We compared SonarQube and OWASP Zap based on our user's reviews in several parameters.
SonarQube and OWASP Zap both provide valuable features for detecting vulnerabilities and enhancing code security. SonarQube stands out for its comprehensive features, versatile language support, and seamless DevOps integration, while OWASP Zap is praised for its robust scanning capabilities and user-friendly interface. SonarQube offers strong customer service and positive ROI, while OWASP Zap is commended for its responsive support and affordable pricing. Areas for improvement include analysis speed for SonarQube and tool performance for OWASP Zap.
Features: SonarQube stands out for its support for multiple languages, integration with DevOps pipelines, ability to detect vulnerabilities, and usability enhancements. In contrast, OWASP Zap is praised for its robust scanning capabilities, effective interception and proxying features, comprehensive reporting options, ease of use, user-friendly interface, and strong community support.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, OWASP Zap's setup cost is minimal and hassle-free, allowing for quick and easy installation., SonarQube has proven highly beneficial for ROI, improving code quality, fixing issues, enhancing project efficiency, and detecting vulnerabilities. OWASP Zap provides enhanced security measures, risk mitigation, and user-friendly flexibility.
Room for Improvement: SonarQube's room for improvement lies in enhancing analysis speed, refining UI for navigation, providing clearer setup instructions and advanced functionality documentation, addressing occasional performance issues, and improving integration options. On the other hand, OWASP Zap needs improvements in tool speed and performance, user interface usability, documentation clarity, tool stability, advanced features and customization options, and reporting capabilities.
Deployment and customer support: Users mentioned that it took them three months for deployment and an additional week for setup with SonarQube, while OWASP Zap users had varying timeframes. SonarQube's deployment and setup durations are longer compared to OWASP Zap., SonarQube is commended for its exceptional customer service, with prompt and knowledgeable assistance. Users express confidence in the reliability of its support. OWASP Zap's customer service is also highly praised, with helpful and responsive staff who ensure a positive user experience.
The summary above is based on 47 interviews we conducted recently with SonarQube and OWASP Zap users. To access the review's full transcripts, download our report.
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The product discovers more vulnerabilities compared to other tools."
"The solution is scalable."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The solution has tightened our security."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"It's enabled us to improve software quality and help us to disseminate best practices."
"The product is simple."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"I like that it covers most programming languages for source code review."
"Provides local scanning for developers."
"The solution is stable."
"The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
"It doesn't run on absolutely every operating system."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"It needs more robust reporting tools."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The solution is unable to customize reports."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"The handling of the contents of Docker container images could be better."
"You may need to purchase add-ons to get the useability you desire."
"There could be better integration with other products."
"SonarQube could improve its static application security testing as per the industry standard."
"The solution could improve by having better-consulting services."
"SonarQube is not development-centric like Snyk."
"I am not very pleased with the technical debt computation."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. OWASP Zap is rated 7.6, while SonarQube is rated 8.0. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". OWASP Zap is most compared with Acunetix, Qualys Web Application Scanning, Veracode, PortSwigger Burp Suite Professional and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitLab. See our OWASP Zap vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
