SonarQube analyzes code quality and security in your own code. dpndncY is a Dependency Firewall — pre-install enforcement that blocks risky third-party packages before they enter your tree, with signed JWS evidence on every decision. Different scope; complementary tools.
Dependency Firewall blocks risky packages at install time. A multi-signal stack (KEV, EPSS, ExploitDB, reachability, attack-path) drives each decision, alongside 404 SAST rules, container and IaC scanning, and signed evidence on every decision.
SonarQube detects code smells, bugs, and security hotspots in your own code. Strong on code-quality metrics. No dependency CVE tracking, no supply-chain firewall, no exploitability intelligence on third-party packages.
| Capability | dpndncY | SonarQube |
|---|---|---|
| Pre-install Dependency Firewall | ✓ Block risky packages before install (npm, PyPI, Maven, NuGet, RubyGems, Cargo, Go) | ✗ Not available — code-quality focus |
| Signed JWS evidence per decision | ✓ Verifiable offline with public key | ✗ Not available |
| Trust-delta gating | ✓ Catches typosquats and takeovers | ✗ Not available |
| Primary purpose | ✓ Supply chain firewall + dependency security | ~ Code quality + your-code security |
| SCA — dependency CVE scanning | ✓ Full — OSV, NVD, GHSA, KEV | ✗ Not available natively |
| SAST (code security rules) | ~ AST taint analysis for JS/TS and Python; pattern analysis across 12 languages | ✓ Extensive, mature rule library — SonarQube's core strength |
| AI risk attribution | ✓ Detects AI-written code concentration co-located with findings | ✗ Not available |
| EPSS exploitability scoring | ✓ Per vulnerability | ✗ Not available |
| CISA KEV integration | ✓ Automatic prioritization | ✗ Not available |
| Attack Path analysis | ✓ Full graph and scoring | ✗ Not available |
| Container image scanning | ✓ Built in | ✗ Not available |
| SBOM export (CycloneDX) | ✓ CycloneDX, SARIF, PDF | ✗ Not available |
| Upgrade risk delta | ✓ Before/after risk comparison | ✗ Not available |
| CI/CD policy gates (PASS/FAIL) | ✓ Configurable thresholds | ✓ Quality gates |
| GitHub/GitLab remediation PRs | ✓ Built in | ✗ Not available |
| License compliance | ✓ Per package | ✗ Not available |
| Self-hosted | ✓ Always | ✓ Community edition free |
| Code quality metrics | ✗ Not in scope | ✓ Core strength |
| Patch decision engine | ✓ Patch Now / Patch Sprint / Monitor / Accept Risk — with SLA timeline and rationale per finding | ✗ Not available |
| Compliance policy presets | ✓ 17 built-in templates — FedRAMP, HIPAA, PCI-DSS, ISO 26262, NERC CIP, DoD, and more | ✗ Not available |
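The "signed JWS evidence per decision, verifiable offline with public key" row describes a property a consumer can check without calling back to the vendor. The Go program below is an added example written for this page, not dpndncY's implementation or its evidence format: it signs a constructed decision record as an ES256 JWS compact serialization (RFC 7515 / RFC 7518) and verifies it using nothing but the public key. The payload field names, the sample package and the signal labels are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Decision is the evidence payload attached to one firewall decision.
// The field set is an assumption for this example, not dpndncY's schema.
type Decision struct {
	Package  string   `json:"pkg"`
	Version  string   `json:"version"`
	Verdict  string   `json:"verdict"` // "block" or "allow"
	Signals  []string `json:"signals"` // which signals drove the verdict
	IssuedAt int64    `json:"iat"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// SignDecision produces a JWS compact serialization signed with ES256.
func SignDecision(priv *ecdsa.PrivateKey, d Decision) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(d)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// ES256 signatures are R||S, each left-padded to 32 bytes (RFC 7518 section 3.4).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyDecision checks the JWS offline against the public key and returns the payload.
func VerifyDecision(pub *ecdsa.PublicKey, token string) (Decision, error) {
	var d Decision
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return d, errors.New("malformed JWS: expected three segments")
	}
	headerBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return d, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerBytes, &hdr); err != nil {
		return d, err
	}
	// Pin the algorithm: the token must never choose how it is verified.
	if hdr.Alg != "ES256" {
		return d, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return d, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return d, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return d, err
	}
	if err := json.Unmarshal(payload, &d); err != nil {
		return d, err
	}
	return d, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample decision, not real data.
	tok, _ := SignDecision(priv, Decision{Package: "example-pkg", Version: "1.2.3",
		Verdict: "block", Signals: []string{"KEV", "EPSS>=0.5"}, IssuedAt: 1700000000})
	d, err := VerifyDecision(&priv.PublicKey, tok)
	fmt.Println(d.Verdict, err)
}
```

Two points the verifier side gets right that are easy to miss: the algorithm is pinned rather than read from the header, so a token cannot downgrade itself, and the payload is only decoded after the signature checks out. With offline verification the public key itself becomes the trust anchor, so how that key is distributed and rotated is the part of the scheme worth scrutinising.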
SonarQube Community is free and widely deployed. If your team only needs SAST and code quality checks — no dependency CVE tracking, no SBOM, no continuous monitoring — it's hard to argue against on cost. dpndncY is a paid product. The question is whether what dpndncY adds is worth the price for your team. For small projects doing their first security scan, it might not be.
SonarQube tracks cognitive complexity, duplication density, maintainability ratings, and code smells alongside security. dpndncY is deliberately scoped to security risk only — it doesn't touch code quality. If a single tool covering both security and code health is the requirement, SonarQube wins that evaluation.
SonarQube's security rules have been community-refined for years across a wide CWE range. False-positive rates on established patterns are well-tuned. dpndncY's SAST engine focuses on AST-based data-flow taint analysis — deeper on exploitable flows, narrower on pattern coverage. Both are trade-offs.
SonarQube has a massive user base, plugin registry, and documented integrations. Getting help or finding CI/CD integration examples is significantly easier. dpndncY's community is much smaller — the trade-off is a more focused product with direct support access, not forum threads.
SonarQube analyzes your source code. It has no knowledge of CVEs in your npm packages, Maven dependencies, PyPI requirements, or Go modules. If lodash@4.17.20 has an actively exploited prototype pollution vulnerability in CISA KEV, SonarQube will not tell you. That is a fundamental scope gap — dpndncY is built entirely around that problem.
dpndncY pulls from OSV, NVD, GHSA, and CISA KEV, assigns EPSS exploitation probability, tracks it daily, and runs a decision engine that tells you "Patch Now — 48 hours" with the exact rationale. SonarQube's security output is about code patterns in your own code — not known vulnerabilities in third-party libraries with active exploit activity.
SonarQube scans when you trigger it. dpndncY continuously monitors your dependencies — when a new CVE hits a package you're running, when EPSS on a known vulnerability crosses a threshold, when CISA adds a package to KEV — you get an alert. The vulnerability landscape changes while your code sits unchanged.
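The two paragraphs above describe a multi-signal patch decision and a daily monitoring loop that raises alerts while the code stands still. The Go example below is added for this page and is not dpndncY's code: a Decide function maps KEV membership, EPSS, CVSS and reachability onto Patch Now / Patch Sprint / Monitor / Accept Risk with an SLA and a rationale, and a Diff function compares two constructed daily snapshots and emits alerts for new advisories, KEV additions and EPSS threshold crossings. Every threshold, SLA, field name and advisory id here is an assumption; the page does not document dpndncY's actual scoring.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one known vulnerability affecting an installed dependency.
// Field names are assumptions for this example.
type Finding struct {
	ID        string  // advisory id (constructed values below)
	Package   string
	CVSS      float64 // base severity, 0..10
	EPSS      float64 // probability of exploitation in the next 30 days, 0..1
	InKEV     bool    // listed in CISA Known Exploited Vulnerabilities
	Reachable bool    // vulnerable code is reachable from the application
}

// Verdict carries the action, its SLA in hours and the rationale shown to the team.
type Verdict struct {
	Action   string
	SLAHours int
	Reason   string
}

// Decide combines the signals into one patch decision. Order matters:
// confirmed exploitation in the wild outranks any predicted score.
// Thresholds are illustrative assumptions.
func Decide(f Finding) Verdict {
	switch {
	case f.InKEV:
		return Verdict{"Patch Now", 48, "listed in CISA KEV: exploitation confirmed in the wild"}
	case f.EPSS >= 0.5 && f.Reachable:
		return Verdict{"Patch Now", 72, fmt.Sprintf("EPSS %.2f with reachable vulnerable code", f.EPSS)}
	case f.EPSS >= 0.1 || (f.CVSS >= 9.0 && f.Reachable):
		return Verdict{"Patch Sprint", 14 * 24, "meaningful exploit likelihood or critical severity on a reachable path"}
	case !f.Reachable && f.CVSS < 7.0:
		return Verdict{"Accept Risk", 0, "not reachable and below high severity; document and revisit"}
	default:
		return Verdict{"Monitor", 90 * 24, "low exploit probability today; re-evaluate as EPSS and KEV change"}
	}
}

// Snapshot is the set of findings from one scan, keyed by advisory id.
type Snapshot map[string]Finding

const epssAlertThreshold = 0.5 // assumed alerting threshold

// Diff reports what changed between two daily snapshots even though the code
// did not: new advisories, KEV additions and EPSS crossing the threshold.
func Diff(prev, curr Snapshot) []string {
	var alerts []string
	for id, now := range curr {
		before, seen := prev[id]
		if !seen {
			alerts = append(alerts, fmt.Sprintf("NEW %s affects %s: %s", id, now.Package, Decide(now).Action))
			continue
		}
		if !before.InKEV && now.InKEV {
			alerts = append(alerts, fmt.Sprintf("KEV %s added to CISA KEV: %s", id, Decide(now).Action))
		}
		if before.EPSS < epssAlertThreshold && now.EPSS >= epssAlertThreshold {
			alerts = append(alerts, fmt.Sprintf("EPSS %s crossed %.2f (%.2f -> %.2f)", id, epssAlertThreshold, before.EPSS, now.EPSS))
		}
	}
	sort.Strings(alerts) // deterministic ordering for logs
	return alerts
}

func main() {
	// Constructed snapshots for two consecutive days; ids and packages are made up.
	yesterday := Snapshot{
		"EX-0001": {ID: "EX-0001", Package: "example-a", CVSS: 8.1, EPSS: 0.20, Reachable: true},
		"EX-0002": {ID: "EX-0002", Package: "example-b", CVSS: 7.5, EPSS: 0.02, Reachable: true},
	}
	today := Snapshot{
		"EX-0001": {ID: "EX-0001", Package: "example-a", CVSS: 8.1, EPSS: 0.20, InKEV: true, Reachable: true},
		"EX-0002": {ID: "EX-0002", Package: "example-b", CVSS: 7.5, EPSS: 0.60, Reachable: true},
		"EX-0003": {ID: "EX-0003", Package: "example-c", CVSS: 5.3, EPSS: 0.01},
	}
	for _, a := range Diff(yesterday, today) {
		fmt.Println(a)
	}
}
```

The ordering inside Decide is the substantive design choice: a KEV listing short-circuits everything else because it is an observation, not a prediction, while EPSS and CVSS only matter in combination with whether the vulnerable code is reachable at all. Diff runs the same Decide on the new state so that an alert already carries the action it implies.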
dpndncY adds what SonarQube fundamentally cannot: attack path reachability graphs, CycloneDX SBOM export, IaC misconfiguration scanning (Terraform, Kubernetes, Dockerfile, GitHub Actions), and compliance policy gates (FedRAMP, PCI-DSS, HIPAA, ISO 26262). These aren't features on SonarQube's roadmap — they require a different category of tool.
They solve different problems. dpndncY's Dependency Firewall blocks risky packages before they're installed; SonarQube grades the code you wrote. Run them together — that's what most security teams do.