SonarQube Alternatives and Competitors

Get our free report covering Veracode, Checkmarx, Synopsys, and other competitors of SonarQube. Updated: January 2021.
455,301 professionals have used our research since 2012.

Read reviews of SonarQube alternatives and competitors

Aggelos Karonis
Technical Information Security Team Lead at Kaizen Gaming
Real User
Top 10
Sep 22, 2020
An easy, fast way to improve your code security and health

What is our primary use case?

Up to this point, as an information security company, we had very limited visibility over the testing of the code. We have 25 Scrum teams working but we were only included in very specific projects where information security feedback was required and mandatory to be there. With the use of Contrast, including the evaluation we did, and the applications we have included in the system, we now have clear visibility of the code.

Pros and Cons

  • "In our most critical applications, we have a deep dive in the code evaluation, which was something we usually did with periodic vulnerability assessments, code reviews, etc. Now, we have real time access to it. It's something that has greatly enhanced our code's quality. We have actually embedded a KPI in regards to the improvement of our code shell. For example, Contrast provides a baseline where libraries and the usability of the code are evaluated, and they produce a score. We always aim to improve that score. On a quarterly basis, we have added this to our KPIs."
  • "Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."

What other advice do I have?

I would recommend trying and buying it. This solution is something that everyone should try in order to enhance their security. It's a very easy, fast way to improve your code security and health. We do not use the solution’s OSS feature (through which you can look at third-party open-source software libraries) yet. We have not discussed that with our solutions architect, but it's something that we may use in the future when we have more applications onboard. At this point, we have a very specific path in order to raise the volume of those critical apps, then we will proceed to more features…
reviewer971370
CEO at a tech services company with 11-50 employees
Reseller
Top 5Leaderboard
Jun 22, 2020
Easy interface that is user friendly, quick scanning, and good technical support

What is our primary use case?

The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have. The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

Pros and Cons

  • "The most valuable features are the easy to understand interface, and it 's very user-friendly."
  • "We have received some feedback from our customers who are receiving a large number of false positives."

What other advice do I have?

We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling. We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company. With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. Some of our customers like the Codebashing model…
Dionisio Valdés
Senior System Analyst at Azurian
Real User
Dec 20, 2020
Makes it easy to discover hidden vulnerabilities in our open source libraries

What is our primary use case?

We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use. In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security. The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this… more »

Pros and Cons

  • "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
  • "During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."

What other advice do I have?

For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including: * Very useful source code review and vulnerability detection. * Clear and easy-to-read test results and reports. * Good integration with other platforms during development. I would rate Fortify on Demand a nine out of ten.
Nachu Subramanian
Head of DevOps Engineering Center of Excellence at OCBC Bank
Real User
Top 5Leaderboard
Apr 12, 2020
Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments

What is our primary use case?

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

Pros and Cons

  • "Coverity is quite stable and we haven’t had any issues or any downtime."
  • "I would like to see integration with popular IDEs, such as Eclipse."

What other advice do I have?

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys. My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage. The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will…
reviewer1452225
Test Engineer at a tech company with 501-1,000 employees
Real User
Nov 20, 2020
A scalable tool with quality analysis and good technical support

What is our primary use case?

We analyze all the portfolio of applications from the customer. The customer is within the government of Spain. We analyze all their applications. On the portfolio of publications, we run analyses from all the applications.

Pros and Cons

  • "The solution offers very good technical support."
  • "The solution seems to give us a lot of false positives. This could be improved quite a bit."

What other advice do I have?

We're just a customer. We are using the latest version of the solution. Overall, I would rate the solution eight out of ten. It's worked quite well for us so far.
Get our free report covering Veracode, Checkmarx, Synopsys, and other competitors of SonarQube. Updated: January 2021.
455,301 professionals have used our research since 2012.