There are many tools available on the market for performing security scans of application code and dependencies. Some examples include WhiteSource, Black Duck, Veracode, and Checkmarx.

WhiteSource is the paid version of WhiteSource Bolt. It offers the same services and more. For example, it doesn't only report risks at the time of the dependency scan; it also gives you alerts when new risks become available for dependencies that were present in the last scan of an application.

Black Duck is a product that helps teams to manage the risks associated with using open source software. The services it offers are comparable to WhiteSource.

Veracode and Checkmarx are code scanning tools that are used to identify vulnerable code. Whereas SonarQube checks both the code quality and security risks, these two products focus solely on security risks. In general, they are better at security scanning, with the downside being that they are more expensive.