We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
"We like that we can create branches and then the branches can be reviewed and you can mesh those branches back. You can independently work with your own branch, you don't need to really control the core of other people."
"Everything is easy to configure and easy to work with."
"A user friendly solution."
"It speeds up our development, it's faster, safer, and more convenient."
"The best thing is that as the developers work on separate tasks, all of the code goes there and the other team members don't have to wait on each other to finish."
"GitLab offers a good interface for doing code reviews between two colleagues."
"This product is always evolving, and they listen to the customers."
"It is very useful for reviews. We are using branch merging operations and full reset operations. It is also very useful for merging our code and tracking another branch. The graph diagrams of Git are very useful. Its interface is straightforward and not too complex for us."
"The most valuable feature is the efficiency of the tool in finding vulnerabilities."
"The solution is stable. We've never had any issues surrounding its stability."
"This is a great tool for learning about potential vulnerabilities in code."
"The article scanning is excellent."
"The most valuable feature is the dynamic application security testing."
"The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
"There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode."
"Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
"I would like to see static analysis also embedded in GitLab. That would also help us. If there's something that it does internally by GitLab and then that is already tied up with your pipeline and then it can tell you that your coding is good or your code is not great. Based on that, it would pass or fail. That should be streamlined. I would think that would help to a greater extent, in terms of having one solution rather than depending on multiple vendors."
"The only thing our company is really waiting on in terms of features is the development of metrics."
"Reporting could be improved."
"I would like to see better integration with project management tools such as Jira."
"The documentation could be improved to help newcomers better understand things like creating new branches."
"We are having a few problems integrating with Jira at the moment, which is something that our IT department is investigating."
"It would be really good if they integrated more features in application security."
"It can be free for commercial use."
"A high number of false positives are reported and this should be reduced."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"There were some additional manual steps or work involved that we should not have needed to do."
"The documentation is poor and the technical support isn't helpful."
"In the future, I would like to see the RASP capability built-in."
"Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."
"The scanning could be improved, because some scans take a bit of time."
"Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of a false positive, it would be highly desirable if the false positive didn't show up again on the UI, instead of still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."
"I think that we pay approximately $100 USD per month."
"The price is okay."
"It seems reasonable. Our IT team manages the licenses."
"Its price is fine. It is on the cheaper side and not expensive. You have to pay additionally for GitLab CI/CD minutes. Initially, we used the free version. When we ran out of GitLab minutes, we migrated to the paid version."
"It is very expensive. We can't bear it now, and we have to find another solution. We have a yearly subscription in which we can increase the number of licenses, but we have to pay at the end of the year."
"Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."
"The Veracode price model is based on application profiles, which is how you package your components for scanning."
"Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."
"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
GitLab is a single application with features for the whole software development and operations (DevOps) lifecycle.
Veracode Software Composition detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it datamines pull requests, bug reports, and release notes. It also looks for vulnerabilities in dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.
GitLab is ranked 4th in Software Composition Analysis (SCA) with 15 reviews while Veracode Software Composition Analysis is ranked 7th in Software Composition Analysis (SCA) with 11 reviews. GitLab is rated 8.2, while Veracode Software Composition Analysis is rated 8.2. The top reviewer of GitLab writes "Provides or mandates quantitative code into the Master". On the other hand, the top reviewer of Veracode Software Composition Analysis writes "The scanning process helps to significantly improve our standards and best practices". GitLab is most compared with Microsoft Azure DevOps, Tekton, TeamCity, Sonatype Nexus Lifecycle and GoCD, whereas Veracode Software Composition Analysis is most compared with Black Duck, Snyk, JFrog Xray, WhiteSource and Sonatype Nexus Lifecycle. See our GitLab vs. Veracode Software Composition Analysis report.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.