
Feature and price comparison of continuous inspection / static application security testing platforms


Is there any representative comparison among major continuous inspection and static application security testing (SAST) platforms like SonarQube, Coverity, CodeScene, TeamScale, etc?


Solution

  • Although I'd be happy to be proven wrong, I think the answer is no, there is no such comparison publicly available that includes the commercial tools.

    The first reason is the commercial vendors typically only offer their tools to prospective customers under the terms of a non-disclosure agreement. So, although prospective customers often do perform their own internal comparison before purchase, they can't publish the results.

    The second reason relates to your request for a "representative" comparison. I assume you mean a comparison that will accurately predict how the tools will perform in your development environment. Unfortunately, the value of a given tool often depends a great deal on the programming languages, development culture, and internal politics of the adopting organization. For example, some tools prioritize having low false positive rates (low noise), while others prioritize not overlooking anything (low false negatives), and which of those is preferable is highly subjective and organization dependent. There are a number of dimensions to the tool design space that are similarly not objectively comparable, and the tools are at different points in that space.

    However, while the tool vendors require an NDA to perform an evaluation, it is otherwise usually free of charge (aside from whatever time you choose to spend on it). If you're in the market for a commercial tool, you might contact the vendors of interest to arrange for an evaluation.

    Disclosure: I am a former employee of one of the vendors (Coverity/Synopsys) and have current financial interests regarding multiple vendors.