
Compare CAST Highlight vs. SonarQube

Find out what your peers are saying about CAST Highlight vs. SonarQube and other solutions. Updated: November 2021.
554,382 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

Veracode:
"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople, is fabulous."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."

CAST Highlight:
"The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable. It works seamlessly with most languages."
"CAST Highlight is easy to use and has a good dashboard."

SonarQube:
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
"I like that it helps us maintain our work quality and code security."
"I like the by-default policies that are there, as they seem to cover most of what I need."
"The product itself has a friendly UI."
"The product has a friendly UI that is easy to use and understand."
"The most valuable features are the analysis and detection of issues within the application code."
"I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, which are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."

Cons

Veracode:
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"Sometimes, I get feedback from a developer saying, 'They are scanning Python code, but getting feedback around Java code.' While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insight."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"Another problem we have is that, while it is integrated with single sign-on (we are using Okta), the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says 'Log in with single sign-on,' unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adapt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) for managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"The product has issues with scanning."

CAST Highlight:
"Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. I would expect CAST Highlight to have the Help dashboard and the Engineering dashboard. These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time."
"The reports that describe the issues of concern are rather abstract and the issues should be more clearly described to the user."

SonarQube:
"Monitoring is a feature that can be improved in the next version."
"Having performance regression would be a helpful add-on, or an ability to be able to do during the scan."
"The pricing could be reduced a bit. It's a little expensive."
"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"If the product could assist us with fixing issues by giving us more pointers, then it would help to resolve more of the warnings without such a commitment in terms of time."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"We could use some team support, but since we are using the community version, it's not available."

Pricing and Cost Advice

Veracode:
"I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"The pricing is really fair compared to a lot of other tools on the market."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"Veracode's price is high. I would like them to better optimize their pricing."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"Licensing cost is on a yearly basis and there are no additional costs; the pricing is straightforward."

CAST Highlight:
"It is a pretty costly tool. A lot of customers are resistant to using it."
"Basic support is included with the standard licensing fee, but it can be upgraded for an additional cost."

SonarQube:
"This solution is free."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
"SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."
"I think comparing the product to competitors it should be less expensive."
"We're using the Community Edition, and we don't pay for anything."
"It is very expensive. Its price should be improved."
"There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license."
"We are using the open-source community version, but there are enterprise licenses available."

Questions from the Community

Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis…
Top Answer: The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the…
Top Answer: Veracode is very, very expensive, one of the most expensive security scanning tools available. We pay an annual license…
Top Answer: The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable. It…
Top Answer: It is a pretty costly tool. A lot of customers are resistant to using it.
Top Answer: Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. Both are…
Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which…
Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security…
Top Answer: Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to…
Also Known As
SonarQube: Sonar
Overview

Veracode covers all your application security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

CAST Highlight is a leading SaaS Application Portfolio Analysis platform that delivers Software Intelligence at the intersection of IT and business to accelerate and secure your digital journey. It enables enterprise leaders to track hidden risks in custom and open source software rapidly and in a non-intrusive manner.

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

Sample Customers
Veracode: State of Missouri, Rekner
CAST Highlight: Atos, David Consulting Group, Tech Mahindra, BCG, Capgemini
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Top Industries

Veracode, reviewers: Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
Veracode, visitors reading reviews: Computer Software Company 30%, Comms Service Provider 16%, Financial Services Firm 10%, Manufacturing Company 6%

CAST Highlight, visitors reading reviews: Computer Software Company 38%, Comms Service Provider 14%, Government 9%, Financial Services Firm 7%

SonarQube, reviewers: Computer Software Company 24%, Financial Services Firm 20%, Comms Service Provider 10%, Insurance Company 8%
SonarQube, visitors reading reviews: Computer Software Company 28%, Comms Service Provider 17%, Financial Services Firm 12%, Manufacturing Company 7%
Company Size

Veracode, reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Veracode, visitors reading reviews: Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%

CAST Highlight: No data available

SonarQube, reviewers: Small Business 28%, Midsize Enterprise 18%, Large Enterprise 53%
SonarQube, visitors reading reviews: Small Business 29%, Midsize Enterprise 19%, Large Enterprise 52%

CAST Highlight is ranked 21st in Application Security with 2 reviews while SonarQube is ranked 1st in Application Security with 46 reviews. CAST Highlight is rated 7.0, while SonarQube is rated 8.0. The top reviewer of CAST Highlight writes "Excellent support, works seamlessly with most languages, and useful for knowing about the readiness of the codebase for cloud migration". On the other hand, the top reviewer of SonarQube writes "This is a very capable analysis tool for development projects but the free version has limitations". CAST Highlight is most compared with WhiteSource, Coverity, Sonatype Nexus Lifecycle, Checkmarx and HCL AppScan, whereas SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and Semmle QL. See our CAST Highlight vs. SonarQube report.


We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.