We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.
"Both automatic and manual code review (CxQL) are valuable."
"The solution communicates where to fix the issue for the purpose of less iterations."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The most valuable feature is the simple user interface."
"The value you can get out of the speedy production may be worth the price tag."
"From my point of view, it is the best product on the market."
"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."
"There are many options and examples available in the tool that help us fix the issues it shows us."
"It's enabled us to improve software quality and help us to disseminate best practices."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"It has very good scalability and stability."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"This solution has the capability to analyze source code in almost all the languages in the market."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"The most valuable features are code scanning and Quality Gates."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"I would like to see the tool’s pricing improved."
"There could be better integration with other products."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"Currently requires multiple tools, lacking one overall tool."
"Technical support and the price could be better."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and GitHub Advanced Security. See our Checkmarx One vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.