Coverity Static vs Klocwork vs SonarQube comparison

Black Duck and Perforce are both solutions in the Static Application Security Testing (SAST) category. Black Duck is ranked #8 with an average rating of 7.8, while Perforce is ranked #15 with an average rating of 8.2. Black Duck holds a 3.8% mindshare in SAST, compared to Perforce’s 1.4% mindshare. Additionally, 89% of Black Duck users are willing to recommend the solution, compared to 93% of Perforce users who would recommend it.

Coverity Static

Read 43 Coverity Static reviews

9,882 Views
8,103 Comparison Views

89% willing to recommend

Klocwork

Read 25 Klocwork reviews

3,729 Views
2,349 Comparison Views

93% willing to recommend

SonarQube

Read 135 SonarQube reviews

37,820 Views
27,609 Comparison Views

84% willing to recommend

Coverity Static

Klocwork

SonarQube

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Coverity Static, Klocwork, and SonarQube based on real PeerSpot user reviews.

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: March 2026).

Buyer's Guide

Static Application Security Testing (SAST)

March 2026

Download the complete report

Helped 885,667 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of April 2026, in the Static Application Security Testing (SAST) category, the mindshare of Coverity Static is 3.8%, down from 8.0% compared to the previous year. The mindshare of Klocwork is 1.4%, down from 1.8% compared to the previous year. The mindshare of SonarQube is 17.7%, down from 25.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST) Mindshare Distribution
Product	Mindshare (%)
SonarQube	17.7%
Coverity Static	3.8%
Klocwork	1.4%
Other	77.1%

Static Application Security Testing (SAST)

Featured Reviews

Kasiraja Thangapandian

Software Engineering Manager at Visteon Corporation

Using tools for compliance is beneficial but cost concerns persist

We have been using Coverity for quite a long period. It has been fine for our needs. I would rate Coverity between eight to nine, though the cost is high. I would rate their support from Coverity as six. That is the main complaint, but we still appreciate having it.

Read full review

Krishna M Gopalakrishnan

Manager, Quality, Functional Safety, Cybersecurity Embedded Processing at a manufacturing company with 10,001+ employees

Experience with compliance improvements and efficiency boosts but static analysis engine shows a need for enhancement

One area for improvement is that when customers use different static analysis tools, they report more issues compared to Klocwork. The static analysis engine of Klocwork has areas that need improvement. Customers using different static analysis tools report more issues than with Klocwork, indicating that Klocwork's engine is not as superior. Klocwork should be able to analyze large codebases efficiently, supporting a desktop version for periodic small delta changes before pushing to the server.

Read full review

KarthikHarpanhalli

Sr Software Engineering Supervisor at Mozarc Medical

Gains control over rule customization and achieves reliable vulnerability assessment

The deployment process took me about 2 or 3 hours to deploy SonarQube Server (formerly SonarQube), although I do not remember exactly since it was done about 2 years back. Currently, about 10 of my developers are using SonarQube Server (formerly SonarQube) in my company. I do not have plans to increase the usage of SonarQube Server (formerly SonarQube) in the future as there will not be any requirement to increase. I am a senior software engineer and supervisor at Mozark Medical. My corporate email address is karthik.k.a.r.t.h.i.k.h.a.r.p.a.n.h.a.l.l.i@mozarkmedical.com. Overall, I would rate SonarQube Server (formerly SonarQube) as a 9 out of 10.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."

"If you have enough budget, it is one of the best solutions right now."

"The interface of Coverity is quite good, and it is also easy to use."

"The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."

"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."

"The ability to scan code gives us details of existing and potential vulnerabilities."

"Considering the analysis part and the benchmarking process involving the product that my company carried out, the solution is good for finding bugs and violations"

"The most valuable feature is the ability to find vulnerabilities in our code."

More Coverity Static pros

"On-the-fly analysis and incremental analysis are the best parts of Klocwork, and currently we are using both of these features very effectively."

"The whole package offers a lot of possibilities: add-ons for Eclipse, standalone clients, access via web site, support, documentation, command line."

"The customer support team is very responsive, proactive, and engages in conversations to ensure our needs are met."

"Klocwork has reduced the manual analysis for a lot of scenarios like checking for internal standards and has saved a lot of time in developing code through the on the fly analysis mode."

"The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time."

"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."

"One can increase the number of vendors, so the solution is scalable."

"The best advantage of Klocwork is the reduced setup time."

More Klocwork pros

"We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues."

"It provides the security that is required from a solution for financial businesses."

"We previously used Codacy, but we switched to SonarCloud because of their good reputation and we compared reports from both of them and SonarCloud seems to be more accurate."

"It is a very good tool for analysis despite its limitations."

"The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities."

"I would suggest trying the product."

"SonarQube is useful for controlling all of our Azure task tracking and scanning."

"The solution can verify vulnerabilities, code smells, and hotspots, making the software more secure and helping make a junior or novice developer sharper."

More SonarQube pros

Cons

"The tool needs to improve its reporting."

"Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."

"Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role."

"It would be great if we could customize the rules to focus on critical issues."

"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."

"I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."

"Coverity is not stable."

"Its price can be improved. Price is always an issue with Synopsys."

More Coverity Static cons

"Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03."

"Even though it does the job, there's room for feature enhancements, such as integrations with Git for better tracking and notifications."

"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."

"The way to define the rules is too complex."

"I would like to see better codes between projects and a more user-friendly desktop in the next release."

"I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc."

"Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."

"Customers using different static analysis tools report more issues than with Klocwork, indicating that Klocwork's engine is not as superior."

More Klocwork cons

"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."

"The interface could be a little better and should be enhanced."

"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."

"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons."

"I see a problem with SonarQube Server (formerly SonarQube) because the vulnerability assessment is continuous; if I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed."

"Currently requires multiple tools, lacking one overall tool."

"There could be better integration with other products. It could have more functionality, and the updates could be faster."

"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."

More SonarQube cons

Pricing and Cost Advice

"Coverity is quite expensive."

"I would rate the tool's pricing a one out of ten."

"Coverity is very expensive."

"The solution's pricing is comparable to other products."

"The solution is affordable."

"It is expensive."

"The pricing is very reasonable compared to other platforms. It is based on a three year license."

"The tool was fairly priced."

More Coverity Static pricing and cost advice

"Licensing fees are paid annually, but they also have a perpetual license."

"When it comes to licensing, the solution has two packages, one for a fixed and the other for a floating server, with the former being more cost effective than the latter."

"Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward."

"The pricing for Klocwork is very competitive if you compare it from apple to apple. It has competitive pricing regarding the licensing model and the per-license cost. Klocwork isn't a high-end investment for anyone deploying it; even SMBs can afford it. The Klocwork cost per user would depend on the license type, so I'm unable to mention a ballpark figure because it would depend on the type of installation and how the deployment will be, and the nodes to give an accurate calculation or figure. The total price depends on the package, so my company could never publish pricing for Klocwork on the website. My team first collects information from potential clients on the deployment scenario, project environment, etc., before suggesting a package for Klocwork. My rating for Klocwork in terms of pricing is a five because of its flexible license models. There's a license model for every type of organization, whether small, midsize, or enterprise, so it's a five out of five for me."

"The limitation that we have is that Klocwork is licensed to certain programs, and if you want to license them to other programs, you have to pay more money."

"This solution offers competitive pricing."

"There are other solutions on the market such as Microsoft Visual Studio. They have been adding more static code analysis features that come for free. It is getting better all the time. That is one of the possibilities is that we've been considering that we may stop using the Klocwork because it doesn't give us any added value."

"Klocwork should not to be quite so heavy handed on the licensing for very specific programs."

"I rate the pricing a five out of ten."

"Get the paid version which allows the customized dashboard and provides technical support."

"The tool's pricing is reasonable."

"We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment."

"We pay €10 per month for this solution, which is good. It provides a good value for money."

"While not extremely cheap, it aligns well with market standards and offers good value."

"The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost."

"The developer edition is based on cost per lines of code."

More SonarQube pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

885,667 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Manufacturing Company

31%

Computer Software Company

10%

Financial Services Firm

Comms Service Provider

Manufacturing Company

22%

Computer Software Company

Transportation Company

Comms Service Provider

Manufacturing Company

13%

Financial Services Firm

13%

Computer Software Company

12%

Comms Service Provider

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	8
Midsize Enterprise	6
Large Enterprise	31

By reviewers
Company Size	Count
Small Business	12
Midsize Enterprise	2
Large Enterprise	12

By reviewers
Company Size	Count
Small Business	42
Midsize Enterprise	24
Large Enterprise	79

Questions from the Community

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and securi...

See all answers

What is your experience regarding pricing and costs for Coverity?

I do not know about the pricing.

See all answers

What needs improvement with Coverity?

The price is a concern, and there are a lot of false positives coming through. Support with Coverity is adequate, but...

See all answers

What is your experience regarding pricing and costs for Klocwork?

Klocwork's pricing seems attractive, as it uses a per-user license model that does not have a lot of overhead.

See all answers

What needs improvement with Klocwork?

One area for improvement is that when customers use different static analysis tools, they report more issues compared...

See all answers

What is your primary use case for Klocwork?

I work on tools such as Klocwork, LDRA, as well as Jira and Confluence, focusing more on the software quality assuran...

See all answers

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which ...

See all answers

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

See all answers

How does Snyk compare with SonarQube?

Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to...

See all answers

Comparisons

Veracode vs Coverity Static

Compared 7% of the time

CodeSonar vs Coverity Static

Compared 6% of the time

Polyspace Code Prover vs Coverity Static

Compared 6% of the time

Checkmarx One vs Coverity Static

Compared 5% of the time

OpenText Core Application Security vs Coverity Static

Compared 4% of the time

More Coverity Static Competitors

Polyspace Code Prover vs Klocwork

Compared 8% of the time

Helix QAC vs Klocwork

Compared 7% of the time

Axivion Static Code Analysis vs Klocwork

Compared 4% of the time

Checkmarx One vs Klocwork

Compared 4% of the time

Veracode vs Klocwork

Compared 3% of the time

More Klocwork Competitors

Checkmarx One vs SonarQube

Compared 30% of the time

Snyk vs SonarQube

Compared 9% of the time

GitHub Advanced Security vs SonarQube

Compared 4% of the time

OpenText Core Application Security vs SonarQube

Compared 4% of the time

Aikido Security vs SonarQube

Compared 1% of the time

More SonarQube Competitors

Product Reports

Buyer's Guide

Coverity Static

March 2026

Download Coverity Static product report

Buyer's Guide

Klocwork

March 2026

Download Klocwork product report

Buyer's Guide

SonarQube

March 2026

Download SonarQube product report

Also Known As

Synopsys Static Analysis

No data available

Sonar, SonarQube Cloud

Interactive Demo

Demo not available

Black Duck

Demo not available

Perforce

SonarSource Sàrl

Overview

Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports more than 20 languages and 200 frameworks and templates.

Black Duck

Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.

Perforce

SonarQube leads automated code review, enhancing code quality and security in AI-driven SDLCs. It analyzes pull requests, providing developers with actionable feedback and AI-driven fixes before code merges. Trusted by top enterprises, it supports SaaS and self-managed deployments.

SonarQube supports a wide range of programming languages and integrates seamlessly with CI/CD tools like Jenkins. It is renowned for its static code analysis, code coverage, and security vulnerability detection. While its open-source foundation and scalability are praised, users seek enhanced integration across multiple languages, better security features, and improved documentation. Despite challenges, its ability to automate code inspections and ensure compliance with coding standards makes it essential in software development processes, facilitating continuous improvement.

What are the most important features?

Language Support: Extensive support for multiple programming languages.
Custom Coding Rules: Allows defining project-specific rules.
Integration: Seamlessly works with Jenkins and CI/CD pipelines.
Quality Gates: Simplifies monitoring code quality.
Dashboards: Facilitates easy monitoring and management.
Static Code Analysis: Detects issues early in development.
Security Detection: Identifies vulnerabilities automatically.

What benefits should users look for?

Improved Code Quality: Enhances reliability and maintainability.
Security Assurance: Strengthens code against vulnerabilities.
Technical Debt Reduction: Ensures cleaner, maintainable code.
Efficient Feedback: Speeds up development cycles.
Standards Compliance: Aids in adhering to best practices.

In industries like finance, healthcare, and automotive, SonarQube is leveraged for static code analysis, automating code inspections, and ensuring compliance with stringent standards. Teams integrate it into their CI/CD pipelines to maintain high-quality code, identify security vulnerabilities, and enhance code maintainability.

SonarSource Sàrl

Sample Customers

SAP, Mega International, Thales Alenia Space

ACCESS Co Ltd, Risk-AI, Winbond Electronics, Bristol-Myers Squibb Pharmaceutical Research Institute, University of Southern California, Alebra Technologies, SIMULIA, Risk Management Solutions, Brigham Young University, SRD, HRL

Snowflake, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.

Buyer's Guide

Static Application Security Testing (SAST)

March 2026

Download Free Report

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: March 2026.

DOWNLOAD NOW

885,667 professionals have used our research since 2012.