Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 30, 2024
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
3rd
Ranking in Static Application Security Testing (SAST)
3rd
Average Rating
7.6
Reviews Sentiment
7.9
Number of Reviews
70
Ranking in other categories
Vulnerability Management (16th), Static Code Analysis (2nd), API Security (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Number of Reviews
113
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of November 2024, in the Application Security Tools category, the mindshare of Checkmarx One is 12.9%, down from 15.0% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 27.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

WH
Jul 08, 2020
 

Featured Reviews

Rohit Kesharwani - PeerSpot reviewer
Feb 19, 2024
Provides good security analysis and security identification within the source code
We use the solution to validate the source code and do SAST and security analysis. Checkmarx dynamics code analysis improved our software security posture by showcasing vulnerabilities within the code and identifying or providing recommendations on how to improve The solution's user interface…
Wang Dayong - PeerSpot reviewer
May 10, 2023
Easy to integrate and has a plug-in that supports both C and C++ languages
We use the product to review our software codes. We have integrated the product to review our new delivery code When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"Our static operation security has been able to identify more security issues since implementing this solution."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The only thing I like is that Checkmarx does not need to compile."
"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"Both automatic and manual code review (CxQL) are valuable."
"The solution communicates where to fix the issue for the purpose of less iterations."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"Provides local scanning for developers."
"The product has a friendly UI that is easy to use and understand."
"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
"I like that it covers most programming languages for source code review."
"The solution has a plug-in that supports both C and C++ languages."
"We advise all of our developers to have this solution in place."
"SonarQube's unit test coverage and exhaustive information at the module, project, and overall code repo levels are quite good."
"The integrations SonarQube provides with our software delivery pipeline are very seamless."
 

Cons

"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"The plugins for the development environment have room for improvements such as for Android Studio and X code."
"Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."
"The integration could improve by including, for example, DevSecOps."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"The solution sometimes reports a false auditable code or false positive."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"Expression of common vulnerabilities and exposures is not always current."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"I would like to see more options for security, beyond the basics like SQL injection."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
 

Pricing and Cost Advice

"For around 250 users or committers, the cost is approximately $500,000."
"The number of users and coverage for languages will have an impact on the cost of the license."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"The solution is costly."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"The solution's price is high and you pay based on the number of users."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
"The free version of SonarQube does everything that we need it to."
"The costs for this application, for the kind of job it does, are pretty decent."
"We use the tool's community edition."
"We are using the Community edition of SonarQube."
"We did not purchase a license (required for C++ support), but this option was considered."
"SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."
"We pay €10 per month for this solution, which is good. It provides a good value for money."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
815,690 professionals have used our research since 2012.
 

Answers from the Community

WH
Jul 8, 2020
Jul 8, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider land...
2 out of 3 answers
DG
Jul 6, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
DG
Jul 7, 2020
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
15%
Manufacturing Company
10%
Government
5%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

No data available
Sonar
 

Learn More

 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Information Not Available
Find out what your peers are saying about Checkmarx One vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: October 2024.
815,690 professionals have used our research since 2012.