Checkmarx One vs Veracode comparison


Comparison Buyer's Guide

Executive SummaryUpdated on Sep 5, 2022

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
Ranking in Static Application Security Testing (SAST)
Ranking in Static Code Analysis
Average Rating
Number of Reviews
Ranking in other categories
Vulnerability Management (11th), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
Ranking in Application Security Tools
Ranking in Static Application Security Testing (SAST)
Ranking in Static Code Analysis
Average Rating
Number of Reviews
Ranking in other categories
Container Security (4th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (3rd), Application Security Posture Management (ASPM) (2nd)

Mindshare comparison

As of June 2024, in the Application Security Tools category, the mindshare of Checkmarx One is 13.2%, down from 15.3% compared to the previous year. The mindshare of Veracode is 10.0%, down from 10.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
Unique Categories:
Static Application Security Testing (SAST)
Vulnerability Management
Container Security

Q&A Highlights

Jul 08, 2020

Featured Reviews

Feb 7, 2024
Specifies the exact line of code where it finds the problem and gives good reports
There's one thing Checkmarx can maybe fix, actually two things. First, when we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped. So, even if the software reaches capacity on the computer, even though it writes it in the logs, it should also give an indication in the GUI to the person running it, saying "not enough memory" or "not enough disk space." Another problem is that when it's scanning and it has an internal problem, for example, it cannot check something, or an internal bug or internal problem, it's being found in the logs, but there's no indication to the user. Now, this is good for them because the user runs it, gets a report, everything's fine. But in a way, it's not good for them because the user doesn't know there's a problem since they don't check the logs. Because mostly, only the manager looks at the logs and only if there's a problem being reported. You run a process, get a report, but in the logs, there might be an indication that it couldn't check several files or understand something. There's a problem, an internal problem that can be fixed, but nobody knows about it because we don't look at the code. The user doesn't look at the logs; only the business manager does, but they don't know because the user doesn't report it, because the user doesn't know. So, my suggestion for them is this: if they have problems, they should say, 'Here is the report,' but also indicate to the user somewhere, perhaps in the GUI, not necessarily in the report itself, 'We found 100 problems while looking at your code. Please provide us the logs so we can try to fix those.' Then they can ask if the user has any problems. This way, users would know to send them their logs, and they could improve their software, meaning fix the problems. Now, they may not want to do this because they'll get flooded with millions of responses and millions of problems from all over the world. They would have to fix them, and people might get angry, asking why they provided a report when there were hidden problems. People might say, 'How come you gave me a report with seven or eight problems when analyzing it, there were internal problems with your code? So it's not a perfect report.'" So, these internal issues are logged but not communicated to the user through the Checkmarx interface (GUI) or report. The solution also has a few false positives. So, if they had an easier way for users to send an email directly, instead of just opening a ticket. Because when we open a ticket, they want all the logs and everything, and it becomes a hassle. Perhaps they could implement an easier system where users can send a snippet of the code, along with an explanation of why they believe it's a false positive, referencing the specific report. This way, Checkmarx could analyze the information and the development team could potentially fix the product in those areas. It wouldn't require them to necessarily respond to the user, but I'm not sure if that's feasible for most companies.
Nov 11, 2020
All-encompassing tool that scans for vulnerabilities and security breaches
Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability. Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code. If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:


"The setup is fairly easy. We didn't struggle with the process at all."
"From my point of view, it is the best product on the market."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"The user interface is modern and nice to use."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"The solution is scalable, but other solutions are better."
"The article scanning is excellent."
"It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
"The solution can scan old databases and old code written 20 years back."
"I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
"Code analysis tool to help identify code issues before entered into production."


"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"This product requires you to create your own rulesets. You have to do a lot of customization."
"Its user interface could be improved and made more friendly."
"With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
"C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported."
"I would like to see the rate of false positives reduced."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"All areas of the solution could use some improvement."
"It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline."
"We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git"
"Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."
"An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines."
"Veracode should include the feature to run multiple scales at a time."

Pricing and Cost Advice

"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"It's relatively expensive."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"I believe pricing is better compared to other commercial tools."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"The solution's price is high and you pay based on the number of users."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"Veracode is expensive."
"Depending on the number of users, my company makes payments toward the solution's licensing costs."
"Negotiate some, but their prices are reasonable."
"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"
"It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in."
"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
"There is a fee to scale up the solution which I consider expensive."
"It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI."
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
789,728 professionals have used our research since 2012.

Answers from the Community

Jul 8, 2020
Jul 8, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider land...
2 out of 3 answers
Jul 6, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Jul 7, 2020
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

Top Industries

By visitors reading reviews
Financial Services Firm
Computer Software Company
Manufacturing Company
Financial Services Firm
Computer Software Company
Manufacturing Company

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The solution's price is high and you pay based on the number of users.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.



Also Known As

No data available
Crashtest Security , Veracode Detect



Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Checkmarx One vs. Veracode and other solutions. Updated: June 2024.
789,728 professionals have used our research since 2012.