We compared HCL AppScan and SonarQube in four categories, based on the reviews our users submitted. Our conclusion, drawn from all of the collected review data, is given below.
Comparison Results: Reviewers rate SonarQube higher than HCL AppScan on integration capabilities, and SonarQube users are also more satisfied with its pricing. On those grounds, SonarQube comes out ahead in this comparison.
"We are now deploying less defects to production."
"The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase."
"The solution is easy to install. I would rate the product's setup between six and seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"The product has valuable features for static and dynamic testing."
"There's extensive functionality with custom rules and a custom knowledge base."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan."
"The reporting part is the most valuable feature."
"Strong code evaluation for budget-minded clients."
"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"We consider it a handy tool that helps to resolve our issues immediately."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
"If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly."
"There is room for improvement in the pricing model."
"They should have a better UI for dashboards."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"IBM Security AppScan Source is rather hard to use."
"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"AppScan is too complicated and should be made more user-friendly."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"The product must improve security analysis."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user plug it in and out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"I have found this solution creates more noise than competitors."
"The reporting can be improved."
HCL AppScan is ranked 15th in Application Security Tools with 40 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. HCL AppScan is rated 7.6, while SonarQube is rated 8.0. The top reviewer of HCL AppScan writes " A stable and scalable product useful for application security scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". HCL AppScan is most compared with Veracode, Acunetix, PortSwigger Burp Suite Professional, Checkmarx One and OWASP Zap, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity and Veracode. See our HCL AppScan vs. SonarQube report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.