We performed a comparison between Fortify on Demand and SonarCloud based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"It's a cloud-based solution, so there was no installation involved."
"Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support."
"The user interface is good."
"Audit workbench: for on-the-fly defect auditing."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"The quality of application security testing reduces risk and gives very few false positives."
"One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
"For what it is meant to do, it works pretty well."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"The most valuable feature of SonarCloud is its overall performance."
"The solution can be installed locally."
"The reports from SonarCloud are very good."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."
"We have some stability issues, but they are minimal."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"An improvement would be the ability to get vulnerabilities flowing automatically into another system."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"There were some regulated compliances, which were not there."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"It lacks some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."
"It would be helpful if notifications could go out to an extra person."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"SonarCloud can improve the false positives. Sometimes the gates act a little weird. We then need to manually go and mark the false positive."
"SonarCloud's UI needs enhancement."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"The solution needs to improve its customization and flexibility."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
Fortify on Demand is ranked 9th in Static Application Security Testing (SAST) with 57 reviews, while SonarCloud is ranked 10th in Static Application Security Testing (SAST) with 10 reviews. Fortify on Demand is rated 8.0, while SonarCloud is rated 8.4. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes". On the other hand, the top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". Fortify on Demand is most compared with SonarQube, Veracode, Checkmarx One and Coverity, whereas SonarCloud is most compared with SonarQube, Veracode, Checkmarx One, GitLab and GitHub Code Scanning.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.