We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.
"From my point of view, it is the best product on the market."
"The solution allows us to create custom rules for code checks."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"The most valuable feature for me is the Jenkins Plugin."
"The SAST component was absolutely 100% stable."
"Scan reviews can occur during the development lifecycle."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"It shows in-depth code of where actual vulnerabilities are."
"We have worked with the support from SonarQube and we have had good experiences."
"We consider it a handy tool that helps to resolve our issues immediately."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"I like that it covers most programming languages for source code review."
"The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
"The solution has a plug-in that supports both C and C++ languages."
"The product is simple."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported."
"If it is a very large code base then we have a problem where we cannot scan it."
"It is an expensive solution."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"I would like to see the tool’s pricing improved."
"Checkmarx is not good because it has too many false positive issues."
"Updating and debugging of queries is not very convenient."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"SonarQube is not development-centric like Snyk."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and Sonatype Lifecycle. See our Checkmarx One vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.