2018-04-03 12:26:00 UTC

Checkmarx vs SonarQube​: How Do I Choose?


One of the most popular comparisons on IT Central Station is Checkmarx vs SonarQube.

One user said about Checkmarx that "It pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."

However, a user with experience with SonarQube has said "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."

Which of these two solutions would you recommend and why?

Thanks for your help!

--Rhea

Guest
1212 Answers
author avatar
Real User

SonarQube is not really an AppSec tool. It is widely used by developers and has security plugins that offer a limited visibility for vulnerabilities.
Checkmarx is a real AppSec tool, with deep insight for vulnerabilities in all current languages.

Security manager should consider only Checkmarx, and eventually compare with same quality tools, but should drop SonarQube plugins.
On the other hand, Checkmarx is expensive, while SonarQube plugins are cheap and easy to setup if the base product is already used.

The choice depends on budget and scope: if you have money and really want to reduce risk, choose Checkmarx. If you do not have the money or if your goal is just to show management you are doing something for AppSec, without bothering to lower risk, then choose SonarQube plugins.

2018-04-03 17:13:25 UTC
author avatar
Vendor

SonarQube likely should be removed from your site's AppSec category. Read the other comments to understand why. It's a good tool, but this is not its category.

2018-08-14 21:32:56 UTC
author avatar
User

SonarQube is a hub for code quality, its own security analysis capabilities are very limited, as it doesn’t perform in-depth data and code flow analysis.

Checkmarx SAST (Static Application Security Testing) AppSec static code analysis is done on top of data and code flows thoroughly built from the source.

So these two products don’t compete in the same space. For pure SAST, Checkmarx is a far more superior solution.

However, Checkmarx SAST results can be reported together with other code quality metrics back into the SonarQube dashboard using the provided integration.

You can find more information from https://checkmarx.atlassian.net.

2018-04-04 12:21:27 UTC
author avatar
Real User

Checkmarx (costly commercial license) is for application security and SonalQube is for code quality. You can write security rules in sonarQube. However, that will require time and effort. Selecting either of these two depends on your requirement.

2018-04-04 08:17:22 UTC
author avatar
TOP 20POPULARReal User

I'm not sure what the coverage of SonarQube is. But Checkmarx provides a wide portfolio of technologies and also frameworks from different platforms. What I mean is that, for consulting, Checkmarx is very flexible and its interface really friendly.

From my point of view, Checkmarx is the top option for SAST.

2018-04-04 19:51:50 UTC
author avatar
Vendor

I would recommend Checkmarx product for application security. The Checkmarx product is primarily focused to identify the security issues.
The SonarQube offers very limited rules for application security and it is basically used for code quality metrics.

2018-04-04 13:56:42 UTC
author avatar
Vendor

As already answered these are two different things. Sonar is good and unlikely you will find an alternative. As fo Checkmarx there are some other appsec products which deserve looking at. First of all ImmuniWeb, also Qualys, Acunetix, Veracode.

2018-04-04 09:22:57 UTC
author avatar
Vendor

If you are interested in application security (AppSec) then definitely Checkmarx is the way to go. Checkmarx SAST product scans your source code (even if it doesn't compile) and detects possible security vulnerabilities, prioritizes them, and presents them in a convenient way, and even suggests a fix, so you can take action on these items. It's possible to adjust Checkmarx SAST to spot also code quality issues, but this is not the product's focus.

2018-04-04 08:13:23 UTC
author avatar
User

Checkmarx is look for security vulnerability such as OWASP top 10. Sonar is for Software Quality. They are two different kind of tool.

2018-04-03 19:53:23 UTC
author avatar
User

Have to give Sandro Artioli right. Q&A: Sonarqube. Security: Checkmarx. If you have the time and money you could as well create the necessary rules for Sonarqube to turn it into a security assessment tool, but that may be complicated ( depends on the language you are using). It is possible though, may offer quite some benefits. But takes time.

2018-04-03 17:49:55 UTC
author avatar
User

Our experience with SonarQube & the journey has been really wonderful so far. It exactly pin points to line of code, from the web interface, which is highly intuitive. Helps developer at the development level with Sonarlint which integrates right into the IDE be it Eclipse or Visual studio and helps developer to be consistent in coding practices right from bottom up. At the same time gives the complete high level view from the top. Bottom line -quite easy to integrate into the development life cycle in non-intrusive way and streamlining the Software quality & security process.

2018-04-03 16:50:27 UTC
author avatar
Vendor

The main question is to understand which is the target you want to achieve: if you're talking of Application Security (Vulnerability Assessment) the choice, between the two, is Checkmarx; in case of Software Quality is Sonar.
I suggest to evaluate also Kiuwan: on the same platform you can cover, together and through an integrated way, both themes having a unique tool where to manage the whole.

2018-04-03 15:46:01 UTC
Find out what your peers are saying about Checkmarx vs. SonarQube and other solutions. Updated: November 2019.
384,147 professionals have used our research since 2012.
Sign Up with Email