• Home
  • OWASP Zap vs. SonarQube

OWASP Zap vs SonarQube comparison

Cancel
You must select at least 2 products to compare!
OWASP Logo

OWASP Zap

Read 11 OWASP Zap reviews
24,584 views|11,853 comparisons
Sonar Logo

SonarQube

Read 27 SonarQube reviews
57,447 views|45,232 comparisons
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
OWASP Zap vs. SonarQube
November 2023
Executive Summary

We performed a comparison between OWASP Zap and SonarQube based on real PeerSpot user reviews.

Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
To learn more, read our detailed OWASP Zap vs. SonarQube Report (Updated: November 2023).
Download the complete report
745,341 professionals have used our research since 2012.
Featured Review
Yudhistiro Kusumonegoro
Stable dynamic testing solution with unreliable manual processes
It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities,... Read more →
Anonymous User
Code quality assurance solution that supports many coding languages
This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not... Read more →
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"It's great that we can use it with Portswigger Burp.""The HUD is a good feature that provides on-site testing and saves a lot of time.""You can run it against multiple targets.""The product discovers more vulnerabilities compared to other tools.""The solution has tightened our security.""ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.""The product helps users to scan and fix vulnerabilities in the pipeline.""It updates repositories and libraries quickly."

More OWASP Zap Pros →

"SonarQube is one of the more popular solutions because it supports 29 languages.""The SonarQube dashboard looks great.""This solution has helped with the integration and building of our CICD pipeline.""The product is simple.""This solution has the capability to analyze source code in almost all the languages in the market.""SonarQube is admin friendly.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.""All the features of the solution are quite good."

More SonarQube Pros →

Cons
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better.""There isn't too much information about it online.""The product should allow users to customize the report based on their needs.""Lacks resources where users can internally access a learning module from the tool.""The technical support team must be proactive.""The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.""The product reporting could be improved.""There are too many false positives."

More OWASP Zap Cons →

"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler.""We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.""It would be better if SonarQube provided a good UI for external configuration.""A little bit more emphasis on security and a bit more security scanning features would be nice.""This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.""SonarQube is not development-centric like Snyk.""During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.""SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."

More SonarQube Cons →

Pricing and Cost Advice
  • "We have used the freeware version. I believe Zap only has freeware."
  • "The solution’s pricing is high."

    • More OWASP Zap Pricing and Cost Advice →

  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • "We are using the Community edition of SonarQube."

    • More SonarQube Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    See Recommendations
    745,341 professionals have used our research since 2012.
    Questions from the Community
    Is OWASP Zap better than PortSwigger Burp Suite Pro?
    Top Answer:OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with… more »
    Read all 3 answers   →
    What do you like most about OWASP Zap?
    Top Answer:The product helps users to scan and fix vulnerabilities in the pipeline.
    Read all 24 answers   →
    What is your experience regarding pricing and costs for OWASP Zap?
    Top Answer:We use the community version.
    Read all 13 answers   →
    Is SonarQube the best tool for static analysis?
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Read all 10 answers   →
    Which gives you more for your money - SonarQube or Veracode?
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Read all 6 answers   →
    How would you decide between Coverity and Sonarqube?
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Ranking
    8th
    out of 58 in Application Security Testing (AST)
    Views
    24,584
    Comparisons
    11,853
    Reviews
    10
    Average Words per Review
    410
    Rating
    7.2
    1st
    out of 58 in Application Security Testing (AST)
    Views
    57,447
    Comparisons
    45,232
    Reviews
    29
    Average Words per Review
    502
    Rating
    8.2
    Comparisons
    Also Known As
    Sonar
    Learn More
    OWASP
    Sonar
    Overview

    OWASP Zap is a free and open-source web application security scanner. 

    The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

    With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

    SonarQube, a core component of the Sonar solution, is an open source, self managed tool that systematically helps developers and organizations deliver Clean Code. SonarQube integrates into the developers' CI/CD pipeline and DevOps platform to detect and help fix issues in the code while performing continuous inspections of projects. Learn more:https://www.sonarsource.com/

    Supported by Sonar Clean as You Code methodology, only code that meets the defined quality standard can be released to production. SonarQube analyzes the most popular programming languages, frameworks, and infrastructure technologies and supports over 5,000 Clean Code rules. 

    Trusted by 7 million developers and 400,000 organizations globally to clean more than half a trillion lines of code, Sonar has become integral to delivering better software.


    Offer
    Learn more about OWASP Zap
    Learn More
    Learn more about SonarQube
    Learn More
    Sample Customers
    1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    REVIEWERS
    Computer Software Company29%
    Financial Services Firm18%
    Retailer12%
    Energy/Utilities Company12%
    VISITORS READING REVIEWS
    Computer Software Company19%
    Financial Services Firm10%
    Comms Service Provider8%
    Government7%
    REVIEWERS
    Computer Software Company31%
    Financial Services Firm21%
    Comms Service Provider7%
    Insurance Company6%
    VISITORS READING REVIEWS
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Government6%
    Company Size
    REVIEWERS
    Small Business15%
    Midsize Enterprise30%
    Large Enterprise55%
    VISITORS READING REVIEWS
    Small Business21%
    Midsize Enterprise15%
    Large Enterprise64%
    REVIEWERS
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    OWASP Zap vs. SonarQube
    November 2023
    Free Report: OWASP Zap vs. SonarQube
    Find out what your peers are saying about OWASP Zap vs. SonarQube and other solutions. Updated: November 2023.
    DOWNLOAD NOW
    745,341 professionals have used our research since 2012.

    OWASP Zap is ranked 8th in Application Security Testing (AST) with 11 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 27 reviews. OWASP Zap is rated 7.2, while SonarQube is rated 8.2. The top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Acunetix, Qualys Web Application Scanning, Veracode and Fortify WebInspect, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and CAST Highlight. See our OWASP Zap vs. SonarQube report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.