Checkmarx vs. SonarQube for IDE

Overview
ProductRatingMost Used ByProduct SummaryStarting Price
Checkmarx
Score 9.1 out of 10
N/A
Checkmarx, an Israeli headquartered company with US offices, provides a suite of application security software delivered via the Checkmarx Software Security Platform. Individual modules and capabilities include Checkmarx Static Application Security Testing, Checkmarx Software Composition Analysis, Checkmarx Interactive Application Security Testing (CxIAST)N/A
SonarQube for IDE
Score 9.2 out of 10
N/A
SonarQube for IDE is a free IDE plugin that helps developers by detecting and highlighting issues in their code in real time. Like a spell checker, SonarLint detects Bugs, code smells, and Security Vulnerabilities as code is written, and offers guidance.N/A
Pricing
CheckmarxSonarQube for IDE
Editions & Modules
No answers on this topic
No answers on this topic
Offerings
Pricing Offerings
CheckmarxSonarQube for IDE
Free Trial
NoYes
Free/Freemium Version
NoYes
Premium Consulting/Integration Services
NoNo
Entry-level Setup FeeNo setup feeNo setup fee
Additional Details
More Pricing Information
Community Pulse
CheckmarxSonarQube for IDE
Considered Both Products
Checkmarx
Chose Checkmarx
Checkmarx is easier to integrate with development tools and gives quick feedback during coding, which is helpful for developers. Veracode is more focused on scanning and reporting for compliance, but it’s more complex to set up. We chose Checkmarx because it fits better into …
Chose Checkmarx
We actually use Checkmarx along with the other tools. However, the reason we chose Checkmarx is its wide support for languages and useful fix recommendations. The flowcharts help better understand the data flow and give a clear picture of what needs to be fixed and how. Also, …
SonarQube for IDE
Best Alternatives
CheckmarxSonarQube for IDE
Small Businesses
GitLab
GitLab
Score 8.7 out of 10
Microsoft Visual Studio Code
Microsoft Visual Studio Code
Score 9.0 out of 10
Medium-sized Companies
Veracode
Veracode
Score 8.7 out of 10
Microsoft Visual Studio Code
Microsoft Visual Studio Code
Score 9.0 out of 10
Enterprises
Veracode
Veracode
Score 8.7 out of 10
Microsoft Visual Studio Code
Microsoft Visual Studio Code
Score 9.0 out of 10
All AlternativesView all alternativesView all alternatives
User Ratings
CheckmarxSonarQube for IDE
Likelihood to Recommend
9.0
(0 ratings)
8.0
(0 ratings)
Usability
7.0
(0 ratings)
-
(0 ratings)
User Testimonials
CheckmarxSonarQube for IDE
Likelihood to Recommend
If you are going with SAST process or want to improve overall security posture then go for it like integrating it with post deployment steps. If you are more concerned about proactive controls better choose other options such as pee-commit hooks and CI security. Also choose other tools for DAST and API scans.
Read full review
No answers on this topic
Pros
  • Supports a large number of languages
  • Finds a large variety of potential risks
Read full review
  • SonarLint highlights all the issues in our codes and also displays the severity of each issue.
  • SonarLint also provides suggestions for how to fix those code issues which are highlighted.
  • SonarLint starts the processing of the file as soon as it is opened and highlights all the issues which it found.
  • When we fix the issue, we don't even need to create a new build or generate fresh code quality report, as soon as we save the file with the changes, it does the processing again and shows the result if the issue is fixed or not.
  • SonarLint saves a lot of time and effort by saving us from doing fresh build every time and generating new code quality report every time, thus increasing the efficiency and output which is in return beneficial for the client.
Read full review
Cons
  • DAST capability can be the one where it does not support native use case of using OTP based arch
  • API Scanning is something that lacks a bit due to not much customizations
  • Branch wise reports for SAST is not available
Read full review
  • Sometimes, SonarLint does not highlight the issues in the code correctly.
  • The severity of the issues highlighted is according to the default rules set, we should also be given authority to set the severity of the issues.
  • The default fixes which SonarLint provides should be more enhanced and there should be more fixes available.
  • Sometimes it takes a lot of time for processing of the file when any new file is loaded or changes are saved in a file.
Read full review
Usability
Checkmarx's usability is generally good, but it can be a bit complex for new users. The interface may take some time to get used to, especially for those unfamiliar with security tools. Once you become familiar with it, it’s effective and integrates well into development workflows.
Read full review
No answers on this topic
Alternatives Considered
Checkmarx is easier to integrate with development tools and gives quick feedback during coding, which is helpful for developers. Veracode is more focused on scanning and reporting for compliance, but it’s more complex to set up. We chose Checkmarx because it fits better into our development process, offering faster scans and more useful suggestions for fixing problems
Read full review
SonarLint works along with SonarQube
Read full review
Return on Investment
  • Great diversity of vulnerabilities covered.
  • Quicker scans
  • They are feature rich compared to other tools I used in the past.
  • Dashboards are not customizable enough.
  • High number of false positives take up time and sometimes make our report look bad.
Read full review
  • SonarLint helps in achieving all the business requirements in a more efficient way.
  • It reduces the manual and redundant work which we would have to do else every time if we did not use SonarLint.
  • SonarLint helps in maintaining code quality, and thus also highlights the loopholes for the cyber attacks and phishing attacks.
  • SonarLint makes work easy and helps the developer to invest less time in manual work thereby increasing their capacity to deliver the maximum output to the client.
Read full review
ScreenShots

SonarQube for IDE Screenshots

Screenshot of where SonarQube for IDE identifies and highlights issues in a Java project within VS Code. It also explains why this is an issue, how to fix it, and offers more educational content to help developers grow. SonarLint uncovers issues in over 30 languages, frameworks and IaC platforms. SonarLint is available for VS Code, Visual Studio, Eclipse and JetBrains IDEs.Screenshot of how when connected to either SonarCloud or SonarQube the developer can leverage  SonarQube for IDE to identify complex bugs, share code quality expectations with their team, perform deeper issue analysis, enjoy smart notifications, and unlock additional language analysis opportunities. Connecting is easy and guided for a rapid setup, as seen here in the image.