We performed a comparison between SonarCloud and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The solution can be installed locally."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"For what it is meant to do, it works pretty well."
"The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
"Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier."
"The installation was straightforward."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"The ability on static scans to be able to do sandbox scans which do not generate metrics."
"In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"It would be helpful if notifications could go out to an extra person."
"The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"We had some issues with the scanner."
"Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
"There were some additional manual steps or work involved that we should not have needed to do."
"Veracode needs to improve its integration with other tools."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
"Veracode can be improved in terms of software composition analysis and related vulnerabilities."
"There should be more APIs, especially in SCA, to get some results or automate some things."
"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
SonarCloud is ranked 10th in Application Security Testing (AST) with 10 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. SonarCloud is rated 8.4, while Veracode is rated 8.2. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". SonarCloud is most compared with SonarQube, Checkmarx One, OWASP Zap, GitLab and Coverity, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Black Duck. See our SonarCloud vs. Veracode report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.