Seeker vs SonarQube comparison

Seeker

Read 1 Seeker review

0 Views
0 Comparison Views

100% willing to recommend

SonarQube

Read 112 SonarQube reviews

48,783 Views
39,042 Comparison Views

81% willing to recommend

Seeker

SonarQube

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Seeker and SonarQube based on real PeerSpot user reviews.

Find out what your peers are saying about Cisco, Zscaler, Forcepoint and others in Internet Security.

To learn more, read our detailed Internet Security Report (Updated: July 2024).

Buyer's Guide

Internet Security

July 2024

Download the complete report

Helped 793,295 peers since 2012

Categories and Ranking

Seeker

Average Rating

7.0

Number of Reviews

Ranking in other categories

Internet Security (12th)

SonarQube

Average Rating

8.0

Number of Reviews

112

Ranking in other categories

Application Security Tools (1st), Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)

Featured Reviews

San K

Senior Group Leader at Infosys

Nov 7, 2022

More effective than dynamic scanners, but is missing useful learning capabilities

One area that Seeker can improve is to make it more customizable. All security scanning tools have a defined set of rules that are based on certain criteria which they will use to detect issues. However, the criteria that you set initially is not something that all applications are going to need. The purposes for which applications are designed may differ in practice in the industry, and because of this, there will always be tools that sometimes report false positives. Thus, there should be some means with which I can customize the way that Seeker learns about our applications, possibly by using some kind of AI / ML capability within the tool that will automatically reduce the number of false positives that we get as we use the tool over time. Obviously, when we first start using the scanning tool there will be false positives, but as it keeps going and as I keep using the tool, there should be a period of time where either the application can learn how to ignore false positives, or I can customize it do so. Adding this type of functionality would definitely prevent future issues when it comes to reporting false positives, and this is a key area that we have already asked the vendor to improve on, in general. On a different note, there is one feature that isn't completely available right now where you can integrate Seeker with an open-source vulnerability scanner or composition analysis tool such as Black Duck. I would very much like this capability to be available to us out-of-the-box, so that we can easily integrate with tools like Black Duck in such a way that any open source components that are used in the front-end are easily identified. I think this would be a huge plus for Seeker. Another feature within Seeker which could benefit from improvement is active verification, which lets you actively verify a vulnerability. This feature currently doesn't work in certain applications, particularly in scenarios where you have requested tokens. When we bought the tool, we didn't realize this and we were not told about it by the vendor, so initially it was a big challenge for us to overcome it and properly begin our deployment.

Read full review

Wang Dayong

Senior Software Engineering Manager at Hill

May 10, 2023

Easy to integrate and has a plug-in that supports both C and C++ languages

We use the product to review our software codes. We have integrated the product to review our new delivery code When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the…

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"A significant advantage of Seeker is that it is an interactive scanner, and we have found it to be much more effective in reducing the amount of false positives than dynamic scanners such as AppScan, Micro Focus Fortify, etc. Furthermore, with Seeker, we are finding more and more valid (i.e. "true") positives over time compared with the dynamic scanners."

"We've configured it to run on each commit, providing feedback on our software quality. ]"

"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."

"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."

"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."

"The most valuable features are the analysis and detection of issues within the application code."

"The most valuable features are the segregation containment and the suspension of product services."

"The reporting and the results are quick. It gets integrated within the pipeline well."

"The product itself has a friendly UI."

More SonarQube pros

Cons

"One area that Seeker can improve is to make it more customizable. All security scanning tools have a defined set of rules that are based on certain criteria which they will use to detect issues. However, the criteria that you set initially is not something that all applications are going to need."

"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."

"SonarQube could improve its static application security testing as per the industry standard."

"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."

"Expression of common vulnerabilities and exposures is not always current."

"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."

"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."

"I have found this solution creates more noise than competitors."

"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

More SonarQube cons

Pricing and Cost Advice

"The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year."

"I am satisfied with the pricing."

"The product’s price is lower than Veracode’s price."

"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."

"We use the solution free of cost."

"The price point on SonarQube is good."

"The solution is cheaper than other products."

"I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube."

"A low cost long-term solution for non-critical situations."

More SonarQube pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Internet Security solutions are best for your needs.

See recommendations

793,295 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

25%

Computer Software Company

16%

Manufacturing Company

11%

Retailer

Financial Services Firm

17%

Computer Software Company

15%

Manufacturing Company

12%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

Questions from the Community

What do you like most about Seeker?

A significant advantage of Seeker is that it is an interactive scanner, and we have found it to be much more effective in reducing the amount of false positives than dynamic scanners such as AppSca...

See all answers

What is your experience regarding pricing and costs for Seeker?

The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year.

See all answers

What needs improvement with Seeker?

See all answers

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...

See all answers

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

See all answers

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...

See all answers

Comparisons

Coverity vs Seeker

Compared 24% of the time

Synopsys API Security Testing vs Seeker

Compared 22% of the time

Contrast Security Assess vs Seeker

Compared 18% of the time

Polaris Software Integrity Platform vs Seeker

Compared 8% of the time

Checkmarx One vs Seeker

Compared 7% of the time

More Seeker Competitors

Checkmarx One vs SonarQube

Compared 20% of the time

SonarCloud vs SonarQube

Compared 13% of the time

Coverity vs SonarQube

Compared 11% of the time

Veracode vs SonarQube

Compared 9% of the time

GitHub Advanced Security vs SonarQube

Compared 7% of the time

More SonarQube Competitors

Product Reports

Buyer's Guide

Internet Security

July 2024

Download Seeker product report

Buyer's Guide

SonarQube

June 2024

Download SonarQube product report

Also Known As

No data available

Sonar

Learn More

Synopsys

Sonar

Interactive Demo

Demo not available

Synopsys

Sonar

Overview

Seeker®, interactive application security testing (IAST) solution, gives you unparalleled visibility into your modern web, cloud based and microservices based app security posture. It automatically verifies, prioritizes and reports on critical vulnerabilities in real time. It identifies vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, GDPR, CAPEC, and CWE/SANS Top 25). Seeker enables security teams to identify and track sensitive data to ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Seeker’s seamless integration into CI/CD workflows enables fast interactive application security testing at DevOps speed.

SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

Sample Customers

El Al Airlines and Société Française du Radiotelephone

Find out what your peers are saying about Cisco, Zscaler, Forcepoint and others in Internet Security. Updated: July 2024.

DOWNLOAD NOW

793,295 professionals have used our research since 2012.

We monitor all Internet Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.