We compared SonarQube and OWASP Zap based on our user's reviews in several parameters.
SonarQube and OWASP Zap both provide valuable features for detecting vulnerabilities and enhancing code security. SonarQube stands out for its comprehensive features, versatile language support, and seamless DevOps integration, while OWASP Zap is praised for its robust scanning capabilities and user-friendly interface. SonarQube offers strong customer service and positive ROI, while OWASP Zap is commended for its responsive support and affordable pricing. Areas for improvement include analysis speed for SonarQube and tool performance for OWASP Zap.
Features: SonarQube stands out for its support for multiple languages, integration with DevOps pipelines, ability to detect vulnerabilities, and usability enhancements. In contrast, OWASP Zap is praised for its robust scanning capabilities, effective interception and proxying features, comprehensive reporting options, ease of use, user-friendly interface, and strong community support.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, OWASP Zap's setup cost is minimal and hassle-free, allowing for quick and easy installation., SonarQube has proven highly beneficial for ROI, improving code quality, fixing issues, enhancing project efficiency, and detecting vulnerabilities. OWASP Zap provides enhanced security measures, risk mitigation, and user-friendly flexibility.
Room for Improvement: SonarQube's room for improvement lies in enhancing analysis speed, refining UI for navigation, providing clearer setup instructions and advanced functionality documentation, addressing occasional performance issues, and improving integration options. On the other hand, OWASP Zap needs improvements in tool speed and performance, user interface usability, documentation clarity, tool stability, advanced features and customization options, and reporting capabilities.
Deployment and customer support: Users mentioned that it took them three months for deployment and an additional week for setup with SonarQube, while OWASP Zap users had varying timeframes. SonarQube's deployment and setup durations are longer compared to OWASP Zap., SonarQube is commended for its exceptional customer service, with prompt and knowledgeable assistance. Users express confidence in the reliability of its support. OWASP Zap's customer service is also highly praised, with helpful and responsive staff who ensure a positive user experience.
The summary above is based on 47 interviews we conducted recently with SonarQube and OWASP Zap users. To access the review's full transcripts, download our report.
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"The scalability of this product is very good."
"The stability of the solution is very good."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"Fuzzer and Java APIs help a lot with our custom needs."
"It's great that we can use it with Portswigger Burp."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The application scanning feature is the most valuable feature."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"The product is simple."
"It is very good at identifying technical debt."
"The most valuable features are the segregation containment and the suspension of product services."
"Strong code evaluation for budget-minded clients."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"The software quality gate streamlines the product's quality."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"OWASP Zap needs to extend to mobile application testing."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"There are too many false positives."
"The product reporting could be improved."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"The reporting feature could be more descriptive."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The forced browse has been incorporated into the program and it is resource-intensive."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"Expression of common vulnerabilities and exposures is not always current."
"It should be user-friendly."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"I find it is light on the security side."
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. OWASP Zap is rated 7.6, while SonarQube is rated 8.0. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". OWASP Zap is most compared with Acunetix, Qualys Web Application Scanning, Veracode, PortSwigger Burp Suite Professional and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitLab. See our OWASP Zap vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.