We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."
"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The security analysis features are the most valuable features of this solution."
"The app analysis is the most valuable feature as I know other solutions don't have that."
"The interface of Coverity is quite good, and it is also easy to use."
"Coverity is easy to set up and has a less lengthy process to find vulnerabilities."
"The solution has improved our code quality and security very well."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"The product is simple."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"We consider it a handy tool that helps to resolve our issues immediately."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"Sometimes it's a bit hard to figure out how to use the product’s UI."
"When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
"The product should include more customization options. The analytics is not as deep as compared to SonarQube."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."
"The solution is a bit complex to use in comparison to other products that have many plugins."
"The documentation is not clear and it needs to be updated."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"There could be better integration with other products."
"The interface could be a little better and should be enhanced."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"Expression of common vulnerabilities and exposures is not always current."
"Dynamic scanning is missing and there are some issues with security scanning."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.