Try our new research platform with insights from 80,000+ expert users

HCL AppScan vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
10th
Average Rating
7.8
Reviews Sentiment
6.9
Number of Reviews
43
Ranking in other categories
Dynamic Application Security Testing (DAST) (1st)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Application Security Tools category, the mindshare of HCL AppScan is 2.6%, down from 2.7% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 25.1%, down from 26.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Rishi Anupam - PeerSpot reviewer
A stable and scalable scanning solution with good reporting feature
The solution is used for the vulnerabilities scan on the network side The reporting part is the most valuable feature. The penetration testing feature should be included. I have been using the solution for four years. It is a stable solution. I rate it seven out of ten. It is a scalable…
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"There's extensive functionality with custom rules and a custom knowledge base."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"It was easy to set up."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan"
"We use it as a security testing application."
"The platform has valuable security features, helping us identify sensitive code issues and the possibility of internal applications' exposure to external threats."
"The solution is cheap."
"The reporting part is the most valuable feature."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"We advise all of our developers to have this solution in place."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"Provides local scanning for developers."
"I like that it helps us maintain our work quality and code security."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
 

Cons

"There is not a central management for static and dynamic."
"Scans become slow on large websites."
"I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"They have to improve support."
"Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features."
"The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."
"Many silly false positives are produced."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"I would like to see more options for security, beyond the basics like SQL injection."
"It should be user-friendly."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"The solution could improve by having better-consulting services."
"A better design of the interface and add some new rules."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
 

Pricing and Cost Advice

"AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost."
"Pricing was the main reason that we went ahead with this solution as they were the lowest in the market."
"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."
"The tool was expensive."
"The solution is cheap."
"HCL AppScan is expensive."
"The solution is moderately priced."
"The price is very expensive."
"We use the free version; there are no hidden costs or licensing required."
"The costs for this application, for the kind of job it does, are pretty decent."
"We did not purchase a license (required for C++ support), but this option was considered."
"I use the full trial version of SonarQube."
"I think comparing the product to competitors it should be less expensive."
"We are using the open-source version, which is available free of cost."
"We are using the free, unlicensed version."
"We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
848,716 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
18%
Financial Services Firm
14%
Government
11%
Manufacturing Company
10%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about HCL AppScan?
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.
What needs improvement with HCL AppScan?
AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar to what Veracode provides. Regularly scheduling calls with clients to discuss fe...
What is your primary use case for HCL AppScan?
The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We use AppScan for vulnerability detection and auto-remediation of vulnerabilities wi...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Information Not Available
Find out what your peers are saying about HCL AppScan vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: April 2025.
848,716 professionals have used our research since 2012.