We compared Veracode and SonarQube across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users mentioning the need for availability and response time improvement. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.
"There's plenty of documentation available to users."
"The most valuable features are code scanning and Quality Gates."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"Provides local scanning for developers."
"The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"This is a great tool for learning about potential vulnerabilities in code."
"The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
"The product provides guidance to develop secure software."
"It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
"When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are."
"What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
"We use Veracode static analysis during development to eliminate vulnerability issues"
"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
"The product's user documentation can be vastly improved."
"Lacks sufficient visibility and documentation."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
"SonarQube is not development-centric like Snyk."
"Veracode's ability to fix flaws is less sophisticated than that of its competitors."
"I would like Veracode to add more language support."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
"I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity."
"Some important languages are not supported."
"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
"We have encountered occasional issues with scalability."
SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Snyk and GitHub Advanced Security, whereas Veracode is most compared with Checkmarx One, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.
See our list of best Static Application Security Testing (SAST) vendors and best Application Security Tools vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.
Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.
Klocwork