No more typing reviews! Try our Samantha, our new voice AI agent.

GitHub Code Scanning vs OpenText Core Application Security comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 29, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

GitHub Code Scanning
Ranking in Static Application Security Testing (SAST)
18th
Average Rating
8.6
Reviews Sentiment
6.7
Number of Reviews
6
Ranking in other categories
No ranking in other categories
OpenText Core Application S...
Ranking in Static Application Security Testing (SAST)
9th
Average Rating
8.0
Reviews Sentiment
7.0
Number of Reviews
64
Ranking in other categories
Application Security Tools (10th)
 

Mindshare comparison

As of July 2026, in the Static Application Security Testing (SAST) category, the mindshare of GitHub Code Scanning is 1.3%, down from 1.3% compared to the previous year. The mindshare of OpenText Core Application Security is 3.3%, down from 4.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
OpenText Core Application Security3.3%
GitHub Code Scanning1.3%
Other95.4%
Static Application Security Testing (SAST)
 

Featured Reviews

AK
Software Development Manager at Amazon
Code scanning identifies vulnerabilities quickly and improves team response with minimal setup
I have been using Git for approximately 13-14 years. I have used GitHub Code Scanning for about three to four years. The primary purpose is to identify any vulnerability in the code itself. The system logs vulnerabilities that we can immediately examine to see all the error-prone areas. The AI functionalities include predefined agents that scan through and immediately provide responses regarding the best nomenclature or code coverage percentage. It's actually a one-time setup, and the team benefits as long as they push code and changes in the repository itself. Every time we push something, we immediately check the total deviation, whether our code coverage has improved, or if any vulnerability has been identified. There is always a metrics dashboard that we can see and identify. Primarily, GitHub is used for doing the versioning itself in the repository. With vulnerability functionality being provided and AI agents available, it makes a complete package. As soon as we publish our code, we immediately get to know the test code coverage. This immediately informs us about all the vulnerable areas which are not being fully tested. If we address those areas, most vulnerabilities are resolved. Even after tests are added, if by any chance the test is not treated cleanly or corner cases are missed, GitHub Code Scanning immediately flags those corners. It's always beneficial to have because it's not humanly possible to check all corner case scenarios, but as a system where they diagnose each line item, that's very helpful.
Himanshu_Tyagi - PeerSpot reviewer
Lead Cybersecurity at TBO
Supports secure development pipelines and improves issue detection but limits internal visibility and needs broader dashboard integration
If you have an internal team and you want your internal team to validate false positives, basically to determine whether it's a valid issue or an invalid issue, then I wouldn't recommend it much. That was the only reason we migrated from Fortify on Demand to another solution. Fortify has another tool which is Fortify WebInspect. On Demand is the outsourcing solution, and WebInspect you can use with your in-house team, which is basically the product developed by the Fortify team. For automated scanning, Fortify helps a lot. Regarding the visibility for the internal team, everyone is moving toward the DevSecOps side, and Fortify team has made good progress that you can integrate into your CICD pipeline. One thing I would highlight is if Fortify can focus more on the centralized dashboard of the tools because nowadays, tools such as SentinelOne also exist for identifying security issues, but they have a centralized dashboard that merges their cloud solution and application security side solution together. If you have one tool that works for different solutions, it helps a lot. They are doing good, but they should invest more on the AI side as well because AI security is evolving these days. On the cloud side, they have already made good progress, but I believe they should explore the new area related to AI security as well.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"We use GitHub Code Scanning mostly for source code management."
"It's very scalable, very easy to handle, and very intuitive."
"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"GitHub Code Scanning has positively impacted my organization as it helps us recognize errors and avoid many later issues which may arise."
"The static code analysis capability in GitHub Code Scanning is a very powerful feature, providing the ability to identify vulnerabilities and ensure code quality."
"GitHub Code Spaces brings significant value with its simplicity and ease of use."
"Audit workbench: for on-the-fly defect auditing."
"HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software."
"Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
"I use the solution in my company for security code scans."
"The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues."
"I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
 

Cons

"In my opinion, areas of GitHub Code Scanning that could be improved include that a few things are not visible to us, such as where it stores data and which path."
"One area for improvement could be the ability to have an AI system digest the reports generated from code scanning and provide a summary. Currently, the reports can be extensive, and users may overlook details, such as outdated libraries, which could be highlighted for attention."
"GitHub Code Scanning should add more templates."
"When running code scans, GitHub Code Scanning provides recommendations for probable fixes. However, integrating a feature where developers receive real-time highlights of vulnerabilities when checking in or merging a PR would be beneficial."
"At times it becomes very annoying as it highlights certain things which are intuitive. They require code coverage for those aspects as an extra overhead."
"I would say OpenText Core Application Security is not very user-friendly in terms of price; it is quite high."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."
"The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."
"When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
"We have some stability issues, but they are minimal."
"Temenos's (T-24) info basic is a separate programming interface, and such proprietary platforms and programming interfaces were not easily supported by the out-of-the-box versions of Fortify."
 

Pricing and Cost Advice

"GitHub Code Scanning is a moderately priced solution."
"The minimum pricing for the tool is five dollars a month."
"It is cost-effective."
"It is quite expensive. Pricing and the licensing model could be improved."
"It is not more expensive than other solutions, but the pricing is competitive."
"Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings."
"Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand)."
"Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
"Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten."
"I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
11%
Manufacturing Company
10%
Computer Software Company
9%
Construction Company
5%
Financial Services Firm
14%
Manufacturing Company
12%
Construction Company
7%
Government
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
By reviewers
Company SizeCount
Small Business18
Midsize Enterprise8
Large Enterprise46
 

Questions from the Community

What is your experience regarding pricing and costs for GitHub Code Scanning?
The organization pays for the license of GitHub Code Scanning, but specific price details are unknown.
What needs improvement with GitHub Code Scanning?
In my opinion, areas of GitHub Code Scanning that could be improved include that a few things are not visible to us, such as where it stores data and which path. There is a separate team for that w...
What advice do you have for others considering GitHub Code Scanning?
I am an end user only here with GitHub Code Scanning. I currently might be using the latest version of GitHub Code Scanning, but I don't remember the specific version. I have not utilized the real-...
What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?
In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...
What needs improvement with Micro Focus Fortify on Demand?
Areas for improvement should be contextualized post the OpenText acquisition, but back when I was working with Micro Focus, they focused heavily on enterprise-centric solutions. Now, after the acqu...
What is your primary use case for Micro Focus Fortify on Demand?
For OpenText Core Application Security, I currently support a couple of my clients who are using Fortify on Demand for their web application, CRM, and sales platform. Many good features of Fortify ...
 

Also Known As

No data available
Micro Focus Fortify on Demand
 

Overview

 

Sample Customers

Information Not Available
SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.
Find out what your peers are saying about GitHub Code Scanning vs. OpenText Core Application Security and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.