We performed a comparison between Synopsys Code Dx and Veracode based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, Veracode comes out ahead of Synopsys Code Dx. Although both products have valuable features and good technical support, our reviewers found that Synopsys Code Dx has higher false positive rates and less flexibility in licensing options.
"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."
"The deployment mode is very useful."
"It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
"The most valuable feature is detecting security vulnerabilities in the project."
"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
"From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
"The pricing is worth it."
"Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
"The Veracode support team is excellent."
"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines."
"While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."
"A high number of false positives are reported and this should be reduced."
"The scanning takes a lot of time to complete."
"Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
Synopsys Code Dx is ranked 31st in Application Security Testing (AST) with 1 review while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. Synopsys Code Dx is rated 0.0, while Veracode is rated 8.2. The top reviewer of Synopsys Code Dx writes "Facilitates continuous assessment of applications, covering both static and dynamic security aspects". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Synopsys Code Dx is most compared with Checkmarx One, Coverity and SonarQube, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and OWASP Zap.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.