We performed a comparison between OWASP Zap and SonarQube based on real PeerSpot user reviews. Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"It's great that we can use it with Portswigger Burp."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"You can run it against multiple targets."
"The product discovers more vulnerabilities compared to other tools."
"The solution has tightened our security."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"It updates repositories and libraries quickly."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The SonarQube dashboard looks great."
"This solution has helped with the integration and building of our CICD pipeline."
"The product is simple."
"This solution has the capability to analyze source code in almost all the languages in the market."
"SonarQube is admin friendly."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"All the features of the solution are quite good."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"There isn't too much information about it online."
"The product should allow users to customize the report based on their needs."
"Lacks resources where users can internally access a learning module from the tool."
"The technical support team must be proactive."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"The product reporting could be improved."
"There are too many false positives."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"It would be better if SonarQube provided a good UI for external configuration."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"SonarQube is not development-centric like Snyk."
"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
OWASP Zap is a free and open-source web application security scanner.
The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.
With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.
SonarQube, a core component of the Sonar solution, is an open-source, self-managed tool that systematically helps developers and organizations deliver Clean Code. SonarQube integrates into the developers' CI/CD pipeline and DevOps platform to detect and help fix issues in the code while performing continuous inspections of projects. Learn more: https://www.sonarsource.com/
Supported by Sonar Clean as You Code methodology, only code that meets the defined quality standard can be released to production. SonarQube analyzes the most popular programming languages, frameworks, and infrastructure technologies and supports over 5,000 Clean Code rules.
Trusted by 7 million developers and 400,000 organizations globally to clean more than half a trillion lines of code, Sonar has become integral to delivering better software.
OWASP Zap is ranked 8th in Application Security Testing (AST) with 11 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 27 reviews. OWASP Zap is rated 7.2, while SonarQube is rated 8.2. The top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Acunetix, Qualys Web Application Scanning, Veracode and Fortify WebInspect, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and CAST Highlight. See our OWASP Zap vs. SonarQube report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.