SonarQube as SAST Vs Fortify SAST


I am looking for a comparison between SonarQube and Fortify in the SAST area, as they are currently being evaluated within my company to select one tool that will be used within our DevOps pipeline.

My understanding so far is that Fortify SAST is better than SonarQube, as it is tailored to be a security code analyzer; moreover, it is well known from Gartner's recent report, while SonarQube is not mentioned there.

I would be grateful for any feedback, as I am not able to find a clear answer on that.


Hello and welcome to the forum!

I would say that SonarQube is much better than Fortify :slight_smile:

More seriously, we, SonarSource, do not run such comparisons, as:

  • it is very simple to try it and see what you get
  • we focus all our energy on adding value to our product
  • the adoption of SonarQube speaks for itself

Quick note on Gartner: the first 2 points above are probably the main reasons why we are not on Gartner…

I am happy to connect you, should you wish to evaluate the product.