Try our new research platform with insights from 80,000+ expert users

Fortify Software Security Center vs SonarQube comparison

OpenText and SonarSource Sàrl are both solutions in the Static Application Security Testing (SAST) category. OpenText is ranked #21 with an average rating of 9.0, while SonarSource Sàrl is ranked #1 with an average rating of 8.2. OpenText holds a 0.9% mindshare in SAST, compared to SonarSource Sàrl’s 18.8% mindshare. Additionally, 100% of OpenText users are willing to recommend the solution, compared to 83% of SonarSource Sàrl users who would recommend it.
Fortify Software Security C...
Read 8 Fortify Software Security Center reviews
  • 890 Views
  • 828 Comparison Views
100% willing to recommend
SonarQube
Read 134 SonarQube reviews
  • 38,470 Views
  • 28,083 Comparison Views
83% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Nov 5, 2025

Fortify Software Security Center and SonarQube are both prominent in the application security sector. Fortify typically takes the lead in offering robust support and comprehensive features, while SonarQube excels in cost-effectiveness and integration capabilities.

Features: Fortify Software Security Center provides extensive security testing, vulnerability management, and strong analytical capabilities for compliance management in complex environments. SonarQube shines in continuous code quality inspection, excellent static code analysis, and ease of integration into DevOps pipelines.

Room for Improvement: Fortify could enhance by simplifying its setup process, offering more flexibility in deployment, and refining resource demands. SonarQube might advance by improving its support reputation, offering more comprehensive security insights, and expanding its strong points in vulnerability management.

Ease of Deployment and Customer Service: Fortify requires significant initial setup and configuration, with notable support throughout. In contrast, SonarQube offers straightforward deployment and flexible setup options but lacks the strong support reputation of Fortify.

Pricing and ROI: Fortify involves higher upfront costs with significant long-term ROI, advantageous for large organizations prioritizing security. SonarQube is more budget-friendly, with lower setup costs, appealing to smaller organizations seeking immediate code analysis benefits.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Fortify Software Security Center vs. SonarQube Report (Updated: December 2025).
Buyer's Guide
Fortify Software Security Center vs. SonarQube
December 2025
Download the complete report
Helped 881,082 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Fortify Software Security C...
Ranking in Static Application Security Testing (SAST)
21st
Average Rating
8.0
Reviews Sentiment
4.6
Number of Reviews
8
Ranking in other categories
No ranking in other categories
SonarQube
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
134
Ranking in other categories
Application Security Tools (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of January 2026, in the Static Application Security Testing (SAST) category, the mindshare of Fortify Software Security Center is 0.9%, up from 0.3% compared to the previous year. The mindshare of SonarQube is 18.8%, down from 26.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Market Share Distribution
ProductMarket Share (%)
SonarQube18.8%
Fortify Software Security Center0.9%
Other80.3%
Static Application Security Testing (SAST)
 

Featured Reviews

Diego Caicedo Lescano - PeerSpot reviewer
Diego Caicedo Lescano
Chief Innovation Officer at SAGGA
Enables centralized analysis and improves governance through seamless tool integration
The main use case for Fortify Software Security Center is exceptional because we have governance and control through that console. You can centralize both static analysis and dynamic analysis, and correlate both analyses in one tool to get better results by combining those independent results from each solution. That is outstanding, and there is no tool I have seen on the market that offers these capabilities. I appreciate the interoperability with other solutions from Fortify Software Security Center. Because we are using Kiuwan, you can run Kiuwan analyses and integrate them with Fortify Software Security Center to get those results in a single console. That is a good console for centralizing things in one point. That is one of the best features of the on-premises Fortify.
Read full review
KH
KarthikHarpanhalli
Sr Software Engineering Supervisor at Mozarc Medical
Gains control over rule customization and achieves reliable vulnerability assessment
The deployment process took me about 2 or 3 hours to deploy SonarQube Server (formerly SonarQube), although I do not remember exactly since it was done about 2 years back. Currently, about 10 of my developers are using SonarQube Server (formerly SonarQube) in my company. I do not have plans to increase the usage of SonarQube Server (formerly SonarQube) in the future as there will not be any requirement to increase. I am a senior software engineer and supervisor at Mozark Medical. My corporate email address is karthik.k.a.r.t.h.i.k.h.a.r.p.a.n.h.a.l.l.i@mozarkmedical.com. Overall, I would rate SonarQube Server (formerly SonarQube) as a 9 out of 10.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The reporting is very useful because you can always view an entire list of the issues that you have."
"Software Security Center is highly customizable and helps me test all vulnerability data against the latest conventions like OWASP Top Ten, CVE Top twenty-five, and several other legal compliances."
"The main use case for Fortify Software Security Center is exceptional because we have governance and control through that console."
"I like the explanation of issues provided by Fortify Software Security Center."
"Fortify Analytics' AI function helps scan and provides more detailed explanations and recommendations about vulnerabilities."
"It's very important because they want to scan their source code every day, so we provide CICD integration to our customers so they can auto build and auto test every day, get reports, and fix issues."
"The overall rating for this tool is ten out of ten."
"This is a stable solution at the end of the day."
More Fortify Software Security Center pros
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"Can tweak rules and feed them into our build pipelines."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"The most valuable feature of SonarCloud is its overall performance."
"The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities."
More SonarQube pros
 

Cons

"The product's overlap feature is restrictive and requires more customization efforts, which can be expensive."
"Improvements needed for Software Security Center include better aggregation views of datasets."
"Improvements needed for Software Security Center include better aggregation views of datasets."
"We are having issues with false positives that need to be resolved."
"I am not satisfied with the percentage of false positives, which is around eighteen percent."
"Fortify Software Security Center's setup is really painful."
"This solution is difficult to implement, and it should be made more comfortable for the end-users."
"The support for Fortify on-premises is the same as for the other products. I would say the support is not good and I would rate it a three out of ten."
"SonarQube Cloud could improve its vulnerability detection compared to Veracode."
"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
"There isn't a very good enterprise report."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"We did have some trouble with the LDAP integration for the console."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
More SonarQube cons
 

Pricing and Cost Advice

"The solution is priced fair."
"As a Fortify partner company providing technical support, I find the product expensive in our country, where local, inexpensive products are available."
"This is a costly solution that could be cheaper."
"It is very expensive. Its price should be improved."
"Get the paid version which allows the customized dashboard and provides technical support."
"The solution has a free version and a license version. The license is priced reasonably, the cost of hiring one programmer is more expensive than the solution."
"My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
"Some of the plugins that were previously free are not free now."
"There is both a free and licensed version. The free version has limitations on development languages and support."
"While not extremely cheap, it aligns well with market standards and offers good value."
"The licence is standard open source licensing"
More SonarQube pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
881,082 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
17%
Financial Services Firm
11%
Government
7%
Computer Software Company
7%
Financial Services Firm
14%
Manufacturing Company
14%
Computer Software Company
13%
Government
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business4
Midsize Enterprise1
Large Enterprise3
By reviewers
Company SizeCount
Small Business41
Midsize Enterprise24
Large Enterprise79
 

Questions from the Community

What is your experience regarding pricing and costs for Micro Focus Software Security Center?
The pricing for the on-premises Fortify is expensive.
See all answers
What needs improvement with Micro Focus Software Security Center?
In my opinion, there are no areas that could be improved with Fortify Software Security Center. I would say it is a good product and a mature product. However, the SAST has many improvement areas. ...
See all answers
What is your primary use case for Micro Focus Software Security Center?
We have installed Fortify Static Code Analysis, SAST, in Ecuador in two customers. The Fortify ScanCentral includes three components: SAST, Fortify Software Security Center, and the WebInspect.
See all answers
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
 

Comparisons

Checkmarx One vs Fortify Software Security Center Logo
Checkmarx One vs Fortify Software Security Center
Compared 25% of the time
Checkmarx IaC Security / KICS vs Fortify Software Security Center Logo
Checkmarx IaC Security / KICS vs Fortify Software Security Center
Compared 11% of the time
OpenText Core Application Security vs Fortify Software Security Center Logo
OpenText Core Application Security vs Fortify Software Security Center
Compared 10% of the time
Acunetix vs Fortify Software Security Center Logo
Acunetix vs Fortify Software Security Center
Compared 7% of the time
Snyk vs Fortify Software Security Center Logo
Snyk vs Fortify Software Security Center
Compared 6% of the time
More Fortify Software Security Center Competitors
Checkmarx One vs SonarQube Logo
Checkmarx One vs SonarQube
Compared 27% of the time
Snyk vs SonarQube Logo
Snyk vs SonarQube
Compared 8% of the time
GitHub Advanced Security vs SonarQube Logo
GitHub Advanced Security vs SonarQube
Compared 7% of the time
Coverity Static vs SonarQube Logo
Coverity Static vs SonarQube
Compared 7% of the time
Semgrep vs SonarQube Logo
Semgrep vs SonarQube
Compared 4% of the time
More SonarQube Competitors
 

Product Reports

Buyer's Guide
Static Application Security Testing (SAST)
January 2026
Fortify Software Security Center reportDownload Fortify Software Security Center product report
Buyer's Guide
SonarQube
January 2026
SonarQube reportDownload SonarQube product report
 

Also Known As

Micro Focus Software Security Center, Application Security Center, HPE Application Security Center, WebInspect
Sonar, SonarQube Cloud
 

Overview

Software Security Center enables management, development, and security teams to work together to triage, track, validate, automate, and manage software security activities.
OpenText

SonarQube provides comprehensive support for multi-language development, custom coding rules, and quality gates, integrated seamlessly into CI/CD pipelines. It empowers teams with clear insights through intuitive dashboards, identifying vulnerabilities, code smells, and technical debt.

SonarQube is renowned for its extensive capabilities in static code analysis, making it an invaluable tool for maintaining code quality. By fully integrating into development processes, it allows organizations to manage vulnerabilities and ensure compliance with coding standards. Its extensive community and open-source roots contribute to its accessibility, while robust dashboards facilitate code quality monitoring. Despite its strengths, feedback suggests enhancing analysis speed, better integration with DevOps tools, and refining the user interface. Users also point to the need for handling false positives effectively and expanding on AI-based features for dynamic code analysis.

What are SonarQube's main features?
  • Multi-language Support: Broad compatibility with diverse programming languages
  • Custom Coding Rules: Flexible customization of coding standards
  • Quality Gates: Set thresholds for maintaining coding standards
  • Vulnerability Identification: Detects security and performance issues
  • Integration with CI/CD: Streamlines quality checks in development workflows
  • Open Source Access: Supported by an active developer community
  • Technical Debt Tracking: Identifies and manages coding inefficiencies
What benefits should users expect?
  • Enhanced Code Quality: Improve code reliability and maintainability
  • Security Assurance: Identify and mitigate potential vulnerabilities
  • Reduced Technical Debt: Streamline the process of managing poor coding practices
  • Development Efficiency: Facilitates continuous integration and delivery processes
  • Community Support: Leverages an active network for continual improvements

In industries like finance and healthcare, SonarQube aids in obtaining regulatory compliance through rigorous code quality assessments. It is implemented to enhance cybersecurity by identifying potential vulnerabilities, while ensuring code meets the stringent standards demanded in these fields. As part of a broader development ecosystem, its integration in CI/CD pipelines ensures smooth and efficient software delivery, catering to phases from code inception to deployment, effectively supporting large-scale and critical software applications.

SonarSource Sàrl
 

Sample Customers

Neosecure, Acxiom, Skandinavisk Data Center A/S, Parkeon
Information Not Available
Buyer's Guide
Fortify Software Security Center vs. SonarQube
December 2025
Free Report: Fortify Software Security Center vs. SonarQube
Find out what your peers are saying about Fortify Software Security Center vs. SonarQube and other solutions. Updated: December 2025.
DOWNLOAD NOW
881,082 professionals have used our research since 2012.
See our Fortify Software Security Center vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.