What is the biggest difference between Coverity and SonarQube?

One of the most popular comparisons on IT Central Station is Coverity vs SonarQube.

People like you are trying to decide which one is best for their company. Can you help them out?

What is the biggest difference between Coverity and SonarQube? Which of these two solutions would you recommend to a colleague evaluating application security tools and why?

Thanks for helping your peers make the best decision!

Miriam Tover - PeerSpot reviewer
Service Delivery Manager at PeerSpot
  • 0
  • 58
PeerSpot user
1 Answer
Technical Leader at FPT Software
Jul 15, 2019

Both of them are static analytic source tools but SonarQube focus on the quality of code, coding convention, and potential software logic bugs while Coverity focuses on security, it detects the code which may have a security risk and vulnerary for the attack. SonarQube is open-source and Coverity requires a license for production.

Find out what your peers are saying about Coverity vs. SonarQube and other solutions. Updated: September 2023.
734,678 professionals have used our research since 2012.
Product comparison that may be of interest to you
Related Questions
Senior Program Manager at Oasis TE
May 23, 2023
Hello peers,  I am a Senior Program Manager at a large manufacturing company. I am currently researching both SonarQube and CAST AIP. What are the main differences between these two solutions? Does CAST AIP scan for design violations? Thankyou for your help.
See 1 answer
Chief Architect at Peristent Systems
May 23, 2023
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free and then we have developer, enterprise, and data center versions which are paid). As per the latest branding from CAST, they don't market AIP as a separate product and are bundled with CAST Imaging. CAST AIP is used to onboard the code base and perform analysis and the actual products are Imaging for architecture analysis and health, engineering, and security dashboards. The dashboards in CAST are richer and have more security features compared to SonarQube. Also, CAST does not have any free community version available. Both of them do static code analysis and do not look at run time code.
User at Network Appliance ASIAPAC
May 16, 2023
Hello peers,  I work for a large tech services company. I am currently researching Application Security Tools. Which software is ideal for code quality and security? Are SonarQube and Snyk a good choice? Are there any better alternatives? Thank you for your help.
2 out of 3 answers
May 15, 2023
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level. 
Board Member at a tech vendor with 1,001-5,000 employees
May 15, 2023
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase. 
Product Comparisons
Download Free Report
Download our FREE report comparing Coverity and SonarQube based on reviews, features, and more! Updated: September 2023.
734,678 professionals have used our research since 2012.