Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
The main ROI factors include efficiency and how we meet compliance standards for various automotive requirements.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
The issue is not about the knowledge of the support but about the prioritization of the tickets they handle.
The customer support team is very responsive, proactive, and engages in conversations to ensure our needs are met.
During the initial phase, there was a need for follow-ups and clarifications.
I would rate the technical support for SonarQube Server (formerly SonarQube) as a 10 because we have not faced any specific issues that required us to contact tech support, which is a very rare case.
The community support is quite effective.
They showed us where we can actually get those granular level reporting extracted for Excel, which was a quick guide.
Klocwork supports our scalability needs without issues, even as project volumes increase.
The program-to-program enablement is scalable.
I find SonarQube Server (formerly SonarQube) very scalable because we're able to create a new repository and integrate all the tools on that project and it just works.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
I would rate the stability of this solution a nine on a scale of 1 to 10 where one is low stability and 10 is high.
Installation is easy, and the solution is stable.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out.
It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from.
Klocwork should be able to analyze large codebases efficiently, supporting a desktop version for periodic small delta changes before pushing to the server.
We would like Klocwork to connect to Git and notify developers of issues tied to specific commits.
Klocwork sometimes provides too many additional warnings which require expertise to manage.
Currently, it should also be able to analyze the code and generate and fix the code for specific developers or features that the developers are tracking.
If I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed.
It is less expensive than Coverity.
The solution is not very cheap, however, it is less expensive than Coverity.
Klocwork's pricing seems attractive, as it uses a per-user license model that does not have a lot of overhead.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
My experience with the initial setup of Checkmarx One is straightforward; it is not complex compared to other tools that I have tried.
Its integration with the CI/CD pipeline has helped streamline the software development process.
The most valuable feature of Klocwork is the static analysis tools, which help identify potential security threats and errors.
It takes just half a day to set up.
We use SonarQube Server's centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve.
Some of the static code analysis capabilities are the most beneficial.
The most valuable features of SonarQube Server (formerly SonarQube) for us include having control of the rules, enabling and disabling them.
| Product | Market Share (%) |
|---|---|
| SonarQube Server (formerly SonarQube) | 20.8% |
| Checkmarx One | 10.2% |
| Klocwork | 1.4% |
| Other | 67.6% |
| Company Size | Count |
|---|---|
| Small Business | 30 |
| Midsize Enterprise | 9 |
| Large Enterprise | 38 |
| Company Size | Count |
|---|---|
| Small Business | 12 |
| Midsize Enterprise | 2 |
| Large Enterprise | 12 |
| Company Size | Count |
|---|---|
| Small Business | 32 |
| Midsize Enterprise | 21 |
| Large Enterprise | 74 |
Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.
Checkmarx One offers comprehensive application scanning across the SDLC:
Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.
Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.
SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.
SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.
What are the key features of SonarQube Server?Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.
