We performed a comparison between HCL AppScan and SonarQube based on our users' reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube offers better integration capabilities than HCL AppScan. Additionally, SonarQube users are happier with the pricing. For these reasons, SonarQube is the more desirable product in this comparison.
"We leverage it as a quality check against code."
"This solution saves us time due to the low number of false positives detected."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
"Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that the ethical hacking is almost clean every time. So it's less cost, less effort, less time to production."
"It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."
"The product is useful, particularly in its sensitivity and scanning capabilities."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"It is working fine. It provides a good value for money."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"Before you even compile, it can catch known vulnerability issues or patterns."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"There are many options and examples available in the tool that help us fix the issues it shows us."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"We advise all of our developers to have this solution in place."
"This solution is simple to use and can be quickly deployed."
"The pricing has room for improvement."
"AppScan is too complicated and should be made more user-friendly."
"The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."
"There are so many lines of code with so many different categories that I am likely to get lost."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"There is not a central management for static and dynamic."
"A desktop version should be added."
"There is room for improvement in the pricing model."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"Code security scanning could be improved."
"The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
"It would be better if SonarQube provided a good UI for external configuration."
"SonarQube is not development-centric like Snyk."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
HCL AppScan is ranked 15th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. HCL AppScan is rated 7.8, while SonarQube is rated 8.0. The top reviewer of HCL AppScan writes "A stable and scalable product useful for application security scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". HCL AppScan is most compared with Veracode, Acunetix, PortSwigger Burp Suite Professional, OWASP Zap and Fortify on Demand, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity and Veracode. See our HCL AppScan vs. SonarQube report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.