We compared Veracode and SonarQube across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users mentioning the need for availability and response time improvement. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.
"Improves code coverage and evaluates the technical steps and the percentage of code being resolved."
"It provides the security that is required from a solution for financial businesses."
"The overall quality of the indicator is good."
"If you want to have your code scanned and timed then this is a good tool."
"The stability is good."
"It's enabled us to improve software quality and help us to disseminate best practices."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
"Our development team uses this solution for static code analysis and pen testing."
"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
"The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
"I like the sandbox, the ability to upload compiled code, and how easy it is."
"The coverage of backdoor attacks on security is what's most valuable for my clients."
"We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
"It's helping us with security and making sure that we develop faster. It's able to scan every vulnerability. It's very powerful software that one can use to make sure that you have a very good, secure platform."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"I would like to see more options for security, beyond the basics like SQL injection."
"We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
"We did have some trouble with the LDAP integration for the console."
"The scanning could be improved, because some scans take a bit of time."
"There were some additional manual steps or work involved that we should not have needed to do."
"It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline."
"Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
"The scanning process for records could be faster and there is room for improvement in Veracode's performance."
"The negative that I found is that it has a subscription-based model."
"There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."
"The documentation is poor and the technical support isn't helpful."
SonarQube is ranked 1st in Application Security Tools with 108 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx One, Snyk, Fortify on Demand, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.
Veracode is mostly in the space of security testing and among the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
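As an added example, not part of any reviewer's post and not SonarQube's or Veracode's own code, here is the kind of gate check a CI job (Jenkins or otherwise) can run after the scanner finishes: it reads the JSON that SonarQube's api/qualitygates/project_status endpoint returns and fails the build when the gate is not OK, printing the failing conditions so the log says why. The two JSON responses are constructed samples in the shape of that endpoint's output; the SONAR_TOKEN, SONAR_URL and KEY names in the comment are assumed, not values from the page.

```shell
#!/bin/sh
# Added example (not from the page or either vendor): fail a CI step when the
# SonarQube quality gate for a project is not OK. Assumes the JSON shape of the
# api/qualitygates/project_status endpoint; the samples below are constructed.
# A live fetch would look like (SONAR_TOKEN, SONAR_URL, KEY are assumed names):
#   curl -sS -u "$SONAR_TOKEN:" "$SONAR_URL/api/qualitygates/project_status?projectKey=$KEY"

# Constructed sample response: overall gate failed on one security condition.
SAMPLE_FAILED='{"projectStatus":{"status":"ERROR","conditions":[{"status":"OK","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"85.2"},{"status":"ERROR","metricKey":"new_security_rating","comparator":"GT","errorThreshold":"1","actualValue":"3"}],"ignoredConditions":false}}'

# Constructed sample response: gate passed.
SAMPLE_OK='{"projectStatus":{"status":"OK","conditions":[{"status":"OK","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"85.2"}],"ignoredConditions":false}}'

# gate_status JSON -> prints the top-level projectStatus.status value (OK, ERROR, ...).
gate_status() {
    printf '%s\n' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z_]*\)".*/\1/p'
}

# failed_metrics JSON -> prints the metricKey of every condition whose status
# is ERROR, one per line. Splitting on '{' isolates each condition object, and
# the '"status":"ERROR","metricKey"' anchor keeps the projectStatus object
# (which has no metricKey) from matching.
failed_metrics() {
    printf '%s\n' "$1" | tr '{' '\n' | grep '"status":"ERROR","metricKey"' \
        | sed 's/.*"metricKey":"\([^"]*\)".*/\1/'
}

# check_gate JSON -> returns 0 when the gate is OK, 1 otherwise, and reports
# the failing conditions so the build log explains the failure.
check_gate() {
    status=$(gate_status "$1")
    if [ "$status" = "OK" ]; then
        echo "quality gate OK"
        return 0
    fi
    echo "quality gate ${status:-UNKNOWN}; failing conditions:"
    failed_metrics "$1" | sed 's/^/  - /'
    return 1
}

# Usage in a pipeline step: check_gate "$RESPONSE" || exit 1
# With the constructed samples, check_gate "$SAMPLE_FAILED" returns 1 and
# check_gate "$SAMPLE_OK" returns 0.
```

In a Jenkins shell step the non-zero return is what marks the stage failed; keep the curl call and the token in credentials rather than in the script, and treat an empty or unparseable status as a failure, which `check_gate` does by falling through to the error branch.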
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products are used in the industry for slightly different purposes. If you are after the code, then SonarQube; if you are after the security, then Veracode.