We compared SonarQube and Checkmarx on the basis of our users' reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions have intuitive interfaces and are easy to use. Checkmarx offers the more comprehensive feature set, including software composition scanning and a higher number of detected vulnerabilities, along with broader language support and more advanced reporting. SonarQube has a simpler pricing model and is generally considered more affordable; it focuses strongly on code quality and integrates better with DevOps pipelines. Customer service and support experiences vary for both products, with some users praising the support and others reporting negative experiences.
Pros of Checkmarx One:
"The most valuable feature is the application tracking reporting."
"From my point of view, it is the best product on the market."
"The UI is user-friendly."
"Both automatic and manual code review (CxQL) are valuable."
"The report function is the solution's greatest asset."
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"Apart from software scanning, software composition scanning is valuable."
"The value you can get out of the speedy production may be worth the price tag."
Pros of SonarQube:
"Provides local scanning for developers."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards coding standards that empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"I like that it helps us maintain our work quality and code security."
"The product itself has a friendly UI."
"There is a free version."
"Can tweak rules and feed them into our build pipelines."
Cons of Checkmarx One:
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"Checkmarx could improve the REST APIs by including automation."
"The validation process needs to be sped up."
"Checkmarx could improve the speed of the scans."
"The integration could improve by including, for example, DevSecOps."
"Updating and debugging of queries is not very convenient."
"If it is a very large code base then we have a problem where we cannot scan it."
"Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although they can be found across various standard sources, it would save developers a lot of time if this were fixed."
Cons of SonarQube:
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."
"The product needs to integrate other security tools for security scanning."
"After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
"The handling of the contents of Docker container images could be better."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"Dynamic scanning is missing and there are some issues with security scanning."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and GitHub Advanced Security. See our Checkmarx One vs. SonarQube report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on what rules you configure. You have the option of profile creation, and a profile can be assigned to the projects. If you configure the project --> under the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to lint their code before SAST.
Veracode recently introduced it, but this developer-machine integration is available only for Java projects.
About vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans, and Checkmarx is used during code movement to staging or during release.
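The developer-then-pipeline flow the answers above describe (SonarQube rules bundled into a quality profile assigned to the project, and the build failing when the project's quality gate is not met), as an added example written by the editor; it is not code from this page, from SonarSource, from Checkmarx or from any reviewer. It assumes hypothetical environment variables SONAR_HOST_URL, SONAR_TOKEN and PROJECT_KEY, a sonar-scanner on the PATH, and that the server answers GET /api/qualitygates/project_status with the compact JSON SonarQube emits; the sample response embedded in the script is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (editor-written, not from the page, SonarSource or Checkmarx):
# fail a CI job on the SonarQube quality gate and name the broken conditions.
# Assumed, hypothetical environment: SONAR_HOST_URL, SONAR_TOKEN (a user or
# project analysis token) and PROJECT_KEY are set; sonar-scanner and curl exist.

# Constructed sample of a project_status response (not a real server capture):
# one condition passes, two fail.
SAMPLE_RESPONSE='{"projectStatus":{"status":"ERROR","conditions":[{"status":"OK","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"85.0"},{"status":"ERROR","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"2"},{"status":"ERROR","metricKey":"new_security_hotspots_reviewed","comparator":"LT","errorThreshold":"100","actualValue":"50.0"}],"ignoredConditions":false}}'

# Print the metricKey of every condition whose status is ERROR, one per line.
# Input: the compact JSON body of GET /api/qualitygates/project_status.
# Splitting on '{' puts each condition object on its own line; the outer
# projectStatus line carries a status but no metricKey, so the second grep
# drops it.
qg_failed_conditions() {
    printf '%s' "$1" | tr '{' '\n' | grep '"status":"ERROR"' \
        | grep -o '"metricKey":"[^"]*"' | cut -d'"' -f4
}

# Exit 0 when projectStatus.status is OK, non-zero otherwise (ERROR or NONE).
qg_passed() {
    printf '%s' "$1" | grep -q '"projectStatus":{"status":"OK"'
}

# Pipeline step. The server evaluates the quality profile and gate assigned to
# the project key; sonar.qualitygate.wait=true makes the scanner block until
# the analysis report is processed and exit non-zero when the gate fails.
ci_gate() {
    scanner_rc=0
    sonar-scanner \
        -Dsonar.projectKey="$PROJECT_KEY" \
        -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.token="$SONAR_TOKEN" \
        -Dsonar.qualitygate.wait=true || scanner_rc=$?
    # Fetch the gate details so the job log names the conditions that broke.
    # A token is sent as the basic-auth user name with an empty password.
    body=$(curl -sf -u "$SONAR_TOKEN:" \
        "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$PROJECT_KEY")
    if [ "$scanner_rc" -eq 0 ] && qg_passed "$body"; then
        echo "quality gate passed for $PROJECT_KEY"
        return 0
    fi
    echo "quality gate failed for $PROJECT_KEY; failing conditions:" >&2
    qg_failed_conditions "$body" >&2
    return 1
}

if [ "${1:-}" = "--ci" ]; then
    ci_gate
else
    # Offline demonstration against the constructed sample: prints
    # new_vulnerabilities and new_security_hotspots_reviewed.
    qg_failed_conditions "$SAMPLE_RESPONSE"
fi
```

Run the script with `--ci` from the pipeline job; without arguments it only exercises the parser on the embedded sample. On SonarQube servers older than 10.x the scanner property is `sonar.login` rather than `sonar.token`. Which conditions exist in the gate (new vulnerabilities, security hotspots reviewed, coverage, and so on) is entirely a matter of server-side configuration, which is the point the first answer makes: the scan is only as strict as the profile and gate assigned to the project.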