I am a Senior Program Manager at a large manufacturing company.
I am currently researching both SonarQube and CAST AIP. What are the main differences between these two solutions? Does CAST AIP scan for design violations?
Thankyou for your help.
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free and then we have developer, enterprise, and data center versions which are paid). As per the latest branding from CAST, they don't market AIP as a separate product and are bundled with CAST Imaging. CAST AIP is used to onboard the code base and perform analysis and the actual products are Imaging for architecture analysis and health, engineering, and security dashboards. The dashboards in CAST are richer and have more security features compared to SonarQube. Also, CAST does not have any free community version available. Both of them do static code analysis and do not look at run time code.
I work for a large tech services company. I am currently researching Application Security Tools.
Which software is ideal for code quality and security? Are SonarQube and Snyk a good choice? Are there any better alternatives?
Thank you for your help.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.