Senior Product Specialist at a tech services company with 51-200 employees
On-the-fly analysis and incremental analysis are the best parts, and its detection rate is very high for C and C++
Pros and Cons
- "On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively."
- "Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."
What is our primary use case?
We are using it for C and C++ to find security vulnerabilities in our source code. It is a static application security testing (SAST) tool.
What is most valuable?
On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively.
What needs improvement?
Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages.
I would like to see some more new guidelines added. As you know, this Klocwork tool is fully compliant with MISRA, CERT, and CWE, but a few coding guidelines are still not supported by Klocwork.
For how long have I used the solution?
I have been using it for around eight years.
Buyer's Guide
Klocwork
July 2025

Learn what your peers think about Klocwork. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
861,524 professionals have used our research since 2012.
What do I think about the stability of the solution?
We have been using Klocwork for many years. That itself speaks of its stability in our organization.
What do I think about the scalability of the solution?
We have been trying to scale up this particular tool. We are not only using Klocwork. We are also using other SAST solutions because security cannot be handled by only using one particular tool. Klocwork is the oldest one, but we are using SonarQube and Coverity to filter out more and more defects from our source code. So, it's not really scalable itself, but with the help of other tools, we managed to scale to the organization's needs.
Currently, we have nine users who are using it in our organization. It is used once a week to give the reports to our security team, and they act on those reports to filter out all the vulnerabilities.
How are customer service and support?
They're hyperresponsive. They have regular calls to see what exactly we are doing with Klocwork and how we are doing. They are super responsive. They are knowledgeable. I would rate them a five out of five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used Kiuwan earlier, but I used it for open source. It was primarily to find open sources in our entire source code. It supports modern languages. It has more languages than Klocwork.
How was the initial setup?
It is an on-premise solution. It is not very difficult to set up on our premises. It is easy to install and easy to use. I would rate it a five out of five in terms of the setup.
What other advice do I have?
If your source code is in C or C++, you should be using Klocwork. We have compared the results of different tools like SonarQube and Coverity with Klocwork. Klocwork was able to find a better number of defects in the source code than SonarQube and Coverity. At times, both Coverity and SonarQube missed some of the defects such as null pointer dereference, memory leak issues, etc. The detection rate of Klocwork is very high for C and C++.
I would rate Klocwork an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

