What is the difference between SonarQube and Checkmarx CxSAST & CxSCA? [closed]
I have integrated SonarQube and Checkmarx SAST and SCA into the Azure DevOps build pipeline. I am able to see both the SonarQube and Checkmarx reports without any issues.

I have the following questions. Could someone please clarify:

  1. What is the difference between SonarQube and Checkmarx CxSAST?
  2. What is the common thing between these two?
  3. In which situations are SonarQube and Checkmarx preferred?
Dustindustman answered 20/5, 2022 at 6:15
If I were to boil it down to a short phrase, SonarQube is used for ensuring code quality, and Checkmarx is used for ensuring the security of a system running that code.

SonarQube looks at several areas, including the code coverage percentage of unit tests of the code, duplication percentages, and also code quality issues found through static analysis of the code.

Checkmarx, on the other hand, just analyzes the flow of the code and the inputs and outputs. It looks for situations where inputs that could have been provided by an end user are used directly to control behavior, and other "attack vectors".

Spiraea answered 21/5, 2022 at 17:40
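The "flow of the code and the inputs and outputs" point in this answer is what SAST engines call taint analysis. The following is an added example, not code from the original post and not from SonarQube or Checkmarx: a toy intra-procedural taint tracker over a Python AST. The source, sink and sanitizer tables and the `SAMPLE` program are constructed for illustration (a real engine ships thousands of rules and tracks flows across functions and files); it shows why a literal string at a sink is fine while the same sink fed from `request.args` is flagged, and why a sanitizer or a re-assignment breaks the flow.

```python
"""Toy intra-procedural taint tracker over a Python AST (added example)."""
import ast
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Path = Tuple[str, ...]

# Constructed rule tables: where user input enters, where it is dangerous, what cleans it.
SOURCES: Set[Path] = {("request", "args"), ("request", "form"), ("input",)}
SINKS: Set[Path] = {("os", "system"), ("cursor", "execute")}
SANITIZERS: Set[Path] = {("shlex", "quote"), ("int",)}


@dataclass
class Finding:
    line: int
    sink: str
    argument: str


def _dotted(node: ast.AST) -> Optional[Path]:
    """os.system -> ('os', 'system'); input -> ('input',); anything else -> None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def is_tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """Does this expression (transitively) carry user-controlled data?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Attribute):
        return _dotted(node) in SOURCES or is_tainted(node.value, tainted)
    if isinstance(node, ast.Call):
        path = _dotted(node.func)
        if path in SANITIZERS:
            return False  # sanitizer output is treated as clean
        if path in SOURCES:
            return True
        if isinstance(node.func, ast.Attribute) and is_tainted(node.func.value, tainted):
            return True  # method on a tainted object, e.g. host.strip()
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.Subscript):
        return is_tainted(node.value, tainted)
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.List, ast.Tuple)):
        return any(is_tainted(e, tainted) for e in node.elts)
    return False


def _own_calls(stmt: ast.stmt):
    """Call nodes in the statement's own expressions, skipping nested statement blocks."""
    for _, value in ast.iter_fields(stmt):
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, (ast.stmt, ast.excepthandler)):
                continue  # nested block: analyze() visits it in source order
            if isinstance(item, ast.AST):
                yield from (n for n in ast.walk(item) if isinstance(n, ast.Call))


def analyze(source: str) -> List[Finding]:
    """Report every sink call whose argument is tainted at that point in the program."""
    tainted: Set[str] = set()
    findings: List[Finding] = []

    def visit(stmts):
        for stmt in stmts:
            for call in _own_calls(stmt):  # 1. sinks reached with the current taint state
                path = _dotted(call.func)
                if path in SINKS:
                    for arg in call.args:
                        if is_tainted(arg, tainted):
                            findings.append(Finding(call.lineno, ".".join(path), ast.unparse(arg)))
                            break
            if isinstance(stmt, ast.Assign):  # 2. propagate taint through assignments
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)  # clean re-assignment clears the taint
            for _, value in ast.iter_fields(stmt):  # 3. descend into nested blocks
                if isinstance(value, list) and value and isinstance(value[0], ast.stmt):
                    visit(value)
                elif isinstance(value, list) and value and isinstance(value[0], ast.excepthandler):
                    for handler in value:
                        visit(handler.body)

    visit(ast.parse(source).body)
    return findings


# Constructed program under analysis (a Flask-style view); 'cursor' is assumed to be a DB cursor.
SAMPLE = '''\
import os, shlex
from flask import request

def ping():
    host = request.args["host"]                       # user-controlled source
    safe = shlex.quote(host)                          # sanitizer breaks the flow
    os.system("ping -c1 " + host)                     # FINDING: tainted data reaches a sink
    os.system("ping -c1 " + safe)                     # clean: sanitized
    count = int(request.args.get("n", "1"))           # clean: int() cannot carry shell syntax
    os.system(f"ping -c{count} localhost")            # clean
    cursor.execute("SELECT 1 WHERE name='" + host.strip() + "'")  # FINDING: SQL built from input
    host = "localhost"                                # re-assigned with a literal: clean again
    os.system("ping -c1 " + host)                     # clean
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: user-controlled data reaches {f.sink}() via {f.argument}")
```

Running it reports lines 7 and 11 of `SAMPLE` and nothing else. A quality-oriented linter would have no opinion on those two lines (they are valid, readable Python); a taint engine flags them because of where the data came from, which is the distinction the answer draws.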
Checkmarx offers significantly more coverage on vulnerabilities for security in code. E.g. SonarQube will check for around 89 known Java vulnerabilities, whereas Checkmarx has a known vuln number >300.

Customers tend to ask themselves: is the goal to just make a developer's life easier, or is the goal to achieve that and ensure the brand is protected and customer trust is achieved?

Fenny answered 15/8 at 23:50