Checkmarx One vs Coverity vs Veracode comparison

Read 201 Veracode reviews

15,486 Views
1,866 Comparison Views

90% willing to recommend

Checkmarx One

Coverity

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Checkmarx One, Coverity, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: June 2025).

Static Application Security Testing (SAST)

Download the complete report

Helped 855,266 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.5%, down from 12.8% compared to the previous year. The mindshare of Coverity is 7.4%, up from 6.6% compared to the previous year. The mindshare of Veracode is 8.3%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Syed Hasan

Specialist Leader at Deloitte

Partner experiences excellent technical support and seamless initial setup

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

Read full review

Jaile Sebes

Senior Software Architect at Siemens Industry

Resolving critical software issues demands faster implementation and better integration

We use Coverity primarily to find issues such as software bugs and memory leaks, especially in C++ and C# projects. It helps us identify deadlocks, synchronization issues, and product crashes Coverity has been instrumental in resolving product crashes by detecting various issues like deadlocks.…

Read full review

David-Robertson

Director Enterprise Architecture at Exeter Finance Corp.

Static scanning and software composition analysis are very helpful, but the usability needs improvement

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"From my point of view, it is the best product on the market."

"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."

"It is a stable product."

"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."

"The user interface is excellent. It's very user friendly."

"The UI is user-friendly."

"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."

"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."

More Checkmarx One pros

"It provides reports about a lot of potential defects."

"Coverity is easy to set up and has a less lengthy process to find vulnerabilities."

"The app analysis is the most valuable feature as I know other solutions don't have that."

"The reporting feature is up to the mark."

"We were very comfortable with the initial setup."

"It help us identify the latest security vulnerabilities."

"What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues."

"The solution has helped to increase staff productivity and improved our work significantly by approximately 20 percent."

More Coverity pros

"We use Veracode static analysis during development to eliminate vulnerability issues"

"The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future."

"The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."

"One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable."

"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."

"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."

"Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."

"It has almost completely eliminated the presence of SQLi vulnerabilities."

More Veracode pros

Cons

"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."

"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."

"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."

"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."

"Checkmarx needs to be more scalable for large enterprise companies."

"The plugins for the development environment have room for improvements such as for Android Studio and X code."

"When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."

"Some were valid and some were not applicable for us based on the scenario."

More Checkmarx One cons

"It would be great if we could customize the rules to focus on critical issues."

"The quality of the code needs improvement."

"We'd like it to be faster."

"Sometimes it's a bit hard to figure out how to use the product’s UI."

"The price is a concern, and there are a lot of false positives coming through."

"Zero-day vulnerability identification can be an add-on feature that Coverity can provide."

"There is an extra step in my organization that involves uploading to servers, which adds overhead."

"I would like to see integration with popular IDEs, such as Eclipse."

More Coverity cons

"Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode."

"They should improve on the static scanning time."

"All areas of the solution could use some improvement."

"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

"There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws."

"When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."

"We have encountered occasional issues with scalability."

"Veracode does not support scans for .NET Blazor server applications."

More Veracode cons

Pricing and Cost Advice

"It's relatively expensive."

"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."

"If you want more, you have to pay more. You have to pay for additional modules or functionalities."

"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."

"The number of users and coverage for languages will have an impact on the cost of the license."

"For around 250 users or committers, the cost is approximately $500,000."

"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."

"It is a good product but a little overpriced."

More Checkmarx One pricing and cost advice

"This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."

"The solution's pricing is comparable to other products."

"Depending on the usage types, one has to opt for different types of licenses from Coverity, especially to be able to use areas like report viewing or report generation."

"I rate Coverity's price a ten on a scale of one to ten, where one is cheap and ten is expensive."

"The pricing is very reasonable compared to other platforms. It is based on a three year license."

"The pricing is on the expensive side, and we are paying for a couple of items."

"I would rate the tool's pricing a one out of ten."

"Coverity is quite expensive."

More Coverity pricing and cost advice

"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"

"I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive."

"The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert. For example, penetration testing costs about $1,000 per application for penetration testing. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software."

"Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more."

"The pricing is reasonable compared to other tools."

"The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."

"I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turn around time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms."

"The product’s price is a bit higher compared to other solutions."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

855,266 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

21%

Computer Software Company

14%

Manufacturing Company

10%

Government

Manufacturing Company

33%

Computer Software Company

14%

Financial Services Firm

Government

Computer Software Company

17%

Financial Services Firm

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...

What do you like most about Checkmarx?

Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

What is your experience regarding pricing and costs for Checkmarx?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and securi...

What do you like most about Coverity?

The solution has improved our code quality and security very well.

What is your experience regarding pricing and costs for Coverity?

I do not know about the pricing.

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...

SonarQube Server (formerly SonarQube) vs Checkmarx One

Comparisons

Compared 36% of the time

Checkmarx SAST vs Checkmarx One

Compared 6% of the time

Fortify on Demand vs Checkmarx One

Compared 6% of the time

OWASP Zap vs Checkmarx One

Compared 5% of the time

SonarQube Cloud (formerly SonarCloud) vs Checkmarx One

Compared 2% of the time

More Checkmarx One Competitors

SonarQube Server (formerly SonarQube) vs Coverity

Compared 48% of the time

Klocwork vs Coverity

Compared 7% of the time

Fortify on Demand vs Coverity

Compared 6% of the time

Polyspace Code Prover vs Coverity

Compared 5% of the time

Snyk vs Coverity

Compared 4% of the time

More Coverity Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 19% of the time

GitHub Advanced Security vs Veracode

Compared 7% of the time

Fortify on Demand vs Veracode

Compared 4% of the time

Snyk vs Veracode

Compared 4% of the time

OWASP Zap vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Checkmarx One

Download Checkmarx One product report

Coverity

Download Coverity product report

Download Veracode product report

May 2025

Also Known As

No data available

Synopsys Static Analysis

Crashtest Security , Veracode Detect

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports more than 20 languages and 200 frameworks and templates.

Black Duck

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

SAP, Mega International, Thales Alenia Space

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Static Application Security Testing (SAST)