We compared SonarQube and OWASP Zap based on our user's reviews in several parameters.
SonarQube and OWASP Zap both provide valuable features for detecting vulnerabilities and enhancing code security. SonarQube stands out for its comprehensive features, versatile language support, and seamless DevOps integration, while OWASP Zap is praised for its robust scanning capabilities and user-friendly interface. SonarQube offers strong customer service and positive ROI, while OWASP Zap is commended for its responsive support and affordable pricing. Areas for improvement include analysis speed for SonarQube and tool performance for OWASP Zap.
Features: SonarQube stands out for its support for multiple languages, integration with DevOps pipelines, ability to detect vulnerabilities, and usability enhancements. In contrast, OWASP Zap is praised for its robust scanning capabilities, effective interception and proxying features, comprehensive reporting options, ease of use, user-friendly interface, and strong community support.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, OWASP Zap's setup cost is minimal and hassle-free, allowing for quick and easy installation., SonarQube has proven highly beneficial for ROI, improving code quality, fixing issues, enhancing project efficiency, and detecting vulnerabilities. OWASP Zap provides enhanced security measures, risk mitigation, and user-friendly flexibility.
Room for Improvement: SonarQube's room for improvement lies in enhancing analysis speed, refining UI for navigation, providing clearer setup instructions and advanced functionality documentation, addressing occasional performance issues, and improving integration options. On the other hand, OWASP Zap needs improvements in tool speed and performance, user interface usability, documentation clarity, tool stability, advanced features and customization options, and reporting capabilities.
Deployment and customer support: Users mentioned that it took them three months for deployment and an additional week for setup with SonarQube, while OWASP Zap users had varying timeframes. SonarQube's deployment and setup durations are longer compared to OWASP Zap., SonarQube is commended for its exceptional customer service, with prompt and knowledgeable assistance. Users express confidence in the reliability of its support. OWASP Zap's customer service is also highly praised, with helpful and responsive staff who ensure a positive user experience.
The summary above is based on 47 interviews we conducted recently with SonarQube and OWASP Zap users. To access the review's full transcripts, download our report.
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"You can run it against multiple targets."
"The solution has tightened our security."
"It's great that we can use it with Portswigger Burp."
"The scalability of this product is very good."
"It can be used effectively for internal auditing."
"The ZAP scan and code crawler are valuable features."
"The most valuable features are code scanning and Quality Gates."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"The solution has a plug-in that supports both C and C++ languages."
"Strong code evaluation for budget-minded clients."
"The solution offers a very good community edition."
"SonarQube is admin friendly."
"The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
"There's plenty of documentation available to users."
"Deployment is somewhat complicated."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"It doesn't run on absolutely every operating system."
"Sometimes, we get some false positives."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."
"Reporting format has no output, is cluttered and very long."
"OWASP Zap needs to extend to mobile application testing."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"I am not very pleased with the technical debt computation."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 112 reviews. OWASP Zap is rated 7.6, while SonarQube is rated 8.0. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". OWASP Zap is most compared with Acunetix, Qualys Web Application Scanning, Veracode, PortSwigger Burp Suite Professional and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitLab. See our OWASP Zap vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
