We compared Veracode and SonarQube across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users mentioning the need for availability and response time improvement. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.
"It is very good at identifying technical debt."
"We advise all of our developers to have this solution in place."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"SonarQube is admin friendly."
"The SonarQube dashboard looks great."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"The solution can scan old databases and old code written 20 years back."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"The most valuable feature is the static scan that checks for security issues."
"One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"Veracode does not require any maintenance."
"It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
"There are limitations to the free version that limit development options as far as languages."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"Ease of use/interface."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"SonarQube could improve its static application security testing as per the industry standard."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The solution does not support Dynamic Application Security Testing."
"From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front."
"The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Vercaode could add Docker image scanning."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
SonarQube is ranked 1st in Application Security Testing (AST) with 110 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Snyk and GitHub Advanced Security, whereas Veracode is most compared with Checkmarx One, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.
See our list of best Application Security Testing (AST) vendors and best Application Security Tools vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.
Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.
Klocwork