We performed a comparison between Qualys Web Application Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
"It is a good product for website penetration testing to detect vulnerabilities."
"By using QualysGuard, we are able to finish external scans with assured results in half the time."
"The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
"QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations."
"The vulnerability management feature is a strong one. And also the patch management feature."
"The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
"We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"It is a very good tool for analysis and security vulnerability checking."
"The solution offers a very good community edition."
"The code coverage feature is very good."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"The reporting contains too many false positives."
"They should try to include business logic vulnerabilities in the scanner testing."
"The software’s pricing could be improved."
"The scanner reports a lot of false positives, which is something that needs to be improved."
"There could be better management and faster scanning."
"The virus code updates are not frequent enough."
"The product's pricing could be better."
"Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"I would like to see more options for security, beyond the basics like SQL injection."
"If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful."
"When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"We could use some team support, but since we are using the community version, it's not available."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"The handling of the contents of Docker container images could be better."
Qualys Web Application Scanning is ranked 19th in Application Security Tools with 31 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Qualys Web Application Scanning is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.