Checkmarx vs SonarQube: Complete Application Security Testing Comparison 2026
Selecting the right application security testing platform represents a critical decision for development teams in 2026. Two prominent solutions dominate this space: Checkmarx and SonarQube. Each platform brings distinct strengths to code analysis and vulnerability detection.
Checkmarx specializes in comprehensive security testing with advanced static application security testing (SAST) capabilities. SonarQube focuses primarily on code quality management while offering expanding security features. Understanding their differences helps organizations make informed decisions.
This comparison examines key evaluation criteria including security capabilities, integration options, pricing models, and deployment flexibility. Both platforms serve different organizational needs and technical requirements. The choice between these solutions depends on specific security priorities, team structure, and existing development workflows.
Understanding Core Platform Philosophies
The fundamental difference between Checkmarx and SonarQube lies in their foundational design philosophies. These distinct approaches shape every aspect of their functionality and user experience.
Checkmarx: Security-First Architecture
Checkmarx was built from the ground up as a security-focused platform. The company designed its core engine specifically for identifying complex security vulnerabilities through sophisticated taint analysis. This security-centric approach enables deep analysis of data flow patterns across application layers.
The platform excels at detecting intricate security flaws that simpler tools might miss. Checkmarx employs advanced algorithms to trace potential attack vectors through complex code structures. This methodology proves particularly effective for enterprise applications with sophisticated architectures.
Security teams appreciate Checkmarx’s comprehensive vulnerability coverage. The platform identifies issues ranging from injection attacks to authentication bypasses. Its rule engine continuously updates to address emerging threat patterns and attack methodologies.
SonarQube: Quality-Driven Evolution
SonarQube originated as a code quality management platform before expanding into security domains. This foundation emphasizes maintainability, reliability, and technical debt reduction. The platform’s security capabilities represent evolutionary additions to its quality-focused core.
Development teams value SonarQube’s holistic approach to code health. The platform identifies bugs, code smells, and maintainability issues alongside security vulnerabilities. This comprehensive view helps teams understand overall code quality trends.
The platform’s strength lies in continuous quality monitoring throughout development cycles. SonarQube provides detailed metrics on code complexity, duplication, and coverage. These insights enable teams to maintain high coding standards while addressing security concerns.
Static Application Security Testing Capabilities
Both platforms offer static application security testing functionality, but their approaches and effectiveness vary significantly across different dimensions.
Checkmarx SAST Excellence
Checkmarx delivers industry-leading SAST capabilities through its advanced taint analysis engine. The platform traces data flow from user inputs to potential vulnerability points with exceptional accuracy. This deep analysis capability reduces false positives while identifying complex security issues.
The platform supports extensive programming language coverage including Java, .NET, JavaScript, Python, and numerous others. Checkmarx maintains detailed rule sets for each supported language, ensuring comprehensive vulnerability detection across diverse technology stacks.
Enterprise security teams particularly value Checkmarx’s ability to handle large, complex codebases. The platform efficiently processes millions of lines of code while maintaining scanning accuracy. This scalability proves essential for organizations with extensive application portfolios.
| SAST Feature | Checkmarx | SonarQube |
|---|---|---|
| Language Support | 25+ languages with deep analysis | 30+ languages with varying depth |
| Vulnerability Detection | Advanced taint analysis | Rule-based pattern matching |
| False Positive Rate | Low due to flow analysis | Moderate with tuning |
| Scanning Speed | Moderate for deep analysis | Fast incremental scans |
SonarQube Security Analysis
SonarQube’s security analysis capabilities focus on identifying common vulnerability patterns through rule-based detection. The platform excels at finding straightforward security issues while maintaining fast scanning speeds. This approach works well for teams prioritizing rapid feedback cycles.
The platform’s security rules cover OWASP Top 10 vulnerabilities and CWE classifications. SonarQube regularly updates its rule engine to address new vulnerability patterns. However, the rule-based approach may miss complex data flow vulnerabilities that require deeper analysis.
Teams appreciate SonarQube’s immediate feedback on security issues during development. The platform integrates seamlessly into CI/CD pipelines, providing quick security checks without significant build delays. This responsiveness encourages developers to address security issues proactively.
Code Quality Management Features
The platforms demonstrate contrasting strengths in code quality management, reflecting their different foundational priorities and target audiences.
SonarQube’s Quality Leadership
SonarQube excels in comprehensive code quality analysis across multiple dimensions. The platform evaluates maintainability, reliability, security, and technical debt simultaneously. This holistic approach provides development teams with complete visibility into code health.
The platform’s quality gate feature enables teams to establish objective criteria for code acceptance. Organizations can define thresholds for bug counts, coverage percentages, and security vulnerabilities. These gates prevent problematic code from reaching production environments.
SonarQube’s technical debt calculation helps teams prioritize improvement efforts. The platform quantifies the effort required to fix identified issues, enabling data-driven decisions about code maintenance. This feature proves valuable for planning development sprints and resource allocation.
Checkmarx Quality Capabilities
Checkmarx offers basic code quality features primarily focused on security-related quality issues. The platform identifies coding practices that may introduce vulnerabilities or reduce application security posture. These insights complement the primary security analysis functionality.
The platform’s quality features emphasize secure coding practices rather than general maintainability. Checkmarx identifies patterns that may not represent immediate vulnerabilities but could create security risks over time. This security-centric quality approach aligns with the platform’s core mission.
While less comprehensive than SonarQube’s quality features, Checkmarx’s security-focused quality analysis provides valuable insights for security-conscious teams. The platform helps organizations maintain secure coding standards throughout development cycles.
Integration and Development Workflow
Both platforms prioritize seamless integration with existing development workflows, though they emphasize different integration scenarios and use cases.
IDE Integration Capabilities
Checkmarx provides extensive IDE integration across popular development environments including Visual Studio, Eclipse, and IntelliJ IDEA. These integrations enable developers to scan code for security vulnerabilities directly within their preferred development tools. Real-time feedback helps developers address security issues before committing code.
The IDE plugins offer comprehensive functionality including incremental scanning, vulnerability explanations, and remediation guidance. Developers can view detailed vulnerability information without leaving their development environment. This seamless experience encourages proactive security practices.
SonarQube’s IDE integration through SonarLint provides immediate code quality feedback during development. The tool highlights quality issues and security vulnerabilities as developers write code. This real-time analysis helps prevent issues from entering version control systems.
- Visual Studio: Both platforms offer robust plugins with full scanning capabilities
- IntelliJ IDEA: Comprehensive integration with real-time analysis features
- Eclipse: Native plugins supporting incremental scanning workflows
- VS Code: Lightweight extensions for rapid feedback cycles
CI/CD Pipeline Integration
Checkmarx integrates seamlessly with popular CI/CD platforms including Jenkins, Azure DevOps, GitLab CI, and GitHub Actions. The platform can automatically trigger security scans on code commits or pull requests. Build pipelines can fail based on security vulnerability thresholds, preventing insecure code deployment.
The platform’s API-driven architecture enables custom integration scenarios and automated workflow creation. Organizations can build sophisticated security testing pipelines that incorporate multiple Checkmarx scanning engines. This flexibility supports diverse DevSecOps implementation strategies.
SonarQube’s CI/CD integration emphasizes continuous quality monitoring throughout development cycles. The platform provides detailed quality metrics and trend analysis across multiple builds. Teams can track quality improvements or degradations over time through comprehensive reporting dashboards.
| Integration Aspect | Checkmarx | SonarQube |
|---|---|---|
| Primary Focus | Security scanning automation | Quality gate enforcement |
| Scan Triggers | Commit, PR, scheduled | Build, commit, scheduled |
| Failure Conditions | Security vulnerability thresholds | Quality gate criteria |
| Reporting | Security-focused dashboards | Comprehensive quality metrics |
Vulnerability Detection Accuracy and Coverage
The accuracy and coverage of vulnerability detection represent critical evaluation criteria for organizations selecting application security testing platforms.
Checkmarx Detection Superiority
Checkmarx demonstrates superior accuracy in complex vulnerability detection through its advanced static analysis engine. The platform’s taint analysis capabilities enable identification of sophisticated attack vectors that span multiple application layers. This deep analysis approach significantly reduces false negative rates for critical security issues.
The platform excels at detecting injection vulnerabilities, authentication bypasses, and access control issues. Checkmarx’s rule engine incorporates extensive security research and threat intelligence. Regular updates ensure coverage of emerging vulnerability patterns and attack techniques.
Security research demonstrates Checkmarx’s effectiveness in identifying zero-day vulnerabilities and complex security flaws. The platform’s analysis depth enables detection of issues that automated tools often miss. This capability proves particularly valuable for organizations with high security requirements.
SonarQube Detection Capabilities
SonarQube provides solid coverage of common security vulnerabilities through its rule-based detection engine. The platform effectively identifies OWASP Top 10 vulnerabilities and standard security anti-patterns. While less sophisticated than Checkmarx’s analysis, SonarQube’s approach proves sufficient for many development teams.
The platform’s strength lies in consistent detection of straightforward security issues across large codebases. SonarQube’s fast scanning capabilities enable frequent security checks throughout development cycles. This regular analysis helps teams maintain baseline security standards.
However, SonarQube’s rule-based approach may miss complex vulnerabilities requiring sophisticated data flow analysis. The platform performs best when combined with additional security testing tools for comprehensive vulnerability coverage.
Language and Technology Support
Both platforms support diverse programming languages and technology stacks, though their coverage depth and analysis quality vary significantly.
Comprehensive Language Coverage
Checkmarx supports 25+ programming languages with varying analysis depth depending on language maturity and usage patterns. The platform provides excellent coverage for enterprise languages including Java, C#, C++, and JavaScript. Each supported language benefits from specialized rule sets and analysis techniques.
The platform’s language support emphasizes quality over quantity, focusing on deep analysis capabilities rather than superficial coverage. Checkmarx invests significant resources in maintaining comprehensive rule sets for each supported language. This approach ensures consistent analysis quality across different technology stacks.
SonarQube supports 30+ programming languages with emphasis on popular development languages and frameworks. The platform provides broad coverage suitable for diverse development environments. However, analysis depth varies significantly between well-supported and emerging languages.
- Enterprise Languages: Both platforms excel with Java, C#, JavaScript, and Python
- Modern Languages: Go, Rust, and Kotlin receive varying support levels
- Legacy Languages: COBOL, Fortran support differs between platforms
- Mobile Development: Swift, Objective-C, and Kotlin coverage varies
Framework and Technology Integration
Checkmarx demonstrates excellent framework awareness for security-critical technologies including Spring, .NET Core, and popular JavaScript frameworks. The platform understands framework-specific security patterns and common vulnerability scenarios. This awareness enables more accurate vulnerability detection within complex application architectures.
The platform’s technology support extends beyond programming languages to include configuration analysis and infrastructure-as-code scanning. Checkmarx can analyze Docker files, Kubernetes configurations, and cloud deployment templates for security misconfigurations.
SonarQube provides comprehensive framework support focused on code quality analysis across popular development frameworks. The platform understands framework-specific patterns for maintainability and reliability analysis. While security analysis exists, the primary strength lies in quality-focused framework integration.
Enterprise Scalability and Performance
Enterprise organizations require application security platforms that can handle large-scale deployments while maintaining consistent performance and analysis quality.
Checkmarx Enterprise Architecture
Checkmarx provides robust enterprise scalability through its distributed scanning architecture and high-performance analysis engines. The platform efficiently processes large codebases containing millions of lines of code. Enterprise deployments can scan multiple applications simultaneously without performance degradation.
The platform’s architecture supports horizontal scaling across multiple server instances. Organizations can deploy scanning engines across different geographic locations or business units. This distributed approach enables consistent analysis performance regardless of organizational size or complexity.
Checkmarx’s enterprise features include advanced user management, detailed audit logging, and comprehensive compliance reporting. The platform supports integration with enterprise identity systems including Active Directory and LDAP. These capabilities simplify deployment within complex organizational structures.
SonarQube Performance Characteristics
SonarQube demonstrates excellent performance for continuous analysis workflows through its incremental scanning capabilities and efficient analysis engines. The platform can quickly analyze code changes without rescanning entire applications. This performance enables rapid feedback cycles during active development.
The platform’s architecture emphasizes analysis speed and developer productivity over deep security analysis. SonarQube can handle large development teams with frequent code commits. The fast scanning approach encourages regular quality and security checks throughout development workflows.
However, SonarQube’s performance advantages come with trade-offs in analysis depth. The platform prioritizes speed over comprehensive vulnerability detection. Organizations requiring deep security analysis may need to supplement SonarQube with additional security testing tools.
| Scalability Factor | Checkmarx | SonarQube |
|---|---|---|
| Codebase Size | Millions of lines efficiently | Large codebases with fast scans |
| Concurrent Projects | High throughput enterprise scanning | Excellent for continuous integration |
| Geographic Distribution | Distributed enterprise deployment | Centralized or distributed options |
| Analysis Depth vs Speed | Deep analysis with moderate speed | Fast analysis with moderate depth |
Pricing Models and Total Cost of Ownership
Understanding the financial implications of each platform helps organizations make cost-effective decisions while meeting security and quality requirements.
Checkmarx Investment Considerations
Checkmarx employs enterprise-focused pricing models that reflect the platform’s comprehensive security capabilities and target market. The pricing structure typically includes licensing fees based on lines of code, number of applications, or scanning frequency. Enterprise organizations should expect significant investment levels commensurate with advanced security functionality.
The platform’s total cost of ownership includes initial licensing, implementation services, and ongoing support costs. However, organizations often realize substantial value through improved security posture and reduced vulnerability remediation expenses. The comprehensive security coverage can eliminate needs for additional security testing tools.
Many enterprises justify Checkmarx investments through risk reduction and compliance benefits. The platform’s detailed security analysis helps organizations avoid costly security incidents and regulatory penalties. These risk mitigation benefits often outweigh initial licensing expenses.
SonarQube Cost Efficiency
SonarQube offers flexible pricing options including open-source community editions and commercial enterprise licenses. The community edition provides substantial functionality suitable for many development teams. This flexibility enables organizations to start with limited investment and scale based on requirements.
The platform’s commercial editions include additional features like branch analysis, security reporting, and enterprise integrations. Pricing typically scales based on lines of code analyzed or number of developers. The transparent pricing model helps organizations predict and budget for ongoing costs.
SonarQube’s cost efficiency stems from its dual focus on quality and security analysis. Organizations can address multiple requirements with a single platform investment. This consolidation reduces tool sprawl and associated management overhead.
Compliance and Regulatory Support
Both platforms provide compliance features, though they emphasize different regulatory frameworks and reporting capabilities.
Checkmarx Compliance Excellence
Checkmarx provides comprehensive compliance reporting for major security standards including OWASP, CWE, SANS Top 25, and various regulatory frameworks. The platform generates detailed compliance reports showing vulnerability coverage and remediation status. These reports simplify audit processes and demonstrate security posture to stakeholders.
The platform supports industry-specific compliance requirements including PCI DSS, HIPAA, and SOX. Checkmarx’s detailed vulnerability analysis helps organizations meet specific regulatory security requirements. The platform’s audit trail capabilities provide necessary documentation for compliance reviews.
Security teams appreciate Checkmarx’s ability to map vulnerabilities to specific compliance requirements. The platform clearly indicates which issues affect regulatory compliance versus general security posture. This clarity helps organizations prioritize remediation efforts based on compliance impact.
SonarQube Quality Compliance
SonarQube emphasizes quality-focused compliance standards including ISO 9001 and various software quality frameworks. The platform’s comprehensive quality metrics support quality assurance processes and continuous improvement initiatives. Organizations can demonstrate code quality compliance through detailed SonarQube reporting.
The platform’s security compliance features cover basic requirements for common standards. While less comprehensive than Checkmarx’s security-focused compliance capabilities, SonarQube provides sufficient coverage for many organizational requirements. The platform’s strength lies in quality compliance rather than security-specific regulations.
SonarQube’s compliance reporting emphasizes trends and improvements over time. Organizations can demonstrate continuous quality improvement through historical analysis and metrics tracking. This approach supports quality management system requirements and internal governance processes.
User Experience and Learning Curve
The user experience and learning requirements significantly impact platform adoption and effective utilization across development teams.
Checkmarx Professional Interface
Checkmarx provides sophisticated user interfaces designed for security professionals and experienced developers. The platform’s comprehensive functionality requires substantial learning investment but offers powerful capabilities for advanced users. Security teams appreciate the detailed analysis options and extensive configuration possibilities.
The platform’s complexity reflects its comprehensive security analysis capabilities. New users typically require training and onboarding support to utilize advanced features effectively. However, experienced security professionals find the detailed controls and analysis options valuable for thorough security testing.
Checkmarx offers extensive documentation, training programs, and professional services to support user adoption. The platform’s learning curve is significant but manageable with proper support and training investment. Organizations should plan for onboarding time and training costs during implementation planning.
SonarQube Developer-Friendly Design
SonarQube emphasizes developer-friendly interfaces that integrate seamlessly into existing development workflows. The platform’s intuitive design enables rapid adoption by development teams without extensive training requirements. Developers can quickly understand quality metrics and security findings through clear visualizations.
The platform’s learning curve is minimal for developers familiar with continuous integration workflows. SonarQube’s straightforward interfaces and clear reporting enable immediate productivity gains. Teams can begin realizing value quickly without extensive onboarding processes.
SonarQube’s community edition allows teams to explore functionality without licensing commitments. This approach enables risk-free evaluation and gradual adoption. The extensive community resources and documentation support self-service learning and troubleshooting.
Support and Professional Services
The quality of support and professional services significantly impacts platform implementation success and ongoing operational effectiveness.
Checkmarx Enterprise Support
Checkmarx provides comprehensive enterprise support including dedicated customer success teams, professional implementation services, and ongoing technical support. The platform’s complex security capabilities benefit from expert guidance during deployment and optimization phases.
The company offers extensive professional services including security assessment, custom rule development, and integration consulting. These services help organizations maximize platform value and address specific security requirements. Expert guidance proves particularly valuable for complex enterprise deployments.
Checkmarx’s support organization includes security researchers and analysis experts who can assist with complex vulnerability investigations. This deep expertise helps organizations address sophisticated security challenges and optimize analysis accuracy. The support quality reflects the platform’s enterprise positioning and pricing.
SonarQube Community and Commercial Support
SonarQube benefits from extensive community support through active forums, documentation wikis, and open-source contributions. The large user community provides valuable resources for troubleshooting and best practices sharing. Community support often addresses common implementation challenges quickly.
Commercial SonarQube licenses include professional support with guaranteed response times and direct access to technical experts. The support organization emphasizes rapid issue resolution and platform optimization guidance. Professional services focus on integration assistance and advanced configuration optimization.
The platform’s broad adoption ensures extensive third-party resources including consulting services, training providers, and integration specialists. This ecosystem provides flexibility in selecting support options based on organizational needs and preferences.
Future Platform Direction and Innovation
Understanding each platform’s strategic direction helps organizations make forward-looking investment decisions aligned with evolving security and quality requirements.
Checkmarx Security Innovation
Checkmarx continues investing heavily in advanced security analysis capabilities including machine learning-enhanced vulnerability detection and cloud-native application security. The platform’s roadmap emphasizes expanding security coverage across modern development paradigms including microservices and serverless architectures.
The company focuses on artificial intelligence integration to improve analysis accuracy and reduce false positive rates. These investments aim to enhance the platform’s already strong security analysis capabilities. Checkmarx’s innovation direction aligns with evolving enterprise security requirements.
Recent platform enhancements include container security scanning, infrastructure-as-code analysis, and API security testing. These additions demonstrate Checkmarx’s commitment to comprehensive application security coverage. The platform evolution addresses modern development practices and deployment models.
SonarQube Evolution Strategy
SonarQube’s strategic direction emphasizes expanding security capabilities while maintaining its core strength in code quality analysis. The platform continues adding security rules and analysis features to compete more effectively in the application security market.
Recent innovations include improved security hotspot identification, enhanced secret detection, and infrastructure-as-code analysis. These additions strengthen SonarQube’s security positioning while preserving its quality analysis leadership. The platform aims to provide comprehensive DevSecOps capabilities through unified analysis.
SonarQube’s cloud-first strategy emphasizes SaaS deployment options and improved scalability. The platform evolution supports modern development practices including distributed teams and cloud-native development. These investments position SonarQube for continued growth in evolving market conditions.
Making the Right Platform Choice
Selecting between Checkmarx and SonarQube requires careful evaluation of organizational priorities, technical requirements, and strategic objectives.
Checkmarx Ideal Scenarios
Organizations should choose Checkmarx when security represents the primary concern and comprehensive vulnerability detection is essential. The platform excels for enterprises with strict security requirements, regulatory compliance needs, or high-risk applications. Checkmarx provides superior security analysis capabilities for organizations prioritizing security over other factors.
Financial services, healthcare, and government organizations often benefit from Checkmarx’s comprehensive security features. These industries require detailed vulnerability analysis and extensive compliance reporting. The platform’s security expertise aligns with stringent regulatory requirements and risk management needs.
Large enterprises with complex application portfolios appreciate Checkmarx’s scalability and enterprise features. The platform handles sophisticated security analysis requirements across diverse technology stacks. Organizations with dedicated security teams can fully utilize Checkmarx’s advanced capabilities and detailed analysis options.
SonarQube Optimal Use Cases
SonarQube represents the optimal choice when code quality and rapid feedback are primary objectives with security as an important secondary consideration. Development teams benefit from the platform’s comprehensive quality analysis and developer-friendly interfaces. SonarQube excels for organizations emphasizing development velocity and continuous improvement.
Technology companies and software development organizations often prefer SonarQube’s balanced approach to quality and security. The platform supports rapid development cycles while maintaining acceptable security coverage. Teams can address multiple code health dimensions through a single platform investment.
Organizations with limited security expertise may find SonarQube more accessible than Checkmarx’s sophisticated security features. The platform provides sufficient security coverage for many applications without requiring specialized security knowledge. This accessibility enables broader adoption across development teams.
Choosing between Checkmarx and SonarQube ultimately depends on organizational priorities, security requirements, and technical capabilities. Both platforms offer valuable functionality for different use cases and organizational contexts. The decision should align with strategic objectives and available resources for platform implementation and ongoing management.
Conclusion
Checkmarx and SonarQube serve distinct organizational needs in application security and quality management. Checkmarx excels in comprehensive security analysis through advanced SAST capabilities and extensive vulnerability detection. SonarQube provides balanced code quality management with expanding security features suitable for development-focused teams.
The choice between these platforms depends on security priorities, organizational structure, and technical requirements. Security-focused enterprises benefit from Checkmarx’s sophisticated analysis capabilities, while development teams may prefer SonarQube’s comprehensive quality focus with adequate security coverage.
Frequently Asked Questions: Checkmarx vs SonarQube Comparison
- Which platform provides better security vulnerability detection?
Checkmarx offers superior security vulnerability detection through advanced taint analysis and comprehensive SAST capabilities. The platform excels at identifying complex security flaws that require sophisticated data flow analysis. SonarQube provides adequate security coverage for common vulnerabilities but may miss complex security issues requiring deep analysis. - What are the main cost differences between Checkmarx and SonarQube?
Checkmarx typically requires higher investment reflecting its enterprise security focus and comprehensive capabilities. SonarQube offers more flexible pricing including free community editions and scalable commercial licenses. Total cost of ownership depends on organizational requirements, team size, and desired feature sets. - Which platform integrates better with existing development workflows?
Both platforms provide excellent integration capabilities through IDE plugins, CI/CD integrations, and API access. SonarQube emphasizes developer-friendly integration with minimal workflow disruption. Checkmarx offers comprehensive integration options focused on security workflow automation and enterprise deployment scenarios. - How do the platforms compare for enterprise scalability?
Checkmarx provides robust enterprise scalability through distributed architecture and high-performance analysis engines suitable for large-scale deployments. SonarQube offers excellent scalability for continuous integration workflows and rapid feedback cycles. Both platforms handle enterprise workloads effectively with different performance characteristics. - Which platform requires less training and onboarding time?
SonarQube features more intuitive interfaces and shorter learning curves suitable for rapid team adoption. The platform’s developer-friendly design enables quick productivity gains without extensive training. Checkmarx requires more substantial learning investment but provides comprehensive security analysis capabilities for experienced users. - What compliance and regulatory support do the platforms provide?
Checkmarx excels in security compliance reporting for standards including OWASP, CWE, PCI DSS, and various regulatory frameworks. The platform provides detailed compliance mapping and audit trail capabilities. SonarQube emphasizes quality compliance standards while offering basic security compliance features sufficient for many organizational requirements. - Which platform is better for teams new to application security testing?
SonarQube provides a more accessible introduction to application security testing through its balanced quality and security approach. The platform’s intuitive interfaces and extensive community resources support self-service learning. Checkmarx offers comprehensive security capabilities but may overwhelm teams without existing security expertise.
Stack Insight is intended to support informed decision-making by providing independent information about business software and services. Some product details, including pricing, features, and promotional offers, may be supplied by vendors or partners and can change without notice.