We performed a comparison between HCL AppScan and Sonarqube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Sonarqube offers better integration capabilities than HCL AppScan. Additionally, Sonarqube users are happier with the pricing. For these reasons, Sonarqube is the more desirable product in this comparison.
"The solution is easy to use."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."
"The product is useful, particularly in its sensitivity and scanning capabilities."
"This solution saves us time due to the low number of false positives detected."
"The security and the dashboard are the most valuable features."
"It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"The initial setup is simple. It requires some security, but it's simple."
"I like that it covers most programming languages for source code review."
"The product is simple."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
"I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"They should have a better UI for dashboards."
"There is room for improvement in the pricing model."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"The databases for HCL are small and have room for improvement."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"The product provides false reports sometimes."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"The interface could be a little better and should be enhanced."
"The solution could improve by providing more advanced technologies."
"Having performance regression would be a helpful add on or ability to be able to do during the scan."
HCL AppScan is ranked 15th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. HCL AppScan is rated 7.8, while SonarQube is rated 8.0. The top reviewer of HCL AppScan writes " A stable and scalable product useful for application security scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". HCL AppScan is most compared with Veracode, Acunetix, PortSwigger Burp Suite Professional, OWASP Zap and Fortify on Demand, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity and Veracode. See our HCL AppScan vs. SonarQube report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.