We performed a comparison between HCL AppScan and Sonarqube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Sonarqube offers better integration capabilities than HCL AppScan. Additionally, Sonarqube users are happier with the pricing. For these reasons, Sonarqube is the more desirable product in this comparison.
"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"The solution is cheap."
"It provides a better integration for our ecosystem."
"The static scans are good, and the SaaS as well."
"The UI was very intuitive."
"The reporting part is the most valuable feature."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan"
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"If you want to have your code scanned and timed then this is a good tool."
"It is a very good tool for analysis despite its limitations."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"It has very good scalability and stability."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"This solution is simple to use and can be quickly deployed."
"The code coverage feature is very good."
"IBM Security AppScan Source is rather hard to use."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly."
"We would like to integrate with some of the other reporting tools that we're planning to use in the future."
"The penetration testing feature should be included."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"There are so many lines of code with so many different categories that I am likely to get lost. "
"There is room for improvement in the pricing model."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."
"The product must improve security analysis."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
HCL AppScan is ranked 14th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. HCL AppScan is rated 7.8, while SonarQube is rated 8.0. The top reviewer of HCL AppScan writes " A stable and scalable product useful for application security scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". HCL AppScan is most compared with Veracode, Acunetix, PortSwigger Burp Suite Professional, OWASP Zap and Fortify on Demand, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity and Veracode. See our HCL AppScan vs. SonarQube report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.