Reputation: 5540
I have integrated SonarQube and Checkmarx SAST and SCA into the Azure DevOps build pipeline. I am able to see both the SonarQube and Checkmarx reports without any issues.
I have the following questions. Could someone please clarify:
Upvotes: 6
Views: 18948
Reputation: 1
Checkmarx offers significantly more coverage on vulnerabilities for security in code, e.g. SonarQube will check for around 89 known Java vulnerabilities, whereas Checkmarx has a known vuln number >300.
Customers tend to ask themselves: is the goal just to make a developer's life easier, or is the goal to achieve that and ensure the brand is protected and customer trust is achieved?
Upvotes: 0
Reputation: 15235
If I were to boil it down to a short phrase, SonarQube is used for ensuring code quality, and Checkmarx is used for ensuring the security of a system running that code.
SonarQube looks at several areas, including the code coverage percentage of unit tests of the code, duplication percentages, and also code quality issues found through static analysis of the code.
Checkmarx, on the other hand, just analyzes the flow of the code and the inputs and outputs. It looks for situations where inputs that could have been provided by an end user are used directly to control behavior, and other "attack vectors".
Upvotes: 18
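To make the "flow of the code from inputs to outputs" point concrete, here is a small source-to-sink taint analysis over Python's `ast` module. It is an added example, not code from Checkmarx, SonarQube or any answer above: the source, sink and sanitizer lists and the `SAMPLE` handler are constructed for the demonstration, and a real SAST engine tracks flows across functions and files with far larger rule sets. The idea is the same: user input (a source) that reaches a dangerous call (a sink) without passing through a sanitizer is reported, which is a security finding rather than a code-quality one.

```python
"""Toy source-to-sink taint analysis over Python's AST (added example)."""
import ast

# Constructed rule set: where untrusted input enters, where it becomes
# dangerous, and which calls are treated as neutralising it.
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding unsanitised input
        self.findings = []     # (line number, sink name) pairs

    def is_tainted(self, expr):
        """True if expr carries user input that no sanitizer has cleaned."""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.BinOp):          # "ping " + user stays tainted
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):      # f-strings propagate taint too
            return any(self.is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(expr, (ast.List, ast.Tuple)):
            return any(self.is_tainted(e) for e in expr.elts)
        return False

    def visit_Assign(self, node):
        # Propagate taint through simple assignments; a clean value clears it.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Return [(line, sink)] for every sink reached by unsanitised input."""
    finder = TaintFinder()
    finder.visit(ast.parse(source_code))
    return finder.findings


# Constructed sample handler; it is parsed, never executed.
SAMPLE = '''
import os, shlex, subprocess
def handler(request):
    name = request.args.get("name")
    os.system("ping " + name)                 # line 5: user input -> shell, flagged
    safe = shlex.quote(name)
    os.system("ping " + safe)                 # line 7: sanitised, not flagged
    count = int(request.args.get("n"))
    subprocess.call(["sleep", str(count)])    # line 9: int() sanitised, not flagged
    query = f"SELECT * FROM t WHERE id = {name}"
    cursor.execute(query)                     # line 11: user input -> SQL, flagged
'''

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: unsanitised user input reaches {sink}")
```

Running it reports lines 5 and 11 and stays silent on 7 and 9, which is the distinction the answer draws: a linter would have nothing to say about any of these lines, while a data-flow SAST tool cares only about the path the input takes.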