You must select at least 2 products to compare!
Synopsys Logo
18,994 views|12,679 comparisons
Sonar Logo
58,263 views|46,097 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Mar 20, 2023

We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Coverity has a simple deployment process with on-screen instructions, but the total deployment time varies based on the project and integrations. Maintenance is vendor-handled. SonarQube has a straightforward initial setup and automatic deployment, but some database and Java knowledge is needed.
  • Features: Coverity helps identify defect root causes with contributing events. SonarQube detects code quality during development with defined rules.
  • Pricing: Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process. SonarQube has an open source option and their pricing for the paid version is reasonable.
  • Service and support: Coverity offers a decent support package with email, call, and on-demand sessions available, while SonarQube offers extensive documentation and online resources for support, which is sufficient for their users.

Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.

To learn more, read our detailed Coverity vs. SonarQube Report (Updated: September 2023).
735,432 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"The app analysis is the most valuable feature as I know other solutions don't have that.""It's pretty stable. I rate the stability of Coverity nine out of ten.""One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited.""The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution.""The product is easy to use.""I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward.""We were very comfortable with the initial setup.""The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."

More Coverity Pros →

"There are many options and examples available in the tool that help us fix the issues it shows us.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.""The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.""We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.""One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.""SonarQube is useful for controlling all of our Azure task tracking and scanning.""The solution offers a very good community edition."

More SonarQube Pros →

"Sometimes, vulnerabilities remain unidentified even after setting up the rules.""We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system.""SCM integration is very poor in Coverity.""The tool needs to improve its reporting.""Some features are not performing well, like duplicate detection and switch case situations.""We'd like it to be faster.""We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now.Some check checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues.""Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."

More Coverity Cons →

"The handling of the contents of Docker container images could be better.""I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script.""There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.""For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler.""The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.""SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.""It would be better if SonarQube provided a good UI for external configuration.""Lacks sufficient visibility and documentation."

More SonarQube Cons →

Pricing and Cost Advice
  • "Coverity is very expensive."
  • "This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."
  • "The pricing is very reasonable compared to other platforms. It is based on a three year license."
  • "The pricing is on the expensive side, and we are paying for a couple of items."
  • "The solution is affordable."
  • "I would rate the pricing a six out of ten, where one is low, and ten is high price."
  • "The tool's price is somewhere in the middle. It's neither cheap nor expensive. I would rate the pricing a five out of ten."
  • "Coverity’s price is on the higher side. It should be lower."
  • More Coverity Pricing and Cost Advice →

  • "On the pricing side, it's 3,000 Euros for 1 million lines of code."
  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • More SonarQube Pricing and Cost Advice →

    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    735,432 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Top Answer:I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward.
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are… more »
    Average Words per Review
    Average Words per Review
    Also Known As
    Synopsys Static Analysis
    Learn More

    Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts. 

    Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports 22 languages and over 70 frameworks and templates.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Learn more about Coverity
    Learn more about SonarQube
    Sample Customers
    MStar Semiconductor, Alcatel-Lucent
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    Manufacturing Company42%
    Computer Software Company21%
    Comms Service Provider16%
    Media Company5%
    Manufacturing Company25%
    Computer Software Company16%
    Financial Services Firm8%
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider8%
    Insurance Company6%
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Company Size
    Small Business17%
    Midsize Enterprise10%
    Large Enterprise72%
    Small Business14%
    Midsize Enterprise10%
    Large Enterprise76%
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    Coverity vs. SonarQube
    September 2023
    Find out what your peers are saying about Coverity vs. SonarQube and other solutions. Updated: September 2023.
    735,432 professionals have used our research since 2012.

    Coverity is ranked 4th in Application Security Testing (AST) with 19 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 30 reviews. Coverity is rated 7.8, while SonarQube is rated 8.2. The top reviewer of Coverity writes "Broad integration capacity and works with more languages than some competitors". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Coverity is most compared with Klocwork, Veracode, Checkmarx, Fortify on Demand and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx, SonarCloud, Veracode, Snyk and Sonatype Lifecycle. See our Coverity vs. SonarQube report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.