Checkmarx One vs Contrast Security Assess vs GitLab comparison

Read 86 GitLab reviews

19,204 Views
2,881 Comparison Views

97% willing to recommend

Checkmarx One

Contrast Security Assess

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Checkmarx One, Contrast Security Assess, and GitLab based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.

To learn more, read our detailed Application Security Tools Report (Updated: August 2025).

Application Security Tools

August 2025

Download the complete report

Helped 867,497 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of September 2025, in the Application Security Tools category, the mindshare of Checkmarx One is 10.2%, down from 13.7% compared to the previous year. The mindshare of Contrast Security Assess is 0.8%, up from 0.4% compared to the previous year. The mindshare of GitLab is 2.5%, down from 2.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Application Security Tools Market Share Distribution
Product	Market Share (%)
Checkmarx One	10.2%
GitLab	2.5%
Contrast Security Assess	0.8%
Other	86.5%

Application Security Tools

Featured Reviews

Syed Hasan

Specialist Leader at Deloitte

Partner experiences excellent technical support and seamless initial setup

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

Read full review

ToddMcAlister

Lead Application and Data Security Engineer at a insurance company with 5,001-10,000 employees

It has an excellent API interface to pull APIs.

Assess has brought our development time down because it helps create code the first time. Instead of going through the Jenkins process to build an application, they can see right off the bat that if there are errors in the code and fix them before it even goes to build.

Read full review

Rohit Kesharwani

Manager, Engineering at 7-Eleven

Improved agility and time to market with CI/CD enhancements

The CI/CD pipelines in GitLab are highly valuable. Another important feature is the single source of repository, allowing efficient repository management and source code management. GitLab provides manageability by allowing us to manage source code effectively through separate repositories. Additionally, GitLab enables the creation of individual CI/CD pipelines for each repository, making software more agile. By integrating GitLab as a DevOps platform, we have enhanced agility, improved our time to market, and different teams can work collaboratively on various projects.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution communicates where to fix the issue for the purpose of less iterations."

"The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."

"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."

"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."

"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."

"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."

"It shows in-depth code of where actual vulnerabilities are."

"The value you can get out of the speedy production may be worth the price tag."

More Checkmarx One pros

"Assess has an excellent API interface to pull APIs."

"By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."

"The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes."

"We use the Contrast OSS feature that allows us to look at third-party, open-source software libraries, because it has a cool interface where you can look at all the different libraries. It has some really cool additional features where it gives us how many instances in which something has been used... It tells us it has been used 10 times out of 20 workloads, for example. Then we know for sure that OSS is being used."

"The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low."

"When we access the application, it continuously monitors and detects vulnerabilities."

"The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of."

"This has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries."

More Contrast Security Assess pros

"The best thing is that as the developers work on separate tasks, all of the code goes there and the other team members don't have to wait on each other to finish."

"I have had no problem with the stability of the solution."

"The most valuable functionality of GitLab, for me, is the DevOps. Besides the normal source control based on Git, I find the Auto DevOps features most important in the solution."

"The CI/CD process is very efficient."

"It scales well."

"For us, Gitlab's most valuable feature is the integration with Cypress. We're using Cypress as an automation tool, so we're using GitLab as a tool for running in parallel."

"GitLab is very well-organized and easy to use. Also, it offers most features that customers need."

"The most valuable feature of GitLab is the ability to upload scripts and make changes when needed and then reupload them. Additionally, the solution is user-friendly."

More GitLab pros

Cons

"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."

"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."

"Checkmarx could improve by reducing the price."

"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."

"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."

"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."

"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."

More Checkmarx One cons

"I would like to see them come up with more scanning rules."

"Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."

"Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."

"The setup of the solution is different for each application. That's the one thing that has been a challenge for us. The deployment itself is simple, but it's tough to automate because each application is different, so each installation process for Contrast is different."

"I think there was activity underway to support the centralized configuration control. There are ways to do it, but I think they were productizing more of that."

"The solution needs to improve flexibility...The scalability of the product is a problem in the solution, especially from a commercial perspective."

"To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."

"The out-of-the-box reporting could be improved. We need to write our own APIs to make the reporting more robust."

More Contrast Security Assess cons

"The solution should again offer an on-premises deployment option."

"Perhaps the integration could be better."

"GitLab should enhance its GitOps capability as they are currently using FluxCD, however, Argo CD is better and offers more features. GitLab should work on improving their user interface for GitOps as it is lagging behind."

"It has fewer options, and its UI is not so user-friendly."

"There are missing search features, particularly when searching repositories or applying filters. Additionally, I have encountered issues with the deployment of CI/CD pipelines, especially dealing with variable environments."

"The pricing has been substantially increased, which is a major concern."

"The only thing our company is really waiting on in terms of features is the development of metrics."

"I believe there's room for improvement in the advanced features, particularly in enhancing the pipeline functionalities."

More GitLab cons

Pricing and Cost Advice

"It is an expensive solution."

"If you want more, you have to pay more. You have to pay for additional modules or functionalities."

"The tool's pricing is fine."

"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."

"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."

"It's relatively expensive."

"Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."

"Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."

More Checkmarx One pricing and cost advice

"The good news is that the agent itself comes in two different forms: the unlicensed form and the licensed form. Unlicensed gives use of that software composition analysis for free. Thereafter, if you apply a license to that same agent, that's when the instrumentation takes hold. So one of my suggestions is to do what we're doing: Deploy the agent to as many applications as possible, with just the SCA feature turned on with no license applied, and then you can be more choosy and pick which teams will get the license applied."

"The solution is expensive."

"You only get one license for an application. Ours are very big, monolithic applications with millions of lines of code. We were able to apply one license to one monolithic application, which is great. We are happy with the licensing. Pricing-wise, they are industry-standard, which is fine."

"The product's pricing is low. I would rate it a two out of ten."

"For what it offers, it's a very reasonable cost. The way that it is priced is extremely straightforward. It works on the number of applications that you use, and you license a server. It is something that is extremely fair, because it doesn't take into consideration the number of requests, etc. It is only priced based on the number of onboarded applications. It suits our model as well, because we have huge traffic. Our number of applications is not that large, so the pricing works great for us."

"It's a tiered licensing model. The more you buy, as you cross certain quantity thresholds, the pricing changes. If you have a smaller environment, your licensing costs are going to be different than a larger environment... The licensing is primarily per application. An application can be as many agents as you need. If you've got 10 development servers and 20 production servers and 50 QA servers, all of those agents can be reporting as a single application that utilizes one license."

"I like the per-application licensing model... We just license the app and we look at different vulnerabilities on that app and we remediate within the app. It's simpler."

"In terms of the pricing for GitLab, on a scale of one to five, with one being expensive and five being cheap, I'm rating pricing for the solution a four. It could still be cheaper because right now, my company has a small team, and sometimes it's difficult to use a paid product for a small team. You'd hope the team will grow and scale, but currently, you're paying a high license fee for a small team. I'm referring to the GitLab license that has premium features and will give you all features. This can be a problem for management to approve the high price of the license for a team this small."

"I'm not sure if they have some kind of discount. I've been negotiating with them on prices before, and I believe they weren't too happy to give discounts, but list prices are $19 per user, per month for Premium and $99 per user, per month for Ultimate. So, the difference between Premium and Ultimate is a bit bigger, and in most companies, you need to build some type of business case."

"It is very expensive. We can't bear it now, and we have to find another solution. We have a yearly subscription in which we can increase the number of licenses, but we have to pay at the end of the year."

"GitLab's pricing is good compared to others on the market."

"We are using its free version, and we are evaluating its Premium version. Its Ultimate version is very expensive."

"The price of GitLab could be better, it is expensive."

"We are using the free version of GitLab."

"This is an open-source solution."

More GitLab pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See recommendations

867,497 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

20%

Computer Software Company

13%

Manufacturing Company

10%

Government

Financial Services Firm

22%

Manufacturing Company

12%

Computer Software Company

Insurance Company

Financial Services Firm

14%

Computer Software Company

13%

Government

11%

Manufacturing Company

10%

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	30
Midsize Enterprise	9
Large Enterprise	38

By reviewers
Company Size	Count
Small Business	2
Midsize Enterprise	3
Large Enterprise	6

By reviewers
Company Size	Count
Small Business	35
Midsize Enterprise	9
Large Enterprise	42

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...

What do you like most about Checkmarx?

Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

What is your experience regarding pricing and costs for Checkmarx?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

What do you like most about Contrast Security Assess?

When we access the application, it continuously monitors and detects vulnerabilities.

What needs improvement with Contrast Security Assess?

Technical support for the solution should be faster. We have to further analyze what kind of CVEs are in the reported...

What advice do you have for others considering Contrast Security Assess?

Contrast Security Assess is deployed on-cloud in our organization. I would recommend Contrast Security Assess to othe...

What do you like most about GitLab?

I find the features and version control history to be most valuable for our development workflow. These aspects provi...

What is your experience regarding pricing and costs for GitLab?

The pricing and cost are on par with other tools and are neither too expensive nor cheap.

What needs improvement with GitLab?

Regarding improvements, making task management is something that GitLab can potentially make easier, similar to what ...

SonarQube Server (formerly SonarQube) vs Checkmarx One

Comparisons

Compared 42% of the time

Veracode vs Checkmarx One

Compared 8% of the time

Checkmarx SAST vs Checkmarx One

Compared 7% of the time

OpenText Core Application Security vs Checkmarx One

Compared 5% of the time

Mend.io vs Checkmarx One

Compared 1% of the time

More Checkmarx One Competitors

OpenText Dynamic Application Security Testing vs Contrast Security Assess

Compared 20% of the time

Seeker Interactive vs Contrast Security Assess

Compared 15% of the time

SonarQube Server (formerly SonarQube) vs Contrast Security Assess

Compared 10% of the time

Veracode vs Contrast Security Assess

Compared 9% of the time

PortSwigger Burp Suite Professional vs Contrast Security Assess

Compared 9% of the time

More Contrast Security Assess Competitors

Microsoft Azure DevOps vs GitLab

Compared 34% of the time

GitHub CoPilot vs GitLab

Compared 13% of the time

TeamCity vs GitLab

Compared 5% of the time

Tekton vs GitLab

Compared 5% of the time

SonarQube Server (formerly SonarQube) vs GitLab

Compared 4% of the time

More GitLab Competitors

Product Reports

Download Checkmarx One product report

Checkmarx One

September 2025

Download Contrast Security Assess product report

Contrast Security Assess

September 2025

Download GitLab product report

September 2025

Also Known As

No data available

Contrast Assess

Fuzzit

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.

Contrast Security

GitLab offers a secure and user-friendly platform for CI/CD pipeline management, code repository control, and collaboration, enhancing development speed and efficiency. It facilitates automation with extensive customization and tool integration, ideal for DevOps processes.

GitLab supports source code management, version control, and collaborative development. It's frequently used in CI/CD processes to automate builds and deployments while integrating DevOps practices. GitLab allows companies to manage repositories, automate pipelines, conduct code reviews, and maintain development lifecycles. The platform supports infrastructure and configuration management, enabling efficient code collaboration, deployment automation, and comprehensive repository handling. Many organizations commit and deploy developed code using GitLab's capabilities.

What are GitLab's most valuable features?

CI/CD Pipeline Management: Streamlines development through automated testing and deployment.
User-Friendly Interface: Ensures ease of collaboration and task automation.
Code Merging and Branching: Facilitates smooth code integration and version control.
Security Platform: Provides strong security features for safe development.
Tool Integration: Enhances functionality with diverse tool integration.

What benefits should users evaluate?

Development Speed: Accelerates processes through automation.
Collaboration Ease: Simplifies team interactions and workflow.
Customization Options: Offers extensive personalization for specific needs.
Comprehensive Documentation: Provides detailed guidance for users.
Secure Platform: Maintains integrity with robust security features.

In specific industries, GitLab serves as a backbone for source code management and CI/CD implementation. Companies leverage its capabilities for infrastructure management and deployment automation, thus streamlining project delivery timelines. Its ability to handle configuration management and code repositories effectively aids in maintaining development lifecycles, making it a preferred choice for organizations committed to enhancing their DevOps practices.

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

Williams-Sonoma, Autodesk, HUAWEI, Chromeriver, RingCentral, Demandware.

1. NASA 2. IBM 3. Sony 4. Alibaba 5. CERN 6. Siemens 7. Volkswagen 8. ING 9. Ticketmaster 10. SpaceX 11. Adobe 12. Intuit 13. Autodesk 14. Rakuten 15. Unity Technologies 16. Pandora 17. Electronic Arts 18. Nordstrom 19. Verizon 20. Comcast 21. Philips 22. Deutsche Telekom 23. Orange 24. Fujitsu 25. Ericsson 26. Nokia 27. General Electric 28. Cisco 29. Accenture 30. Deloitte 31. PwC 32. KPMG