We performed a comparison between Checkmarx vs.Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"The administration in Checkmarx is very good."
"The solution is scalable, but other solutions are better."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"Both automatic and manual code review (CxQL) are valuable."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"It has almost completely eliminated the presence of SQLi vulnerabilities."
"It's helping us with security and making sure that we develop faster. It's able to scan every vulnerability. It's very powerful software that one can use to make sure that you have a very good, secure platform."
"I have found the user interface extremely helpful in prioritizing issues."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
"It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic."
"For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE."
"We have received some feedback from our customers who are receiving a large number of false positives."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Micro-services need to be included in the next release."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"The solution's user interface could be improved because it seems outdated."
"The solution sometimes reports a false auditable code or false positive."
"Checkmarx needs to be more scalable for large enterprise companies."
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git"
"Veracode's ability to fix flaws is less sophisticated than that of its competitors."
"Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
"I would like Veracode to add more language support."
"Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."
"Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
"There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Snyk, Fortify on Demand, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
See our list of best Application Security Tools vendors, best Application Security Testing (AST) vendors, and best Static Code Analysis vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.