Quick verdict: Both tools cost $30/committer/month for their core SAST product. CodeQL achieves higher benchmark scores (OWASP F1: 74.4% vs 69.4%) and deeper semantic analysis. Semgrep is faster, easier to extend with custom rules, and works across all CI systems. Many teams run Semgrep in CI for fast PR feedback and CodeQL in nightly builds for deeper analysis.
Semgrep and CodeQL are the two most prominent SAST engines in modern application security. Both are powerful. Both have real limitations. They represent fundamentally different philosophies: fast pattern matching versus deep semantic code analysis.
As of early 2026, both tools have converged on $30/month per committer for their core SAST product. That makes the choice less about price and more about analysis depth, ecosystem fit, and developer workflow.
This comparison draws on academic benchmarks (EASE 2024, OWASP Benchmark studies), independent security assessments (Doyensec, DryRun Security), practitioner evaluations, and official documentation. Where vendor claims diverge from independent findings, both are noted.
What Semgrep and CodeQL actually are
Semgrep
Semgrep originated at r2c (Return to Corp), a security tooling startup later renamed Semgrep, Inc. The name stands for "semantic grep." The open-source CLI (LGPL 2.1 license) performs AST-based pattern matching across 35+ languages using tree-sitter parsers.
The commercial Semgrep AppSec Platform expands into four products: Semgrep Code (SAST with Pro Engine for cross-file analysis), Semgrep Supply Chain (SCA with reachability analysis), Semgrep Secrets (credential detection with live validation), and Semgrep Assistant (AI-powered triage and autofix).
The distinction between the free Community Edition (CE) and the commercial platform matters. CE provides only intraprocedural (single-function) taint analysis. The Pro Engine adds cross-file and cross-function dataflow analysis, which independent studies associate with 50-71% more true positive detections.
The Semgrep Registry contains 2,800+ community rules plus proprietary Pro rules maintained by Semgrep's security research team and updated weekly.
In December 2024, Semgrep moved several previously open features behind a commercial license, prompting 10+ competing vendors to fork Semgrep CE into "Opengrep" in January 2025. The core LGPL engine license did not change, but the episode introduced uncertainty about Semgrep's open-source trajectory.
CodeQL
CodeQL originated at Semmle, a code analysis company founded in 2006 as a spinoff from Oxford University research. GitHub (owned by Microsoft since 2018) acquired Semmle in September 2019. Pre-acquisition, Semmle's clients included Microsoft, Google, NASA, Uber, and Nasdaq. CodeQL variant analysis has identified 400+ CVEs in open-source projects.
CodeQL is a semantic code analysis engine that compiles source code into a queryable relational database representing the AST, data flow graph, and control flow graph. Users write queries in QL, a Datalog-derived declarative language, to traverse this database. CodeQL is deployed primarily through GitHub Advanced Security (GHAS), now unbundled into GitHub Code Security and GitHub Secret Protection as of April 2025.
Queries are open source (MIT-licensed), but the analysis engine binary is proprietary and requires a GHAS license for private repository use. CodeQL is free for all public repositories on GitHub.com.
The philosophical divide
Semgrep optimizes for speed, developer accessibility, and low barrier to rule authoring. A security engineer can write a useful YAML rule in minutes. CodeQL optimizes for depth of semantic analysis and precision on complex, multi-step vulnerability patterns. The tradeoff: a steeper learning curve (QL is a full programming language), longer scan times (database creation adds minutes to tens of minutes), and tighter ecosystem coupling (GitHub-centric).
How each tool works under the hood
Semgrep's architecture
Semgrep parses source code into an AST using tree-sitter parsers, then translates it into a generic AST type that works across all supported languages. Rules are written in YAML using patterns that resemble the target source code itself. No need to learn AST schemas or a domain-specific language.
The pattern system includes metavariables ($X) that capture code fragments, the ellipsis operator (...) that matches sequences, and operators like pattern, patterns (AND), pattern-either (OR), pattern-not, and pattern-inside. For dataflow analysis, taint mode defines sources, sinks, sanitizers, and propagators.
The analysis depth depends on your tier:
- Community Edition (CE): Single-function taint analysis only. Cannot track taint across function boundaries or files.
- Pro Engine (cross-function): Interprocedural analysis for all 30+ supported languages.
- Pro Engine (cross-file): Full cross-file analysis for C, C++, C#, Go, Java, JavaScript/TypeScript, Kotlin, and Python.
Structural limits of pattern-based matching: no pointer or shape analysis, no soundness guarantees, no path sensitivity, limited ability to track taint through complex data structures like HashMap key-value relationships.
CodeQL's architecture
CodeQL compiles source code into a relational database containing the full AST, data flow graph, and control flow graph. For compiled languages, CodeQL supports three build modes: none (creates a database without building), autobuild (attempts automatic compilation), and manual (user-provided build commands).
The none mode, available since 2024-2025, addresses CodeQL's historically biggest complaint: the build requirement. For C/C++ in none mode, CodeQL infers compilation units from source files but may produce less accurate results when code depends on custom macros or defines.
Queries use QL, a declarative, object-oriented language with syntax similar to SQL but semantics based on Datalog. Standard libraries provide classes like DataFlow::Node for traversing data flow graphs and taint tracking libraries for defining source-sink relationships with semantic sanitizer modeling.
CodeQL's structural advantage is whole-program analysis via the database. Because the entire codebase is compiled into a queryable structure, queries can traverse arbitrary call chains without the per-rule overhead of pattern matching. The tradeoff: extraction can fail on unbuildable code, and even with none mode, accuracy may degrade.
As of September 2025, all CodeQL-supported languages support incremental analysis on pull requests, with speed improvements of 5-40%.
Language and ecosystem support
SAST language coverage
| Language | Semgrep Status | Semgrep Analysis Depth | CodeQL Status | Notes |
|---|---|---|---|---|
| Python | GA | Cross-file + framework-specific | GA | Both have deep coverage; Semgrep has 710+ Pro rules |
| JavaScript | GA | Cross-file + framework-specific | GA | Semgrep has 250+ Pro rules |
| TypeScript | GA | Cross-file + framework-specific | GA | Runs via CodeQL JS extractor |
| Java | GA | Cross-file + framework-specific | GA | Both strongest here; Semgrep 190+ Pro rules |
| C/C++ | GA | Cross-file dataflow | GA | CodeQL none mode may lose accuracy |
| C# | GA | Cross-file dataflow | GA | Practitioners report CodeQL stronger for C# |
| Go | GA | Cross-file dataflow | GA | Both well-supported |
| Ruby | GA | Cross-function dataflow | GA | Semgrep lacks cross-file for Ruby |
| Kotlin | GA | Cross-file dataflow | GA | Extension of Java support in CodeQL |
| Swift | GA | Cross-function dataflow | GA | CodeQL requires macOS |
| PHP | GA | Cross-function dataflow | Not supported | Critical gap for CodeQL |
| Rust | GA | Cross-function dataflow | Public preview | CodeQL Rust support is new (July 2025) |
| Scala | GA | Cross-function dataflow | Not supported | Semgrep community rules only |
| Terraform | GA | Cross-function dataflow | Not supported | IaC scanning via Semgrep |
| Apex | Beta | -- | Not supported | Salesforce ecosystem |
| GitHub Actions YAML | -- | -- | GA | CodeQL uniquely scans workflow files |
Summary: Semgrep covers 35+ languages (many at experimental level). CodeQL deeply supports roughly 12 languages with none of the niche or IaC languages. PHP is a critical gap for CodeQL with zero support. Semgrep lacks cross-file analysis for Ruby, PHP, Swift, and Rust. CodeQL's cross-file analysis applies to all its supported languages.
SCA and secrets detection
Semgrep Supply Chain performs SCA with reachability analysis, checking whether the vulnerable function in a dependency is actually called in your code. This reduces noise compared to tools that flag all vulnerable dependency versions.
CodeQL itself does not perform SCA. That function is handled by Dependabot within GHAS, which supports a broad set of ecosystems but does not offer reachability analysis. All known-vulnerable dependencies are flagged regardless of usage.
Semgrep Secrets combines regex detection, entropy analysis, semantic dataflow tracking, and live HTTP validation to check if detected secrets are actively in use. GHAS Secret Scanning focuses on push prevention, blocking secrets before they reach the repository. Secret scanning is a separate product at $19/month per committer.
Detection accuracy: what the independent data says
Accuracy benchmarks for SAST tools are sparse. Most comparisons are vendor-funded or use synthetic test suites. A few independent studies stand out.
OWASP Benchmark (arXiv 2025)
The most precise quantitative comparison comes from "Sifting the Noise" (arXiv:2601.22952, 2025), which tested CodeQL, Semgrep, SonarQube, and Joern on the OWASP Benchmark v1.2 (2,740 Java test cases).
| Metric | CodeQL | Semgrep |
|---|---|---|
| Accuracy | 65.5% | 58.9% |
| Precision | 60.3% | 56.3% |
| Recall | 97.0% | 90.4% |
| F1 Score | 74.4% | 69.4% |
| False Positive Rate | 68.2% | 74.8% |
CodeQL achieved the highest F1 score. Both tools have high false positive rates: CodeQL flagged 68.2% of non-vulnerable cases as positive, Semgrep flagged 74.8%. The study found that LLM-based post-filtering could reduce initial false positive rates from over 92% to 6.3%.
Real-world vulnerability detection (EASE 2024)
Bennett et al. (2024, ACM EASE) evaluated four tools on 502 real-world Java vulnerabilities from 205 open-source projects. Individual tool detection rates ranged from 11.2% to 26.5%. Combining all four tools detected only 38.8% of vulnerabilities.
The critical finding: after creating custom Semgrep rules for missed patterns, Semgrep's detection rate improved to 44.7%. That is a 181% improvement over its baseline and better than the four-tool combination. The study concluded that 76.9% of false negatives were caused by missing rules, not analysis engine limitations.
This is the most important finding in the comparison. Rule coverage, not engine sophistication, is the primary lever for improving detection.
Doyensec benchmark (2022)
Doyensec tested both tools on OWASP Benchmark Java code and reported that Semgrep performed better on average, primarily because CodeQL had three CWE categories with zero detections. However, CodeQL outperformed in individual categories. The divergence from the arXiv results likely reflects different query suite configurations and rule selection.
What the benchmarks miss
Every academic study uses Semgrep CE (open-source), which is limited to single-function analysis. No independent study has tested Semgrep's commercial Pro Engine against CodeQL. This is the most significant data gap in the entire comparison. The Pro Engine's cross-file analysis likely narrows or closes the accuracy gap on complex vulnerability patterns, but that remains unverified by independent research.
Both tools share a fundamental limitation: they cannot precisely reason about object-level semantics. Tracking data through HashMap key-value relationships, for example, breaks the taint chain and produces false positives in both tools.
Neither tool reliably catches business logic vulnerabilities. Broken access control, authentication flaws, and authorization bypasses require understanding application semantics that pattern-matching and data-flow analysis cannot capture.
CI/CD integration and developer workflow
Platform support
| CI/CD Platform | Semgrep | CodeQL |
|---|---|---|
| GitHub Actions | Guided setup | Native one-click setup |
| GitLab CI/CD | Guided setup | Via CLI + SARIF upload |
| Jenkins | Guided setup | Via CLI + SARIF upload |
| Bitbucket Pipelines | Guided setup | Via CLI + SARIF upload |
| CircleCI | Guided setup | Via CLI + SARIF upload |
| Azure Pipelines | Guided setup | Dedicated Azure DevOps tasks |
| Managed Scans | Yes (40%+ of customers) | No |
Semgrep is CI-agnostic with first-class support for all major platforms. CodeQL has deep native GitHub Actions integration (one-click setup, auto-detected languages) but can run in any CI system via the CLI. The catch: results from non-GitHub CI environments must still be uploaded to GitHub for the full code scanning experience.
Semgrep also offers Managed Scans, where Semgrep's infrastructure clones your repository and runs the scan. Over 40% of Semgrep customers use this mode, including Dropbox, Snowflake, Shopify, and Figma.
Scan speed
This is the clearest differentiator. Practitioners consistently report Semgrep completing CI scans in roughly 10 seconds with approximately 150MB memory usage. CodeQL takes minutes to 30+ minutes with approximately 450MB memory.
One practitioner (Kitty Chiu) reported CodeQL "consuming entitled compute minutes at exponential rate." GitHub itself maintains documentation dedicated to "Code scanning analysis takes too long." Optimization levers for CodeQL include dependency caching, file exclusions, and query suite tuning.
For teams running scans on every PR, the speed difference compounds. Semgrep's speed advantage is universally acknowledged across independent sources.
PR comments and diff-aware scanning
Both tools support diff-aware scanning that surfaces only new findings. Semgrep's semgrep ci runs diff-aware by default on PRs. CodeQL added incremental analysis for all supported languages in September 2025.
Semgrep supports inline PR comments on GitHub, GitLab, Bitbucket, and Azure DevOps with autofix suggestions. CodeQL surfaces findings as code scanning alerts with Copilot Autofix generating AI-powered fix suggestions (included with Code Security license).
IDE support
Semgrep offers a GA VS Code extension (supports Pro rules and cross-file analysis) and a beta IntelliJ extension (CE only, no Pro features).
CodeQL's VS Code extension is oriented toward query authoring and security research: custom queries, database management, AST visualization, data flow path visualization. One practitioner described it as "wonderful to work with... you really couldn't ask for a better way to work with CodeQL."
Rule customization and extensibility
This is where the tools diverge most sharply.
Semgrep's rule system
Semgrep rules are YAML files that use the target language's syntax for patterns. A minimal rule needs five fields: id, pattern specification, message, languages, and severity. Taint rules use mode: taint with sources, sinks, sanitizers, and propagators.
The learning curve is consistently praised. Doyensec: "Someone can become reasonably proficient with the tool in a matter of hours." One Hacker News user: "I just wrote this Semgrep rule in 45 seconds." A Czech Technical University thesis (2023) identified Semgrep as "the most developer-friendly tool."
The Semgrep Registry includes 2,800+ community rules and proprietary Pro rules. Third-party contributors include Trail of Bits and GitLab.
CodeQL's query system
CodeQL queries use QL, a declarative, object-oriented programming language with import, from, where, select structure. Writing production-ready queries requires understanding language-specific library classes that differ across languages (e.g., Call in Python vs CallExpression in JavaScript).
Practitioners universally describe the learning curve as steep. One practitioner (Spaceraccoon) noted: "You will spend a lot of time reading the CodeQL library documentation, which often lacks usage examples and is a mess of subtypes." Typical time to first useful query: hours to days, versus minutes for Semgrep.
CodeQL ships approximately 318 security queries by default, expandable to 432+ with extended packs. The open-source repository receives community contributions. GitHub Security Lab runs a bounty program that ensures only high-precision queries are promoted to the standard set.
The tradeoff
If your team needs developer-accessible, fast-to-write rules for banned APIs, internal frameworks, or domain-specific patterns, Semgrep is clearly easier. If you need maximum query precision on complex multi-step flows and have dedicated security researchers, CodeQL's QL language provides superior analytical depth.
One practitioner summed it up well: "A pentester or vulnerability researcher can handle false positives; you prefer fewer false negatives. Speed is less of an issue." That points to CodeQL. For developer-facing security in CI, that points to Semgrep.
Pricing
Semgrep pricing tiers
| Tier | Price | Key Inclusions |
|---|---|---|
| Free | $0 (up to 10 contributors, 50 repos) | Pro Engine, cross-file analysis, Pro rules, SCA, AI triage |
| Teams (Code/SAST) | $30/mo per contributor | SSO, RBAC, private rules, Jira integration, API access |
| Teams (Supply Chain/SCA) | $30/mo per contributor | SCA with reachability analysis (modular add-on) |
| Teams (Secrets) | $15/mo per contributor | Secrets detection with validation (modular add-on) |
| Enterprise | Custom | On-prem SCM, dedicated infrastructure, volume pricing |
A contributor is anyone who made at least one commit to a Semgrep-scanned private repo in the past 90 days. Vendr reports show negotiated deals at $12.80/user/month (36% off list) for mid-size companies.
CodeQL / GHAS pricing (restructured April 2025)
| Product | Price | Key Inclusions |
|---|---|---|
| GitHub Code Security | $30/mo per active committer | CodeQL, Copilot Autofix, Dependabot, dependency review |
| GitHub Secret Protection | $19/mo per active committer | Push protection, secret scanning, AI detection, custom patterns |
| Legacy GHAS bundle | $49/mo per active committer | Both products (transitioning at renewal) |
| Public repositories | Free | Full CodeQL and secret scanning |
GHAS is now available on GitHub Team plans ($4/user/month), no longer requiring GitHub Enterprise ($21/user/month). Active committers are deduplicated across organizations within an enterprise.
Cost comparison
| Scenario | Semgrep (Code+SCA+Secrets) | GHAS (Code Security + Secret Protection) |
|---|---|---|
| Startup (15 devs) | $0 (within free tier for <=10) or $1,125/mo | $735/mo ($8,820/yr) + GitHub plan |
| Mid-market (100 devs) | $7,500/mo list; ~$46,800/yr negotiated | $4,900/mo ($58,800/yr) |
| Enterprise (500 devs) | Est. $150K-$300K/yr (custom) | $294,000/yr list (full) |
Critical context: GHAS requires a GitHub plan. For teams already on GitHub, GHAS is purely incremental cost. For teams on GitLab, Bitbucket, or Azure DevOps, Semgrep has no platform prerequisite cost.
Semgrep's free tier is notably generous: full Pro Engine, cross-file analysis, and all Pro rules for up to 10 contributors and 50 repos. CodeQL is free for public repositories but requires a paid license for private repo CI/CD use.
Enterprise readiness
| Feature | Semgrep | GHAS/CodeQL |
|---|---|---|
| SSO | SAML 2.0, OIDC/OAuth2 (Teams+) | SAML SSO (Enterprise) |
| SCIM | Not confirmed | Supported (Enterprise Managed Users) |
| RBAC | Admin/Member/Viewer/Manager; Teams for project access | Org owners, security managers, delegated dismissal |
| Audit logging | Referenced in compliance docs; API token tracking | Full audit log API + streaming to S3, Azure Blob, Splunk |
| SOC 2 Type II | Yes | Yes |
| ISO 27001 | Not confirmed | Yes |
| FedRAMP | Not authorized | Tailored LI-SaaS authorized; pursuing Moderate |
| Multi-org | Enterprise tier | Enterprise Cloud with cross-org deduplication |
| SIEM integration | Via webhooks only | Native connectors for Splunk, Sentinel, Elastic, Datadog |
| Jira integration | Native (Cloud only, beta) | Via Atlassian integration + GitHub Action |
| Managed Scans | Yes | No |
GHAS has deeper enterprise features: full audit log streaming, SCIM provisioning, FedRAMP authorization, and native SIEM connectors. Semgrep relies on generic webhooks for SIEM connectivity and lacks FedRAMP authorization (though Semgrep argues DevOps tools fall outside the authorization boundary).
GHAS also provides a more mature Security Overview dashboard with detection/remediation/prevention tabs, built-in MTTR tracking, and Security Campaigns for coordinated remediation across repositories. Semgrep's AppSec Platform dashboard is functional but less mature.
For regulated industries, particularly US government contractors, the FedRAMP and SCIM gaps in Semgrep can be dealbreakers.
Known weaknesses
Semgrep: top criticisms from non-vendor sources
-
CE has significant analysis limitations. Single-function taint only. Semgrep's own documentation acknowledges CE "will miss many true positives." The Doyensec study quantified this gap at 50-71% fewer true positives versus Pro.
-
Community rules can be noisy. Kree et al. (2024, DIMVA) found 86% precision with Semgrep OSS PHP rules, but 81% of findings were estimated as not exploitable. Teams need to invest in rule selection and tuning.
-
Licensing instability. The December 2024 changes triggered the Opengrep fork by 10+ vendors. InfoQ reported the change "harms all similar open-source projects." Teams building on the open-source ecosystem face vendor risk.
-
Platform gaps. No native Windows support (WSL2 required). No ServiceNow integration. Jira integration is beta and Cloud-only. Dashboard less mature than GHAS Security Overview.
-
SCA is less mature. Not included in Forrester Wave SCA evaluations. No reachability on transitive dependencies.
CodeQL: top criticisms from non-vendor sources
-
Build requirement pain. Historically the #1 complaint. Doyensec (2022) reported CodeQL "generated errors on the majority of files" when code was not fully buildable. Now partially addressed by
nonemode, but with potential accuracy tradeoffs. -
Scan time and resource consumption. One practitioner reported scans taking "minutes to 30+ minutes" with approximately 450MB memory. Another noted it was "consuming the entitled compute minutes at exponential rate."
-
Steep query authoring curve. Custom queries require "days of study to write effectively." QL class names differ across languages, adding cognitive overhead. The VS Code extension helps but does not eliminate the learning curve.
-
GitHub ecosystem lock-in. One practitioner noted: "Unless you're an existing GitHub customer or trying to use it outside of the GitHub ecosystem, good luck." The April 2025 unbundling partially addresses bundling concerns but not platform dependency.
-
Licensing friction. The CLI license explicitly prohibits CI/CD use on private repos without a paid license. Another practitioner: "They really don't want to sell you a license and unless you're prepared to put up some serious money... they don't really even want to talk to you."
Shared weaknesses
Neither tool reliably detects business logic vulnerabilities, authorization bypass, race conditions, or insecure design patterns. Both rely heavily on pre-written rules. Bennett et al. showed that missing rules, not engine limitations, cause the majority of false negatives. Both produce high false positive rates on standard benchmarks (68-75% FPR on the OWASP Benchmark).
When to pick which
There is no universally correct answer. The right tool depends on your ecosystem, your team's skills, and what you need to customize.
Semgrep fits best when:
- You are not on GitHub. Semgrep is fully CI-agnostic with first-class support for GitLab, Bitbucket, Azure DevOps, and others. CodeQL's full experience is GitHub-native.
- Scan speed is critical. 10-second CI scans versus minutes-to-30-minutes for CodeQL. For teams scanning every PR, this compounds.
- Your team writes custom rules. Semgrep's YAML patterns are dramatically easier to learn and write. Minutes versus hours or days.
- Budget matters and you are small. Semgrep's free tier covers up to 10 contributors with the full Pro Engine. Hard to beat for startups.
- You need PHP, Terraform, or IaC scanning. CodeQL has no support for PHP and no IaC scanning capability.
CodeQL fits best when:
- Your team is deeply embedded in GitHub. Native one-click setup, Copilot Autofix, Security Overview, Dependabot, and secret scanning with push protection create a cohesive experience. One practitioner reported: "We have CodeQL and Dependabot enabled enterprise-wide... They don't block developers from committing code and they don't require any education or training."
- Deep semantic analysis matters. CodeQL's whole-program database approach provides a structural advantage for complex, multi-step vulnerability patterns.
- You work on open-source. CodeQL is completely free for public repositories with full semantic analysis.
- Compliance requirements are strict. FedRAMP authorization, SCIM provisioning, audit log streaming, and native SIEM connectors give GHAS an edge for regulated environments.
- C# is a primary language. Practitioners consistently report CodeQL as stronger for C# security analysis.
Running both together
Practitioners widely report running both tools. The pattern: Semgrep in CI for instant PR-level feedback (10-second scans) and CodeQL in nightly or scheduled builds for deeper analysis. Both output SARIF, enabling unified results in GitHub code scanning or third-party dashboards.
One practitioner: "I don't think one is necessarily right or wrong in their approaches, I think they are complementary."
This dual-tool approach addresses the fundamental tradeoff. Semgrep catches pattern-identifiable issues with minimal developer friction. CodeQL performs the deep semantic analysis that uncovers complex multi-step vulnerabilities.
Bottom line
CodeQL provides deeper semantic analysis. Semgrep provides faster scans, easier rule authoring, and broader ecosystem support. The independent benchmarks favor CodeQL on precision (F1 of 74.4% vs 69.4%), but all academic studies test only Semgrep CE, not the commercial Pro Engine. The real-world accuracy gap is likely smaller than the benchmarks suggest.
The most important finding from independent research: rule coverage drives the majority of detection outcomes, not engine architecture. Custom Semgrep rules outperformed a four-tool combination in the EASE 2024 study. Organizations should weigh their capacity to write custom rules alongside the architectural considerations.
Neither tool solves the problem that comes after scanning. Both will generate findings. Both will include false positives. Both will miss real vulnerabilities. The bottleneck is rarely detection. It is triage: deciding which findings are exploitable, which ones matter in your specific context, and which ones can wait.
If you are running either tool (or both) and finding that triage is the bottleneck, that is the problem Konvu solves.
Related comparisons
- Snyk vs Semgrep: How Snyk's SCA strength compares to Semgrep's customizable SAST engine and developer workflow.
- Snyk vs SonarQube: How Snyk's SCA strength compares to SonarQube's code quality enforcement and SAST depth.
- Semgrep vs SonarQube: Semgrep's custom rule engine and security focus against SonarQube's quality gates and compliance reporting.