Both SonarQube and Technical Debt Radar detect code quality issues. But they approach the problem very differently — and they catch very different bugs. Here's an honest comparison for Node.js teams.
What SonarQube does well
SonarQube is the industry standard for code quality. It supports 30+ languages, has 100,000+ installations, and has been battle-tested since 2007. It detects code smells, bugs, vulnerabilities, and tracks test coverage. For multi-language enterprises with compliance requirements, it's hard to beat.
What SonarQube doesn't detect in Node.js
SonarQube's JavaScript/TypeScript analysis is generic. It doesn't understand the Node.js event loop, ORM patterns, or framework-specific architecture. Here's what it misses:
1. Event loop blockers in request handlers
```js
// SonarQube: no issue found
// Radar: BLOCKS — sync I/O in request handler
app.get('/config', (req, res) => {
  const data = fs.readFileSync('./config.json', 'utf8');
  res.json(JSON.parse(data));
});
```
SonarQube doesn't know this code runs inside a request handler. Radar does — and flags it as a critical runtime risk.
2. Volume-aware ORM patterns
```js
// SonarQube: no issue found
// Radar: WARNS on XL table, BLOCKS on XXL table
const events = await prisma.event.findMany(); // 50M rows
```
SonarQube doesn't know your table sizes. Radar reads your radar.yml volume declarations and adjusts severity accordingly.
3. Architecture policy violations
```ts
// SonarQube: no issue found (syntactically valid)
// Radar: BLOCKS — controllers cannot import from infrastructure
import { PrismaClient } from '@prisma/client';

@Controller()
export class UserController {
  private prisma = new PrismaClient();
}
```
SonarQube has no concept of YAML-defined layer boundaries. Radar enforces your architecture rules per pull request.
4. Scope-aware detection
```js
// In a cron job: both tools say nothing (correct)
const data = fs.readFileSync('./seeds.json', 'utf8');

// In a request handler: SonarQube says nothing. Radar blocks.
app.get('/data', (req, res) => {
  const data = fs.readFileSync('./seeds.json', 'utf8'); // BLOCKS
});
```
The same code is safe in one context and dangerous in another. Radar understands the difference.
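To make the scope distinction concrete, here is a small dependency-free check that reports `fs.*Sync` calls only when they sit inside an inline route registration. It is an added example, not code from Technical Debt Radar or SonarQube; the function name `findSyncIoInHandlers` and the parenthesis-depth heuristic are assumptions made for illustration, and handlers passed by reference or regex literals containing parentheses are out of its reach.

```javascript
// Added example: a heuristic, not Technical Debt Radar's or SonarQube's implementation.
// Assumption: routes are registered inline as app.<verb>(...) or router.<verb>(...).
const ROUTE_CALL = /\b(?:app|router)\.(?:get|post|put|patch|delete|all|use)[ \t]*\(/y;
const SYNC_CALL = /\bfs\.(\w+Sync)[ \t]*\(/y;
// Comments and string literals, blanked out so their parentheses are not counted.
const NON_CODE = /\/\/.*|\/\*[\s\S]*?\*\/|'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g;

function findSyncIoInHandlers(source) {
  const code = source.replace(NON_CODE, (m) => m.replace(/[^\n]/g, ' '));
  const findings = [];
  const openRoutes = []; // paren depth just inside each enclosing route call
  let depth = 0;
  let line = 1;
  for (let i = 0; i < code.length; i++) {
    const ch = code[i];
    if (ch === '\n') { line++; continue; }
    ROUTE_CALL.lastIndex = i;
    if (ROUTE_CALL.test(code)) {
      depth++;
      openRoutes.push(depth);
      i = ROUTE_CALL.lastIndex - 1; // resume after the opening parenthesis
      continue;
    }
    SYNC_CALL.lastIndex = i;
    const sync = SYNC_CALL.exec(code);
    if (sync && openRoutes.length > 0) findings.push({ line, call: 'fs.' + sync[1] });
    if (ch === '(') depth++;
    else if (ch === ')') {
      if (openRoutes[openRoutes.length - 1] === depth) openRoutes.pop();
      depth--;
    }
  }
  return findings;
}

// Constructed sample: the cron-style and handler snippets from the section above.
const SAMPLE = [
  "const fs = require('fs');",
  "const seeds = fs.readFileSync('./seeds.json', 'utf8'); // startup or cron: fine",
  "app.get('/data', (req, res) => {",
  "  const data = fs.readFileSync('./seeds.json', 'utf8');",
  "  res.json(JSON.parse(data));",
  "});",
  "const late = fs.readFileSync('./late.json', 'utf8'); // after the handler closed",
].join('\n');

console.log(findSyncIoInHandlers(SAMPLE));
```

Only the call on line 4 of the sample is reported; the identical calls before and after the handler are left alone.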
Side-by-side comparison
| Feature | SonarQube | Technical Debt Radar |
|---|---|---|
| Languages | 30+ | TypeScript, JavaScript |
| Runtime risk detection | No | Yes (11 patterns) |
| Volume-aware ORM analysis | No | Yes (7 ORMs) |
| Architecture YAML policy | No | Yes |
| Scope-aware (handler vs cron) | No | Yes |
| PR merge blocking | Yes | Yes |
| AI-powered fixes | No | Yes |
| NestJS / Express / Fastify aware | No | Yes (5 frameworks) |
| Free tier | Community Edition | Unlimited scans |
| Paid plans | $150+/mo (Developer) | $0–49/mo |
When to use SonarQube
- Multi-language projects (Java + Python + JavaScript)
- Compliance requirements (ISO, OWASP reporting)
- Large enterprise with existing SonarQube investment
- You need security vulnerability scanning across many languages
When to use Technical Debt Radar
- Node.js/TypeScript backend teams
- NestJS, Express, Fastify, Koa, or Hapi projects
- You need architecture enforcement via YAML policy
- You want volume-aware ORM detection (Prisma, TypeORM, Sequelize, etc.)
- Your team uses AI code generation (Cursor, Copilot, Claude)
Can you use both?
Yes — and many teams should. SonarQube for general code quality and security across all languages. Technical Debt Radar for Node.js-specific runtime safety, architecture enforcement, and ORM analysis. They complement each other.
Try it on your codebase
```sh
npx technical-debt-radar scan .
```
First scan free. No account needed. See what SonarQube misses.