Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.
| Type | Title | Date | |
|---|---|---|---|
| Category | Static Application Security Testing (SAST) | Jun 10, 2025 | Download |
| Product | Reviews, tips, and advice from real users | Jun 10, 2025 | Download |
| Comparison | Coverity vs SonarQube Server (formerly SonarQube) | Jun 10, 2025 | Download |
| Comparison | Coverity vs Veracode | Jun 10, 2025 | Download |
| Comparison | Coverity vs Checkmarx One | Jun 10, 2025 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| SonarQube Server (formerly SonarQube) | 4.0 | 23.9% | 81% | 116 interviewsAdd to research |
| GitLab | 4.3 | 2.6% | 97% | 84 interviewsAdd to research |
Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports more than 20 languages and 200 frameworks and templates.
Coverity was previously known as Synopsys Static Analysis.
SAP, Mega International, Thales Alenia Space
I work on multiple projects using various programming languages, and Coverity provides more security and quality checks than CodeSonar, resulting in more robust results.
The second point is that CodeSonar created many intermediate directories, consuming almost three-fourths of my hard disk space. In contrast, Coverity occupies less than half of the space that CodeSonar used.
If someone is starting their security journey, they are looking for a code scanning tool and considering the entire portfolio that a vendor can offer. From this perspective, Synopsys provides a comprehensive suite of application security tools that can be used at various stages of the SDLC, which CodeSonar lacks. CodeSonar primarily offers static analysis and binary analysis tools, and while it can perform open-source analysis, it does so with limited programming language coverage. This limitation does not meet our long-term requirements.
Therefore, considering the long-term vision, we decided that Synopsys, recognized as a leader in the industry for seven consecutive years, offers a broader range of tools and greater value.
Coverity has excellent integration capabilities. The best part is that the add-ons come at no additional cost, making them compatible with most IDEs. This helps achieve shift-left testing, enabling early-stage code analysis within the IDE environment. Additionally, Coverity can be integrated with numerous CI/CD tools like Jenkins, Bamboo, Hudson, and Azure DevOps. It also supports integration with binary repositories, such as Artifactory and Nexus. For deployment, Coverity offers flexibility as it can be deployed on Docker, Kubernetes, OpenShift, and more. On-premises and SaaS models provide options tailored to different infrastructure needs.
The main benefits of the integration were complete automation and end-to-end. Coverity seamlessly fits into our process. Coverity integrates with issue-tracking systems like Jira and provides email notifications, alerts, and other features. It works as a complete, comprehensive solution, offering a holistic approach. We gained this bundled plugin approach from integrating Coverity.
Coverity concerns its dashboards and reporting. While Coverity is developer-friendly, it is not particularly intuitive for non-technical users. For instance, a solution architect or C-level executive might want to understand the current state of an application through bar graphs and charts without delving into the technical details. Coverity lacks the ability to generate such executive reports and doesn't offer much customization in its reporting. As a result, we have to rely on other business intelligence tools like Power BI or Splunk to integrate with Coverity, pull the data, and create the desired reports and charts.
Coverity has significantly expanded its support for various programming languages. Currently, it supports more than 24 programming languages. They have also introduced an IDE plugin and a SaaS version of Coverity, where users can upload their code and receive reports. One area of improvement could be expanding incremental scanning to more programming languages. Currently, incremental scanning is supported for only a few languages, but expanding this feature to all the supported languages would be highly beneficial.
I have been using Coverity for four years.
Around four users are using this solution. If you're talking about on-premise deployment, the more hardware resources we have, the more scalable it is. It's a direct proportional relationship. However, in terms of the cloud model, it has been pretty easy. They can scale it effectively.
They provide us access to their technical support team as part of their commercial product agreement. However, they work five days a week. They also offer a premium support package, which comes at an additional cost and includes 24/7 critical priority support. We have opted for the default support that comes with the product.
Positive
The data that CodeSonar generated as output was huge—gigabytes—and used to clog my hard disk. The second step is that Coverity and CodeSonar have good results, with both having a low false positive ratio. They both do a fair job of identifying defects.
In terms of scale, scalability, and stability, Coverity is on par with CodeSonar due to its architecture and fast response. Coverity uses a built-in PostgreSQL database, which has a good schema interface. Additionally, the incremental scanning is efficient. Coverity supports over 27 programming languages, whereas CodeSonar only supports around five to six. So, if you are working on a project that uses languages like Go, PHP, or others that CodeSonar doesn’t support, CodeSonar would not be suitable.
Moreover, Coverity offers extensive IDE support with add-ons for around seven to eight IDEs, whereas CodeSonar primarily targets a few IDEs like Eclipse and Visual Studio.
The initial setup is pretty straightforward. Coverity offers both on-premise and SaaS models, and we are using both. We have a hybrid license, including several on-premise licenses. For the on-premise setup, you download an executable file, double-click on it, and complete the installation easily. The SaaS model is equally simple: log in to the browser with your credentials, upload the files, and generate the report. The process is mainly agent-free.
The tool identified many defects before our source code reached a QA or staging environment. The most impressive feature is the IDE plugin, which identifies crucial defects as the developer writes the code. This means developers can know whether they write defective or proper code before pushing it into the repository. Identifying defects at the initial stages of the development lifecycle can save much money in the long run, providing a good ROI. This is why our organization has been using Coverity for over four years.
When discussing the on-prem portal, if you are a customer handling numerous projects with heavy daily activity, such as triggering various types of scans and integrations with CASD, you should know that Coverity on-device has a built-in database. It is crucial to maintain this database diligently. Regular maintenance and monitoring are essential to ensure smooth operation. In case of any issues, creating a backup server is advisable as a precautionary measure.
We are working on a microservices model, where each small module is considered a separate project for an NTP. We have more than 300 critical business projects. Multiple departments use Coverity: developers use it for local scanning, and the security team uses it to ensure coding practices adhere to standards such as OWASP or PCI.
I suggest conducting a fair analysis. Let them pick the same project for a POC and scan it using their existing tools and Coverity. They can evaluate scalability, language support, compiler support, incremental scanning, IDE plugins, and CI/CD plugins.
During COVID or post-COVID, if we look at the incidents in the security market, most data breaches happen at the application layer. While network layer security is well understood, application security remains a significant challenge. Synopsys addresses this with a comprehensive portfolio, including code scanning, static analysis, SCA, open source analysis, IAST, fuzz testing, and more. Additionally, they offer extensive security services with over 600 consultants who can help eliminate false positives and address security concerns.
Overall, I rate the solution an eight out of ten.
