HCL AppScan and SonarQube compete in the application security and code quality market. Each offers distinct capabilities, but SonarQube may have the edge in integration, particularly within continuous integration pipelines, which is a significant advantage for development teams that want findings surfaced on every commit.
Features: HCL AppScan provides extensive vulnerability detection, dynamic scanning, and supports multiple languages with a low false-positive rate. SonarQube excels in integrating with continuous integration pipelines and offers comprehensive code quality analysis, customization, and static code analysis across various languages.
Room for Improvement: HCL AppScan could enhance false-positive handling, mobile application detection, and user interface design. Improvements in technical support and tool integration are also desired. SonarQube could expand language support, improve security features, reduce false positives, and enhance integration with development tools.
Ease of Deployment and Customer Service: HCL AppScan is deployable on-premises and across cloud configurations, with dedicated support channels, though some users report needing better service responsiveness. SonarQube offers flexible on-premises and cloud deployments, with users appreciating its efficient setup and supportive community, though documentation and integration with other tools could be improved.
Pricing and ROI: HCL AppScan is considered expensive, with various licensing models, yet users report a positive ROI due to fewer vulnerabilities and cost savings. SonarQube's open-source Community Edition offers cost-effectiveness, especially for community users, and its modular pricing model for the commercial editions provides flexibility, leading to improved code quality assurance and positive ROI.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.
They showed us where we can actually get that granular-level reporting extracted to Excel, which was a quick guide.
I would rate the technical support for SonarQube Server (formerly SonarQube) as a 10 because we have not faced any specific issues that required us to contact tech support, which is a very rare case.
The community support is quite effective.
I find SonarQube Server (formerly SonarQube) very scalable because we're able to create a new repository and integrate all the tools on that project and it just works.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or the LAN cable was unplugged.
Currently, it should also be able to analyze the code and generate and fix the code for specific developers or features that the developers are tracking.
If I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed.
Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further.
We use SonarQube Server's centralized management and visualization of code quality metrics on the dashboard, because that's the executive dashboard we send to the executives to show where we are in terms of quality and security, and where the company can improve.
Some of the static code analysis capabilities are the most beneficial.
The most valuable features of SonarQube Server (formerly SonarQube) for us include having control of the rules, enabling and disabling them.
IBM Security AppScan (now HCL AppScan) enhances web application security and mobile application security, improves application security program management, and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices: each analysis is measured against a configurable quality gate, and a failing gate can be used to block the merge or deployment. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.
What are the key features of SonarQube Server?

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.
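The "integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment" claim above rests on one concrete mechanism: after `sonar-scanner` uploads an analysis, a pipeline step asks the server whether the project's quality gate is green and fails the job if it is not. The script below is an added example written for this page, not SonarQube's own code. It calls the real Web API endpoint `api/qualitygates/project_status`, authenticating with a user token sent as the Basic-auth username and an empty password, as SonarQube documents. The environment variable names (`SONAR_HOST_URL`, `SONAR_TOKEN`, `SONAR_PROJECT_KEY`) are assumptions, and the two sample responses are constructed to mirror the endpoint's JSON shape so the parsing logic can be exercised offline.

```python
"""Fail a CI job when a SonarQube Server quality gate is not green.

Added example for this page, not SonarQube's own code. Queries
GET {host}/api/qualitygates/project_status?projectKey=... and exits
non-zero unless the gate status is OK, printing every failed condition.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample responses mirroring the endpoint's JSON shape (not captured from a real server).
SAMPLE_OK = {
    "projectStatus": {
        "status": "OK",
        "conditions": [
            {"status": "OK", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
        ],
    }
}

SAMPLE_FAILED = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
             "errorThreshold": "100", "actualValue": "66.7"},
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "52.3"},
        ],
    }
}


def failed_conditions(response: dict) -> list:
    """Return the gate conditions whose status is ERROR, in server order."""
    conditions = response["projectStatus"].get("conditions", [])
    return [c for c in conditions if c.get("status") == "ERROR"]


def gate_passed(response: dict) -> bool:
    """True only for an overall status of OK.

    Both ERROR and NONE (no gate computed yet) count as failure, so a job
    cannot slip through by querying before the analysis has been processed.
    """
    return response["projectStatus"].get("status") == "OK"


def describe_failure(cond: dict) -> str:
    """Render a failed condition as 'metric: actual (fails when <op> threshold)'."""
    op = {"GT": ">", "LT": "<"}.get(cond.get("comparator"), cond.get("comparator"))
    return f"{cond['metricKey']}: {cond['actualValue']} (fails when {op} {cond['errorThreshold']})"


def fetch_project_status(host: str, token: str, project_key: str) -> dict:
    """Call the Web API; the token goes in the Basic-auth username with an empty password."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = host.rstrip("/") + "/api/qualitygates/project_status?" + query
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> int:
    # Assumed variable names; provide them as masked CI variables, never in the repo.
    host = os.environ["SONAR_HOST_URL"]
    token = os.environ["SONAR_TOKEN"]
    key = os.environ["SONAR_PROJECT_KEY"]
    status = fetch_project_status(host, token, key)
    if gate_passed(status):
        print(f"Quality gate OK for {key}")
        return 0
    print(f"Quality gate {status['projectStatus']['status']} for {key}:")
    for cond in failed_conditions(status):
        print("  " + describe_failure(cond))
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the step after `sonar-scanner` in the pipeline. The scanner can do the same wait-and-fail itself when invoked with `-Dsonar.qualitygate.wait=true`; the separate script is useful when you want the failed conditions printed in the job log or want to gate a deployment stage that runs later than the analysis. For branch or pull-request analyses the endpoint also accepts `branch` or `pullRequest` parameters, and the query must name the same branch the scanner analysed, otherwise you are checking the main branch's gate rather than the change under review.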