Veracode and SonarQube Cloud are competitive players in static and dynamic code analysis. Veracode is particularly strong in robust security testing with SAST, DAST, and SCA capabilities, making it suited for secure DevOps environments. SonarQube Cloud is noted for its seamless CI/CD integration and developer-friendly insights, making it ideal for enhancing code quality.
Features: Veracode provides comprehensive vulnerability management and remediation features, supports extensive integration across various development environments, and allows for scalable security testing with strong API support. SonarQube Cloud integrates easily with CI/CD pipelines, offers in-depth code quality metrics, and provides insightful analytics for code duplication and bug tracking.
Room for Improvement: Veracode can enhance its interface simplicity, reduce false positives, and improve scanning speeds. It also needs better API integration and more detailed report generation. SonarQube Cloud should focus on UI refinements, improving vulnerability detection accuracy, and offering advanced security analytics. It lacks dynamic scanning features present in Veracode.
Ease of Deployment and Customer Service: Veracode supports multiple deployment options including public, private, and hybrid clouds, as well as on-premises. Its customer service is generally responsive, though sometimes complex. SonarQube Cloud, hosted primarily on public cloud, is noted for its easy integration into existing workflows, though it may not match Veracode's level of customer engagement.
Pricing and ROI: Veracode is often viewed as a premium solution with comprehensive features, leading to a higher price point that might deter smaller enterprises. However, users find value in its extensive security coverage. SonarQube Cloud offers more affordable pricing models appealing to smaller teams or those with limited budgets, with a strong emphasis on enhancing code quality, yielding competitive ROI for development-centric entities.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
The product is designed for bigger clients, while smaller companies are often put aside.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
Access to the engineering team is crucial for faster feedback on the product fix process.
I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material.
They share detailed information via email, including screenshots or further clarification about the issue.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
SonarQube Cloud is a scalable product, and I rate its scalability at seven out of ten.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.
From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies.
We used the open-source version of SonarQube Cloud for its minimum features and did not license its extensive capabilities.
It's not the most expensive solution.
Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.
If there's a security gap, you'll never know the cost or effect.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It gives precise reports compared to Coverity and has a slightly lower number of false positives.
I use SonarQube Cloud (formerly SonarCloud) to check the quality of developer code and identify vulnerabilities.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
| Product | Market Share (%) |
|---|---|
| Veracode | 7.1% |
| SonarQube Cloud (formerly SonarCloud) | 4.2% |
| Other | 88.7% |
| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 3 |
| Large Enterprise | 4 |
| Company Size | Count |
|---|---|
| Small Business | 69 |
| Midsize Enterprise | 43 |
| Large Enterprise | 112 |
SonarQube Cloud offers static code analysis and application security testing, seamlessly integrating into CI/CD pipelines. It's a vital tool for identifying vulnerabilities and ensuring code quality before deployment.
SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing critical feedback at the pull request level. It's designed to help organizations maintain clean code by acting as a quality gate. This service supports development methodologies including sprints and Kanban for ongoing vulnerability management. While appreciated for its dashboard and integration capabilities, some users find initial setup challenging and note the need for enhanced documentation. The recent addition of mono reports and microservices support offers deeper insights into security and code quality, though container testing limitations and false positives are noted drawbacks. Manual intervention is sometimes required to address detailed reporting, with external tools being necessary for comprehensive analysis. Notifications for larger teams during serious issues and streamlined integration of new features are also areas of improvement.
What are the key features of SonarQube Cloud?In specific industries, SonarQube Cloud finds application in finance and healthcare where code integrity and security are paramount. It allows teams to identify critical vulnerabilities early and ensures that software development aligns with industry regulations and standards. By continuously analyzing code, it aids organizations in deploying secure and reliable applications, fostering trust and compliance.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.
What are the key features of Veracode?
What benefits should users consider in Veracode reviews?
Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.
Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
