We compared SonarQube and OWASP Zap based on our user's reviews in several parameters.
SonarQube and OWASP Zap both provide valuable features for detecting vulnerabilities and enhancing code security. SonarQube stands out for its comprehensive features, versatile language support, and seamless DevOps integration, while OWASP Zap is praised for its robust scanning capabilities and user-friendly interface. SonarQube offers strong customer service and positive ROI, while OWASP Zap is commended for its responsive support and affordable pricing. Areas for improvement include analysis speed for SonarQube and tool performance for OWASP Zap.
Features: SonarQube stands out for its support for multiple languages, integration with DevOps pipelines, ability to detect vulnerabilities, and usability enhancements. In contrast, OWASP Zap is praised for its robust scanning capabilities, effective interception and proxying features, comprehensive reporting options, ease of use, user-friendly interface, and strong community support.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, OWASP Zap's setup cost is minimal and hassle-free, allowing for quick and easy installation., SonarQube has proven highly beneficial for ROI, improving code quality, fixing issues, enhancing project efficiency, and detecting vulnerabilities. OWASP Zap provides enhanced security measures, risk mitigation, and user-friendly flexibility.
Room for Improvement: SonarQube's room for improvement lies in enhancing analysis speed, refining UI for navigation, providing clearer setup instructions and advanced functionality documentation, addressing occasional performance issues, and improving integration options. On the other hand, OWASP Zap needs improvements in tool speed and performance, user interface usability, documentation clarity, tool stability, advanced features and customization options, and reporting capabilities.
Deployment and customer support: Users mentioned that it took them three months for deployment and an additional week for setup with SonarQube, while OWASP Zap users had varying timeframes. SonarQube's deployment and setup durations are longer compared to OWASP Zap., SonarQube is commended for its exceptional customer service, with prompt and knowledgeable assistance. Users express confidence in the reliability of its support. OWASP Zap's customer service is also highly praised, with helpful and responsive staff who ensure a positive user experience.
The summary above is based on 47 interviews we conducted recently with SonarQube and OWASP Zap users. To access the review's full transcripts, download our report.
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"Simple to use, good user interface."
"The interface is easy to use."
"We use the solution for security testing."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"You can run it against multiple targets."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"It has very good scalability and stability."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"It is working fine. It provides a good value for money."
"It provides the security that is required from a solution for financial businesses."
"The most valuable features are the analysis and detection of issues within the application code."
"The software quality gate streamlines the product's quality."
"The SonarQube dashboard looks great."
"It doesn't run on absolutely every operating system."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Lacks resources where users can internally access a learning module from the tool."
"There isn't too much information about it online."
"OWASP Zap needs to extend to mobile application testing."
"The product reporting could be improved."
"The solution is unable to customize reports."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"The product must improve security analysis."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"The product needs to integrate other security tools for security scanning."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 108 reviews. OWASP Zap is rated 7.6, while SonarQube is rated 8.0. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". OWASP Zap is most compared with Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Veracode and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Mend.io. See our OWASP Zap vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
