Fortify scans code to detect security vulnerabilities, and Sonar does that as well. Let's look at the differences between the two:
| Category | Sonar | Fortify |
|---|---|---|
| Purpose | Static code analysis tool which provides a code quality report covering duplicate code, code smells and security vulnerabilities | Static code analysis tool which provides a report on security vulnerabilities that impact the application |
| License | Free to use (Community Edition); licensed editions are also available | Licensed software |
| Open Source | Yes | No |
| Quality Rules Customisation | Can be done | Can’t be done |
| Quality Metrics | Code Coverage, Security, Code Smells, Bugs, Duplicate code, Comments, etc. | Security |
| Security Standards Coverage | CWE, OWASP Top 10, SANS Top 25 – outdated | OWASP Top 10, CWE/SANS Top 25, DISA STIG, and PCI DSS |