We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube has an edge over Checkmarx in pricing, but Checkmarx offers better support.
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The time savings has been tremendous. We saw ROI in the first six months."
"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
"It's comprehensive from a feature standpoint."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"One of the most valuable features is it is flexible."
"The value you can get out of the speedy production may be worth the price tag."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"Provides local scanning for developers."
"It has very good scalability and stability."
"The solution is stable."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"This solution has the capability to analyze source code in almost all the languages in the market."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"The reports on offer are too verbose."
"Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"Checkmarx could be improved with more integration with third-party software."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Its user interface could be improved and made more friendly."
"They could work to improve the user interface. Right now, it really is lacking."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"Checkmarx needs to be more scalable for large enterprise companies."
"You may need to purchase add-ons to get the useability you desire."
"I have found this solution creates more noise than competitors."
"It should be user-friendly."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"Technical support and the price could be better."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.
Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.
Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.
Some of Checkmarx’s features include:
Reviews from Real Users
Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.
PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”
A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”
A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Checkmarx is ranked 7th in Application Security Tools with 21 reviews while SonarQube is ranked 1st in Application Security Tools with 51 reviews. Checkmarx is rated 7.4, while SonarQube is rated 8.0. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Checkmarx is most compared with Micro Focus Fortify on Demand, Snyk, Coverity, Fortify Application Defender and Mend, whereas SonarQube is most compared with Coverity, Snyk, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and Mend. See our Checkmarx vs. SonarQube report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.