We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube has an edge over Checkmarx in pricing, but Checkmarx offers better support.
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
"I like the ability to integrate Veracode with other coding platforms like Visual Studio, which helps you write code quickly by implementing already inserted code. For example, if we have tags you want to put in the software, it is effortless to choose which programming language you want to use in the integrated development environment."
"The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy."
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
"The Security Labs [is] where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place."
"You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
"The report function is the solution's greatest asset."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined; it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, and they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The administration in Checkmarx is very good."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"SonarQube has a lot of value; it reviews the basic coding standards and security vulnerabilities of code, which helps to reduce issues."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"The most valuable features are the analysis and detection of issues within the application code."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"The solution could improve the Dynamic Analysis Security Testing (DAST)."
"Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part."
"I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity."
"The training lab is not very user-friendly and takes a long time to set up."
"We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, 'Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it,' we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
"As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to."
"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"Dynamic scanning is missing and there are some issues with security scanning."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
"We did have some trouble with the LDAP integration for the console."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"Code security scanning could be improved."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
Checkmarx is ranked 8th in Application Security Tools with 21 reviews while SonarQube is ranked 1st in Application Security Tools with 39 reviews. Checkmarx is rated 7.6, while SonarQube is rated 8.2. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Checkmarx is most compared with Snyk, Micro Focus Fortify on Demand, Coverity, Fortify Application Defender and OWASP Zap, whereas SonarQube is most compared with Coverity, Snyk, Sonatype Nexus Lifecycle, SonarCloud and Micro Focus Fortify on Demand.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on what rules you configure. You have the option of creating a profile, which can be assigned to projects. If you configure the project and, under it, the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration on the developer machine is available only for Java-coded projects.
About vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans and Checkmarx is used during code movement to staging or during release.