HCL AppScan vs Invicti vs SonarQube Server (formerly SonarQube) comparison

SonarQube Server (formerly ...

Read 29 Invicti reviews

2,499 Views
500 Comparison Views

96% willing to recommend

Read 116 SonarQube Server (formerly SonarQube) reviews

35,651 Views
11,770 Comparison Views

81% willing to recommend

HCL AppScan

SonarQube Server (formerly ...

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between HCL AppScan, Invicti, and SonarQube Server (formerly SonarQube) based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: June 2025).

Static Application Security Testing (SAST)

Download the complete report

Helped 858,649 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of HCL AppScan is 2.6%, up from 2.5% compared to the previous year. The mindshare of Invicti is 1.5%, up from 1.2% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 23.9%, down from 27.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Sthembiso Zondi

Head of Software Engineering at ronaldmariah@gmail.com

Has a straightforward setup process and valuable security features

We use AppScan primarily for security testing and performance monitoring across our systems The product's features for comprehensive code analysis (static) and live environment testing (dynamic) have significantly enhanced our ability to identify and address vulnerabilities, improving overall…

Read full review

Kunal M

Capability Center Leader, ETRM Platforms at Shell

Proactive scanning measures and realistic audit recommendations enhance development focus

Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.

Read full review

Sthembiso Zondi

Head of Software Engineering at ronaldmariah@gmail.com

Consistent improvements in code quality and security with effective integration and reliable technical support

The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective. We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes. The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution is cheap."

"It's generally a very user-friendly tool. Anyone can easily learn how to scan"

"The static scans are good, and the SaaS as well."

"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."

"This is a stable solution."

"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."

"It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."

"The security and the dashboard are the most valuable features."

More HCL AppScan pros

"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."

"This tool is really fast and the information that they provide on vulnerabilities is pretty good."

"High level of accuracy and quick scanning."

"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."

"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."

"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."

"Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment."

"I like that it's stable and technical support is great."

More Invicti pros

"It provides the security that is required from a solution for financial businesses."

"Some of the static code analysis capabilities are the most beneficial."

"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."

"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."

"It is a very good tool for analysis and security vulnerability checking."

"We've configured it to run on each commit, providing feedback on our software quality. ]"

"This has improved our organization because it has helped to find Security Vulnerabilities."

"We have worked with the support from SonarQube and we have had good experiences."

More SonarQube Server (formerly SonarQube) pros

Cons

"There are so many lines of code with so many different categories that I am likely to get lost. "

"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."

"The solution often has a high number of false positives. It's an aspect they really need to improve upon."

"Scans become slow on large websites."

"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."

"The databases for HCL are small and have room for improvement."

"The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."

"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."

More HCL AppScan cons

"The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them."

"The scanner itself should be improved because it is a little bit slow."

"Maybe the ability to make a good reporting format is needed."

"The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker."

"The support's response time could be faster since we are in different time zones."

"Invicti's reporting capabilities need enhancement."

"Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses."

"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."

More Invicti cons

"It should be user-friendly."

"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."

"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."

"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."

"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."

"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."

"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."

"There could be better integration with other products."

More SonarQube Server (formerly SonarQube) cons

Pricing and Cost Advice

"HCL AppScan is expensive."

"The product is moderately priced, though it's an investment due to extensive code analysis needs."

"With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level."

"Our clients are willing to pay the extra money. It is expensive."

"AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost."

"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."

"I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer."

"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."

More HCL AppScan pricing and cost advice

"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."

"OWASP Zap is free and it has live updates, so that's a big plus."

"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."

"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."

"It is competitive in the security market."

"The price should be 20% lower"

"We never had any issues with the licensing; the price was within our assigned limits."

"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."

More Invicti pricing and cost advice

"SonarQube is a cost-effective solution."

"I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube."

"The free version of SonarQube does everything that we need it to."

"SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code."

"We're using the Community Edition, and we don't pay for anything."

"The price of this solution is more expensive than competitors. However, it works better than competitors."

"There is both a free and licensed version. The free version has limitations on development languages and support."

"It is very expensive. Its price should be improved."

More SonarQube Server (formerly SonarQube) pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

858,649 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Computer Software Company

18%

Financial Services Firm

14%

Government

12%

Manufacturing Company

Educational Organization

32%

Financial Services Firm

13%

Computer Software Company

10%

Manufacturing Company

Financial Services Firm

16%

Computer Software Company

15%

Manufacturing Company

13%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What do you like most about HCL AppScan?

The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.

What needs improvement with HCL AppScan?

AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar ...

What is your primary use case for HCL AppScan?

The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We us...

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?

As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing mode...

What do you like most about Invicti?

The most valuable feature of Invicti is getting baseline scanning and incremental scan.

What needs improvement with Invicti?

Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details...

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which ...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and securi...

OpenText Core Application Security vs HCL AppScan

Comparisons

Acunetix vs HCL AppScan

Compared 15% of the time

Veracode vs HCL AppScan

Compared 10% of the time

Compared 7% of the time

OWASP Zap vs HCL AppScan

Compared 7% of the time

Snyk vs HCL AppScan

Compared 3% of the time

More HCL AppScan Competitors

Acunetix vs Invicti

Compared 19% of the time

OWASP Zap vs Invicti

Compared 12% of the time

Veracode vs Invicti

Compared 6% of the time

Snyk vs Invicti

Compared 5% of the time

Qualys Web Application Scanning vs Invicti

Compared 5% of the time

More Invicti Competitors

Coverity vs SonarQube Server (formerly SonarQube)

Compared 13% of the time

Checkmarx One vs SonarQube Server (formerly SonarQube)

Compared 12% of the time

GitHub Advanced Security vs SonarQube Server (formerly SonarQube)

Compared 11% of the time

SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)

Compared 7% of the time

Veracode vs SonarQube Server (formerly SonarQube)

Compared 7% of the time

More SonarQube Server (formerly SonarQube) Competitors

Product Reports

HCL AppScan

Download HCL AppScan product report

Download Invicti product report

SonarQube Server (formerly SonarQube)

May 2025

SonarQube Server (formerly SonarQube) report

Download SonarQube Server (formerly SonarQube) product report

Also Known As

IBM Security AppScan, Rational AppScan, AppScan

Netsparker

Sonar

Interactive Demo

Demo not available

HCLSoftware

Demo not available

Sonar

Overview

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCLSoftware

Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?

Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
Custom coding rules: Allows for tailored rule sets to match specific coding standards.
Flexible quality gates: Define criteria for code acceptance at various intervals.
CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
Rich interface: User-friendly dashboard with detailed visual insights.

What benefits should users expect from SonarQube Server?

Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
Maintainability: Reduces technical debt, yielding long-term development efficiency.
Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sonar

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT

Samsung, The Walt Disney Company, T-Systems, ING Bank

Information Not Available

Static Application Security Testing (SAST)