• Home
  • Checkmarx One vs. SonarQube

Checkmarx One vs SonarQube comparison

Cancel
You must select at least 2 products to compare!
Checkmarx Logo
Checkmarx One
Read 67 Checkmarx One reviews
34,421 views|22,362 comparisons
86% willing to recommend
Sonar Logo
SonarQube
Read 110 SonarQube reviews
53,062 views|42,321 comparisons
80% willing to recommend
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
Checkmarx One vs. SonarQube
May 2024
Executive Summary
Updated on Sep 14, 2023

We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: SonarQube's setup is generally considered straightforward, with users finding it simple and quick. Some users said that Checkmarx is easy to set up, while others faced difficulties. Proper documentation and a dedicated team helped make the process smoother.   
  • Features: Most SonarQube reviewers mentioned how easy it is to integrate with other products. Checkmarx reviewers noted the benefits of the solution’s application security, scanning, and tracking.
  • Room for Improvement: SonarQube should enhance management reports, improve the scanning process, and expand language support. Checkmarx has room to improve in terms of its REST APIs, vulnerability scanning accuracy, and integration with third-party software. 
  • Pricing: Most SonarQube reviewers feel satisfied with the pricing, especially with its free Community Edition. .Checkmarx reviewers say it is expensive.
  • Service and Support: Some reviewers of SonarQube feel that support leaves room for improvement. Most reviewers of Checkmarx are satisfied with the support levels but would like faster response times. 

Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.

To learn more, read our detailed Checkmarx One vs. SonarQube Report (Updated: May 2024).
Download the complete report
769,976 professionals have used our research since 2012.
Q&A Highlights
Question: Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
Answer: My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Read more →
Featured Review
Anonymous User
Researched SonarQube but chose Checkmarx One: Reasonably price, high performance, and simple installation
Anonymous User
Researched Checkmarx One but chose SonarQube: Good static code analysis and benchmarking but the library could support more languages
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The only thing I like is that Checkmarx does not need to compile.""Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application.""Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes.""The user interface is excellent. It's very user friendly.""The report function is the solution's greatest asset.""I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy.""The solution is scalable, but other solutions are better.""The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."

More Checkmarx One Pros →

"SonarQube is useful for controlling all of our Azure task tracking and scanning.""We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.""It provides the security that is required from a solution for financial businesses.""Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.""This solution has helped with the integration and building of our CICD pipeline.""The overall quality of the indicator is good.""The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation.""Improve the code coverage and evaluates the technical steps and percentage of code being resolved."

More SonarQube Pros →

Cons
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.""Its user interface could be improved and made more friendly.""They could work to improve the user interface. Right now, it really is lacking.""Checkmarx could improve the REST APIs by including automation.""I would like to see the DAST solution in the future.""Checkmarx could improve by reducing the price.""I would like to see the rate of false positives reduced.""Integration into the SDLC (i.e. support for last version of SonarQube) could be added."

More Checkmarx One Cons →

"The interface could be a little better and should be enhanced.""Expression of common vulnerabilities and exposures is not always current.""There are limitations to the free version that limit development options as far as languages.""Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.""You may need to purchase add-ons to get the useability you desire.""Ease of use/interface.""We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.""There could be better integration with other products."

More SonarQube Cons →

Pricing and Cost Advice
  • "It is the right price for quality delivery."
  • "I believe pricing is better compared to other commercial tools."
  • "The pricing was not very good. This is just a framework which shouldn’t cost so much."
  • "The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
  • "It is a good product but a little overpriced."
  • "The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
  • "​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
  • "We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."

    • More Checkmarx One Pricing and Cost Advice →

  • "This is open source."
  • "We did not purchase a license (required for C++ support), but this option was considered."
  • "Get the paid version which allows the customized dashboard and provides technical support."
  • "People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
  • "This product is open source and very convenient."
  • "The licence is standard open source licensing"
  • "The price point on SonarQube is good."
  • "Some of the plugins that were previously free are not free now."

    • More SonarQube Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    See Recommendations
    769,976 professionals have used our research since 2012.
    Answers from the Community
    William Hayes
    Question: Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
    Swapna Ragi - PeerSpot reviewerSwapna Ragi
    Real User

    SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.


    Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.


    About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this.  https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/

    Durga Gudimetla - PeerSpot reviewerDurga Gudimetla
    Real User

    SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

    See all 3 answers »
    Questions from the Community
    What alternatives are there for Fortify WebInspect and Fortify SCA?
    Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
    Read all 4 answers   →
    What do you like most about Checkmarx?
    Top Answer:Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
    Read all 38 answers   →
    What is your experience regarding pricing and costs for Checkmarx?
    Top Answer:The solution's price is high and you pay based on the number of users.
    Read all 25 answers   →
    Is SonarQube the best tool for static analysis?
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Read all 10 answers   →
    Which gives you more for your money - SonarQube or Veracode?
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Read all 6 answers   →
    How would you decide between Coverity and Sonarqube?
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Ranking
    3rd
    out of 74 in Application Security Tools
    Views
    34,421
    Comparisons
    22,362
    Reviews
    21
    Average Words per Review
    513
    Rating
    7.7
    1st
    out of 74 in Application Security Tools
    Views
    53,062
    Comparisons
    42,321
    Reviews
    18
    Average Words per Review
    358
    Rating
    8.1
    Comparisons
    Veracode logo
    Veracode vs. Checkmarx One
    Compared 13% of the time.
    Fortify on Demand logo
    Fortify on Demand vs. Checkmarx One
    Compared 6% of the time.
    Snyk logo
    Snyk vs. Checkmarx One
    Compared 4% of the time.
    Coverity logo
    Coverity vs. Checkmarx One
    Compared 3% of the time.
    Mend.io logo
    Mend.io vs. Checkmarx One
    Compared 2% of the time.
    More Checkmarx One Competitors   →
    SonarCloud logo
    SonarCloud vs. SonarQube
    Compared 12% of the time.
    Coverity logo
    Coverity vs. SonarQube
    Compared 11% of the time.
    Veracode logo
    Veracode vs. SonarQube
    Compared 10% of the time.
    Snyk logo
    Snyk vs. SonarQube
    Compared 6% of the time.
    More SonarQube Competitors   →
    Also Known As
    Sonar
    Learn More
    Checkmarx
    Sonar
    Interactive Demo
    Checkmarx
    Demo Not Available
    Sonar
    Watch a demo
    Overview

    Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

    Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

    Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

    Checkmarx Features

    Some of Checkmarx’s features include:

    • Source code scanning: Detect and repair more vulnerabilities before you release your code.

    • Open-source scanning: Find and eliminate the risks in your open-source code.

    • Interactive code scanning: Scan for vulnerabilities and runtime threats.

    • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

    Reviews from Real Users

    Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

    PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

    A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

    A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

    SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

    At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

    Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

    With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

    SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

    Sample Customers
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    Top Industries
    REVIEWERS
    Computer Software Company31%
    Financial Services Firm19%
    Comms Service Provider9%
    Manufacturing Company9%
    VISITORS READING REVIEWS
    Financial Services Firm21%
    Computer Software Company15%
    Manufacturing Company9%
    Insurance Company5%
    REVIEWERS
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider7%
    Manufacturing Company7%
    VISITORS READING REVIEWS
    Financial Services Firm17%
    Computer Software Company15%
    Manufacturing Company11%
    Government6%
    Company Size
    REVIEWERS
    Small Business38%
    Midsize Enterprise13%
    Large Enterprise50%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise11%
    Large Enterprise72%
    REVIEWERS
    Small Business25%
    Midsize Enterprise16%
    Large Enterprise59%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise70%
    Buyer's Guide
    Checkmarx One vs. SonarQube
    May 2024
    Free Report: Checkmarx One vs. SonarQube
    Find out what your peers are saying about Checkmarx One vs. SonarQube and other solutions. Updated: May 2024.
    DOWNLOAD NOW
    769,976 professionals have used our research since 2012.

    Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and GitHub Advanced Security. See our Checkmarx One vs. SonarQube report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.