Try our new research platform with insights from 80,000+ expert users

HCL AppScan vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
7.8
Reviews Sentiment
6.9
Number of Reviews
43
Ranking in other categories
Dynamic Application Security Testing (DAST) (1st)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of HCL AppScan is 2.6%, down from 2.7% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Rishi Anupam - PeerSpot reviewer
A stable and scalable scanning solution with good reporting feature
The solution is used for the vulnerabilities scan on the network side The reporting part is the most valuable feature. The penetration testing feature should be included. I have been using the solution for four years. It is a stable solution. I rate it seven out of ten. It is a scalable…
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"This solution saves us time due to the low number of false positives detected."
"You can easily find particular features and functions through the UI."
"Compared to other tools only AppScan supports special language."
"It was easy to set up."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"We are now deploying less defects to production."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"The static scans are good, and the SaaS as well."
"Can tweak rules and feed them into our build pipelines."
"The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"The solution's user interface is very user-friendly."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The solution offers a very good community edition."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
 

Cons

"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"One thing which I think can be improved is the CI/CD Integration"
"The databases for HCL are small and have room for improvement."
"They could add a software component analysis tool."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"It has crashed at times."
"They could incorporate AI to enhance vulnerability detection and improve the product's reporting capabilities."
"Expression of common vulnerabilities and exposures is not always current."
"Having performance regression would be a helpful add on or ability to be able to do during the scan."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"Code security scanning could be improved."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"The pricing could be reduced a bit. It's a little expensive."
 

Pricing and Cost Advice

"HCL AppScan is expensive."
"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."
"The solution is moderately priced."
"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."
"I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer."
"The solution is cheap."
"The product is moderately priced, though it's an investment due to extensive code analysis needs."
"With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level."
"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
"The free version of SonarQube does everything that we need it to."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
"This product is open source and very convenient."
"It is very expensive. Its price should be improved."
"The solution is cheaper than other products."
"We are using the Community edition of SonarQube."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
844,944 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
19%
Financial Services Firm
15%
Government
11%
Manufacturing Company
9%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about HCL AppScan?
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.
What needs improvement with HCL AppScan?
AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar to what Veracode provides. Regularly scheduling calls with clients to discuss fe...
What is your primary use case for HCL AppScan?
The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We use AppScan for vulnerability detection and auto-remediation of vulnerabilities wi...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Information Not Available
Find out what your peers are saying about HCL AppScan vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: March 2025.
844,944 professionals have used our research since 2012.