Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs Sonatype Lifecycle comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

ROI

Sentiment score
7.5
Organizations saw ROI with Checkmarx One via improved development speed, cost savings, and enhanced security, despite quantification challenges.
Sentiment score
7.0
Sonatype Lifecycle enhances visibility, security, and productivity, reducing vulnerability analysis time and lowering risks in application development.
We have seen cost savings and efficiency improvements as we now know what happens in what was previously a black box.
 

Customer Service

Sentiment score
7.1
Checkmarx One offers fast, expert support, though some users note resolution delays and additional support charges.
Sentiment score
5.7
Sonatype Lifecycle's customer service is praised for responsiveness and effectiveness, despite occasional delays with product enhancement requests.
They are helpful when we raise any tickets.
 

Scalability Issues

Sentiment score
7.1
Checkmarx One excels in scalability, integration, and automation, efficiently managing various organizational sizes though licensing can be restrictive.
Sentiment score
6.9
Sonatype Lifecycle is praised for infrastructure scalability and flexibility, but users report challenges with clustering and configuration complexities.
JFrog is easier to configure for high availability as it does not require extra components.
 

Stability Issues

Sentiment score
7.2
Checkmarx One is reliable with some performance issues during large scans; user ratings vary from six to ten.
Sentiment score
8.0
Sonatype Lifecycle is reliable and efficient, with minimal downtime and ease of use, even for large implementations.
I would rate the stability of this solution a nine on a scale of 1 to 10 where one is low stability and 10 is high.
Sonatype Lifecycle is very stable, especially in the binary repository management use case for managing binary artifacts.
 

Room For Improvement

Checkmarx One needs enhanced false positive reduction, language support, CD integration, pricing, UI, reporting, and automation improvements.
Sonatype Lifecycle should improve integration, reporting, support, user interface, and adapt to modern practices for better user experience.
It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from.
We also noticed a lack of detailed information for configuring Sonatype Lifecycle for high availability and data recovery.
 

Setup Cost

Checkmarx One offers high quality and performance, though its pricing varies and is often seen as expensive yet competitive.
Sonatype Lifecycle offers competitive pricing with valuable features, though costs may impact startups due to licensing complexity.
For larger numbers like our case with 1,000 user licenses, JFrog becomes much more cost-effective, roughly ten times cheaper than Sonatype.
 

Valuable Features

Checkmarx One provides comprehensive vulnerability analysis with intuitive features, efficient reporting, CI/CD integration, and extensive language support.
Sonatype Lifecycle enhances security with seamless DevOps integration, user-friendly interface, real-time updates, and efficient dependency management.
My experience with the initial setup of Checkmarx One is straightforward; it is not complex compared to other tools that I have tried.
The integration into our CICD pipeline enables us to continuously monitor code changes and identify new vulnerabilities.
The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities.
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
3rd
Average Rating
7.6
Reviews Sentiment
6.9
Number of Reviews
71
Ranking in other categories
Static Application Security Testing (SAST) (3rd), Vulnerability Management (24th), Static Code Analysis (3rd), API Security (5th), DevSecOps (5th), Risk-Based Vulnerability Management (9th)
Sonatype Lifecycle
Ranking in Application Security Tools
6th
Average Rating
8.4
Reviews Sentiment
7.0
Number of Reviews
45
Ranking in other categories
Software Composition Analysis (SCA) (4th), Software Supply Chain Security (3rd)
 

Mindshare comparison

As of July 2025, in the Application Security Tools category, the mindshare of Checkmarx One is 9.9%, down from 14.3% compared to the previous year. The mindshare of Sonatype Lifecycle is 2.6%, down from 3.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
SrinathKuppannan2 - PeerSpot reviewer
Easily identifies problematic versions and ensures adherence to regulatory standards like HIPAA, critical for industries dealing with sensitive information
While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further. I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen. I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads. * I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. * Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports, * Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future. On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
860,825 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
14%
Manufacturing Company
10%
Government
6%
Financial Services Firm
33%
Computer Software Company
12%
Manufacturing Company
9%
Government
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
How does Sonatype Nexus Lifecycle compare with SonarQube?
We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different t...
What do you like most about Sonatype Nexus Lifecycle?
Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines.
What is your experience regarding pricing and costs for Sonatype Nexus Lifecycle?
According to my calculations, if you are working with up to 200 developers, Sonatype is cheaper than JFrog. However, for larger numbers like our case with 1,000 user licenses, JFrog becomes much mo...
 

Also Known As

No data available
Sonatype Nexus Lifecycle, Nexus Lifecycle
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Find out what your peers are saying about Checkmarx One vs. Sonatype Lifecycle and other solutions. Updated: July 2025.
860,825 professionals have used our research since 2012.