We compared HCL AppScan and SonarQube across four categories, based on our users' reviews. Our conclusion, drawn from that collected data, follows; the reviewer quotes that support it are listed below it.
Comparison Results: SonarQube offers better integration capabilities than HCL AppScan, and SonarQube users are happier with the pricing. On those two counts, SonarQube comes out ahead in this comparison. Bear in mind that the two products are benchmarked against different peers (reviewers compare AppScan with dynamic web scanners such as Burp Suite, OWASP ZAP and Acunetix, and SonarQube with static analyzers such as Checkmarx and Coverity), so the ranking reflects how each fares in its own category rather than a head-to-head test of identical capabilities.
"For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
"The most valuable feature of the solution is Postman."
"There's extensive functionality with custom rules and a custom knowledge base."
"This is a stable solution."
"It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply."
"The security and the dashboard are the most valuable features."
"It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."
"The solution is easy to use."
"This solution has helped with the integration and building of our CI/CD pipeline."
"The most valuable function is its usability."
"The solution's user interface is very user-friendly."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"The initial setup is simple. It requires some security, but it's simple."
"Provides local scanning for developers."
"The most valuable features are the segregation containment and the suspension of product services."
"The SonarQube dashboard looks great."
"Scans become slow on large websites."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"Many silly false positives are produced."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM's products."
"The pricing has room for improvement."
"The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
"IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
"There are so many lines of code with so many different categories that I am likely to get lost."
"We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"SonarQube is not development-centric like Snyk."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
HCL AppScan is ranked 14th in Application Security Tools with 41 reviews, while SonarQube is ranked 1st in Application Security Tools with 112 reviews. HCL AppScan is rated 7.8, while SonarQube is rated 8.0. The top reviewer of HCL AppScan writes "A stable and scalable product useful for application security scanning". The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". HCL AppScan is most compared with Veracode, Acunetix, PortSwigger Burp Suite Professional, OWASP Zap and Fortify on Demand, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity and Veracode.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.