
Compare

Critiq vs SonarQube for pull request review.

SonarQube is the category reference for quality gates, coverage, and broad language support. Critiq is an open source CLI with a readable rules catalog for teams that want deterministic PR checks without standing up a Sonar server first.

Where SonarQube shines

Mature quality platform, not just security

SonarQube earned its place with deep quality analytics, enterprise governance, and decades of language coverage. Critiq does not try to replicate that full platform on day one.

  • Quality gates with coverage, duplication, and complexity metrics out of the box.
  • SonarCloud SaaS and self-hosted SonarQube Server for org-wide rollouts, SSO, and portfolio views.
  • Broad language and IaC coverage (30+ languages) with IDE plugins and PR decoration on major SCMs.
  • Advanced Security add-on for SCA, secrets patterns, and SARIF import on top of the core analyzer.
  • AI CodeFix and remediation agents for suggested patches on supported findings.

Side by side

Different categories, overlapping PR checks

Both can comment on pull requests. The trade-off is inspectable OSS rules and a lightweight CLI vs a full quality platform with dashboards and gate policies.

| Feature | Critiq | SonarQube |
| --- | --- | --- |
| Open source core you can fork and audit | Yes. CLI, rules catalog, and GitHub Action are OSS. | Partial. Community Edition exists; many teams run SonarCloud or commercial tiers for full features. |
| Runs locally without a review server | Yes. `npx @critiq/cli check` on your machine or in CI. | Yes with SonarScanner, but analysis is typically tied to a SonarQube or SonarCloud project. |
| Inline PR comments on the diff | Yes, via the open source critiq-action GitHub Action. | Yes, via PR decoration and quality gate status on supported SCMs. |
| Rule inspectability (read the check, run the fixture) | Yes. YAML rules in `@critiq/rules` with RuleSpec tests in the repo. | Partial. Rules and profiles exist, but teams often treat Sonar as a black-box gate rather than a catalog they edit. |
| Coverage, duplication, and complexity gates | Not today. Critiq focuses on rule-backed security and quality findings. | Yes. This is Sonar's default strength and the "Sonar way" reference gate. |
| Dependency / SCA and SBOM at platform scale | Planned on the Pro dependency path, not shipped as a suite yet. | Yes, with Advanced Security and dependency risk features on supported tiers. |
| AI-generated review or autofix | No AI reviewer shipped. Deterministic rules only; optional AI layers are on the roadmap. | Optional AI CodeFix and agentic remediation on supported findings. |

When Critiq fits

Choose Critiq when inspectability matters more than a full AppSec suite

Critiq is a code review CLI and public rules catalog, not a replacement for Sonar's enterprise quality program. It fits teams that want reproducible PR checks they can read and tune.

You want to read every rule before it blocks a merge

Open catalog rules with IDs, severities, and fixtures. No opaque "Sonar way" profile you cannot diff in git.

You need a fast OSS path from install to CI comment

Install the CLI, run a diff scan locally, then wire critiq-action without provisioning SonarQube Server or SonarCloud org setup first.

Privacy-first local scans matter

Analysis runs where you invoke the CLI. You decide what leaves the machine; there is no required hosted analysis plane for OSS.

You still use Sonar for coverage gates

Many teams pair a lightweight rule-based backstop with Sonar quality gates. Critiq does not ask you to rip out Sonar on day one.

Frequently asked questions

Is Critiq a SonarQube replacement?

Not for teams that rely on Sonar quality gates, coverage trends, and org-wide dashboards. Critiq is an open source code review CLI with inspectable rules. It can complement Sonar on pull requests or serve teams that want a lighter OSS starting point.

Can I run Critiq and SonarQube on the same pull request?

Yes. Many teams keep Sonar for coverage and duplication while adding Critiq for deterministic, rule-readable security and quality checks via GitHub Actions or local CLI scans.

Does Critiq match SonarQube language coverage?

No. Sonar supports far more languages and IaC dialects today. Critiq ships a growing OSS catalog across major languages with transparent rules you can extend; breadth is not the primary wedge.

Which tool is better for enterprise AppSec programs?

SonarQube and SonarCloud are built for enterprise rollouts, portfolio views, and integrated SCA on commercial tiers. Critiq OSS targets developers who want readable rules and local reproducibility first.
Run the OSS CLI and read the rules yourself.

Install Critiq, scan a diff locally, and inspect the catalog before you wire it into CI:

`npx @critiq/cli check .`