Cancel
You must select at least 2 products to compare!
Sonar Logo
57,256 views|45,052 comparisons
Veracode Logo
27,089 views|18,138 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Oct 12, 2023

We compared Veracode and SonarQube across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:

  • Initial Setup: Veracode's setup is described as straightforward and easy, with minimal technical capabilities required. Some users found the web interface not very intuitive but received help from Veracode to deploy the solution. SonarQube's setup is also considered straightforward, but some users found it complex and time-consuming, taking up to two months. The main challenge with SonarQube was getting users accustomed to the tool and providing training.
  • Valuable Features: Veracode's valuable features include comprehensive security testing, ease of use, accurate vulnerability detection, and reliable reporting. SonarQube offers security features, SAST and SCA capabilities, a free Community edition, and integration with DevOps pipelines, among others.
  • Setup Cost: Veracode's setup cost varies depending on the size and specific needs of the organization. Some reviewers find it expensive, while others believe it provides value for the cost. SonarQube offers an open-source solution with no additional costs, although some users mention the need to purchase licenses for the upgraded version. 
  • ROI: Veracode offers benefits such as reducing development costs, preventing security breaches, and maintaining certifications. SonarQube helps identify vulnerabilities and promotes bug-free coding.
  • Customer Service: Veracode's customer service has received mixed reviews, with positive feedback on responsiveness and knowledge, but negative feedback on slow response times and the need to repeat issues. SonarQube's customer service experiences vary, with some users not needing support and others having positive experiences.

Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users mentioning the need for availability and response time improvement. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.

To learn more, read our detailed SonarQube vs. Veracode Report (Updated: March 2024).
763,955 professionals have used our research since 2012.
Q&A Highlights
Question: Which gives you more for your money - SonarQube or Veracode?
Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube. Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate. Conclusion These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced. Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"There are many options and examples available in the tool that help us fix the issues it shows us.""The product itself has a friendly UI.""The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language.""Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.""It is a good deal compared to all other tools on the market.""It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go.""Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.""My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."

More SonarQube Pros →

"The solution can scan old databases and old code written 20 years back.""The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.""The product’s policy reporting for ensuring compliance with industry standards and regulations is great.""The source composition analysis component is great because it gives our developers some comfort in using new libraries.""The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process.""Our development team use this solution for static code analysis and pen testing.""We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier.""It gives feedback to developers on the effectiveness of their secure coding practices."

More Veracode Pros →

Cons
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.""I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.""This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.""There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.""The handling of the contents of Docker container images could be better.""A better design of the interface and add some new rules.""Having performance regression would be a helpful add on or ability to be able to do during the scan.""I think the code security can be improved."

More SonarQube Cons →

"It's taking too much time to do a quality scan.""Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement.""The dynamic scanning feature works, but it doesn't work properly for some of our applications. It doesn't allow us to skip. They claim that we can do this, but it doesn't work when we're scanning the applications in real-time.""Because our application is large, it takes a long time to upload and scan.""I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time.""Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.""I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you.""When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."

More Veracode Cons →

Pricing and Cost Advice
  • "This is open source."
  • "We did not purchase a license (required for C++ support), but this option was considered."
  • "Get the paid version which allows the customized dashboard and provides technical support."
  • "People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
  • "This product is open source and very convenient."
  • "The licence is standard open source licensing"
  • "The price point on SonarQube is good."
  • "Some of the plugins that were previously free are not free now."
  • More SonarQube Pricing and Cost Advice →

  • "Its complexity makes it quite expensive, but it’s all worth it, with all the engineering in the background."
  • "The pricing is pretty high."
  • "The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune."
  • "I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."
  • "It's worth the value"
  • "Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need."
  • "It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in."
  • "The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was."
  • More Veracode Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    763,955 professionals have used our research since 2012.
    Answers from the Community
    Netanya Carmi
    Vishal-Goyal - PeerSpot reviewerVishal-Goyal
    Real User

    We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.


    Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge. 


    Depending on your use cases, you will need both of these areas to be covered through these or other tools.

    Mauro Verderosa - PeerSpot reviewerMauro Verderosa
    Real User

    They are mainly two different products. 


    If your goal is to set the quality on code then SonarQube is your answer. 


    On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

    Curtis Yanko - PeerSpot reviewerCurtis Yanko (Shiftleft)
    Vendor

    Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

    reviewer1411233 - PeerSpot reviewerreviewer1411233 (Security consultant at a computer software company with 1,001-5,000 employees)
    Real User

    Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.

    Questions from the Community
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Top Answer:The SAST and DAST modules are great.
    Top Answer:The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
    Top Answer:Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.
    Ranking
    Views
    57,256
    Comparisons
    45,052
    Reviews
    18
    Average Words per Review
    397
    Rating
    8.0
    Views
    27,089
    Comparisons
    18,138
    Reviews
    97
    Average Words per Review
    972
    Rating
    8.1
    Comparisons
    Also Known As
    Sonar
    Crashtest Security , Veracode Detect
    Learn More
    Interactive Demo
    Veracode
    Demo Not Available
    Overview

    SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

    At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

    Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

    With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

    SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

    Veracode is a leading application security platform that helps organizations to develop and deliver secure software. Veracode's solution provides comprehensive capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

    Veracode's static analysis solution scans source code for various security vulnerabilities, including common web application attack vectors, injection flaws, cross-site scripting, and insecure direct object references. Veracode's dynamic analysis solution simulates real-world attacks to identify vulnerabilities that may not be detectable by static analysis alone. Veracode's software composition analysis solution scans open-source and third-party components for known vulnerabilities. Veracode's manual penetration testing service is performed by experienced security professionals who use a variety of techniques to identify vulnerabilities in software applications.

    Many organizations, including Fortune 500 companies, government agencies, and startups, use Veracode's solution. Veracode's customers rely on Veracode to help them to improve the security of their software applications and to reduce the risk of data breaches and other security incidents.

    Here are some of the benefits of using Veracode:

    • Veracode provides capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing to help organizations identify and fix security vulnerabilities in their software applications early in the development process.
    • Veracode helps organizations reduce the risk of data breaches and other security incidents by identifying and fixing security vulnerabilities in their software application. 
    • Veracode helps organizations to comply with industry regulations. Many industries have regulations that require organizations to implement security measures to protect their customers' data. Veracode's solution can help organizations to comply with these regulations by providing them with the tools and resources they need to identify and fix security vulnerabilities in their software applications.
    Offer
    Learn more about SonarQube
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Sample Customers
    Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
    Top Industries
    REVIEWERS
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider7%
    Manufacturing Company6%
    VISITORS READING REVIEWS
    Financial Services Firm17%
    Computer Software Company15%
    Manufacturing Company11%
    Government6%
    REVIEWERS
    Computer Software Company25%
    Financial Services Firm23%
    Insurance Company9%
    Comms Service Provider6%
    VISITORS READING REVIEWS
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company8%
    Government6%
    Company Size
    REVIEWERS
    Small Business25%
    Midsize Enterprise15%
    Large Enterprise60%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise71%
    REVIEWERS
    Small Business30%
    Midsize Enterprise20%
    Large Enterprise50%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise70%
    Buyer's Guide
    SonarQube vs. Veracode
    March 2024
    Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: March 2024.
    763,955 professionals have used our research since 2012.

    SonarQube is ranked 1st in Application Security Tools with 18 reviews while Veracode is ranked 2nd in Application Security Tools with 101 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "A stable solution that needs to make its enterprise version and support available to users in Thailand". On the other hand, the top reviewer of Veracode writes "Great SAST, good DAST, and helps save a significant amount of time". SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx, Snyk, Fortify on Demand, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.