Code-smell detection tools in 2026: SonarCloud, CodeScene, Sourcegraph, GHAS, CodeClimate, ESLint, PMD, Semgrep
Detection tools are necessary but not sufficient. Coverage varies. Noise varies. Team-fit varies. Pick one as a CI baseline, add a specialist if the default misses something you care about.
The reviews below are honest. Where a tool has a weakness, we say so. Pricing is April 2026; check vendor sites for current figures.
SonarCloud
Pricing: Free for open source. Teams from approx $0-$1,500/month by lines of code.
Strengths: Widest language support. Strong Cognitive Complexity implementation. Well-maintained rule set. CI integration is seamless. Good noise management on the default configuration.
Weaknesses: High false-positive counts on legacy codebases without rule tuning. No temporal (change-history) patterns. Default ruleset is designed for new code, not for a backlog of legacy findings.
Best for: A baseline gate in CI for any team starting fresh on smell detection.
CodeScene
Pricing: From approx $500/month for small teams. Enterprise negotiated.
Strengths: Combines static complexity with git history. Hotspot analysis, temporal coupling, and knowledge distribution are uniquely valuable for legacy codebases. Adam Tornhill's research is the most cited in behavioural code analysis.
Weaknesses: More expensive. Only valuable where meaningful git history exists. UI can be overwhelming.
Best for: Quarterly deep-dive on a legacy codebase. Use alongside SonarCloud, not instead.
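The two behavioural signals the CodeScene review names, hotspots and temporal coupling, can be computed from nothing more than commit history and a per-file complexity measure. The script below is an added example, not CodeScene's code or the article's; the commit log and complexity scores are constructed for the illustration, and a real run would parse output from `git log --name-only --format=%H` (assumed invocation) and a static tool's complexity report.

```javascript
// Added example (not CodeScene's code): hotspot ranking and temporal coupling
// from a commit log.  A hotspot is a file with high churn AND high complexity;
// temporal coupling is a pair of files that keep changing in the same commit.
// The log below is constructed; a real run would parse
// `git log --name-only --format=%H` (assumed invocation).

const sampleLog = `
commit a1
src/orders/OrderService.java
src/orders/OrderRepository.java

commit a2
src/orders/OrderService.java
src/billing/Invoice.java

commit a3
src/orders/OrderService.java
src/orders/OrderRepository.java

commit a4
src/util/Strings.java

commit a5
src/orders/OrderService.java
src/orders/OrderRepository.java
`;

// Constructed per-file complexity (e.g. a cyclomatic or lines-of-code figure
// taken from a static analysis report).
const complexity = {
  "src/orders/OrderService.java": 420,
  "src/orders/OrderRepository.java": 90,
  "src/billing/Invoice.java": 300,
  "src/util/Strings.java": 40,
};

// Parse the log into an array of commits, each a list of touched file paths.
function parseCommits(log) {
  const commits = [];
  let current = null;
  for (const raw of log.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("commit ")) {
      current = [];
      commits.push(current);
    } else if (line && current) {
      current.push(line);
    }
  }
  return commits;
}

// Churn: number of commits that touched each file.
function churn(commits) {
  const counts = {};
  for (const files of commits) {
    for (const f of new Set(files)) counts[f] = (counts[f] || 0) + 1;
  }
  return counts;
}

// Hotspot score = churn * complexity, ranked descending.  A complex file that
// never changes is not a hotspot; neither is a trivial file that changes daily.
function hotspots(commits, complexityByFile) {
  const c = churn(commits);
  return Object.keys(c)
    .map((file) => {
      const cx = complexityByFile[file] || 0;
      return { file, churn: c[file], complexity: cx, score: c[file] * cx };
    })
    .sort((a, b) => b.score - a.score);
}

// Temporal coupling: for each unordered pair of files, how many commits touched
// both, and that count as a fraction of the less-frequently-changed file's churn
// (1.0 means "every time the smaller file changed, the other changed too").
function temporalCoupling(commits, minShared = 2) {
  const c = churn(commits);
  const pairs = {};
  for (const files of commits) {
    const uniq = [...new Set(files)].sort();
    for (let i = 0; i < uniq.length; i++) {
      for (let j = i + 1; j < uniq.length; j++) {
        const key = `${uniq[i]}|${uniq[j]}`;
        pairs[key] = (pairs[key] || 0) + 1;
      }
    }
  }
  return Object.entries(pairs)
    .filter(([, shared]) => shared >= minShared)
    .map(([key, shared]) => {
      const [a, b] = key.split("|");
      return { a, b, shared, degree: shared / Math.min(c[a], c[b]) };
    })
    .sort((x, y) => y.degree - x.degree);
}

const commits = parseCommits(sampleLog);
console.table(hotspots(commits, complexity));
console.table(temporalCoupling(commits));
```

On the constructed log, OrderService.java ranks first (four changes, complexity 420) ahead of the more complex but rarely touched Invoice.java, and OrderService/OrderRepository show full temporal coupling (three of the repository's three changes were made together with the service). That is the kind of pair a quarterly deep-dive would flag as a hidden dependency worth refactoring or testing together.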
Sourcegraph
Pricing: From approx $49/user/month. Enterprise negotiated.
Strengths: Cross-repo search at scale. Batch changes apply the same refactoring across an entire organisation. Code intelligence across repos is the best available.
Weaknesses: Not a smell-detection tool in the traditional sense. Requires custom queries. Best as a refactoring-execution tool after detection.
Best for: After you identify what to fix via SonarCloud or CodeScene, Sourcegraph is how you fix it at scale.
GHAS
Pricing: Bundled with GitHub Enterprise. Approx $19/user/month standalone.
Strengths: CodeQL is the strongest engine for security vulnerability detection. Secret scanning is best-in-class.
Weaknesses: Coverage for structural smells (God Class, Long Method) is narrow. Not a substitute for SonarCloud on structural quality.
Best for: Always-on for security. Use alongside SonarCloud, not instead.
CodeClimate
Pricing: From approx $50/month for small teams.
Strengths: Strong PR integration with a clear maintainability score delta per PR. Easy for non-engineers to understand. Good duplication detection.
Weaknesses: Less configurable than SonarCloud. More limited language support.
Best for: Teams wanting a simple maintainability score in their PR workflow without complex configuration.
ESLint
Pricing: Free and open source.
Strengths: Best-in-class for JavaScript/TypeScript. Huge plugin ecosystem. The complexity, max-lines, max-params, and no-unused-vars rules directly address several smells.
Weaknesses: JavaScript/TypeScript only. No cross-file or architectural analysis.
Best for: Every JavaScript or TypeScript project. Add complexity and max-lines-per-function rules immediately.
PMD
Pricing: Free and open source.
Strengths: PMD's GodClass, ExcessiveMethodLength, and LongParameterList rules are well-calibrated for Java. CPD (Copy-Paste Detector) is best-in-class for duplicate code detection across multiple languages.
Weaknesses: Java-centric. Dated UI. Requires more configuration effort than SonarCloud.
Best for: Any Java project, and for Duplicate Code detection across any language CPD supports.
Semgrep
Pricing: Free community tier. Teams from approx $40/user/month.
Strengths: Custom rules are the fastest to write. Strong for Primitive Obsession and Feature Envy with custom patterns. Active open-source rule registry.
Weaknesses: Requires more custom rule investment to cover the full smell catalog. Not a drop-in for comprehensive static analysis.
Best for: Teams with a specific smell pattern to enforce consistently - e.g. banning direct database calls from controller classes.
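The ESLint review says to add complexity and max-lines-per-function rules immediately, and the Semgrep review gives "banning direct database calls from controller classes" as the kind of team-specific rule worth enforcing. The flat config below is an added example (not ESLint's, Semgrep's, or the article's own), covering both passages for a JavaScript project: the smell rules in one block, and the controller-layering rule expressed with ESLint's built-in no-restricted-imports rather than a Semgrep pattern. The thresholds, the src/controllers path and the database module names are assumptions for the example.

```javascript
// Added example: eslint.config.js (ESLint flat config) wiring the rules named
// in the ESLint section to the smells they catch, plus a file-scoped override
// that bans direct database access from controllers.  Thresholds and paths
// are assumptions for the example, not figures from the article.

const smellRules = {
  // Cyclomatic complexity per function (ESLint's own default threshold is 20).
  complexity: ["error", { max: 10 }],
  // Long Method: cap function length, ignoring blank and comment lines.
  "max-lines-per-function": ["error", { max: 50, skipBlankLines: true, skipComments: true }],
  // Long Parameter List.
  "max-params": ["error", { max: 4 }],
  // Dead code: unused variables and trailing unused parameters.
  "no-unused-vars": ["error", { args: "after-used" }],
  // Large File, a proxy for God Class / God Module; warn rather than fail.
  "max-lines": ["warn", { max: 400, skipBlankLines: true, skipComments: true }],
};

// Layering rule: controllers must go through the service layer and never
// import the database module or a query builder directly.  The project layout
// (src/controllers) and module names (db, knex, pg) are assumed.
const controllerLayering = {
  files: ["src/controllers/**/*.js"],
  rules: {
    "no-restricted-imports": ["error", {
      patterns: [{
        group: ["**/db", "**/db/*", "**/db.js", "knex", "pg"],
        message: "Controllers must not access the database directly; call a service.",
      }],
    }],
  },
};

const eslintConfig = [
  { files: ["**/*.js"], rules: smellRules },
  controllerLayering,
];

// Helper so the policy can be inspected or unit-tested: the severity ESLint
// will apply for a rule in the base block ("error", "warn", or undefined).
function severityOf(ruleName) {
  const rule = smellRules[ruleName];
  return Array.isArray(rule) ? rule[0] : rule;
}

if (typeof module !== "undefined") module.exports = eslintConfig;
```

Save it as eslint.config.js at the repository root (in an ES-module project replace the last line with `export default eslintConfig;`) and run `npx eslint .` in CI. The no-restricted-imports patterns use gitignore-style matching against the import specifier, so both relative paths to a db module and the package names are covered; adjust the group list to whatever your project's data-access module is actually called.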
Starting from scratch
SonarCloud in CI. ESLint or PMD as language-specific guardrails. GHAS if security sensitivity applies. Budget two days for rule tuning before the first gated builds.
Auditing a legacy codebase
CodeScene first. Hotspot analysis shows where to look. Sourcegraph for navigation. SonarCloud as the standing gate. Budget for rule-tuning in month one or the noise buries the signal.
The install-and-hope anti-pattern
Every team that installs SonarCloud and walks away ends up with 15,000 findings and no resolution plan. The tool is cheap; the rule-tuning and triage process is the work. See /refactoring-roi for how to budget the remediation.
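The triage process that this section, and the SonarCloud review's "default ruleset designed for new code" weakness, point at is usually a two-bucket split: findings on lines the current change touches are gated in CI, and everything else goes into a baseline backlog that is burned down on a budget instead of blocking every build. The script below is an added example (not SonarCloud's code, its API format, or the article's): it parses a unified diff to find the changed line numbers per file and splits a findings list accordingly. The findings, the diff and the finding shape (file, line, rule, severity) are constructed for the illustration.

```javascript
// Added example (not SonarCloud's code or API): gate only findings on lines a
// change touches; keep the rest as a baseline backlog with per-rule counts
// for remediation planning.  Findings and diff are constructed.

const findings = [
  { file: "src/orders/OrderService.java", line: 12, rule: "cognitive-complexity", severity: "CRITICAL", message: "Cognitive complexity 31 exceeds threshold 15." },
  { file: "src/orders/OrderService.java", line: 210, rule: "long-method", severity: "MAJOR", message: "Method has 120 lines." },
  { file: "src/orders/OrderService.java", line: 305, rule: "unused-parameter", severity: "MINOR", message: "Parameter is never used." },
  { file: "src/billing/Invoice.java", line: 44, rule: "cognitive-complexity", severity: "CRITICAL", message: "Cognitive complexity 22 exceeds threshold 15." },
];

// Constructed unified diff: the PR touches new-side lines 11, 12 and 203 of
// OrderService.java and nothing in Invoice.java.
const sampleDiff = `diff --git a/src/orders/OrderService.java b/src/orders/OrderService.java
--- a/src/orders/OrderService.java
+++ b/src/orders/OrderService.java
@@ -10,6 +10,8 @@
 context line
-removed line
+added line 11
+added line 12
 context line
@@ -200,3 +202,4 @@
 context line
+added line 203
`;

// Returns { filePath: Set<newSideLineNumber> } for every added line in a diff.
// Context lines advance the new-side counter, removed lines do not.
function changedLines(diffText) {
  const result = {};
  let file = null;
  let newLine = 0;
  for (const line of diffText.split("\n")) {
    if (line.startsWith("+++ ")) {
      file = line.slice(4).replace(/^b\//, "");
      result[file] = result[file] || new Set();
    } else if (line.startsWith("@@")) {
      const m = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(line);
      newLine = m ? Number(m[1]) : 0;
    } else if (!file) {
      continue;                       // "diff --git" / "---" headers before the first +++
    } else if (line.startsWith("+")) {
      result[file].add(newLine);
      newLine++;
    } else if (line.startsWith("-")) {
      // removed line: it has no new-side number
    } else if (line.startsWith(" ") || line === "") {
      newLine++;
    }
  }
  return result;
}

// Split findings into the CI gate (on changed lines) and the baseline backlog.
function triage(allFindings, diffText) {
  const changed = changedLines(diffText);
  const gate = [];
  const backlog = [];
  for (const f of allFindings) {
    const lines = changed[f.file];
    (lines && lines.has(f.line) ? gate : backlog).push(f);
  }
  return { gate, backlog };
}

// The gate fails only on blocking severities so a MINOR note on a touched
// line does not stop a build; severity names here follow SonarQube's scale.
function gateFails(gate, blocking = ["BLOCKER", "CRITICAL"]) {
  return gate.some((f) => blocking.includes(f.severity));
}

// Backlog summary per rule: the input to a remediation budget.
function backlogByRule(backlog) {
  const counts = {};
  for (const f of backlog) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

const { gate, backlog } = triage(findings, sampleDiff);
console.log("gate:", gate.map((f) => `${f.file}:${f.line} ${f.rule}`));
console.log("gate fails:", gateFails(gate));
console.log("backlog by rule:", backlogByRule(backlog));
```

On the constructed input only the finding at OrderService.java:12 is gated (and it fails the build, being CRITICAL); the other three land in the backlog summary, which is what the team budgets against. The same split is what "new code" quality gates in the hosted tools do; running it yourself is useful when a tool's own gate cannot be configured the way the team needs, or to audit that the gate is doing what it claims.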