Cancel
You must select at least 2 products to compare!
Veracode Logo
39,640 views|23,533 comparisons
Checkmarx Logo
42,040 views|30,268 comparisons
Sonar Logo
84,631 views|67,716 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Apr 20, 2022

We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Most users of both solutions say their initial setup is straightforward.
  • Features: Users of both products are happy with their ease of use, stability, and scalability. Most SonarQube reviewers mentioned ease of other product integration as a benefit, though they would like to see this improved in the free version. Checkmarx reviewers noted the benefits of the solution’s application security, scanning, and tracking, but some of them would like to see more integrations with other products.
  • Pricing: Most SonarQube reviewers feel satisfied with the pricing, especially with its free Community Edition. SonarQube offers an open-source version as well as a reasonably priced product in its market. On the other hand, Checkmarx reviewers say its pricing is expensive.
  • Service and Support: Most reviewers of Checkmarx are satisfied with the support levels but would like faster response times. Some reviewers of SonarQube feel that support leaves room for improvement.

Comparison Results: SonarQube has an edge over Checkmarx in pricing, but Checkmarx offers better support.

To learn more, read our detailed Checkmarx vs. SonarQube Report (Updated: March 2023).
690,226 professionals have used our research since 2012.
Q&A Highlights
Question: Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
Answer: My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place.""Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.""I like the ability to integrate Veracode with other coding platforms like Visual Studio, which helps you write code quickly by implementing already inserted code. For example, if we have tags you want to put in the software, it is effortless to choose which programming language you want to use in the integrated development environment.""The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy.""Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode.""Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.""The Security Labs [is] where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place.""You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."

More Veracode Pros →

"The report function is the solution's greatest asset.""The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera.""The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.""The most valuable features of Checkmarx are the automation and information that it provides in the reports.""The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects.""I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy.""The administration in Checkmarx is very good.""It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."

More Checkmarx Pros →

"I like that it has a better dashboard compared to Clockwork. It's also stable.""When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues.""SonarQube is useful for controlling all of our Azure task tracking and scanning.""I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.""The most valuable features are the analysis and detection of issues within the application code.""The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."

More SonarQube Pros →

Cons
"The solution could improve the Dynamic Analysis Security Testing(DAST).""Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.""I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.""The training lab is not very user-friendly and takes a long time to set up.""We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process.""I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.""Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had.""Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

More Veracode Cons →

"As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.""We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level.""Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.""One area for improvement in Checkmarx is pricing, as it's more expensive than other products.""The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information.""We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.""Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.""Checkmarx has a slightly difficult compilation with the CI/CD pipeline."

More Checkmarx Cons →

"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.""Dynamic scanning is missing and there are some issues with security scanning.""A little bit more emphasis on security and a bit more security scanning features would be nice.""The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.""We did have some trouble with the LDAP integration for the console.""For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler.""Code security scanning could be improved.""We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."

More SonarQube Cons →

Pricing and Cost Advice
  • "From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • "It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."
  • "The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."
  • "There is a fee to scale up the solution which I consider expensive."
  • "I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
  • "I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
  • "There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."
  • More Veracode Pricing and Cost Advice →

  • "It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
  • "Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
  • "We have purchased an annual license to use this solution. The price is reasonable."
  • "We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
  • "The price of Checkmarx could be reduced to match their competitors, it is expensive."
  • "The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
  • "If you want more, you have to pay more. You have to pay for additional modules or functionalities."
  • "Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."
  • More Checkmarx Pricing and Cost Advice →

  • "The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
  • "I requested this license for one million lines of code and they accepted this."
  • "SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."
  • "This solution is free."
  • "We're using the Community Edition, and we don't pay for anything."
  • "It is very expensive. Its price should be improved."
  • "The price of the solution could be reduced."
  • "The price of this solution is more expensive than competitors. However, it works better than competitors."
  • More SonarQube Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    690,226 professionals have used our research since 2012.
    Answers from the Community
    William Hayes
    Swapna Ragi - PeerSpot reviewerSwapna Ragi
    Real User

    SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.


    Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.


    About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this.  https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/

    Durga Gudimetla - PeerSpot reviewerDurga Gudimetla
    Real User

    SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

    Questions from the Community
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Top Answer:The user interface is excellent, the code review process is quick and provides great analytics to understand our code… more »
    Top Answer:It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as… more »
    Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as… more »
    Top Answer:JaeLee, check out our comparison page hereof Veracode vs Checkmarx: https://www.itcentralstation.c... Checkmarx is… more »
    Top Answer:SonarQube historically was focused on Code Quality and Best Practices. Recently the enterprise and data center versions… more »
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    Comparisons
    Also Known As
    Sonar
    Learn More
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

    Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

    Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

    Checkmarx Features

    Some of Checkmarx’s features include:

    • Source code scanning: Detect and repair more vulnerabilities before you release your code.

    • Open-source scanning: Find and eliminate the risks in your open-source code.

    • Interactive code scanning: Scan for vulnerabilities and runtime threats.

    • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

    Reviews from Real Users

    Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

    PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

    A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

    A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Offer
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Learn more about Checkmarx
    Learn more about SonarQube
    Sample Customers
    State of Missouri, Rekner
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    REVIEWERS
    Financial Services Firm29%
    Computer Software Company16%
    Insurance Company9%
    Comms Service Provider7%
    VISITORS READING REVIEWS
    Computer Software Company19%
    Financial Services Firm16%
    Comms Service Provider7%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company35%
    Financial Services Firm23%
    Manufacturing Company12%
    Pharma/Biotech Company8%
    VISITORS READING REVIEWS
    Financial Services Firm22%
    Computer Software Company18%
    Manufacturing Company7%
    Insurance Company6%
    REVIEWERS
    Computer Software Company25%
    Financial Services Firm20%
    Comms Service Provider10%
    Insurance Company7%
    VISITORS READING REVIEWS
    Computer Software Company18%
    Financial Services Firm17%
    Manufacturing Company8%
    Comms Service Provider7%
    Company Size
    REVIEWERS
    Small Business26%
    Midsize Enterprise21%
    Large Enterprise52%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    REVIEWERS
    Small Business36%
    Midsize Enterprise16%
    Large Enterprise48%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise11%
    Large Enterprise75%
    REVIEWERS
    Small Business26%
    Midsize Enterprise17%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise72%
    Buyer's Guide
    Checkmarx vs. SonarQube
    March 2023
    Find out what your peers are saying about Checkmarx vs. SonarQube and other solutions. Updated: March 2023.
    690,226 professionals have used our research since 2012.

    Checkmarx is ranked 8th in Application Security Tools with 21 reviews while SonarQube is ranked 1st in Application Security Tools with 39 reviews. Checkmarx is rated 7.6, while SonarQube is rated 8.2. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Checkmarx is most compared with Snyk, Micro Focus Fortify on Demand, Coverity, Fortify Application Defender and OWASP Zap, whereas SonarQube is most compared with Coverity, Snyk, Sonatype Nexus Lifecycle, SonarCloud and Micro Focus Fortify on Demand. See our Checkmarx vs. SonarQube report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.