OWASP Zap vs SonarCloud comparison

OWASP Zap
Read 37 OWASP Zap reviews
  • 18,630 Views
  • 8,671 Comparison Views
87% willing to recommend
SonarCloud
Read 10 SonarCloud reviews
  • 10,734 Views
  • 8,277 Comparison Views
100% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between OWASP Zap and SonarCloud based on real PeerSpot user reviews.

Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed OWASP Zap vs. SonarCloud Report (Updated: July 2024).
Buyer's Guide
OWASP Zap vs. SonarCloud
July 2024
Download the complete report
Helped 793,295 peers since 2012
 

Categories and Ranking

OWASP Zap
Ranking in Static Application Security Testing (SAST)
8th
Average Rating
7.6
Number of Reviews
37
Ranking in other categories
No ranking in other categories
SonarCloud
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
8.4
Number of Reviews
10
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2024, in the Static Application Security Testing (SAST) category, the mindshare of OWASP Zap is 4.7%, down from 6.8% compared to the previous year. The mindshare of SonarCloud is 9.0%, up from 6.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
Unique Categories:
No other categories found
No other categories found
 

Featured Reviews

YK
May 4, 2023
Stable dynamic testing solution with unreliable manual processes
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positive and the true findings need improvement. In general, the shortcomings in the accuracy of the findings need to be improved. The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
Read full review
Huzaifa Asif - PeerSpot reviewer
Dec 12, 2023
A comprehensive code quality management offering all-in-one functionality, including static code analysis, security assessments, and code optimization, while providing valuable insights for developers
There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could use improvement in providing clearer instructions. I found myself needing to engage with support multiple times to navigate through certain aspects. Additionally, it would be beneficial if it could streamline the integration process for new features. Enhancing documentation on how to integrate these features seamlessly would go a long way in improving user experience. The introduction of an auto-commit functionality would be a valuable addition. Some other tools offer this feature, allowing for the automatic creation of pull requests to address identified issues. This functionality significantly reduces the manual effort required.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"It's great that we can use it with Portswigger Burp."
"The application scanning feature is the most valuable feature."
"Automatic scanning is a valuable feature and very easy to use."
"The product discovers more vulnerabilities compared to other tools."
"The API is exceptional."
"Fuzzer and Java APIs help a lot with our custom needs."
"​It has improved my organization with faster security tests.​"
More OWASP Zap pros
"The reports from SonarCloud are very good."
"The most valuable feature of SonarCloud is its overall performance."
"The solution can be installed locally."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"For what it is meant to do, it works pretty well."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
More SonarCloud pros
 

Cons

"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"Lacks resources where users can internally access a learning module from the tool."
"There's very little documentation that comes with OWASP Zap."
"The product should allow users to customize the report based on their needs."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"OWASP Zap needs to extend to mobile application testing."
More OWASP Zap cons
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"We had some issues with the scanner."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"It would be helpful if notifications could go out to an extra person."
"SonarCloud's UI needs enhancement."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
More SonarCloud cons
 

Pricing and Cost Advice

"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"It is open source, and we can scan freely."
"The tool is open-source."
"The solution’s pricing is high."
"This app is completely free and open source. So there is no question about any pricing."
"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."
"OWASP Zap is free to use."
"It is highly recommended as it is an open source tool."
More OWASP Zap pricing and cost advice
"The price of SonarCloud is not expensive, it goes by the lines of code. 1 million lines per code are approximately 4,000 USD per year. If you need 2 million lines of code you would double the annual cost."
"The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable."
"The current pricing is quite cheap."
"While not extremely cheap, it aligns well with market standards and offers good value."
"I rate the pricing a five out of ten."
"I am using the free version of the solution."
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
793,295 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
19%
Financial Services Firm
11%
Government
8%
Manufacturing Company
7%
Computer Software Company
18%
Financial Services Firm
10%
Manufacturing Company
9%
Healthcare Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with ...
See all answers
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, i...
See all answers
What is your experience regarding pricing and costs for OWASP Zap?
The tool is open source.
See all answers
What do you like most about SonarCloud?
Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service.
See all answers
What is your experience regarding pricing and costs for SonarCloud?
I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pa...
See all answers
What needs improvement with SonarCloud?
There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation coul...
See all answers
 

Comparisons

SonarQube vs OWASP Zap Logo
SonarQube vs OWASP Zap
Compared 22% of the time
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
Compared 13% of the time
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Compared 11% of the time
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Compared 9% of the time
Rapid7 InsightAppSec vs OWASP Zap Logo
Rapid7 InsightAppSec vs OWASP Zap
Compared 3% of the time
More OWASP Zap Competitors
SonarQube vs SonarCloud Logo
SonarQube vs SonarCloud
Compared 78% of the time
Veracode vs SonarCloud Logo
Veracode vs SonarCloud
Compared 7% of the time
Checkmarx One vs SonarCloud Logo
Checkmarx One vs SonarCloud
Compared 4% of the time
GitLab vs SonarCloud Logo
GitLab vs SonarCloud
Compared 3% of the time
Coverity vs SonarCloud Logo
Coverity vs SonarCloud
Compared 2% of the time
More SonarCloud Competitors
 

Product Reports

Buyer's Guide
OWASP Zap
July 2024
OWASP Zap reportDownload OWASP Zap product report
Buyer's Guide
SonarCloud
June 2024
SonarCloud reportDownload SonarCloud product report
 

Learn More

OWASP
Sonar
 

Interactive Demo

Demo not available
OWASP
Sonar
 

Overview

OWASP Zap is a free and open-source web application security scanner. 

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

SonarCloud is a cloud-based alternative of the SonarQube platform, offering continuous code quality and security analysis as a service. SonarCloud integrates seamlessly with popular version control and CI/CD platforms such as GitHub, Bitbucket, and Azure DevOps. It provides static code analysis to identify and help remediate issues such as bugs and security vulnerabilities. SonarCloud enables developers to receive immediate feedback on their code within their development environment, facilitating the maintenance of high-quality code standards, and promoting a culture of continuous improvement in software development projects. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects and is offered as a paid subscription for private projects, priced per lines of code.

 

Sample Customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Buyer's Guide
OWASP Zap vs. SonarCloud
July 2024
Free Report: OWASP Zap vs. SonarCloud
Find out what your peers are saying about OWASP Zap vs. SonarCloud and other solutions. Updated: July 2024.
DOWNLOAD NOW
793,295 professionals have used our research since 2012.
See our OWASP Zap vs. SonarCloud report.
See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.