Checkmarx One vs Coverity comparison


Comparison Buyer's Guide

Executive Summary

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
Average Rating
Number of Reviews
Ranking in other categories
Application Security Tools (3rd), Vulnerability Management (11th), Static Code Analysis (2nd), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
Ranking in Static Application Security Testing (SAST)
Average Rating
Number of Reviews
Ranking in other categories
No ranking in other categories

Mindshare comparison

As of June 2024, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 10.1%, down from 12.7% compared to the previous year. The mindshare of Coverity is 8.1%, up from 6.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
Unique Categories:
Application Security Tools
Vulnerability Management
No other categories found

Featured Reviews

May 9, 2023
Responsive support, useful code-checking module, and high availability
Checkmarx is used to check the code from programmers and vulnerabilities in third-party software. Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version. Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers…
Archana Verma - PeerSpot reviewer
May 12, 2023
Provides software security and helps find potential security bugs or defects
We use this tool for call scans in order to improve call quality. We implement testing and this tool cleans up our potential feedback. We are a semiconductor company and provide software solutions to our clients. I'm a senior manager. Coverity has improved our functionality and efficiency. This…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:


"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"The user interface is modern and nice to use."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
"Scan reviews can occur during the development lifecycle."
"This solution is easy to use."
"One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans."
"It's pretty stable. I rate the stability of Coverity nine out of ten."
"The product is easy to use."
"It's very stable."
"The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."


"Updating and debugging of queries is not very convenient."
"When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"I would like to see the DAST solution in the future."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."
"Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."
"It would be great if we could customize the rules to focus on critical issues."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could still be easier."
"Some features are not performing well, like duplicate detection and switch case situations."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
"The solution is a bit complex to use in comparison to other products that have many plugins."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."

Pricing and Cost Advice

"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"The number of users and coverage for languages will have an impact on the cost of the license."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"The pricing was not very good. This is just a framework which shouldn’t cost so much."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"The licensing fees are based on the number of lines of code."
"I would rate the pricing a six out of ten, where one is low, and ten is high price."
"The price is competitive with other solutions."
"It is expensive."
"Coverity’s price is on the higher side. It should be lower."
"This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."
"Coverity is quite expensive."
"I rate Coverity's price a ten on a scale of one to ten, where one is cheap and ten is expensive."
789,728 professionals have used our research since 2012.

Top Industries

By visitors reading reviews
Financial Services Firm
Computer Software Company
Manufacturing Company
Manufacturing Company
Computer Software Company
Financial Services Firm

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The solution's price is high and you pay based on the number of users.
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
What do you like most about Coverity?
The solution has improved our code quality and security very well.
What is your experience regarding pricing and costs for Coverity?
Coverity offers varying prices for different companies. Our company has a five-year licensing contract with Coverity, so the licensing posture is seamless. As our organization is based in Banglades...



Also Known As

No data available
Synopsys Static Analysis



Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
MStar Semiconductor, Alcatel-Lucent
Find out what your peers are saying about Checkmarx One vs. Coverity and other solutions. Updated: May 2024.