Static Code Analysis: How to Pick the Right Tool (CodeScan vs. Checkmarx vs. SonarQube vs. Others)

static code analysis tool

The tools that you use to streamline your Salesforce development process are what allow you to deliver the best and most efficient version of your release. Planning, project management, source code management, static code analysis (SCA), and continuous integration, these are tools that help to streamline the development process. Each of these tools plays an important role in helping you deliver your final product.

What to Consider

With so many options available, how do you know which tool fits your development needs? As static code analysis experts, we’re here to help you assess which SCA tool is right for your organization.

There are a lot of Static Code Analysis tools available to optimize your code. Major factors that should be considered in your decision making are as follows:

  • Language Support
  • Ruleset
  • Integrations
  • Cost

Language Support

The most important part of picking a static code analysis tool is language. What language is your code written? There are thousands of languages that you can code in, so at the most basic level, you want to be sure the tool you pick supports your language.

Major Salesforce languages include Apex, Visualforce, Lightning Web Components, metadata, flows, and process builders. The top contenders in the Salesforce ecosystem that support these languages are CodeScan, PMD, SonarQube™, CheckMarx, Clayton, Codecy, and CodeClimate. Before choosing the right tool for you, you should take into consideration how many Salesforce languages are supported.


Finding a tool that supports your languages isn’t enough. You need to evaluate how robust the coverage is within that program. Would you buy a book on translation that only translates 25% of the words?

After understanding how many Salesforce languages are supported in your static code analysis tool, you should consider the number of rules the tool supports within those languages. We created a graph that highlights ruleset and language coverage per SCA tool.

CodeScan vs. Checkmarx vs. SonarQube vs. Others

CodeScan vs. SonarQube vs. Checkmarx vs. Others

As you can see, PMD, Codacy, and CodeClimate only offer support for a minimal percentage of languages, Apex. Additionally, they provide minimal rulesets.

SonarQube™ and Checkmarx both boast of user-friendly interfaces, making them easy to use. However, Checkmarx comes out ahead with a broader feature set, encompassing software composition scanning and an increased capability for detecting vulnerabilities. In addition, Checkmarx offers superior language support and enhanced reporting capabilities.

CodeScan and Clayton cover all the Salesforce languages including Lightning Web Components and metadata. The number of rules within each tool range from low to high with PMD having the smallest ruleset and CodeScan with the largest ruleset.


The DevOps pipeline requires many different tools to work together simultaneously in order to help teams work more efficiently. This is why integration with your static code analysis tool is important. You want to find the right Static Code Analysis tool to integrate with your development pipeline and sync with your process.

For static code analysis, there are 4 major points in which integration is key: IDE, code repository, project management, and CI. For example, if you want to block failed scans from committing to production, you will need a tool that integrates with your CI. Fortunately, most Static Code Analysis tools work with APIs, plugins, and GUIs, so they are compatible with the DevOps pipeline. However, you need to consider your team’s capacity, as each tool provides a different level of effort.


Cost can be a dealbreaker for some teams, whereas for other teams, tools that provide the best ROI outweigh the cost. The cost can vary from a free open source option to a very expensive enterprise-level price. It’s important to examine the price structure to determine if the tool suits your needs. Are you a small or large organization? Do you need to perform a couple scans or a lot of scans daily? These questions will help you determine if you need a tool that limits total lines scanned over time (such as CheckMarx) compared to total lines each scan (such as CodeScan). With the wrong choice, you may sacrifice functionality, while increasing your cost.

The number of users is another major factor when evaluating cost. If you anticipate growth within your team or require multiple users, you can expect to see higher costs.

The aspect to consider when it comes to cost is service. What type of customer service are you offered after you purchase your product? Is it extra for a dedicated customer care representative? What is the skill level of your team and do they require extra support with xml files, proxy settings, etc? These all should be factored when making a decision.

Best Ranked Tools

While language support, ruleset, integration, and cost are important to consider when picking a Static Code Analysis tool, other aspects to consider are the following: – cloud versus self hosted services, and – custom rules options.

Cloud services provide no maintenance and self hosted provides more control. Creating custom rules is a great option if you choose a tool that has a smaller ruleset.

Every organization is different and approaches DevOps differently. Still unsure which static code tool is right for you? We ranked our top three tools and highlighted the benefits of each.

CodeScan: Top Ranking Static Code Analysis Tools

Develop high quality, secure code!

Setting Up and Using CodeScan Effectively
Setting up and CodeScan in your salesforce org

Running CodeScan on your Salesforce Org is a great first step towards quality code, but maintaining that quality is a Read more

Estimating ROI with CodeScan
Estimate ROI using static code analysis tool CodeScan

Every Software Development Professional knows the following fact: the later bugs are found, the more expensive they are to fix. Read more

SFDX Tutorial | Setting Up CodeScan
CodeScan with Salesforce DX

Salesforce DX is a new focus on source-driven, collaborative development. The Salesforce CLI (Command Line Interface) easily integrates into your Read more

CodeScan and Visual Studio Team Services
continuous integration visual studio

Visual Studio Continuous IntegrationVisual Studio Team Services (VSTS) is a quick and powerful tool to set up continuous integration and Read more