We performed a comparison between GitHub Code Scanning and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"We use GitHub Code Scanning mostly for source code management."
"The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests."
"The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code."
"Static analysis scanning engine is a key feature."
"The static analysis gives you deep insights into problems."
"Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they can push it to the production environment when the results are acceptable."
"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
"I like the sandbox, the ability to upload compiled code, and how easy it is."
"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"GitHub Code Scanning should add more templates."
"The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."
"I would like Veracode to add more language support."
"The security labs integration has room for improvement."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
GitHub Code Scanning is ranked 20th in Static Application Security Testing (SAST) with 2 reviews while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. GitHub Code Scanning is rated 9.6, while Veracode is rated 8.2. The top reviewer of GitHub Code Scanning writes "A highly stable solution that can be used for source code management". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". GitHub Code Scanning is most compared with SonarCloud, Coverity, SonarQube and Polaris Software Integrity Platform, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our GitHub Code Scanning vs. Veracode report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.