Is SonarQube Better Than Veracode?


One of the most popular comparisons on IT Central Station is SonarQube and Veracode.

People like you are trying to decide which one is best for their company. Can you help them out?

Is SonarQube better than Veracode? What is the biggest difference between these two solutions, and which would you recommend?

Thanks for helping your peers make the best decision!


77 Answers


Both tools are important and meant for different purposes. SonarQube is for code quality, and Veracode is for static, dynamic and third-party code analysis, which is specifically for understanding security flaws.


I didn't get an opportunity to work on Veracode.

However, I would like to put my thoughts on SonarQube:

a) It is very easy to integrate with multiple open source configuration tools like Jenkins.
b) SonarQube collaborates with Microsoft, so the Microsoft integration is much easier; you should be able to run all code analysis based on the configured rules from a TFS build, or even from the Visual Studio IDE.
c) There are plug-ins available from SonarQube; once you install them, users are able to see Sonar results in the Visual Studio IDE for that project.
d) Supports static code analysis for multiple languages like C#, Java, Angular, SQL, etc.
e) Option to create our own user management and provide access rights based on user role.
f) Its dashboard representation is very good, and there are also lots of options to customize the dashboard.
g) Easy installation.
h) Easy navigation to the source code (or even a particular part of the code) based on a code analysis error.


They are used for two different purposes. If your preference is Software/Application Security, then Veracode, Fortify or Checkmarx can be evaluated based on programming language and issue coverage, as well as integration and usability options. If your preference is code quality, then SonarQube or CAST can be evaluated based on your requirements or wish list.

Keep in mind, one (quality) cannot replace the other (software), so decide based on your needs.

Good luck!


You need to have clarity on what your expectation from the vendor is. SonarQube is good for code quality and easy integration with the build cycle. Veracode is good for SAST, and recently DAST, with reduced false positives. It has some complexity in SDLC integration.


Or if you want to do both quality and security in one SAST tool, Parasoft C/C++test and Jtest can do both.


Veracode can be used for OWASP security, but SonarQube can suggest that you avoid writing vulnerable code; it can show the path to writing standard code.

Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: July 2021.