HCL AppScan and SonarQube are prominent tools in the software security and quality management domain. HCL AppScan holds an advantage in security feature effectiveness, while SonarQube excels in code quality analysis.
Features: HCL AppScan provides comprehensive security through XSS and SQL injection detection, dynamic and web scanning, and agile process integration. SonarQube offers valuable static code analysis, customizable quality profiles, and Jenkins integration, supported by its open-source model and extensive plugin options.
Room for Improvement: HCL AppScan requires better remediation guidance, mobile device vulnerability checks, improved CI/CD integration, and enhanced dashboard functionality. SonarQube can improve dynamic scanning, reporting capabilities, UI design, and security vulnerability accuracy.
Ease of Deployment and Customer Service: Both products support on-premises and cloud deployments. SonarQube offers greater flexibility for hybrid and public cloud environments. HCL has mixed support reviews post-IBM transition, while SonarQube is generally praised for resource availability and technical assistance.
Pricing and ROI: HCL AppScan is considered expensive with token-based fees but provides ROI through reduced vulnerabilities. SonarQube is more cost-effective, with an open-source version offering extensive free features and paid versions providing stable support and value for investment.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.
The community support is quite effective.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further.
Some of the static code analysis capabilities are the most beneficial.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It gives precise reports compared to Coverity and has a slightly lower number of false positives.
| Product | Market Share (%) |
|---|---|
| SonarQube Server (formerly SonarQube) | 20.5% |
| HCL AppScan | 2.4% |
| Other | 77.1% |
| Company Size | Count |
|---|---|
| Small Business | 13 |
| Midsize Enterprise | 6 |
| Large Enterprise | 31 |
| Company Size | Count |
|---|---|
| Small Business | 41 |
| Midsize Enterprise | 24 |
| Large Enterprise | 79 |
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
SonarQube provides comprehensive support for multi-language development, custom coding rules, and quality gates, integrated seamlessly into CI/CD pipelines. It empowers teams with clear insights through intuitive dashboards, identifying vulnerabilities, code smells, and technical debt.
SonarQube is renowned for its extensive capabilities in static code analysis, making it an invaluable tool for maintaining code quality. By fully integrating into development processes, it allows organizations to manage vulnerabilities and ensure compliance with coding standards. Its extensive community and open-source roots contribute to its accessibility, while robust dashboards facilitate code quality monitoring. Despite its strengths, feedback suggests enhancing analysis speed, better integration with DevOps tools, and refining the user interface. Users also point to the need for handling false positives effectively and expanding on AI-based features for dynamic code analysis.
What are SonarQube's main features?In industries like finance and healthcare, SonarQube aids in obtaining regulatory compliance through rigorous code quality assessments. It is implemented to enhance cybersecurity by identifying potential vulnerabilities, while ensuring code meets the stringent standards demanded in these fields. As part of a broader development ecosystem, its integration in CI/CD pipelines ensures smooth and efficient software delivery, catering to phases from code inception to deployment, effectively supporting large-scale and critical software applications.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
