Back in 2018, when I was working at Appirio, I undertook a comprehensive analysis to compare the different tools available for code security and quality analysis for Salesforce. I attempted to map each tool's rules to the others' rules to determine which rules were unique and which were common. The tools compared are:
- PMD – an Open Source CLI which is the engine used on Codacy, CodeClimate, and other tools
- (Deprecated) Enforce – SonarQube Open Source Plugin
- CodeScan
- Checkmarx
- Clayton.io
- SonarQube (Sonar Apex)
This document is now out of date, but captures the situation as of 2019. Please contact me if you want a copy of the original or are willing to help update it.