When enterprise security teams evaluate SAST tools, three names come up in nearly every shortlist: Fortify Static Code Analyzer (OpenText), Checkmarx, and SonarQube. Each has been around long enough to have significant market presence, and each serves meaningfully different needs — which is precisely what makes the comparison complicated.
This guide breaks down Fortify vs Checkmarx vs SonarQube on the dimensions that actually matter for a buying decision: analysis engine quality, language coverage, DAST integration, on-premise vs. SaaS deployment, and pricing. It also covers where Offensive360 fits for teams that find limitations with the three incumbents.
The Core Distinction: What Are You Actually Buying?
Before comparing features, it’s worth understanding what each product is fundamentally designed to do:
-
Fortify SCA — a mature, enterprise SAST tool with source-level interprocedural taint analysis. Built for security teams who need deep vulnerability detection and compliance reporting. High price, high complexity, high detection accuracy.
-
Checkmarx — an enterprise SAST platform with genuine taint analysis and strong customization capabilities. SAST-only; DAST and SCA are separate products. Known for its CxQL query language that allows custom rule writing.
-
SonarQube — primarily a code quality platform with security as a secondary capability. Measures cyclomatic complexity, code duplication, technical debt, and maintainability ratings. Security rules are pattern-based, not taint-analysis-based. Widely adopted but frequently misused as a SAST replacement.
The most common mistake in this comparison: treating SonarQube as a SAST tool. It is not. If your primary goal is finding SQL injection, XSS, and other injection vulnerabilities in production-grade code, SonarQube’s pattern-based security rules will leave meaningful gaps. More on this below.
Analysis Engine: Taint Analysis vs. Pattern Matching
The single most important factor in SAST tool selection is the analysis engine — specifically whether the tool performs interprocedural taint analysis or relies on pattern matching.
What Taint Analysis Does
A taint-analysis SAST engine:
- Identifies sources — HTTP request parameters, form fields, file uploads, database reads, environment variables, external API responses
- Identifies sinks — SQL query construction, shell command execution, HTML output, file system writes, HTTP requests, XML parsers
- Traces data flow — Follows every execution path to determine whether tainted (untrusted) data can reach a dangerous sink
- Checks sanitizers — Determines whether the data was properly validated, escaped, or parameterized before reaching the sink
- Reports findings — Only flags cases where tainted data reaches a sink without adequate protection
This approach detects injection vulnerabilities that span multiple functions, classes, and files — the kind that actually exist in production enterprise code.
What Pattern Matching Does
Pattern-based tools scan for dangerous API calls and known-bad code patterns within a local context. They are fast and easy to configure, but they miss the majority of real injection vulnerabilities in production code because those vulnerabilities exist across function call boundaries.
Example: Multi-Method SQL Injection
// Controller layer — receives user input
@GetMapping("/users")
public List<User> getUsers(@RequestParam String department) {
return userService.getUsersByDepartment(department);
}
// Service layer — passes it along
public List<User> getUsersByDepartment(String dept) {
return userRepo.findByDepartment(dept);
}
// Repository layer — SQL injection sink
public List<User> findByDepartment(String dept) {
String sql = "SELECT * FROM users WHERE dept = '" + dept + "'";
return jdbcTemplate.query(sql, userRowMapper);
}
A pattern-matching tool scanning each method in isolation sees no individual method that looks obviously dangerous. The sink (jdbcTemplate.query() with string concatenation) is three function calls away from the source (@RequestParam).
A taint-analysis tool traces department from the @RequestParam annotation through getUsersByDepartment() and findByDepartment() to the SQL string concatenation — and correctly flags it as a SQL injection vulnerability.
This single difference explains why taint-analysis tools find 3–5× more high-severity vulnerabilities than pattern-matching tools on real enterprise codebases.
Where Each Tool Falls
| Tool | Analysis Engine | Cross-Method Injection Detection |
|---|---|---|
| Fortify SCA | ✅ Taint analysis | ✅ Yes |
| Checkmarx | ✅ Taint analysis | ✅ Yes |
| SonarQube | ⚠️ Pattern matching | ❌ Limited |
| Offensive360 | ✅ Taint analysis | ✅ Yes |
Fortify SCA: Strengths and Limitations
What Fortify Does Well
Fortify Static Code Analyzer (now under OpenText after the Micro Focus acquisition) has been in the market since the early 2000s and has one of the most comprehensive rule sets for enterprise vulnerability detection.
Analysis strengths:
- Deep interprocedural taint analysis across language boundaries
- Strong coverage of Java EE, .NET/C#, C/C++, and Python
- Large library of language-specific taint rules for frameworks (Spring, Struts, ASP.NET, Django)
- Built-in compliance reporting for PCI-DSS, HIPAA, OWASP Top 10, CWE Top 25
- Long track record in government, defense, and financial services — common in regulated environments with existing Fortify deployments
Ecosystem:
- Fortify on Demand (FoD) — SaaS-based scanning
- Fortify SCA — on-premise installation
- SSC (Software Security Center) — the management and reporting server for on-premise deployments
Fortify’s Limitations
Price: Fortify is among the most expensive SAST tools in the market. Enterprise contracts typically range from $50,000 to $200,000+ per year depending on the number of applications, developers, and included support. Fortify SCA and Fortify WebInspect (DAST) are separate products with separate licensing costs.
Scan speed: Fortify is notably slow compared to modern alternatives. Full scans of large codebases can take hours, which creates friction for CI/CD integration.
Deployment complexity: On-premise Fortify deployment requires significant infrastructure: the SCA scanner, SSC server, and database (MySQL or Oracle). Initial setup and ongoing maintenance require dedicated engineering effort.
User experience: The SSC web interface and the Fortify IDE plugins are functional but dated. The developer experience is significantly worse than newer tools.
Fortify pricing summary: No public pricing. Estimated $50,000–$200,000+/year for enterprise contracts. SCA and DAST (WebInspect) licensed separately.
Checkmarx: Strengths and Limitations
What Checkmarx Does Well
Checkmarx has a genuine taint-analysis engine with strong ASP.NET, Java Spring, and PHP coverage. Its CxQL query language gives security teams the ability to write custom vulnerability rules — a significant advantage for organizations with complex proprietary frameworks.
Analysis strengths:
- Interprocedural taint analysis for major enterprise languages
- Strong ASP.NET Core and .NET Framework coverage
- CxQL allows custom queries for proprietary frameworks and internal APIs
- Good OWASP compliance reporting
- Incremental scanning for faster PR-level checks
- Checkmarx One integrates SAST, SCA, and IaC scanning
Deployment: Available as SaaS (Checkmarx One) and on-premise (CxSAST). On-premise deployment is available but complex.
Checkmarx’s Limitations
DAST not included: Checkmarx is a SAST + SCA platform. DAST requires a separate purchase. For teams wanting code scanning and dynamic application testing in a single platform, Checkmarx requires additional integration work and budget.
Per-seat pricing: Checkmarx uses per-developer or per-application licensing that scales poorly for large teams. Enterprise contracts typically start at $20,000+/year and increase significantly with team size.
False-positive rate: Multiple independent reviews and customer reports note high false-positive rates in some language configurations, requiring significant time investment in rule tuning.
CxQL complexity: While CxQL is powerful, it has a learning curve. Teams without a dedicated application security engineer to write and maintain queries may find it difficult to leverage fully.
Checkmarx pricing summary: Enterprise contracts from $20,000+/year (per-seat model). Checkmarx One (SaaS) available at per-developer pricing.
SonarQube: Strengths and Limitations
What SonarQube Does Well
SonarQube is excellent at what it was designed to do: code quality measurement. If your primary concern is reducing technical debt, tracking cyclomatic complexity, enforcing coding standards, and monitoring code maintainability over time, SonarQube is the right choice.
Strengths:
- Code quality metrics: cyclomatic complexity, cognitive complexity, code duplication, test coverage
- Technical debt tracking and maintainability ratings (A–E)
- Wide language support (30+ languages)
- Free Community Edition for basic usage
- Good IDE integration (SonarLint for VS Code and IntelliJ)
- Widely adopted — developers are likely already familiar with it
SonarQube’s Limitations as a Security Tool
Security Hotspots are not vulnerabilities: SonarQube’s primary security output is “Security Hotspots” — areas of code that might be vulnerable and require manual review. They are not confirmed vulnerabilities. Security teams triaging SonarQube output spend most of their time reviewing findings that turn out not to be exploitable.
Pattern-based security rules: SonarQube’s security vulnerability rules use pattern matching, not taint analysis. They catch obvious, local patterns (a SqlCommand built with string concatenation in the same method) but miss multi-method injection chains that are the actual vulnerability pattern in production code.
Community Edition limitations: The free Community Edition has very limited security rules. The Developer Edition (from €150/year) adds branch analysis. The Enterprise Edition ($20,000+/year) is required for meaningful security scanning, semantic taint analysis, and compliance reporting.
Not a SAST replacement: SonarQube is most valuable as a complement to a dedicated SAST tool — not as a replacement. Using SonarQube as your primary security gate gives developers a false sense of confidence that vulnerabilities are being caught when they are not.
SonarQube pricing summary: Community Edition (free); Developer Edition (from €150/year); Enterprise Edition ($20,000+/year). Pricing based on lines of code.
Side-by-Side Comparison
| Criterion | Fortify SCA | Checkmarx | SonarQube | Offensive360 |
|---|---|---|---|---|
| Analysis engine | Taint analysis | Taint analysis | Pattern matching | Taint analysis |
| Interprocedural coverage | ✅ Yes | ✅ Yes | ⚠️ Limited | ✅ Yes |
| Java / Spring | ✅ Strong | ✅ Strong | ⚠️ Pattern only | ✅ Strong |
| C# / ASP.NET | ✅ Strong | ✅ Strong | ⚠️ Pattern only | ✅ Strong |
| Python / Django / Flask | ✅ Yes | ✅ Yes | ⚠️ Pattern only | ✅ Yes |
| JavaScript / Node.js | ⚠️ Limited | ✅ Yes | ⚠️ Pattern only | ✅ Yes |
| Language count | 27+ | 30+ | 30+ | 60+ |
| On-premise deployment | ✅ Yes | ⚠️ Complex | ✅ Yes | ✅ OVA + air-gap |
| SaaS option | ✅ FoD | ✅ Checkmarx One | ✅ SonarCloud | ❌ On-premise only |
| DAST included | ❌ Separate (WebInspect) | ❌ Separate | ❌ No | ✅ Included |
| SCA included | ⚠️ Add-on | ✅ Checkmarx One | ⚠️ Limited | ✅ Included |
| IaC scanning | ⚠️ Limited | ✅ Checkmarx One | ✅ Yes | ✅ Terraform, K8s, Helm |
| Second-order injection | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes |
| Code quality metrics | ❌ No | ❌ No | ✅ Excellent | ⚠️ Limited |
| Pricing model | Per-application | Per-seat | Per-LOC | Flat annual rate |
| Estimated annual cost | $50k–$200k+ | $20k–$100k+ | €150–€20k+ | Contact for quote |
| Scan speed | ⚠️ Slow | ✅ Good | ✅ Fast | ✅ Fast |
When to Choose Each Tool
Choose Fortify SCA If:
- You are in a government, defense, or regulated financial environment where Fortify is mandated or already integrated into your compliance program
- You need FISMA, FedRAMP, or DoD compliance reporting specifically tied to Fortify tooling
- You have an existing Fortify deployment and the switching cost outweighs the price premium
- Your team has dedicated AppSec engineers who can handle the deployment complexity and rule tuning
When not to choose Fortify: If price and scan speed are concerns, or if you need DAST included without a separate product purchase, Fortify’s total cost of ownership is difficult to justify for most commercial enterprises.
Choose Checkmarx If:
- You need strong taint analysis with the ability to write custom vulnerability queries (CxQL) for proprietary frameworks
- Your team works heavily in Java Spring, ASP.NET, or PHP and wants deep framework-specific rule coverage
- You want SCA bundled with SAST in a single platform (Checkmarx One)
- You have an existing Checkmarx relationship and want to move to the unified Checkmarx One platform
When not to choose Checkmarx: If DAST is a requirement (Checkmarx is SAST-only without a separate purchase), if your team uses many languages beyond the core enterprise set, or if per-seat pricing at scale makes the total cost prohibitive.
Choose SonarQube If:
- Code quality is your primary objective — technical debt tracking, complexity metrics, coverage reporting
- You want a free, widely adopted tool for code quality that developers will actually use
- You’re using SonarQube alongside a dedicated SAST tool (not as a replacement for it)
- You need CI/CD code quality gates to prevent technical debt from accumulating
When not to choose SonarQube: As your primary security tool. SonarQube’s pattern-based security rules will miss the majority of injection vulnerabilities in production code. If a breach occurs and SonarQube was your security gate, the incident report will not be kind.
Consider Offensive360 If:
- You need SAST + DAST + SCA in a single platform without separate product licensing
- Source code privacy is required — Offensive360 deploys as an on-premise OVA appliance; code never leaves your network
- Air-gapped deployment is needed for classified, defense, or high-security environments
- You want flat-rate annual pricing instead of per-seat or per-application costs that scale unpredictably
- Your stack includes less common languages — Offensive360 supports 60+ languages including Kotlin, Swift, Dart, COBOL, ABAP, PL/SQL, Apex, Solidity, and IaC formats
- You want to start with a one-time scan ($500) before committing to an annual subscription
A Note on the “SonarQube Is Enough” Misconception
The most common security tooling mistake we observe in enterprise environments is using SonarQube as the sole security gate for application code. This typically happens because:
- SonarQube was already deployed for code quality — security rules feel “included”
- The Security Hotspot count looks impressive in dashboards
- The price point of Community Edition makes it the path of least resistance
The reality: SonarQube’s pattern-based security rules catch only the most obvious, local code patterns. In real-world security assessments of organizations using SonarQube as their primary security tool, it is common to find high-severity SQL injection, stored XSS, SSRF, and deserialization vulnerabilities in code that passed SonarQube’s quality gates with a clean security report.
SonarQube should be in your toolchain for code quality. It should not be your security gate.
The SonarQube + SAST Combination
The most effective approach for organizations using SonarQube is to pair it with a dedicated SAST tool for security:
- SonarQube — code quality metrics, technical debt, complexity, coverage, developer-friendly feedback
- Dedicated SAST tool (Offensive360, Checkmarx, or Fortify) — security vulnerability detection with taint analysis, CI/CD policy enforcement, compliance reporting
This combination catches the widest range of issues at the appropriate layer:
- SonarQube flags code smells and quality regressions
- The SAST tool flags security vulnerabilities that will not appear in SonarQube output
Many organizations start with SonarQube for quality and add Offensive360 when they need genuine security coverage — particularly before a penetration test, compliance audit, or product security review.
Second-Order Injection: The Test That Separates Real SAST Tools
One reliable way to distinguish true taint-analysis tools from pattern matchers is to test second-order injection detection. Second-order injection occurs when:
- User-controlled data enters the application and is stored (in a database, cache, or file)
- In a later request, that stored data is retrieved and used unsafely in a dangerous operation (SQL query, command execution, HTML rendering)
// Request 1: User submits a "username" that is stored in the database
@PostMapping("/register")
public void registerUser(@RequestBody RegistrationRequest req) {
String sql = "INSERT INTO users (username) VALUES (?)";
jdbcTemplate.update(sql, req.getUsername()); // Parameterized — safe here
}
// Request 2: An admin report retrieves the username and uses it unsafely
@GetMapping("/admin/report")
@PreAuthorize("hasRole('ADMIN')")
public String generateReport() {
String username = jdbcTemplate.queryForObject(
"SELECT username FROM users WHERE id = 1", String.class
);
// Second-order injection — username came from user input originally
String report = jdbcTemplate.queryForObject(
"SELECT * FROM audit WHERE actor = '" + username + "'", String.class
);
return report;
}
A pattern-matching tool sees jdbcTemplate.queryForObject() called with a hardcoded query in Request 1 (safe) and a string-concatenated query in Request 2 — but because the second query’s input came from the database (not directly from the HTTP request), the tool does not connect them. It may not flag this at all, or it may flag it as lower-severity.
A taint-analysis tool with persistent taint tracking identifies that username in Request 2 originates from user-controlled data stored in Request 1, and correctly flags the second-order SQL injection.
Test this with your SAST vendor: Create a two-method test case with this pattern and ask the vendor to demonstrate detection. Fortify and Checkmarx handle this pattern. SonarQube does not. Offensive360 detects second-order injection through persistent taint tracking.
Pricing Reality Check for 2026
Accurate pricing for enterprise SAST tools is notoriously difficult to find — vendors only publish pricing through direct sales conversations. Based on customer reports and independent research:
| Tool | Typical Entry Point | Large Enterprise | Notes |
|---|---|---|---|
| Fortify SCA | ~$50,000/yr | $100k–$200k+/yr | SCA only; DAST (WebInspect) separate |
| Checkmarx | ~$20,000/yr | $50k–$100k+/yr | Per-seat pricing; DAST separate |
| SonarQube | Free–€150/yr | €20,000+/yr | Enterprise required for security features |
| Offensive360 | Contact for quote | Flat annual rate | SAST + DAST + SCA included; one-time scan $500 |
For Fortify specifically, the /compare/offensive360-vs-fortify/ page on this site covers the Fortify pricing comparison in detail, including where Offensive360’s flat-rate model provides cost advantages for teams scaling beyond a few developers.
Frequently Asked Questions
Is SonarQube a SAST tool?
SonarQube is primarily a code quality platform with some security rules. It lacks the interprocedural taint analysis required to reliably detect injection vulnerabilities, making it insufficient as a standalone security tool. It is best used alongside a dedicated SAST tool — SonarQube for quality metrics, the SAST tool for security findings.
Does Fortify include DAST?
No. Fortify SCA (Static Code Analyzer) is a SAST-only product. Fortify WebInspect is the separate DAST product from OpenText. Organizations that need both must purchase and integrate them separately. This is a significant total cost consideration compared to platforms that include both (like Offensive360).
Can Checkmarx do DAST?
Checkmarx is primarily a SAST and SCA platform. Checkmarx One includes some DAST capabilities through its partnership integrations, but dedicated DAST was not a core Checkmarx product as of 2026. Verify current offerings with Checkmarx sales, as the product portfolio has evolved through multiple acquisitions.
Which tool has the best coverage for Java applications?
Fortify SCA and Checkmarx both have strong Java coverage with deep Spring, Struts, and Java EE taint rules. Offensive360 also covers Java Spring, Spring Boot, Spring Security, Struts, JAX-RS, Spark, and Java EE patterns. SonarQube’s Java security rules are pattern-based and will miss complex injection chains.
Which tool is best for .NET and C# applications?
For C# and ASP.NET, Fortify SCA and Checkmarx both have strong coverage. Offensive360 also provides deep ASP.NET Core and ASP.NET Framework coverage, including Entity Framework FromSqlRaw() detection, Razor XSS, and BinaryFormatter deserialization. See our .NET static code analysis tools comparison for a detailed breakdown.
What is the cheapest SAST tool that actually works?
For free tools, Roslyn analyzers (built into the .NET SDK) and GitHub CodeQL (free for public repositories, included with GitHub Advanced Security for private repos) provide genuine taint analysis for their supported languages. For paid tools, Offensive360’s one-time scan at $500 is the lowest-commitment entry point for a full taint-analysis scan without a subscription.
How do I evaluate SAST tools before buying?
- Request a proof-of-concept scan of a representative sample of your actual codebase
- Test each tool against a known-vulnerable application (DVWA, WebGoat, Juice Shop) to measure detection rate against known findings
- Measure false-positive rate — manually verify a sample of 50 findings per tool
- Test cross-method injection detection: create a test case where a SQL injection spans 3 functions and verify each tool detects it
- Ask specifically about second-order injection detection — not all vendors handle it
Summary
The Fortify vs Checkmarx vs SonarQube decision comes down to what you’re actually trying to achieve:
- Security vulnerability detection with compliance reporting → Fortify SCA or Checkmarx (both have genuine taint analysis; Fortify if you’re in a regulated environment with existing Fortify contracts; Checkmarx if you need custom CxQL rules)
- Code quality tracking with basic security → SonarQube (Community or Enterprise Edition), ideally paired with a dedicated SAST tool
- SAST + DAST + SCA in one platform with flat-rate pricing → Offensive360
- Start with a low-commitment baseline scan → One-time scan for $500 before committing to any annual subscription
For teams evaluating all options, the most useful exercise is to run each candidate tool against a known-vulnerable target (WebGoat or DVWA) and count the confirmed findings. The difference in detection rates between taint-analysis tools and pattern-matching tools will be immediately visible — and will make the decision considerably clearer.
Offensive360 performs deep interprocedural taint analysis across 60+ languages with on-premise OVA deployment and flat-rate annual pricing. Book a demo to see a live scan, or run a one-time SAST scan for $500 — no subscription required.