SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.
$720
per year per installation
Wiz
Score 8.1 out of 10
N/A
Wiz is a Tel Aviv based, cloud risk visibility solution for enterprise security. It provides a 360° view of security risks across clouds, containers and workloads.
N/A
Pricing
SonarQube Server
Wiz
Editions & Modules
Community
Free
Developer EDITION
starting at $720
per year per installation
Enterprise EDITION
Contact sales for pricing
per year per installation
Data Center EDITION
Contact sales for pricing
per year per installation
No answers on this topic
Offerings
Pricing Offerings
SonarQube Server
Wiz
Free Trial
Yes
No
Free/Freemium Version
Yes
No
Premium Consulting/Integration Services
No
No
Entry-level Setup Fee
No setup fee
No setup fee
Additional Details
—
—
More Pricing Information
Community Pulse
SonarQube Server
Wiz
Considered Both Products
SonarQube Server
Verified User
Anonymous
Chose SonarQube Server
Some are still under consideration. Pricing is a big component. Some FOSS products have been considered is at par (at least for our needs) or catching up. Although the amazing support in the community weighs hard on the value. So, if it went away...so would some arguments …
SonarQube is more focused on code quality, whereas Veracode does a better job of finding security vulnerabilities. We lean towards SonarQube because we are looking for quality.
Jenkins and Gitlab are not exact alternatives for SonarQube, however, they do provide functionality for running and executing build pipelines for various languages and generating reports. However, they are not extensible, have no integration with IDEs and not suitable for …
SonarQube deployment worked well with our pipeline and had the right integrations with our IDE as well as it worked well with analyzing .NET frameworks when compared to GitHub and GitLab which has some of the functionality and can do some checks, but SonarQube made more sense …
SonarQube is a SAST, SOOS focuses on SCA and DAST - both of which we felt were out of scope for our immediate needs. Plus, through plugins SonarQube is able to accomplish some SCA.
SonarQube identifies significant more thing compared to the built-in suggestions in IntelliJ IDEA. The suggestions how to correct issues are also a lot better with SonarQube. IntelliJ IDEA provides great refactoring support to make it easy to refactor the code to solve issues. …
Getting SonarQube instead of the other tools we tested was an easy choice. Snyk was way too much limited to only Docker images and dependency analysis at that time. And Checkmarx was very hard to adapt to our needs : configuring custom quality gates was way too much of a …
SonarQube is much improved version as compared to SonarLint and Findbugs or any other software we found in similar category. It's open source and can be easily integrated with code pipeline.
I have used GitHub more that fortify so I am more familiar with GitHub for checking for vulnerabilities. I have noticed GitHub is good for checking different packages within your project but as far as checking code Quality and coverage Sonar is the better one in my opinion. …
I have used other tools like SoapUI and Postman, but their working and use case are totally different from the SonarQube, so basically cannot compare SonarQube with them. We use SonarQube in our project to basically calculate the code quality report mostly. In that report, we …
I personally evaluated klocwork in a previous company and it worked well for Static Code Analysis for C++ applications but the Java support was not as good as SonarQube.
Also the overall tooling and integrations provided by SonarQube is stellar and very other competitors can …
SonarQube is an open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty descent. Pipeline scan is more secured in SonarQube. Its a very good tool and its support multiple languages. Its main core competency is of static code …
SonarQube contains all of their features. Findbugs has very limited capabilities. It is just a static code analyser and does not check for a continous code quality and also not possible to integrate its plugin azure devops .net pipelines and more importantly SonarQube ui is …
Sonar Qube doesn't do as good of a job of finding security vulnerabilities as dedicated SAST software, but it does more for code quality that the developers want to see. A comparison of Sonar Qube to something like Veracode or Fortify isn't apples to apples since they're not …
We found SonarQube right at the beginning of our research process and found that it met most of our needs. SonarQube fit very nicely into our TFS continuous integration process. We seamlessly integrated the SonarQube steps into our TFS process via the Microsoft Marketplace. …
Gitlab, if you have the right license, ships with a static analysis tool. It integrates better with Gitlab, but didn't seem to have the same quality output that Sonarqube did. Sonarqube's community version is plenty suitable for day to day analysis operations.
Prior to Wiz, I have used mostly AWS security services such as security hub for CSPM and GuardDuty for threat intel. Although these services are great, it makes it hard to centralize this information in a multi-cloud deployment. It is understandable that AWS native services may …
After previously utilizing Orca and testing Tenable, we preferred Wiz over the competition. The reporting, usability, and feature-rich platform enabled us to investigate security risks and issues simultaneously.
As someone relatively new to the security space, coming from a software engineering background in identity, I don’t have deep experience across a wide range of security tools. That said, based on the products I have used—such as Palo Alto’s Cortex XDR, Panorama, GlobalProtect, …
Wiz is a solid solution over these other products, it has capabilities in all clouds that we utilize that others didn't have at the time. Its much easier to segment access than CrowdStrike as an example. Engineers quickly because familiar with the tool to help reduce the …
We chose Wiz over Tenable.io due to its agentless deployment, holistic security graph, and cloud-native focus. Wiz’s quick setup, intuitive interface, and advanced risk prioritisation provided actionable insights faster, making it a better fit for our multi-cloud environment.
We previously used Lacework but transitioned to Wiz as part of our effort to improve cloud security visibility and streamline risk management. While Lacework provided useful insights, we found that Wiz offered a clearer, more intuitive interface and better collaboration …
Tenable.io and Qualys are good just for vulnerability management. Wiz has very good capability to show all issues on single console and also it has provision to show them in different dashboards in different category. It shows cloud configuration gap, AWS cis benchmark gap and …
Large codebase: The tool's static analysis capabilities can help teams quickly identify and fix bugs, vulnerabilities, and code smells in large codebases.
Compliance and security: The tool can check the code against industry standards or regulations, such as OWASP and CWE, and identify any issues that need to be addressed.
Agile development: SonarQube can be integrated with CI/CD pipelines allowing teams to continuously monitor and improve code quality throughout the development process.
Teams using multiple languages: Teams that use multiple programming languages can benefit from using SonarQube, as the tool supports a wide range of languages and can be integrated with a variety of development tools.
Scenarios where SonarQube may be less appropriate:
Small codebase: Organizations with a small codebase may not see the full benefits of using SonarQube, as the tool's static analysis capabilities may be overkill for a smaller codebase.
Limited resources: Organizations with limited resources may find it difficult to set up and configure SonarQube, as the tool can be complex and may require specialized expertise.
Limited integration: Organizations that use development tools or IDEs that are not supported by SonarQube may find it difficult to integrate the tool into their existing development workflow.
Limited scalability: Large organizations with millions of lines of code may find SonarQube's performance and scalability to be an issue. It may take longer for the analysis to finish and the results may not be as accurate.
Wiz is well-suited if you want to run real-time scans against resources that were recently patched or configured. It is good to keep track of vulnerabilities found and what can be done to resolve the issues without having to open up multiple tabs. Overall, it is good to keep an eye on how well cloud teams or cloud security teams are doing.
Getting started with Wiz was quick and painless. The onboarding process was well-structured, and their team provided solid support to help us integrate Wiz into our cloud environments with minimal effort. Documentation is clear, and their customer success team is always on hand to help with any questions, making the adoption process seamless
One of Wiz’s biggest strengths is how clearly it presents security risks. It provides a well organised view of issues, making it easy to see where action is needed. The AI-powered Remediation Wizard is a great feature, offering guided fixes and automation options that speed up resolution, reducing the time spent manually investigating and fixing issues.
The Wiz interface is intuitive and easy to navigate, which is a big plus when dealing with complex environments. Everything is laid out in a way that makes it simple to drill down into issues
Wiz scanning doesn't detect risks in real time. New sensors are now included and these capabilities are growing. I believe that within a year Wiz will get good real time capabilities
Wiz can generate a lot of alerts, which can be overwhelming, especially if you have a very dynamic environment. It's important to set up filters so that you only receive alerts for the risks that are most important to you.
Wiz can improve the way it augments the vulnerability data with additional data on Technologies. It sometimes has missing technologies but updated its inventory as soon as we opened a case on that.
The UI is very user-friendly, with documentation available on every page of the application. New users can learn about the product features as they navigate through several different pages, using the instructions at the top of each page, making it quite easy to use.
We we easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marektplace, we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.
SonarQube identifies significant more thing compared to the built-in suggestions in IntelliJ IDEA. The suggestions how to correct issues are also a lot better with SonarQube. IntelliJ IDEA provides great refactoring support to make it easy to refactor the code to solve issues. We use these tools together and they really complement each other.
Prior to Wiz, I have used mostly AWS security services such as security HUB for CSPM and GuardDuty for threat intel. Although these services are great, it makes it hard to centralize this information in a multi-cloud deployment. It is understandable that AWS native services may provide more info and realtime security analysis of its services, but does not scale well with a growing organization looking to leverage amazing tools from other CSPs. Wiz may not have real time analysis or the most relevant vulnerability findings for cloud platforms compared to their native solutions, but Wiz scales extremely well, which in cases is a more valuable asset.
Positive ROI from the standpoint of flagging several issues that would have otherwise likely been unaddressed and caused more time to be spent closer to launch
Slightly positive ROI from time-saving perspective (it's an automated check which is nice, but depending on the issues it finds, can take developers time to investigate and resolve)
We haven't completed a full rollout yet, but the goal is to shift left security to all of our product teams so that security is a shared effort across the organization.
We want to be able to demonstrate fast remediations, corrective action plans with tangibles from Wiz in response to audits or red team findings.
We would like to also use information from Wiz to substantiate answers to security questionnaires that customers requires us to fill out in order to do business with them.