Rule-based AST scanning |
| Languages | 9 (Python, TypeScript, JavaScript, Rust, Go, Java, C#, C, C++) | 30+ |
| Rules / Detectors | 106 pure Rust detectors | 5,000+ rules |
| Architectural analysis | Yes (circular deps, god classes, bottlenecks, coupling) | Limited |
| Graph algorithms | PageRank, Louvain, SCC, betweenness centrality | None |
| Setup | Single binary, no dependencies | Java server + database required |
| CI/CD integration | GitHub Action, SARIF output | SonarScanner + server, deep CI integration |
| Self-hosted option | Yes (single binary) | Yes (Community Edition, requires Java + DB) |
| Cloud option | Coming soon | SonarCloud |
| Security scanning | 23 SSA-based taint detectors | Extensive (SAST, secrets, hotspots) |
| Incremental analysis | Yes (content-hash cache, ~1.4s warm) | Yes (server-side) |
| IDE plugins | VS Code (preview) | SonarLint (VS Code, IntelliJ, Eclipse) |
| Pricing | Free CLI, Pro plans coming | Community (free), Developer ($150/yr), Enterprise ($65K+/yr) |
Architecture
Repotoire
Builds an in-memory knowledge graph of your codebase using petgraph and tree-sitter. Runs graph algorithms (PageRank, Louvain community detection, SCC, betweenness centrality) to surface architectural issues. Single binary, no server, no database. Detectors query the graph directly for O(1) lookups on pre-computed metrics.
SonarQube
Client-server architecture. SonarScanner runs locally and sends results to a SonarQube server backed by a database (PostgreSQL, Oracle, or SQL Server). The server stores historical data, manages quality gates, and provides a web dashboard. Rules operate on ASTs per-file with some cross-file dataflow analysis in paid editions.
Detection Capabilities
SonarQube excels at breadth. With 5,000+ rules across 30+ languages, it catches a wide range of bugs, vulnerabilities, code smells, and security hotspots. Its SAST capabilities are mature and well-tested across millions of projects.
Repotoire excels at depth. Its 106 detectors include graph-based architectural analysis that SonarQube does not perform: circular dependency detection via Tarjan's SCC, god class identification through fan-in/fan-out metrics, architectural bottleneck detection via PageRank and betweenness centrality, hidden coupling through git co-change analysis, and community misplacement via Louvain clustering.
If your primary concern is per-file bug and vulnerability detection across many languages, SonarQube has the edge. If you need to understand and improve your codebase's architecture, Repotoire finds issues that rule-based tools structurally cannot detect.
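To make the "circular deps via SCC" and "god class via fan-in/fan-out" detectors concrete, here is an added example (not Repotoire's code, which uses petgraph and tree-sitter; this one is std-only with Tarjan's algorithm written out by hand so it runs as-is). The dependency graph is constructed inline as sample data, not extracted from a real codebase, and the fan-in + fan-out threshold is an assumed heuristic:

```rust
// Added example, not Repotoire's implementation. Edge u -> v means "module u imports module v".
use std::collections::HashMap;

pub struct DepGraph {
    names: Vec<String>,
    index: HashMap<String, usize>,
    adj: Vec<Vec<usize>>,
}

impl DepGraph {
    pub fn new() -> Self {
        DepGraph { names: Vec::new(), index: HashMap::new(), adj: Vec::new() }
    }

    fn node(&mut self, name: &str) -> usize {
        if let Some(&i) = self.index.get(name) {
            return i;
        }
        let i = self.names.len();
        self.names.push(name.to_string());
        self.index.insert(name.to_string(), i);
        self.adj.push(Vec::new());
        i
    }

    /// Record that `from` depends on `to`.
    pub fn add_dep(&mut self, from: &str, to: &str) {
        let (u, v) = (self.node(from), self.node(to));
        self.adj[u].push(v);
    }

    /// Tarjan's SCC: any component with more than one node (or a self-loop) is a
    /// circular dependency. Returns each such component as a sorted list of names.
    pub fn circular_deps(&self) -> Vec<Vec<String>> {
        struct St { idx: Vec<Option<usize>>, low: Vec<usize>, on: Vec<bool>, stack: Vec<usize>, next: usize, sccs: Vec<Vec<usize>> }
        fn visit(g: &DepGraph, v: usize, s: &mut St) {
            s.idx[v] = Some(s.next);
            s.low[v] = s.next;
            s.next += 1;
            s.stack.push(v);
            s.on[v] = true;
            for &w in &g.adj[v] {
                match s.idx[w] {
                    None => { visit(g, w, s); s.low[v] = s.low[v].min(s.low[w]); }
                    Some(iw) if s.on[w] => { s.low[v] = s.low[v].min(iw); }
                    _ => {}
                }
            }
            if s.low[v] == s.idx[v].unwrap() {
                let mut comp = Vec::new();
                loop {
                    let w = s.stack.pop().unwrap();
                    s.on[w] = false;
                    comp.push(w);
                    if w == v { break; }
                }
                s.sccs.push(comp);
            }
        }
        let n = self.names.len();
        let mut s = St { idx: vec![None; n], low: vec![0; n], on: vec![false; n], stack: Vec::new(), next: 0, sccs: Vec::new() };
        for v in 0..n {
            if s.idx[v].is_none() { visit(self, v, &mut s); }
        }
        let mut cycles: Vec<Vec<String>> = s.sccs.into_iter()
            .filter(|c| c.len() > 1 || self.adj[c[0]].contains(&c[0]))
            .map(|c| { let mut ns: Vec<String> = c.iter().map(|&i| self.names[i].clone()).collect(); ns.sort(); ns })
            .collect();
        cycles.sort();
        cycles
    }

    /// Fan-in (modules depending on it) and fan-out (modules it depends on).
    /// Flags modules whose fan-in + fan-out exceeds `threshold` (assumed heuristic).
    pub fn god_candidates(&self, threshold: usize) -> Vec<(String, usize, usize)> {
        let n = self.names.len();
        let mut fan_in = vec![0usize; n];
        for u in 0..n {
            for &v in &self.adj[u] { if u != v { fan_in[v] += 1; } }
        }
        let mut out: Vec<(String, usize, usize)> = (0..n)
            .filter(|&v| fan_in[v] + self.adj[v].len() > threshold)
            .map(|v| (self.names[v].clone(), fan_in[v], self.adj[v].len()))
            .collect();
        out.sort();
        out
    }
}

/// Constructed sample (not a real codebase): a 3-module cycle plus a `core` utility module everything imports.
pub fn sample_graph() -> DepGraph {
    let mut g = DepGraph::new();
    for (from, to) in [
        ("auth", "db"), ("db", "logging"), ("logging", "auth"), // auth -> db -> logging -> auth
        ("api", "auth"), ("api", "core"), ("api", "billing"), ("auth", "core"),
        ("db", "core"), ("logging", "core"), ("billing", "core"), ("billing", "db"),
    ] { g.add_dep(from, to); }
    g
}

fn main() {
    let g = sample_graph();
    for c in g.circular_deps() { println!("circular dependency: {}", c.join(" <-> ")); }
    for (m, fi, fo) in g.god_candidates(4) { println!("god-class candidate: {} (fan-in {}, fan-out {})", m, fi, fo); }
}
```

On the sample graph this reports the auth/db/logging cycle and flags `core` (fan-in 5, fan-out 0). A per-file rule engine only sees one import list at a time, which is why these two findings require the whole graph.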
Setup & Deployment
Repotoire
Install a single binary. Run it. That's it.
```bash
# Install
cargo binstall repotoire
# or: brew install repotoire

# Analyze
repotoire analyze .
```
No Java, no database, no server configuration. Works offline. Results in seconds.
SonarQube
Requires Java 17+, a database, and server configuration.
```bash
# Start server (Docker); publish port 9000 so the scanner below can reach it
docker run -d -p 9000:9000 sonarqube:community

# Install scanner
brew install sonar-scanner

# Configure & scan (recent versions also require -Dsonar.token=<token generated in the SonarQube UI>)
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.host.url=http://localhost:9000
```
Or use SonarCloud for a managed experience without self-hosting.
Pricing
Repotoire
- ✓ CLI is free and open source
- ✓ All 106 detectors included
- ✓ Pro plans (team features, dashboard) coming soon
SonarQube
- Community Edition: Free (open source, limited features)
- Developer Edition: ~$150/year (branch analysis, PR decoration)
- Enterprise Edition: $20K–$65K+/year (portfolio management, SAST)
- SonarCloud: Free for open source, paid for private repos
Who Each Tool Is For
Choose Repotoire if you...
- Need architectural analysis (circular deps, coupling, bottlenecks)
- Want zero-setup, single binary deployment
- Work primarily in Rust, Python, TypeScript, Go, Java, C#, C, or C++
- Value graph-powered insights over rule count
- Want fast local analysis without a server
Choose SonarQube if you...
- Need coverage across 30+ languages
- Want mature quality gates and CI/CD integration
- Need a centralized dashboard for multiple projects
- Require compliance reporting and enterprise governance
- Already have Java infrastructure and database resources
Verdict
SonarQube and Repotoire solve different problems. SonarQube is the right choice when you need broad language coverage, enterprise governance, and a centralized quality platform. Its ecosystem is mature, well-documented, and battle-tested.
Repotoire is the right choice when you need to understand your codebase's architecture. Graph-powered analysis finds structural problems — circular dependencies, architectural bottlenecks, hidden coupling — that rule-based tools cannot detect. And with a single binary and no infrastructure requirements, you can be running in seconds. Many teams use both: SonarQube for broad coverage in CI, and Repotoire for architectural health locally.
Try Repotoire on your codebase
See what your linter is missing. One command, zero setup.
```bash
cargo binstall repotoire && repotoire analyze .
```