Try our new research platform with insights from 80,000+ expert users

HCL AppScan vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
7.8
Reviews Sentiment
6.9
Number of Reviews
43
Ranking in other categories
Dynamic Application Security Testing (DAST) (1st)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of HCL AppScan is 2.6%, down from 2.7% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Rishi Anupam - PeerSpot reviewer
A stable and scalable scanning solution with good reporting feature
The solution is used for the vulnerabilities scan on the network side The reporting part is the most valuable feature. The penetration testing feature should be included. I have been using the solution for four years. It is a stable solution. I rate it seven out of ten. It is a scalable…
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The platform has valuable security features, helping us identify sensitive code issues and the possibility of internal applications' exposure to external threats."
"The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase."
"The solution is easy to use."
"The solution is cheap."
"The product has valuable features for static and dynamic testing."
"There's extensive functionality with custom rules and a custom knowledge base."
"Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
"We leverage it as a quality check against code."
"Offers multi-programming language support"
"The static code analysis is very good."
"We consider it a handy tool that helps to resolve our issues immediately."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
 

Cons

"If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly."
"I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"The product has some technical limitations."
"They could add a software component analysis tool."
"AppScan needs to improve its handling of false positives."
"Improvement can be done as per customer requirements."
"IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
"Dynamic scanning is missing and there are some issues with security scanning."
"The solution could improve by providing more advanced technologies."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"I would like to see more options for security, beyond the basics like SQL injection."
 

Pricing and Cost Advice

"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."
"Our clients are willing to pay the extra money. It is expensive."
"I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer."
"The solution is moderately priced."
"HCL AppScan is expensive."
"Pricing was the main reason that we went ahead with this solution as they were the lowest in the market."
"With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level."
"The solution is cheap."
"It's an open-source solution, with no additional costs."
"We use the free version; there are no hidden costs or licensing required."
"SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code."
"There is both a free and licensed version. The free version has limitations on development languages and support."
"We did not purchase a license (required for C++ support), but this option was considered."
"It is very expensive. Its price should be improved."
"The tool's pricing is reasonable."
"I think comparing the product to competitors it should be less expensive."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
845,040 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
19%
Financial Services Firm
14%
Government
11%
Manufacturing Company
9%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about HCL AppScan?
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.
What needs improvement with HCL AppScan?
AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar to what Veracode provides. Regularly scheduling calls with clients to discuss fe...
What is your primary use case for HCL AppScan?
The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We use AppScan for vulnerability detection and auto-remediation of vulnerabilities wi...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Information Not Available
Find out what your peers are saying about HCL AppScan vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: March 2025.
845,040 professionals have used our research since 2012.