We compared Veracode and SonarQube across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users mentioning the need for availability and response time improvement. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.
"Before you even compile, it can catch known vulnerability issues or patterns."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"All the features of the solution are quite good."
"Improves the code coverage and evaluates the technical steps and the percentage of code being resolved."
"It provides the security that is required from a solution for financial businesses."
"The solution offers a very good community edition."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
"The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."
"The feature I like most in Veracode is that it clearly specifies the line in the entire file where a vulnerability is found."
"It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
"The Veracode support team is excellent."
"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
"Code analysis tool to help identify code issues before they are entered into production."
"We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them."
"SonarQube could improve its static application security testing as per the industry standard."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"There could be better integration with other products."
"There are limitations to the free version that limit development options as far as languages."
"Technical support and the price could be better."
"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."
"I would like Veracode to add more language support."
"The language version support could be improved."
"I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, 'It takes 72 hours to scan it.' That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."
"Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."
"It's very expensive for a small organization."
"Sometimes, I get feedback from a developer saying, 'They are scanning Python code, but getting feedback around Java code.' While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insights."
"It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
SonarQube is ranked 1st in Application Security Tools with 108 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx One, Snyk, Fortify on Demand, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot and this is great to check code quality and security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.
Veracode is mostly in the space of security testing and amongst the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products in the industry are used for slightly different purposes. If you are after the code, then SonarQube; if you are after security, then Veracode.