Try our new research platform with insights from 80,000+ expert users

JFrog Xray vs Veracode comparison

JFrog and Veracode are both solutions in the Container Security category. JFrog is ranked #20 with an average rating of 7.8, while Veracode is ranked #8 with an average rating of 8.1. JFrog holds a 3.9% mindshare in Container Security, compared to Veracode’s 2.5% mindshare. Additionally, 100% of JFrog users are willing to recommend the solution, compared to 90% of Veracode users who would recommend it.
JFrog Xray
Read 8 JFrog Xray reviews
  • 3,038 Views
  • 762 Comparison Views
100% willing to recommend
Veracode
Read 201 Veracode reviews
  • 2,835 Views
  • 219 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Sep 16, 2024

Veracode and JFrog Xray are leading tools in software security. Veracode has the upper hand in customer support and user satisfaction, while JFrog Xray stands out with its rich feature set and integration capabilities.

Features: Veracode offers comprehensive static analysis, rich reporting tools, and wide vulnerability detection. JFrog Xray includes in-depth artifact scanning, seamless CI/CD pipeline integration, and extensive package support.

Room for Improvement: Veracode could improve scan speed, flexibility in customizing scan parameters, and overall performance during large-scale scans. JFrog Xray needs a more straightforward setup process, enhanced documentation, and quicker initial deployment.

Ease of Deployment and Customer Service: Veracode provides straightforward deployment and robust customer service, while JFrog Xray has a steeper learning curve during deployment but offers effective customer support.

Pricing and ROI: Veracode offers flexible pricing options and is seen as good value for the money, showing positive ROI. JFrog Xray is pricier but justified by its advanced capabilities, making investment dependent on organizational needs.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed JFrog Xray vs. Veracode Report (Updated: June 2025).
Buyer's Guide
JFrog Xray vs. Veracode
June 2025
Download the complete report
Helped 856,873 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

JFrog Xray
Ranking in Container Security
20th
Ranking in Software Composition Analysis (SCA)
6th
Average Rating
8.0
Reviews Sentiment
7.1
Number of Reviews
8
Ranking in other categories
Vulnerability Management (32nd), Software Supply Chain Security (2nd)
Veracode
Ranking in Container Security
8th
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
201
Ranking in other categories
Application Security Tools (2nd), Static Application Security Testing (SAST) (2nd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of June 2025, in the Container Security category, the mindshare of JFrog Xray is 3.9%, up from 2.1% compared to the previous year. The mindshare of Veracode is 2.5%, down from 2.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Container Security
 

Featured Reviews

Sai Pradeep Koneti - PeerSpot reviewer
Goes deep into the docker files and find out vulnerabilities
When we were trying to get it up and working initially, I found it a bit hard to go through JFrog Xray's documentation and get my error solved. I was facing some issues because we hadn't got a specific license for the tool, but I was able to access it. As a regular user, I regularly saw an error message saying that the license feature was unavailable for my subscription. After a couple of days, I realized I was missing a license. I had to go back to the JFrog Xray team, who provided me with the new license, and then I could complete the setup.
Read full review
David-Robertson - PeerSpot reviewer
Static scanning and software composition analysis are very helpful, but the usability needs improvement
Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Good reporting functionalities."
"If multiple dependencies and vulnerabilities are found in a project, JFrog Xray is intelligent enough to tell you which vulnerability to target first."
"I would say that this solution has helped our organization by allowing us to automate a lot of the processes."
"JFrog Xray's reporting feature has a lot of options in it, including scanning."
"The most valuable features of JFrog Xray are its curation capabilities, its native integration with Artifactory, scanning for vulnerabilities, and license compliance features."
"The most valuable feature of JFrog Xray is the display of the entire internal dependencies hierarchy."
"The solution is stable and reliable."
"The most valuable features of JFrog Xray are its curation capabilities, its native integration with Artifactory, scanning for vulnerabilities, and license compliance features."
More JFrog Xray pros
"This is a great tool for learning about potential vulnerabilities in code."
"Because it is a SaaS offering, I do not have to support the infrastructure."
"One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster."
"I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities."
"The solution is stable. we've never had any issues surrounding its stability."
"The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."
"We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
More Veracode pros
 

Cons

"The out-of-the-box PostgreSQL provided is not stable, which is why we are considering enterprise support."
"JFrog Xray's documentation and error logging could be improved."
"I think that the user interface should be expanded to provide customers with a better dashboard for reviewing their feedback regarding their images and the vulnerabilities that are associated with the images."
"Lacks deeper reporting, the ability to compare things."
"The speed of JFrog Xray should improve. Other solutions have better performance."
"JFrog Xray does not have a dashboard."
"Reporting is crucial, but it is lacking in the current tool. Every organization seeks specific data points rather than general information. Therefore, we require customized reports from the Xray tool."
"Since we have been using the solution via APIs, there are some limitations in the APIs."
More JFrog Xray cons
"Scanning large amounts of code can be a time-consuming process and there is scope for improvement."
"Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
"Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
"Veracode does not support scans for .NET Blazor server applications."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server."
"We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."
"Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."
More Veracode cons
 

Pricing and Cost Advice

Information not available
"The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."
"The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was."
"Its complexity makes it quite expensive, but it’s all worth it, with all the engineering in the background."
"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."
"No issues, the pricing seems reasonable."
"If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Container Security solutions are best for your needs.
See recommendations
856,873 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
25%
Computer Software Company
12%
Manufacturing Company
11%
Government
5%
Computer Software Company
17%
Financial Services Firm
16%
Manufacturing Company
8%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about JFrog Xray?
JFrog Xray shows us a list of vulnerabilities that can impact our code.
See all answers
What needs improvement with JFrog Xray?
X-ray needs improvement in supporting more than one database, as it currently only supports PostgreSQL. More support during troubleshooting sessions would also be beneficial.
See all answers
What is your primary use case for JFrog Xray?
Our primary use case for X-ray includes multiple activities such as security and vulnerability scanning. We already use Black Duck for these purposes, and we are evaluating how JFrog Xray can offer...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
See all answers
 

Comparisons

Black Duck vs JFrog Xray Logo
Black Duck vs JFrog Xray
Compared 14% of the time
Trivy vs JFrog Xray Logo
Trivy vs JFrog Xray
Compared 14% of the time
Prisma Cloud by Palo Alto Networks vs JFrog Xray Logo
Prisma Cloud by Palo Alto Networks vs JFrog Xray
Compared 6% of the time
GitHub Dependabot vs JFrog Xray Logo
GitHub Dependabot vs JFrog Xray
Compared 6% of the time
Wiz vs JFrog Xray Logo
Wiz vs JFrog Xray
Compared 5% of the time
More JFrog Xray Competitors
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Compared 19% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 10% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 7% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 4% of the time
Black Duck vs Veracode Logo
Black Duck vs Veracode
Compared 3% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
JFrog Xray
June 2025
JFrog Xray reportDownload JFrog Xray product report
Buyer's Guide
Veracode
May 2025
Veracode reportDownload Veracode product report
 

Also Known As

JFrog Security Essentials
Crashtest Security , Veracode Detect
 

Overview

JFrog is on a mission to enable continuous updates through Liquid Software, empowering developers to code high-quality applications that securely flow to end-users with zero downtime. The world’s top brands such as Amazon, Facebook, Google, Netflix, Uber, VMware, and Spotify are among the 4500 companies that already depend on JFrog to manage binaries for their mission-critical applications. JFrog is a privately-held, global company, and is a proud sponsor of the Cloud Native Computing Foundation [CNCF].

If you are a team player and you care and you play to WIN, we have just the job you're looking for.

As we say at JFrog: "Once You Leap Forward You Won't Go Back!"​

JFrog

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

google, amazon, cisco, netflix, oracle, vmware, facebook
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
JFrog Xray vs. Veracode
June 2025
Free Report: JFrog Xray vs. Veracode
Find out what your peers are saying about JFrog Xray vs. Veracode and other solutions. Updated: June 2025.
DOWNLOAD NOW
856,873 professionals have used our research since 2012.
See our JFrog Xray vs. Veracode report.
See our list of best Container Security vendors and best Software Composition Analysis (SCA) vendors.

We monitor all Container Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.