Try our new research platform with insights from 80,000+ expert users

Rapid7 AppSpider vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Rapid7 AppSpider
Ranking in Static Application Security Testing (SAST)
27th
Average Rating
7.8
Reviews Sentiment
6.7
Number of Reviews
14
Ranking in other categories
No ranking in other categories
SonarQube Server (formerly ...
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Application Security Tools (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of April 2025, in the Static Application Security Testing (SAST) category, the mindshare of Rapid7 AppSpider is 0.5%, down from 0.6% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 28.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Andrei Bigdan - PeerSpot reviewer
Useful vulnerability reporting data, flexible, and simple implementation
I have had some stability problems but it could be the Microsoft Windows operating system. I found that closing other applications helps with stability. It is helpful to have as much memory as possible, such as eight gigabytes. The more pages being processed the more resources you need. I rate the stability of Rapid7 AppSpider a nine out of ten.
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"One of the most valuable features of AppSpider is its broad range of authentication identification, which is a key reason for its utilization."
"When it is set up properly, it can do scanning on web apps with multiple engines automatically."
"The initial deployment is very straightforward and simple. The product is stable if configured properly."
"The solution is highly stable, rated at ten out of ten."
"The most valuable feature is the reporting, which is compliant with international standards."
"The setup is usually straightforward."
"AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines."
"I like the ability the product has to detect vulnerabilities quickly, when it has been released in our environment, then displaying them to us."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"It is working fine. It provides a good value for money."
"The fact that the solution does security scanning is valuable."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
"The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"If code coverage is a low number then that's of great value to me."
 

Cons

"Implementing Rapid7 AppSpider requires scanning and self-identification mechanisms. You can add different types of authentication to each scan."
"For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users."
"AppSpider could improve in the area of integration. They need to add more integration opportunities."
"The solution is too slow. It could take a full day to scan. Competitors are much faster."
"One of the challenges I have with AppSpider is that it gives you a lot of false positives, especially when compared to other solutions."
"The dashboard and interface are crucial and they need some improvement."
"AppSpider has some problems with the RAM needed while scanning."
"The product should offer a GUI in Japanese and provide Japanese reports for end-users."
"The solution could improve by providing more advanced technologies."
"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"You may need to purchase add-ons to get the useability you desire."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"Any suggestions for potential improvements may include bill of materials functionality."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"SonarQube is not development-centric like Snyk."
 

Pricing and Cost Advice

"The price is pretty fair."
"The licensing cost depends on the number of users."
"It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once."
"The price of Rapid7 AppSpider cost 9,000 annually but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor."
"AppSpider is closed-source software and you need to acquire a license in order to use it."
"I am satisfied with the pricing."
"SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
"I think comparing the product to competitors it should be less expensive."
"My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
"We are using the free, unlicensed version."
"The price point on SonarQube is good."
"We use the solution free of cost."
"We are using the Developer Edition and the cost is based on the amount of code that is being processed."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
849,190 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
14%
Healthcare Company
8%
Government
8%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Rapid7 AppSpider?
The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than seeing them as a PDF. We are able to generate a...
What is your experience regarding pricing and costs for Rapid7 AppSpider?
The price is not high, but for Japanese customers, localization may incur additional costs.
What needs improvement with Rapid7 AppSpider?
For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

AppSpider
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Microsoft
Information Not Available
Find out what your peers are saying about Rapid7 AppSpider vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: April 2025.
849,190 professionals have used our research since 2012.