Checkmarx One vs SonarCloud comparison

Checkmarx One
Read 68 Checkmarx One reviews
  • 30,477 Views
  • 19,375 Comparison Views
86% willing to recommend
SonarCloud
Read 10 SonarCloud reviews
  • 10,734 Views
  • 8,277 Comparison Views
100% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Checkmarx One and SonarCloud based on real PeerSpot user reviews.

Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Checkmarx One vs. SonarCloud Report (Updated: July 2024).
Buyer's Guide
Checkmarx One vs. SonarCloud
July 2024
Download the complete report
Helped 793,295 peers since 2012
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
3rd
Average Rating
7.6
Number of Reviews
68
Ranking in other categories
Application Security Tools (3rd), Vulnerability Management (12th), Static Code Analysis (2nd), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
SonarCloud
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
8.4
Number of Reviews
10
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2024, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 11.1%, down from 14.3% compared to the previous year. The mindshare of SonarCloud is 9.0%, up from 6.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
Unique Categories:
Application Security Tools
13.0%
Vulnerability Management
0.6%
No other categories found
 

Featured Reviews

YB
Dec 20, 2021
Reasonably price, high performance, and simple installation
We are using Checkmarx for application code scanning, such as scanning for different leverages in the application code The solution has good performance, it is able to compute in 10 to 15 minutes.  Checkmarx could improve the REST APIs by including automation. I have been using Checkmarx for…
Read full review
Huzaifa Asif - PeerSpot reviewer
Dec 12, 2023
A comprehensive code quality management offering all-in-one functionality, including static code analysis, security assessments, and code optimization, while providing valuable insights for developers
There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could use improvement in providing clearer instructions. I found myself needing to engage with support multiple times to navigate through certain aspects. Additionally, it would be beneficial if it could streamline the integration process for new features. Enhancing documentation on how to integrate these features seamlessly would go a long way in improving user experience. The introduction of an auto-commit functionality would be a valuable addition. Some other tools offer this feature, allowing for the automatic creation of pull requests to address identified issues. This functionality significantly reduces the manual effort required.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"The report function is the solution's greatest asset."
"The only thing I like is that Checkmarx does not need to compile."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"The most valuable features are the easy to understand interface, and it 's very user-friendly."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"Vulnerability details is valuable."
More Checkmarx One pros
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The solution can be installed locally."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"For what it is meant to do, it works pretty well."
"The most valuable feature of SonarCloud is its overall performance."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
More SonarCloud pros
 

Cons

"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Implementing a blackout time for any user or teams: Needs improvement."
More Checkmarx One cons
"The solution needs to improve its customization and flexibility."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"We had some issues with the scanner."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"It would be helpful if notifications could go out to an extra person."
More SonarCloud cons
 

Pricing and Cost Advice

"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"The solution's price is high and you pay based on the number of users."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."
More Checkmarx One pricing and cost advice
"I rate the pricing a five out of ten."
"I am using the free version of the solution."
"The current pricing is quite cheap."
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"While not extremely cheap, it aligns well with market standards and offers good value."
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
793,295 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
15%
Manufacturing Company
10%
Government
5%
Computer Software Company
18%
Financial Services Firm
10%
Manufacturing Company
9%
Healthcare Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
See all answers
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
See all answers
What is your experience regarding pricing and costs for Checkmarx?
The tool's pricing is fine.
See all answers
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
See all answers
What is your experience regarding pricing and costs for SonarCloud?
I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pa...
See all answers
What needs improvement with SonarCloud?
There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation coul...
See all answers
 

Comparisons

SonarQube vs Checkmarx One Logo
SonarQube vs Checkmarx One
Compared 52% of the time
Veracode vs Checkmarx One Logo
Veracode vs Checkmarx One
Compared 13% of the time
Fortify on Demand vs Checkmarx One Logo
Fortify on Demand vs Checkmarx One
Compared 7% of the time
Snyk vs Checkmarx One Logo
Snyk vs Checkmarx One
Compared 4% of the time
HCL AppScan vs Checkmarx One Logo
HCL AppScan vs Checkmarx One
Compared 1% of the time
More Checkmarx One Competitors
SonarQube vs SonarCloud Logo
SonarQube vs SonarCloud
Compared 78% of the time
Veracode vs SonarCloud Logo
Veracode vs SonarCloud
Compared 7% of the time
GitLab vs SonarCloud Logo
GitLab vs SonarCloud
Compared 3% of the time
OWASP Zap vs SonarCloud Logo
OWASP Zap vs SonarCloud
Compared 2% of the time
Coverity vs SonarCloud Logo
Coverity vs SonarCloud
Compared 2% of the time
More SonarCloud Competitors
 

Product Reports

Buyer's Guide
Checkmarx One
July 2024
Checkmarx One reportDownload Checkmarx One product report
Buyer's Guide
SonarCloud
June 2024
SonarCloud reportDownload SonarCloud product report
 

Learn More

Checkmarx
Sonar
 

Interactive Demo

Demo not available
Checkmarx
Sonar
 

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • API security
  • Dynamic Application Security Testing (DAST)
  • Container security
  • IaC security
  • Correlation, prioritization, and risk management
  • Codebashing secure code training
  • AI security
  • Tech partnerships extending AppSec into runtime analysis
  • Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

SonarCloud is a cloud-based alternative of the SonarQube platform, offering continuous code quality and security analysis as a service. SonarCloud integrates seamlessly with popular version control and CI/CD platforms such as GitHub, Bitbucket, and Azure DevOps. It provides static code analysis to identify and help remediate issues such as bugs and security vulnerabilities. SonarCloud enables developers to receive immediate feedback on their code within their development environment, facilitating the maintenance of high-quality code standards, and promoting a culture of continuous improvement in software development projects. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects and is offered as a paid subscription for private projects, priced per lines of code.

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Buyer's Guide
Checkmarx One vs. SonarCloud
July 2024
Free Report: Checkmarx One vs. SonarCloud
Find out what your peers are saying about Checkmarx One vs. SonarCloud and other solutions. Updated: July 2024.
DOWNLOAD NOW
793,295 professionals have used our research since 2012.
See our Checkmarx One vs. SonarCloud report.
See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.