Try our new research platform with insights from 80,000+ expert users

HCL AppScan vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
7.8
Reviews Sentiment
6.9
Number of Reviews
43
Ranking in other categories
Dynamic Application Security Testing (DAST) (1st)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of HCL AppScan is 2.6%, down from 2.7% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Rishi Anupam - PeerSpot reviewer
A stable and scalable scanning solution with good reporting feature
The solution is used for the vulnerabilities scan on the network side The reporting part is the most valuable feature. The penetration testing feature should be included. I have been using the solution for four years. It is a stable solution. I rate it seven out of ten. It is a scalable…
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"I like the recording feature."
"The most valuable feature of the solution is the scanning or security part."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"The platform has valuable security features, helping us identify sensitive code issues and the possibility of internal applications' exposure to external threats."
"You can easily find particular features and functions through the UI."
"We are now deploying less defects to production."
"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"Compared to other tools only AppScan supports special language."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"The stability is good."
"There's plenty of documentation available to users."
"Strong code evaluation for budget-minded clients."
"The product itself has a friendly UI."
"The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
"The product has a friendly UI that is easy to use and understand."
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
 

Cons

"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"They could add a software component analysis tool."
"There are so many lines of code with so many different categories that I am likely to get lost. ​"
"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."
"AppScan needs to improve its handling of false positives."
"Sometimes it doesn't work so well."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"The penetration testing feature should be included."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"The product provides false reports sometimes."
"The interface could be a little better and should be enhanced."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"There are limitations to the free version that limit development options as far as languages."
"SonarQube could improve its static application security testing as per the industry standard."
"I think the code security can be improved."
"Lacks sufficient visibility and documentation."
 

Pricing and Cost Advice

"The product has premium pricing and could be more competitive."
"Pricing was the main reason that we went ahead with this solution as they were the lowest in the market."
"The tool was expensive."
"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."
"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."
"AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost."
"Our clients are willing to pay the extra money. It is expensive."
"The price is very expensive."
"Can try developer version for 14 days on the free trial."
"We use the tool's community edition."
"We pay €10 per month for this solution, which is good. It provides a good value for money."
"We are using the Community edition of SonarQube."
"As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
"My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
"A low cost long-term solution for non-critical situations."
"The costs for this application, for the kind of job it does, are pretty decent."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
842,767 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
19%
Financial Services Firm
15%
Government
11%
Manufacturing Company
9%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about HCL AppScan?
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.
What needs improvement with HCL AppScan?
AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar to what Veracode provides. Regularly scheduling calls with clients to discuss fe...
What is your primary use case for HCL AppScan?
The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We use AppScan for vulnerability detection and auto-remediation of vulnerabilities wi...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Information Not Available
Find out what your peers are saying about HCL AppScan vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: March 2025.
842,767 professionals have used our research since 2012.