Checkmarx (costly commercial license) is for application security and SonalQube is for code quality. You can write security rules in sonarQube. However, that will require time and effort. Selecting either of these two depends on your requirement.

ZAP is free and does a fairly good job...However, it requires manual intervention and lacks many of the features that a commertial tool provides..If cost is not a factor, you should go for Netsparker/ AppScan etc. Alternatively you can start with ZAP and see if it meets your…