Products compared: Veracode (63,090 views, 34,507 comparisons), Checkmarx (44,724 views, 33,455 comparisons), SonarQube (90,271 views, 74,084 comparisons)
Comparison Summary
Question: What is the biggest difference between Checkmarx and SonarQube?
Answer: SonarQube historically focused on Code Quality and Best Practices. Recently, the Enterprise and Data Center editions provide some security vulnerability detection with OWASP compliance. This is not enough. If you are focused on secure coding, Checkmarx is much better. Most enterprise customers tend to use Checkmarx and SonarQube (free version) together in order to detect security and quality/best-practice issues.
Find out what your peers are saying about Checkmarx vs. SonarQube and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

Veracode:
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then we adopt the tool's suggestions. By implementing them in the right way, we can fix the issue. For example, the tool may find a method that copies one piece of memory into another piece of memory in the code. The tool points to the problematic methods with the vulnerability and provides ways to code it more securely. By adopting its suggestions, we fix the vulnerability."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
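The memory-copy finding described in the last Veracode quote above, shown as an added example that is not from this page, from any reviewer, or from any of the three vendors: an unbounded copy of the kind a SAST engine flags, beside a bounded replacement that rejects input that does not fit. The struct, its field size, the function names and the sample inputs are all hypothetical.

```c
/* Added example with hypothetical names and sizes: an unbounded memory copy
 * of the kind a SAST tool reports, beside the bounded form it would suggest. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16                /* capacity of the destination buffer */

struct record {
    char name[NAME_CAP];
    unsigned int id;               /* adjacent field an overflow would clobber */
};

/* Vulnerable form: copies a caller-supplied length into a fixed buffer with
 * no bound. A SAST engine flags the memcpy because src_len is never checked
 * against sizeof r->name; any src_len >= NAME_CAP writes past the buffer. */
void set_name_unsafe(struct record *r, const char *src, size_t src_len) {
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';       /* also out of bounds when src_len >= NAME_CAP */
}

/* Hardened form: validate arguments and refuse input that does not fit
 * (at most NAME_CAP - 1 bytes plus the terminator). Returns true on success
 * and leaves the record untouched on failure. */
bool set_name_safe(struct record *r, const char *src, size_t src_len) {
    if (r == NULL || src == NULL)
        return false;
    if (src_len >= sizeof r->name) /* no room left for the NUL terminator */
        return false;
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';
    return true;
}

/* Convenience wrapper for NUL-terminated input. */
bool set_name_safe_str(struct record *r, const char *src) {
    return src != NULL && set_name_safe(r, src, strlen(src));
}

int main(void) {
    struct record r = { "", 42 };
    /* Constructed inputs: one that fits, one that would overflow name[]. */
    const char *short_name = "alice";
    const char *long_name  = "an-identifier-longer-than-sixteen-bytes";

    /* The unsafe call is only harmless here because the input is short;
     * nothing in the function itself prevents a longer one from overflowing. */
    set_name_unsafe(&r, "bob", 3);

    printf("short: %s\n", set_name_safe_str(&r, short_name) ? "accepted" : "rejected");
    printf("long:  %s\n", set_name_safe_str(&r, long_name)  ? "accepted" : "rejected");
    printf("name=%s id=%u\n", r.name, r.id);   /* id stays 42: nothing overran */
    return 0;
}
```

The check that matters is `src_len >= sizeof r->name`, not `>`: the terminator needs its own byte, which is exactly the off-by-one a scanner's "copy without bound" rule is trying to surface.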

Checkmarx:
"The user interface is modern and nice to use."
"The UI is very intuitive and simple to use."
"The most valuable feature is the simple user interface."
"From my point of view, it is the best product on the market."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require it is very important."
"The most valuable feature is the application tracking reporting."
"The value you can get out of the speedy production may be worth the price tag."
"The most valuable features are the easy-to-understand interface, and it's very user-friendly."

SonarQube:
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"The overall quality of the indicator is good."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"The most valuable features are the segregation containment and the suspension of product services."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"The product has a friendly UI that is easy to use and understand."
"The most valuable features are code scanning and Quality Gates."
"It is a very good tool for analysis and security vulnerability checking."

Cons

Veracode:
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"Improve Mobile Application Dynamic Scanning (DAST) for .ipa and .apk files."

Checkmarx:
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"The integration could improve by including, for example, DevSecOps."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"I would like to see the DAST solution in the future."
"If it is a very large code base then we have a problem where we cannot scan it."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"Micro-services need to be included in the next release."

SonarQube:
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"Code security scanning could be improved."
"The BPM language is important and should be considered in SonarQube."
"We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"There are sometimes security breaches in our code which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products."

Pricing and Cost Advice

Veracode:
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"The pricing is really fair compared to a lot of other tools on the market."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"Veracode's price is high. I would like them to better optimize their pricing."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"Licensing cost is on a yearly basis and there are no additional costs; the pricing is straightforward."

Checkmarx:
"The number of users and coverage for languages will have an impact on the cost of the license."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"The interface used to create custom rules comes at an additional cost."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"It's relatively expensive."
"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."

SonarQube:
"The solution has a free version and a license version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution."
"The developer edition is based on cost per lines of code."
"We use the free version; there are no hidden costs or licensing required."
"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
"I was using the Community Edition, which is available free of charge."
"We are using the open-source version, which is available free of cost."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
"We are using the open-source community version, but there are enterprise licenses available."

Answers from the Community
Malla Reddy Bakka
Curtis Yanko (Shiftleft), Vendor:

I've always viewed SonarQube as a code quality tool that complements many code security tools like Checkmarx.

ManojKumar9, Real User:

The major difference I have seen between Checkmarx and SonarQube is:

Checkmarx support: supports a large number of languages and finds a large variety of potential risks.

Apart from this, I don't see any big differences.

Also Known As
SonarQube: Sonar
Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode combines SaaS technology with on-demand expertise, enabling DevSecOps through integration with your pipeline and empowering developers to find and fix security defects.

Checkmarx CxSAST is a highly accurate and flexible Static Code Analysis product that lets organizations automatically scan uncompiled, unbuilt code and identify hundreds of security vulnerabilities in all major coding languages. CxSAST is available as a standalone product and can be integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premises in a private data center or hosted in a public cloud.

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

Sample Customers
Veracode: State of Missouri, Rekner
Checkmarx: YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech (case study: Liveperson Implements Innovative Secure SDLC)
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Top Industries (blocks in the page's product order: Veracode, Checkmarx, SonarQube)

Veracode
Reviewers: Financial Services Firm 30%; Computer Software Company 12%; Insurance Company 9%; Healthcare Company 7%
Visitors reading reviews: Computer Software Company 30%; Comms Service Provider 16%; Financial Services Firm 10%; Manufacturing Company 6%

Checkmarx
Reviewers: Computer Software Company 44%; Financial Services Firm 22%; Pharma/Biotech Company 11%; Manufacturing Company 6%
Visitors reading reviews: Computer Software Company 29%; Financial Services Firm 16%; Comms Service Provider 14%; Insurance Company 5%

SonarQube
Reviewers: Computer Software Company 24%; Financial Services Firm 20%; Comms Service Provider 10%; Insurance Company 8%
Visitors reading reviews: Computer Software Company 28%; Comms Service Provider 17%; Financial Services Firm 12%; Manufacturing Company 7%
Company Size (blocks in the page's product order: Veracode, Checkmarx, SonarQube)

Veracode
Reviewers: Small Business 24%; Midsize Enterprise 25%; Large Enterprise 51%
Visitors reading reviews: Small Business 24%; Midsize Enterprise 31%; Large Enterprise 45%

Checkmarx
Reviewers: Small Business 38%; Midsize Enterprise 18%; Large Enterprise 44%
Visitors reading reviews: Small Business 15%; Midsize Enterprise 29%; Large Enterprise 56%

SonarQube
Reviewers: Small Business 28%; Midsize Enterprise 18%; Large Enterprise 53%
Visitors reading reviews: Small Business 29%; Midsize Enterprise 19%; Large Enterprise 52%

Checkmarx is ranked 6th in Application Security with 18 reviews while SonarQube is ranked 1st in Application Security with 46 reviews. Checkmarx is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Checkmarx writes "Easy interface that is user friendly, quick scanning, and good technical support". On the other hand, the top reviewer of SonarQube writes "This is a very capable analysis tool for development projects but the free version has limitations". Checkmarx is most compared with Micro Focus Fortify on Demand, Snyk, Coverity, WhiteSource and OWASP Zap, whereas SonarQube is most compared with Coverity, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand, WhiteSource and Snyk. See our Checkmarx vs. SonarQube report.


We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.