We performed a comparison between Qualys Web Application Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."It is a good product for website penetration testing to detect vulnerabilities."
"This product is designed for easy scalability and can easily scale up without major challenges."
"The interface is user-friendly and easy to understand."
"The vulnerability management feature is a strong one. And also the patch management feature."
"The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
"It is easy to use."
"It works with many different products."
"We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"The solution offers a very good community edition."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"There are many options and examples available in the tool that help us fix the issues it shows us."
"Can tweak rules and feed them into our build pipelines."
"The SonarQube dashboard looks great."
"We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
"In certain cases, this product does have false positives, which the company should work on."
"The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."
"The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
"When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
"There should be better visibility into the application."
"The software’s pricing could be improved."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
"A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"You may need to purchase add-ons to get the useability you desire."
More Qualys Web Application Scanning Pricing and Cost Advice →
Qualys Web Application Scanning is ranked 19th in Application Security Tools with 31 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Qualys Web Application Scanning is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Qualys Web Application Scanning vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.