Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs Veracode comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Jul 27, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

ROI

Sentiment score
7.5
Organizations saw ROI with Checkmarx One via improved development speed, cost savings, and enhanced security, despite quantification challenges.
Sentiment score
6.6
Veracode enhances security, reduces costs, and boosts efficiency, with varied ROI perceptions, but some struggle to quantify it financially.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
 

Customer Service

Sentiment score
7.1
Checkmarx One offers fast, expert support, though some users note resolution delays and additional support charges.
Sentiment score
7.2
Veracode's customer service is praised for expertise and responsiveness, though variability and time zones can affect efficiency.
Access to the engineering team is crucial for faster feedback on the product fix process.
I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material.
They share detailed information via email, including screenshots or further clarification about the issue.
 

Scalability Issues

Sentiment score
7.1
Checkmarx One excels in scalability, integration, and automation, efficiently managing various organizational sizes though licensing can be restrictive.
Sentiment score
7.4
Veracode efficiently scales, supports large applications and users, integrates seamlessly, providing fast results with minimal challenges or performance issues.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.
 

Stability Issues

Sentiment score
7.2
Checkmarx One is reliable with some performance issues during large scans; user ratings vary from six to ten.
Sentiment score
7.8
Veracode is highly stable with minimal downtime, effective workload handling, and no significant operational issues reported by users.
I would rate the stability of this solution a nine on a scale of 1 to 10 where one is low stability and 10 is high.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
 

Room For Improvement

Checkmarx One needs enhanced false positive reduction, language support, CD integration, pricing, UI, reporting, and automation improvements.
Veracode needs improvements in false positives, interface, speed, reporting, tool integration, language support, cost, APIs, and documentation.
It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
 

Setup Cost

Checkmarx One offers high quality and performance, though its pricing varies and is often seen as expensive yet competitive.
Veracode's pricing is high, valued for features, but complex and costly for small organizations, justified for large enterprises.
It's not the most expensive solution.
Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.
If there's a security gap, you'll never know the cost or effect.
 

Valuable Features

Checkmarx One provides comprehensive vulnerability analysis with intuitive features, efficient reporting, CI/CD integration, and extensive language support.
Veracode offers static code analysis, integrates with development tools, provides remediation guidance, and enhances security while ensuring scalability and compliance.
My experience with the initial setup of Checkmarx One is straightforward; it is not complex compared to other tools that I have tried.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
3rd
Ranking in Static Application Security Testing (SAST)
3rd
Ranking in Container Security
22nd
Ranking in Static Code Analysis
3rd
Average Rating
7.6
Reviews Sentiment
6.9
Number of Reviews
71
Ranking in other categories
Vulnerability Management (23rd), API Security (3rd), Dynamic Application Security Testing (DAST) (4th), DevSecOps (5th), Risk-Based Vulnerability Management (9th)
Veracode
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Ranking in Container Security
8th
Ranking in Static Code Analysis
1st
Average Rating
8.0
Reviews Sentiment
6.9
Number of Reviews
204
Ranking in other categories
Software Composition Analysis (SCA) (3rd), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of September 2025, in the Application Security Tools category, the mindshare of Checkmarx One is 10.2%, down from 13.7% compared to the previous year. The mindshare of Veracode is 8.0%, down from 10.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools Market Share Distribution
ProductMarket Share (%)
Veracode8.0%
Checkmarx One10.2%
Other81.8%
Application Security Tools
 

Q&A Highlights

it_user1354977 - PeerSpot reviewer
Jul 08, 2020
 

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
Kv Rao - PeerSpot reviewer
Integrates pipelines smoothly and fortifies code against vulnerabilities
I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us…
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
867,370 professionals have used our research since 2012.
 

Answers from the Community

it_user1354977 - PeerSpot reviewer
Jul 8, 2020
Jul 8, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider land...
2 out of 3 answers
DG
Jul 6, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
DG
Jul 7, 2020
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
13%
Manufacturing Company
10%
Government
6%
Financial Services Firm
16%
Computer Software Company
16%
Manufacturing Company
9%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business30
Midsize Enterprise9
Large Enterprise38
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise43
Large Enterprise112
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Also Known As

No data available
Crashtest Security , Veracode Detect
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Checkmarx One vs. Veracode and other solutions. Updated: August 2025.
867,370 professionals have used our research since 2012.