We performed a comparison between Coverity and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"It's very stable."
"The product has deeper scanning capabilities."
"I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward."
"The solution has helped to increase staff productivity and improved our work significantly by approximately 20 percent."
"The security analysis features are the most valuable features of this solution."
"Provides software security, and helps to find potential security bugs or defects."
"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
"The solution effectively identifies bugs in code."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic."
"The dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed."
"The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."
"The solution can scan old databases and old code written 20 years back."
"Some features are not performing well, like duplicate detection and switch case situations."
"The setup takes very long."
"We'd like it to be faster."
"When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing an SBOM, a software bill of materials."
"Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
"The solution's user interface and quality gate could be improved."
"The product should include more customization options. The analytics is not as deep as compared to SonarQube."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a long time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."
"The reports on offer are too verbose."
"Mitigation review isn't always super easy."
"The false positive rates were quite high in our case."
"One of the most important areas that need improvement for Veracode is its DaaS. Veracode's DAST engines are primitive."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"The language version support could be improved."
Coverity is ranked 4th in Application Security Testing (AST) with 33 reviews, while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. Coverity is rated 7.8, while Veracode is rated 8.2. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Coverity is most compared with SonarQube, Klocwork, Fortify on Demand, Checkmarx One and Polyspace Code Prover, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and SonarCloud.