Veracode Reviews

DevSecOps Consultant at a comms service provider with 10,001+ employees
Top 10
Oct 21, 2020
By using Pipeline Scan, which supports synchronous scans, our code is secure

What is our primary use case?

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

Pros and Cons

  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic."
  • "Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."

What other advice do I have?

It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time. Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. I would rate this solution as a nine out of 10.

Veracode Questions

Grzegorz Grabarczyk
Project / Delivery Manager at Spyrosoft
Jan 20 2021

Is there anyone here that has used the trial version of Veracode Security Labs? Did you decide to go with a different option and why?

Green Day

We are currently researching application security solutions.

From your experience, would you recommend Veracode? What are some of your use cases? 

Thanks! I appreciate the help.

SanthoshKumar3I would recommend Veracode. Our uses cases included removing vulnerable code… more »
Swapna RagiIt depends on whether Veracode is recommended or not completely based on the… more »
Donovan GreeffI would recommend them. They have the ability to cover multiple languages and… more »
William Hayes
User at Securities America

I am looking for pros and cons for the Checkmarx vs SonarQube, in particular regarding:

  • false positives

  • tuning Sonarqube to reduce false positives without introducing false negatives. 

I am also wondering if SonarQube could allow developers to delint their code before submitting it to SAST with either Checkmarx or Veracode. 

Donovan GreeffMy opinions are my own and do not represent any other entities that I may be or… more »
Durga GudimetlaSonarQube can be used for SAST. However, based on our internal analysis, our… more »
Swapna RagiSonarQube depends on completely what you configure the Rules. You will have the… more »

We are currently evaluating application security solutions. What is the biggest difference between Veracode and Checkmarx? Which would you recommend? 

Thanks! I appreciate the help. 

Russell RothsteinJaeLee, check out our comparison page here of Veracode vs Checkmarx… more »
Vincent HuCheckmarx can be deploy on private , Veracode only support the Saas Model . But… more »
Volker KoenigsbuescherVeracode is very new in DAST and IAST, Checkmarx is offering that since longer… more »
Almir Menezes
Sales Director at a tech company with 1-10 employees

I have more than 20 years of experience in IT, having worked in technical, commercial and business areas.

I am currently researching Veracode and Checkmarx. What is the total cost of ownership for the two? Are there big differences between them?

Thanks! I appreciate your help. 

Miriam Tover
Content Specialist
IT Central Station

If you were talking to someone whose organization is considering Veracode Software Composition Analysis, what would you say?

How would you rate it and why? Any other tips or advice?

Miriam Tover
Content Specialist
IT Central Station

How do you or your organization use this solution?

Please share with us so that your peers can learn from your experiences.

Thank you!

Miriam Tover
Content Specialist
IT Central Station

Please share with the community what you think needs improvement with Veracode Software Composition Analysis.

What are its weaknesses? What would you like to see changed in a future version?

Miriam Tover
Content Specialist
IT Central Station


We all know it's really hard to get good pricing and cost information.

Please share what you can so you can help your peers.

Miriam Tover
Content Specialist
IT Central Station

Hi Everyone,

What do you like most about Veracode Software Composition Analysis?

Thanks for sharing your thoughts with the community!