Can someone tell me what is the difference between SonarQube and Fortify? Both are static code analysis tool. I found out Fortify is more inclined towards security as it gives information about vulnerabilities included in OWASP, SANS etc. SonarQube also shows this information.

3 Answers

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like "code smells," though Sonarqube also lists out the vulnerabilities as part of its analysis.

However, the biggest difference is in-terms of Cost. Sonarqube is Free to use (with community support) while Fortify needs a license, which is expensive.

3

When comparing product its good to have a list of things, here is my list let me know what you think.

Fortify

• static analysis
• can't add rules, using configuration as code
• proprietary rules
• manual file upload use case, no easy way of pipeline integration
• does not provide git branch perspectives, improvements over other branches
• provide only security code metrics
• not opensource
• has only paid support model

SonarQube

• static analysis
• can add rules, using configuration as code
• has standard rules based on language being used
• automated code upload use case, has tooling for major frameworks
• provide git branch perspectives, improvements over other branches
• provide all code quality metrics, including security
• opensource
• has paid support model
• free cloud host sonarcloud.io

2

The main difference is the quality of the results. Fortify is an enterprise grade solution, sonarqube works hard but is not in the same league.

2