We performed a comparison between SonarCloud and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service."
"The solution can be installed locally."
"The solution provides continuous code analysis which has improved the quality of our code. It can raise alarms on vulnerabilities with immediate reports on the dashboard. Few things are false positives and we can customize the rules."
"For what it is meant to do, it works pretty well."
"The reports from SonarCloud are very good."
"SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
"Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
"I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
"It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
"Provides the ability to understand the black zones in our system."
"It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things."
"The installation was straightforward."
"What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode."
"Developer Sandboxes help move scanning earlier within the SDLC."
"We use it to get our scan results and see where our software is vulnerable or not vulnerable."
"The solution needs to improve its customization and flexibility."
"The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."
"SonarCloud can improve the false positives. Sometimes the gates sometimes act a little weird. We then need to manually go and mark the false positive."
"SonarCloud's UI needs enhancement."
"CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."
"There's room for improvement in the configuration process, particularly during the initial setup phase."
"I've been told by the developers that the solution is too limited. It's not testing enough within the containers."
"It would be helpful if notifications could go out to an extra person."
"There were some additional manual steps or work involved that we should not have needed to do."
"The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."
"The pricing for qualified startups such as Neo4j could be improved."
"It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
"Security can always be improved."
"Mitigation review isn't always super easy."
"Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
SonarCloud is ranked 10th in Application Security Testing (AST) with 10 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. SonarCloud is rated 8.4, while Veracode is rated 8.2. The top reviewer of SonarCloud writes "Beneficial vulnerability discovery, simple to maintain, and proactive support". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". SonarCloud is most compared with SonarQube, Checkmarx One, OWASP Zap, GitLab and Coverity, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Black Duck. See our SonarCloud vs. Veracode report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
