Cancel
You must select at least 2 products to compare!
Veracode Logo
45,825 views|26,935 comparisons
Checkmarx Logo
41,874 views|32,089 comparisons
Sonar Logo
86,920 views|71,172 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Apr 20, 2022

We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Most users of both solutions say their initial setup is straightforward.
  • Features: Users of both products are happy with their ease of use, stability, and scalability. Most SonarQube reviewers mentioned ease of other product integration as a benefit, though they would like to see this improved in the free version. Checkmarx reviewers noted the benefits of the solution’s application security, scanning, and tracking, but some of them would like to see more integrations with other products.
  • Pricing: Most SonarQube reviewers feel satisfied with the pricing, especially with its free Community Edition. SonarQube offers an open-source version as well as a reasonably priced product in its market. On the other hand, Checkmarx reviewers say its pricing is expensive.
  • Service and Support: Most reviewers of Checkmarx are satisfied with the support levels but would like faster response times. Some reviewers of SonarQube feel that support leaves room for improvement.

Comparison Results: SonarQube has an edge over Checkmarx in pricing, but Checkmarx offers better support.

To learn more, read our detailed Checkmarx vs. SonarQube Report (Updated: October 2022).
653,522 professionals have used our research since 2012.
Q&A Highlights
Question: Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
Answer: My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place.""The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.""The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.""The time savings has been tremendous. We saw ROI in the first six months.""Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.""It's comprehensive from a feature standpoint.""In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application.""The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."

More Veracode Pros →

"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.""The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results.""The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.""The most valuable features of Checkmarx are the automation and information that it provides in the reports.""One of the most valuable features is it is flexible.""The value you can get out of the speedy production may be worth the price tag.""It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.""The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."

More Checkmarx Pros →

"Provides local scanning for developers.""It has very good scalability and stability.""The solution is stable.""Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""The most valuable features are that it is user-friendly, easy to access, and they provide good training files.""I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.""This solution has the capability to analyze source code in almost all the languages in the market."

More SonarQube Pros →

Cons
"The solution could improve the Dynamic Analysis Security Testing(DAST).""Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.""Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access.""The reports on offer are too verbose.""Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.""I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.""I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help.""The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."

More Veracode Cons →

"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information.""Checkmarx could be improved with more integration with third-party software.""We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.""Its user interface could be improved and made more friendly.""They could work to improve the user interface. Right now, it really is lacking.""We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.""They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.""Checkmarx needs to be more scalable for large enterprise companies."

More Checkmarx Cons →

"You may need to purchase add-ons to get the useability you desire.""I have found this solution creates more noise than competitors.""It should be user-friendly.""If you don't have any experience with the configuration or how to configure the files, it can be complicated.""Technical support and the price could be better.""It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.""Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.""A little bit more emphasis on security and a bit more security scanning features would be nice."

More SonarQube Cons →

Pricing and Cost Advice
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
  • "Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."
  • "From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • More Veracode Pricing and Cost Advice →

  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
  • "It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
  • "Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
  • "We have purchased an annual license to use this solution. The price is reasonable."
  • "We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
  • "The price of Checkmarx could be reduced to match their competitors, it is expensive."
  • "The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
  • "If you want more, you have to pay more. You have to pay for additional modules or functionalities."
  • More Checkmarx Pricing and Cost Advice →

  • "I am satisfied with the pricing."
  • "Can try developer version for 14 days on the free trial."
  • "It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
  • "I think comparing the product to competitors it should be less expensive."
  • "The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost."
  • "We use the free version; there are no hidden costs or licensing required."
  • "We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment."
  • "I use the full trial version of SonarQube."
  • More SonarQube Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    653,522 professionals have used our research since 2012.
    Answers from the Community
    William Hayes
    Swapna Ragi - PeerSpot reviewerSwapna Ragi
    Real User

    SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.


    Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.


    About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this.  https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/

    Durga Gudimetla - PeerSpot reviewerDurga Gudimetla
    Real User

    SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

    Questions from the Community
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Top Answer:The findings of their security analysis are wonderful. You can easily go through all the analyses done by Veracode. You… more »
    Top Answer:It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as… more »
    Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as… more »
    Top Answer:JaeLee, check out our comparison page hereof Veracode vs Checkmarx: https://www.itcentralstation.c... Checkmarx is… more »
    Top Answer:I’ve always viewed sonarqube as a code quality tool that compliments many code security tools like a checkmarx. 
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    Comparisons
    Also Known As
    Sonar
    Learn More
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

    Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

    Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

    Checkmarx Features

    Some of Checkmarx’s features include:

    • Source code scanning: Detect and repair more vulnerabilities before you release your code.

    • Open-source scanning: Find and eliminate the risks in your open-source code.

    • Interactive code scanning: Scan for vulnerabilities and runtime threats.

    • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

    Reviews from Real Users

    Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

    PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

    A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

    A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Offer
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Learn more about Checkmarx
    Learn more about SonarQube
    Sample Customers
    State of Missouri, Rekner
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    REVIEWERS
    Financial Services Firm31%
    Insurance Company11%
    Computer Software Company11%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company21%
    Financial Services Firm15%
    Comms Service Provider10%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company35%
    Financial Services Firm22%
    Manufacturing Company9%
    Pharma/Biotech Company9%
    VISITORS READING REVIEWS
    Financial Services Firm22%
    Computer Software Company19%
    Comms Service Provider8%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company22%
    Financial Services Firm21%
    Comms Service Provider10%
    Insurance Company7%
    VISITORS READING REVIEWS
    Computer Software Company20%
    Financial Services Firm17%
    Comms Service Provider10%
    Manufacturing Company8%
    Company Size
    REVIEWERS
    Small Business24%
    Midsize Enterprise27%
    Large Enterprise49%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise13%
    Large Enterprise71%
    REVIEWERS
    Small Business38%
    Midsize Enterprise16%
    Large Enterprise47%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise11%
    Large Enterprise76%
    REVIEWERS
    Small Business26%
    Midsize Enterprise17%
    Large Enterprise56%
    VISITORS READING REVIEWS
    Small Business15%
    Midsize Enterprise12%
    Large Enterprise73%
    Buyer's Guide
    Checkmarx vs. SonarQube
    October 2022
    Find out what your peers are saying about Checkmarx vs. SonarQube and other solutions. Updated: October 2022.
    653,522 professionals have used our research since 2012.

    Checkmarx is ranked 7th in Application Security Tools with 21 reviews while SonarQube is ranked 1st in Application Security Tools with 51 reviews. Checkmarx is rated 7.4, while SonarQube is rated 8.0. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Checkmarx is most compared with Micro Focus Fortify on Demand, Snyk, Coverity, Fortify Application Defender and Mend, whereas SonarQube is most compared with Coverity, Snyk, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and Mend. See our Checkmarx vs. SonarQube report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.