We performed a comparison between Qualys Web Application Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations."
"It is a cloud-based solution, so it is easy to scale."
"Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
"The vulnerability management feature is a strong one. And also the patch management feature."
"The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
"We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
"Qualys Web Application Scanning has multiple features like threat protection and container security scanning in one box."
"I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"The overall quality of the indicator is good."
"If code coverage is a low number then that's of great value to me."
"This solution has the capability to analyze source code in almost all the languages in the market."
"I like that it helps us maintain our work quality and code security."
"The reporting and the results are quick. It gets integrated within the pipeline well."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"The software’s pricing could be improved."
"There could be better management and faster scanning."
"The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."
"When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
"The support could be faster."
"The scanner reports a lot of false positives, which is something that needs to be improved."
"The virus code updates are not frequent enough."
"We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"Ease of use/interface."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"I am not very pleased with the technical debt computation."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
"When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
More Qualys Web Application Scanning Pricing and Cost Advice →
Qualys Web Application Scanning is ranked 19th in Application Security Tools with 31 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Qualys Web Application Scanning is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Qualys Web Application Scanning vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.