We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.
"The most valuable feature for me is the Jenkins Plugin."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"We use the solution to validate the source code and do SAST and security analysis."
"The UI is very intuitive and simple to use."
"The solution allows us to create custom rules for code checks."
"The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
"The user interface is modern and nice to use."
"The initial setup is simple. It requires some security, but it's simple."
"Before you even compile, it can catch known vulnerability issues or patterns."
"The software quality gate streamlines the product's quality."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"The solution's user interface is very user-friendly."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
"The code coverage feature is very good."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"This product requires you to create your own rulesets. You have to do a lot of customization."
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"It is an expensive solution."
"I would like to see the DAST solution in the future."
"I think the code security can be improved."
"Dynamic scanning is missing and there are some issues with security scanning."
"The product's user documentation can be vastly improved."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"We could use some team support, but since we are using the community version, it's not available."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"The security in SonarQube could be better."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and GitHub Advanced Security. See our Checkmarx One vs. SonarQube report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.