We performed a comparison between Coverity and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The solution effectively identifies bugs in code."
"One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
"We were very comfortable with the initial setup."
"The most valuable feature is the integration with Jenkins."
"Coverity is quite stable and we haven’t had any issues or any downtime."
"The security analysis features are the most valuable features of this solution."
"The solution has improved our code quality and security very well."
"Our development team use this solution for static code analysis and pen testing."
"We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it."
"In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."
"I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
"The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
"It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
"I have found the user interface extremely helpful in prioritizing issues."
"Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced."
"The solution's user interface and quality gate could be improved."
"Ideally, it would have a user-based license that does not have a restriction in the number of lines of code."
"Coverity takes a lot of time to dereference null pointers."
"Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."
"Sometimes it's a bit hard to figure out how to use the product’s UI."
"The solution could use more rules."
"We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now.Some check checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"The interface is basic and has room for improvement."
"It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."
"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."
"They could improve how they fix vulnerabilities. They could have more support in place to help the developers."
"The zip file scanning has room for improvement."
"The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
"The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."
"The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. Coverity is rated 7.8, while Veracode is rated 8.2. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Coverity is most compared with SonarQube, Klocwork, Fortify on Demand, Checkmarx One and Polyspace Code Prover, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and SonarCloud. See our Coverity vs. Veracode report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.