Try our new research platform with insights from 80,000+ expert users

JFrog Xray vs Veracode comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Sep 16, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

ROI

Sentiment score
5.9
JFrog Xray improved efficiency, security, and compliance, reduced downtime, and sped up release cycles with enhanced vulnerability detection and reporting.
Sentiment score
6.8
Veracode saves time, reduces manual processes, decreases penetration tests, enhances compliance, and improves code quality to prevent costly breaches.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
 

Customer Service

Sentiment score
3.8
JFrog Xray's customer service receives mixed reviews, with varying satisfaction in support response times and account manager interactions.
Sentiment score
7.3
Veracode's support is praised for expertise and responsiveness, but experiences vary, especially with complex issues and staffing.
When we need clarifications, we contact our account manager, and they arrange demos.
Access to the engineering team is crucial for faster feedback on the product fix process.
They are very responsive and quick to help with queries within our scope.
They respond very quickly since security is something critical.
 

Scalability Issues

Sentiment score
7.4
JFrog Xray is viewed as scalable, accommodating growth plans, despite some PostgreSQL constraints, and rates scalability 7-8/10.
Sentiment score
7.5
Veracode offers robust scalability, efficiently managing diverse usage scenarios and volumes, maintaining smooth performance for various organizational sizes.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
 

Stability Issues

Sentiment score
7.7
JFrog Xray is praised for stability and performance, though its provided PostgreSQL is considered unstable, needing enterprise support.
Sentiment score
7.9
Users find Veracode stable and reliable, with minimal downtime and effective workload handling despite minor issues.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
 

Room For Improvement

JFrog Xray needs improvements in documentation, UI, reporting, performance, vulnerability management, integration, APIs, and troubleshooting support.
Users seek improved false positives, dynamic scanning, UI/UX, language support, integration, reporting, and pricing in Veracode.
X-ray needs improvement in supporting more than one database, as it currently only supports PostgreSQL.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
 

Setup Cost

Veracode's pricing is high but valued for comprehensive features, with flexible options and discounts available for enterprises.
The basic scanning capabilities come with Artifactory, however, curation requires additional licenses.
It's not the most expensive solution.
If there's a security gap, you'll never know the cost or effect.
Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.
 

Valuable Features

JFrog Xray efficiently blocks vulnerabilities with policy watches, integrates with Artifactory, and excels in scanning and license compliance.
Veracode offers scalable security with static/dynamic analysis, seamless integrations, low false positives, and compliance-focused reporting, enhancing developer workflows.
The most valuable features of JFrog Xray are its curation capabilities, its native integration with Artifactory, scanning for vulnerabilities, and license compliance features.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
 

Categories and Ranking

JFrog Xray
Ranking in Container Security
20th
Ranking in Software Composition Analysis (SCA)
6th
Average Rating
8.0
Reviews Sentiment
6.6
Number of Reviews
8
Ranking in other categories
Vulnerability Management (32nd), Software Supply Chain Security (2nd)
Veracode
Ranking in Container Security
8th
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
201
Ranking in other categories
Application Security Tools (2nd), Static Application Security Testing (SAST) (2nd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of July 2025, in the Container Security category, the mindshare of JFrog Xray is 3.9%, up from 2.3% compared to the previous year. The mindshare of Veracode is 2.4%, down from 2.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Container Security
 

Featured Reviews

Mokshi Pandita - PeerSpot reviewer
An intelligent solution that prioritizes which vulnerability to target first in your project
We could create any number of repositories, but we can create only thirty projects with JFrog Xray. If I want things to work, it has to be one project and multiple repositories that belong to different real projects. So I have a limitation of thirty projects, despite being a premium customer. JFrog Xray does not have a dashboard. Although I am able to generate reports, there is no proper dashboard where I can see the total number of vulnerabilities, the total number of license issues, and how many vulnerabilities are fixed. Second, I found the shift left approach missing with JFrog Xray. JFrog Xray has integration with IDEs, but it does not tell you about the vulnerabilities until the artifact is created. However, Snyk could directly integrate with your repository and would not allow you to build unless you fix the problem.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
report
Use our free recommendation engine to learn which Container Security solutions are best for your needs.
861,390 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
25%
Manufacturing Company
12%
Computer Software Company
12%
Government
5%
Computer Software Company
16%
Financial Services Firm
16%
Manufacturing Company
8%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about JFrog Xray?
JFrog Xray shows us a list of vulnerabilities that can impact our code.
What needs improvement with JFrog Xray?
X-ray needs improvement in supporting more than one database, as it currently only supports PostgreSQL. More support during troubleshooting sessions would also be beneficial.
What is your primary use case for JFrog Xray?
Our primary use case for X-ray includes multiple activities such as security and vulnerability scanning. We already use Black Duck for these purposes, and we are evaluating how JFrog Xray can offer...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Also Known As

JFrog Security Essentials
Crashtest Security , Veracode Detect
 

Overview

 

Sample Customers

google, amazon, cisco, netflix, oracle, vmware, facebook
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about JFrog Xray vs. Veracode and other solutions. Updated: June 2025.
861,390 professionals have used our research since 2012.