We performed a comparison between Rapid7 AppSpider and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The initial deployment is very straightforward and simple. The product is stable if configured properly."
"Rapid7 AppSpider is good at managing different applications. It uses applets and generates reports to cover the PCA/GDPR compliance requirements."
"The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than seeing them as a PDF. We are able to generate all the reports exactly what we want in a flexible way."
"AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines."
"When it is set up properly, it can do scanning on web apps with multiple engines automatically."
"It is really accurate and the rate of false positives is very low."
"It scans all the components developed within a web application."
"What I like most about AppSpider is that it's easy to use and its automated scan gives me all the details I need to know when it comes to vulnerabilities and their solutions."
"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
"SonarQube is good for checking and maintaining code quality."
"It provides the security that is required from a solution for financial businesses."
"The SonarQube dashboard looks great."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"We advise all of our developers to have this solution in place."
"The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
"There's plenty of documentation available to users."
"The performance of the solution could improve. When I compare the speed it is slower than others on the market. There are some tricks we use to help speed up the solution."
"AppSpider could improve in the area of integration. They need to add more integration opportunities."
"The enterprise interface is too simple. It should be more customizable."
"There are some glitches with stability, and it is an area for improvement."
"The tech support is responsive but issues remain unresolved."
"It needs better integration with mobile applications."
"Support response times are slow and can be improved."
"The product needs to be able to scale for large companies, like ours. We have millions of IP addresses that need to be scanned, and the scalability is not great."
"Having performance regression would be a helpful add on or ability to be able to do during the scan."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"Technical support and the price could be better."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"I would like to see dynamic code analysis in the next version of the software."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
Rapid7 AppSpider is ranked 25th in Application Security Testing (AST) with 13 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 108 reviews. Rapid7 AppSpider is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Rapid7 AppSpider writes "Useful vulnerability reporting data, flexible, and simple implementation". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Rapid7 AppSpider is most compared with Rapid7 InsightAppSec, OWASP Zap, Acunetix, Invicti and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Rapid7 AppSpider vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
