Fortify scans the code to detect security vulnerabilities and sonar as well does that. Lets look at what are the differences between both
| Category | Sonar | Fortify |
| Purpose | Static code analysis tool which provides code quality report for duplicate code, code smells, security vulnerabilities | Static code analysis tool which provides report on security vulnerabilities that impact the application |
| License | Free to use (Community Edition) & have licensed as well | Licensed Software |
| Open Source | Yes | No |
| Quality Rules Customisation | Can be done | Can’t be done |
| Quality Metrics | Code Coverage, Security, Code Smells, Bugs, Duplicate code, Comments etc | Security |
| Security Standards Coverage | CWE, OWASP Top 10, SANS Top 25 – outdated | OWASP Top 10 , CWE/SANS Top 25, DISA STIG, and PCI DSS |