The world of code review is changing from rules-based to AI code review applications. Still, organizations continue to utilize rules-based code review for several reasons, even with the rise of AI-powered tools.
So, why are organizations clinging to rules-based review? The two most important reasons are:
Given the above, rules-based tools are likely to stick around for a while. But there are plenty of reasons why organizations should add AI code review to their toolset. To provide a better idea how AI tools differ from their rules-based counterparts, we conducted two studies where we compare two static code analysis tools: Metabob and SonarCloud.
SonarCloud is a cloud-based, Software-as-a-Service version of SonarQube. Sonar utilizes a set of predefined programming rules to detect problems in the code it analyzes. Metabob is an AI-powered static code analysis tool that utilizes a combination of graph neural networks (GNNs) and large language models (LLMs) to analyze code.
In the first study we let both tools analyze a Python repository, in study 2, we run analyses on JavaScript code. Because of the different underlying analysis techniques, we expect to see variance in the results.
For the Python study we selected a user and authentication management application called Fief (v20 version). For the JavaScript study we chose an API e-commerce web application written in JavaScript that utilizes REST APIs, NodeJS, Express, and MongoDB.
SonarCloud and Metabob approach code analysis from very different angles, and the contrast between their outputs shows the strengths of each tool. SonarCloud focuses on standardized rule enforcement and code health metrics. Its detections are centered on security risks, reliability problems, and maintainability concerns. An overview of both programming languages with example detections can be found below.
Table 1: SonarCloud detections
open redirection or unverified SSL hostnames
potential NoSQL injection vulnerabilities
misused async functions or __init__ returning a value
reassigned const variables, duplicate member names, or ignored return values
overly complex functions or local variables shadowing built-ins
including ignored exceptions and commented-out code
These detections map closely to established coding standards and static analysis rules. They are systematic, conservative, and designed to ensure compliance with broadly accepted best practices. The strength of SonarCloud lies in spotting universally recognized errors that undermine security, correctness, and long-term readability. Its findings are generic but reliable, acting as a quality baseline.
Metabob, in contrast, highlights context-specific issues with direct implications for how the application behaves at runtime. An overview for both programming languages with example detections can be found below.
Table 2: Metabob detections
incorrect tenant validation, faulty parameter handling, or misapplied redirect behavior
directly affecting correctness such as wrong variable used to fetch an order, flawed token validation
Tangled responsibilities such as business logic mixed with HTTP responses
redundant environment checks, misuse of HTTP status codes, inefficient async patterns
missing pagination or redundant query building
redundant queries or leftover debugging code
go beyond SonarCloud’s generic checks, such as identifying subtle timing attack risks and SQL injection vectors
focused not just on injection risks, but also on missing authorization checks
pointing out query construction patterns that could drag down performance
highlight unclear rounding methods
In addition, for the Python repository, Metabob identified runtime pitfalls such as mismatched time zones in session age calculations.
Where SonarCloud catches broadly recognized anti-patterns and enforces clean, conventional code, Metabob is more dynamic in spotting contextual mistakes that could lead to functional bugs, performance problems, or subtle security oversights. SonarCloud provides broad guardrails to ensure that code aligns with established coding standards, while Metabob acts like a domain-aware reviewer, catching deeper flaws that static rules alone won’t expose. Metabob digs into whether the code actually does what it is supposed to do correctly and efficiently.
In short:
Detailed comparisons of SonarCloud and Metabob are available as Google Docs for the Python and JavaScript study.
We hope this overview is helpful when deciding what static analysis tool to use. Both selected repositories were chosen randomly. If you would like us to test both tools on different repos please let us know!