I work for a midsized software startup and I am currently evaluating Checkmarx and Fortify.
What are the biggest differences between the two? Which would you recommend?
Thanks! I appreciate the help.
Checkmarx SAST is a product supporting 20+ languages, including the modern ones (GoLang, Kotlin, Swift, Scala, Typescript, React). Its language support is constantly kept up with the current versions of the respective languages/frameworks (e.g. .NET Core 2.x etc.).
Unlike Fortify, Checkmarx analyses raw (uncompiled) source code, which makes it less susceptible to changes in the build environment (e.g. no dependency on a specific version of Xcode).
Finally, the Checkmarx solution is available both as an on-premises and as a cloud (hosted) solution with the same capabilities. Fortify on Demand (the cloud-only solution) is different from the on-prem one.
Fewer false positives with CX than Fortify. More integrated.
Looking at the Gartner report I would say that Checkmarx is way easier to set up (initial setup) compared to Micro Focus Fortify.
Also, the financial strength of the Micro Focus Fortify spin/merger is a concern so investments could be at risk.
The major difference is that Checkmarx scans the code without compiling it. This has a great advantage, as code-building issues are eliminated, scan time is much shorter and false positives are fewer to some extent. One more major thing is that Checkmarx learns as you eliminate false positives and does not show the same issue again. We can perform incremental scans on the codebase, where the old issues are nicely marked as "Recurring" and new ones in red as "New". Checkmarx has highly customizable filter creation, where you can create a filter that eliminates the common recurring issues in scans. This feature is very flexible: you can write your own filters and also write specific patterns that are found in manual review, which is a great help as coding styles differ from team to team.
Thanks a lot. Thank you for the information.
I am looking for pros and cons for the Checkmarx vs SonarQube, in particular regarding:
I am also wondering if SonarQube could allow developers to delint their code before submitting it to SAST with either Checkmarx or Veracode.