OWASP Zap vs SonarQube comparison

You must select at least 2 products to compare!
24,584 views|11,853 comparisons
Sonar Logo
57,447 views|45,232 comparisons
Comparison Buyer's Guide
Executive Summary

We performed a comparison between OWASP Zap and SonarQube based on real PeerSpot user reviews.

Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
To learn more, read our detailed OWASP Zap vs. SonarQube Report (Updated: November 2023).
745,341 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"It's great that we can use it with Portswigger Burp.""The HUD is a good feature that provides on-site testing and saves a lot of time.""You can run it against multiple targets.""The product discovers more vulnerabilities compared to other tools.""The solution has tightened our security.""ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.""The product helps users to scan and fix vulnerabilities in the pipeline.""It updates repositories and libraries quickly."

More OWASP Zap Pros →

"SonarQube is one of the more popular solutions because it supports 29 languages.""The SonarQube dashboard looks great.""This solution has helped with the integration and building of our CICD pipeline.""The product is simple.""This solution has the capability to analyze source code in almost all the languages in the market.""SonarQube is admin friendly.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""All the features of the solution are quite good."

More SonarQube Pros →

"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better.""There isn't too much information about it online.""The product should allow users to customize the report based on their needs.""Lacks resources where users can internally access a learning module from the tool.""The technical support team must be proactive.""The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.""The product reporting could be improved.""There are too many false positives."

More OWASP Zap Cons →

"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler.""We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.""It would be better if SonarQube provided a good UI for external configuration.""A little bit more emphasis on security and a bit more security scanning features would be nice.""This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.""SonarQube is not development-centric like Snyk.""During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.""SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."

More SonarQube Cons →

Pricing and Cost Advice
  • "We have used the freeware version. I believe Zap only has freeware."
  • "The solution’s pricing is high."
  • More OWASP Zap Pricing and Cost Advice →

  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • "We are using the Community edition of SonarQube."
  • More SonarQube Pricing and Cost Advice →

    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    745,341 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with… more »
    Top Answer:The product helps users to scan and fix vulnerabilities in the pipeline.
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Average Words per Review
    Average Words per Review
    Also Known As
    Learn More

    OWASP Zap is a free and open-source web application security scanner. 

    The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

    With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

    SonarQube, a core component of the Sonar solution, is an open source, self managed tool that systematically helps developers and organizations deliver Clean Code. SonarQube integrates into the developers' CI/CD pipeline and DevOps platform to detect and help fix issues in the code while performing continuous inspections of projects. Learn more:https://www.sonarsource.com/

    Supported by Sonar Clean as You Code methodology, only code that meets the defined quality standard can be released to production. SonarQube analyzes the most popular programming languages, frameworks, and infrastructure technologies and supports over 5,000 Clean Code rules. 

    Trusted by 7 million developers and 400,000 organizations globally to clean more than half a trillion lines of code, Sonar has become integral to delivering better software.

    Learn more about OWASP Zap
    Learn more about SonarQube
    Sample Customers
    1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    Computer Software Company29%
    Financial Services Firm18%
    Energy/Utilities Company12%
    Computer Software Company19%
    Financial Services Firm10%
    Comms Service Provider8%
    Computer Software Company31%
    Financial Services Firm21%
    Comms Service Provider7%
    Insurance Company6%
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Company Size
    Small Business15%
    Midsize Enterprise30%
    Large Enterprise55%
    Small Business21%
    Midsize Enterprise15%
    Large Enterprise64%
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    OWASP Zap vs. SonarQube
    November 2023
    Find out what your peers are saying about OWASP Zap vs. SonarQube and other solutions. Updated: November 2023.
    745,341 professionals have used our research since 2012.

    OWASP Zap is ranked 8th in Application Security Testing (AST) with 11 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 27 reviews. OWASP Zap is rated 7.2, while SonarQube is rated 8.2. The top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Acunetix, Qualys Web Application Scanning, Veracode and Fortify WebInspect, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and CAST Highlight. See our OWASP Zap vs. SonarQube report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.