2023-05-11T10:49:00Z

Which software is ideal for code quality and security?

Hello peers, 

I work for a large tech services company. I am currently researching Application Security Tools.

Which software is ideal for code quality and security? Are SonarQube and Snyk a good choice? Are there any better alternatives?

Thank you for your help.

TM
User at Network Appliance ASIAPAC
3 Answers
VG
Chief Architect at Persistent Systems
2023-05-16T03:51:28Z

@Tej Muchhala: Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.

1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.

2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.

3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.

Regards,
Vishal.

LL
Board Member at a tech vendor with 1,001-5,000 employees
2023-05-15T21:30:21Z

Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase. 

2023-05-15T11:52:20Z

Hi Tej, as per my experience, SonarQube provides a better understanding of the code; it gives you a detailed analysis of the code down to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass, like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code, and gives vulnerability notifications and fixes. SonarQube doesn't fix or give any suggestions, but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube, as both are open source up to a certain level.
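One way to act on Snyk's CI output along the lines the answers above describe (fail the pipeline above a severity threshold, and surface the version Snyk says to move to) is a small gate script. This is an added example, not code from the thread or from Snyk; it assumes the report shape produced by `snyk test --json` (a top-level `vulnerabilities` list whose entries carry `severity`, `packageName`, `version` and `fixedIn`), and the embedded report is constructed with placeholder IDs and package names.

```python
import json

# Snyk severities ordered for threshold comparison.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the `snyk test --json` shape; IDs/packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "example-utils",
         "version": "1.2.0", "fixedIn": ["1.2.5"], "isUpgradable": True},
        {"id": "SNYK-EXAMPLE-0002", "title": "Regular Expression DoS",
         "severity": "medium", "packageName": "example-parser",
         "version": "0.9.1", "fixedIn": ["1.0.0", "0.9.3"], "isUpgradable": True},
        {"id": "SNYK-EXAMPLE-0003", "title": "Information Exposure",
         "severity": "low", "packageName": "example-logger",
         "version": "2.0.0", "fixedIn": [], "isUpgradable": False},
    ],
})


def version_key(v):
    """Sort key for dotted versions such as 1.2.5 (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_findings(report_json):
    """Return the vulnerability entries from a Snyk JSON report string."""
    return json.loads(report_json).get("vulnerabilities", [])


def failing_findings(findings, threshold="high"):
    """Findings at or above the threshold, i.e. the ones that should fail the build."""
    minimum = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "low"), 0) >= minimum]


def upgrade_advice(findings):
    """Map package@version to the lowest version Snyk lists as fixed, or None if no fix exists."""
    advice = {}
    for f in findings:
        fixed = f.get("fixedIn") or []
        advice[f"{f['packageName']}@{f['version']}"] = (
            min(fixed, key=version_key) if fixed else None)
    return advice


def gate(report_json, threshold="high"):
    """CI exit status: 0 when nothing reaches the threshold, 1 otherwise."""
    blocking = failing_findings(load_findings(report_json), threshold)
    for f in blocking:
        print(f"[{f['severity']}] {f['packageName']}@{f['version']}: {f['title']} ({f['id']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, "high"))
```

In a real pipeline the report string would come from `snyk test --json` rather than the embedded sample, and the exit status of `gate` decides whether the job passes.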

Related Questions
JB
Senior Program Manager at Oasis TE
May 23, 2023
Hello peers, I am a Senior Program Manager at a large manufacturing company. I am currently researching both SonarQube and CAST AIP. What are the main differences between these two solutions? Does CAST AIP scan for design violations? Thank you for your help.
See 1 answer
VG
Chief Architect at Persistent Systems
May 23, 2023
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free, and then we have developer, enterprise, and data center versions, which are paid). As per the latest branding from CAST, they don't market AIP as a separate product; it is bundled with CAST Imaging. CAST AIP is used to onboard the code base and perform analysis, and the actual products are Imaging for architecture analysis and the health, engineering, and security dashboards. The dashboards in CAST are richer and have more security features compared to SonarQube. Also, CAST does not have any free community version available. Both of them do static code analysis and do not look at run time code.
Meri Harutyunyan - PeerSpot reviewer
DevSecOps Engineer at a financial services firm with 1,001-5,000 employees
Sep 15, 2023
Hello community, after the first full scan with Snyk, when the programmer changes something in the code, does he scan the code again completely or only the changes? Thank you for your help.
See 1 answer
AC
Content Editor at PeerSpot
Sep 15, 2023
After the first full scan with Snyk, when the programmer changes something in the code, he can choose to scan the code again entirely or only the changes. Completely scanning the code again may be the most comprehensive option, as it will identify all potential security vulnerabilities, even those introduced in the most recent changes. However, this option can be resource-intensive and time-consuming. Scanning the changes only may be quicker and more efficient, as it will only identify the potential security vulnerabilities introduced in the most recent changes. It may not identify all of the potential security vulnerabilities, however. The best option for a programmer will depend on the specific circumstances. For example, completely scanning the code again may be best if the programmer is concerned about missing any potential security vulnerabilities. However, if the programmer is looking for a more efficient and quicker option, scanning only the changes may be the best option. Here are some additional things to keep in mind: Snyk offers various scanning options, including full, incremental, and targeted scans. The specific scanning option best for you will depend on your particular needs and requirements. It may be best to consult a Snyk expert to determine the best scanning option for your organization.