Executive Summary
Updated on March 17, 2022

We compared SonarQube and Veracode across five categories, based on our users' reviews. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Users of SonarQube say that deployment is simple, easy, and straightforward. Most Veracode reviewers felt the same, except for a few who found it slightly complex.
  • Features: Valuable features of SonarQube include good stability and performance, good integration, scalability, the Quality Gate, a friendly UI, security hotspots, time snapshots, segregation containment, and the suspension of product services. Some reviewers say the architecture and its development need to be improved, while others would like to see notification features added, better reporting, more dynamic testing, and more documentation.

    Users of Veracode appreciate its cloud-based approach, API integration, static scanning, stability, policy reporting, a great dashboard, static and dynamic analysis, SCA, and the fact that it is SaaS hosted. While users value Veracode for its solid set of features, some feel its user interface and user experience are lacking, mentioning that it can be slow and could use some improvement.
  • Pricing: Regarding standard licensing, users of SonarQube feel that it is slightly expensive. Other users find that the free, open-source Community Edition works really well for them. Some users of Veracode consider it reasonably priced, while others feel it is on the expensive side.
  • Service and Support: Users who have experience with SonarQube's service and support under the licensed version state that support is good and responds quickly. Veracode reviewers have also provided very positive feedback on the service and support they receive, mentioning that technical support is very helpful.
  • ROI: While none of the SonarQube reviews explicitly mention an ROI, several Veracode users say they have seen one, some as soon as six months after implementation. Some users said they achieved greatly improved security and earlier detection of security defects in the life cycle, and were able to meet compliance requirements easily. Others say that Veracode has saved them a lot of time and helped them comply with clients' requirements.

Comparison Results: Based on the parameters we compared, SonarQube and Veracode are well matched in terms of popularity. Users of both share the opinion that deployment is fairly easy and fast and that technical support is helpful. Each product has its own set of features, but each also has areas that reviewers would like to see improved. Although some users feel both solutions are expensive, some Veracode users do say that its price is fairly reasonable.

Q&A Highlights
Question: Which gives you more for your money - SonarQube or Veracode?
Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube. Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate.

Conclusion: These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses.
SonarQube does offer an Enterprise license that is very competitively priced. Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
Buyer's Guide
SonarQube vs. Veracode
May 2022
Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: May 2022.
598,116 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, which are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
  • "SonarQube is a fantastic tool which saves us precious time."
  • "Before you even compile, it can catch known vulnerability issues or patterns."
  • "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
  • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendliness, and the technical debt estimation."
  • "Provides local scanning for developers."
  • "It is a good deal compared to all other tools on the market."


  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
  • "Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence."
  • "You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
  • "It's comprehensive from a feature standpoint."
  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipeline Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."
  • "Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."


Cons
  • "If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
  • "The solution could improve by having better consulting services."
  • "The solution could improve by providing more advanced technologies."
  • "There are limitations to the free version that limit development options as far as languages."
  • "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface."
  • "It should be user-friendly."
  • "The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
  • "SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."

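Two points recur in the SonarQube reviews above: the analysis token that every scan has to present, and the Quality Gate that decides whether a build may proceed. The script below is an added example, not code from the PeerSpot page, from SonarSource or from Veracode. It reads the token from an environment variable (the secret name SONAR_TOKEN, the server URL, the project key and the sample API response are assumptions for illustration), sends it as the HTTP Basic username, which is how SonarQube accepts tokens, so it never appears in the command line or the URL, and fails the job when /api/qualitygates/project_status reports an ERROR status.

```python
"""Added example (not from the PeerSpot page, SonarQube or Veracode): fail a CI job
on the SonarQube quality gate, passing the analysis token as an HTTP Basic
username taken from the environment instead of on the command line, where it
would land in shell history and build logs. SONAR_TOKEN, the server URL, the
project key and SAMPLE_RESPONSE are assumptions for illustration."""
import base64
import io
import json
import os
import urllib.parse
import urllib.request


def auth_header(token: str) -> str:
    """SonarQube accepts a user or project token as the Basic-auth username
    with an empty password; the token therefore never appears in the URL."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def build_gate_request(base_url: str, project_key: str, token: str) -> urllib.request.Request:
    """Request for /api/qualitygates/project_status, which reports whether
    the most recent analysis of the project passed its quality gate."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    return urllib.request.Request(url, headers={"Authorization": auth_header(token)})


def evaluate_gate(payload: dict):
    """Return (passed, failing_conditions) from a project_status response."""
    status = payload["projectStatus"]["status"]
    failing = [c for c in payload["projectStatus"].get("conditions", [])
               if c.get("status") == "ERROR"]
    return status == "OK", failing


def check_gate(base_url, project_key, token=None, opener=urllib.request.urlopen):
    """Fetch and evaluate the gate. The token comes from SONAR_TOKEN (assumed
    secret name) unless given explicitly; `opener` is injectable for offline use."""
    token = token or os.environ.get("SONAR_TOKEN")
    if not token:
        raise RuntimeError("SONAR_TOKEN is not set; refusing to call the API unauthenticated")
    with opener(build_gate_request(base_url, project_key, token)) as resp:
        payload = json.load(resp)
    return evaluate_gate(payload)


# Constructed sample response in the shape the endpoint returns: one failed condition.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.0"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
}


def fake_opener(payload: dict):
    """Stand-in for urllib.request.urlopen that serves a canned JSON body offline."""
    return lambda req: io.BytesIO(json.dumps(payload).encode())


def gate_summary(passed: bool, failing: list) -> str:
    """One-line verdict suitable for a CI log, listing each failed condition."""
    if passed:
        return "quality gate passed"
    return "quality gate FAILED: " + ", ".join(
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
        for c in failing)


if __name__ == "__main__":
    # Offline demonstration; in CI drop the opener argument so urlopen is used.
    passed, failing = check_gate("https://sonar.example.com", "my-app",
                                 token="dummy-token", opener=fake_opener(SAMPLE_RESPONSE))
    print(gate_summary(passed, failing))
    raise SystemExit(0 if passed else 1)
```

In a pipeline, export SONAR_TOKEN from the CI secret store rather than writing it into the job definition, and call check_gate after the scanner has finished uploading the analysis; the exit status then blocks the merge or deployment, which is the gate behaviour reviewers describe.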

  • "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
  • "The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
  • "I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
  • "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
  • "The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
  • "Sometimes, I get feedback from a developer saying, 'They are scanning Python code, but getting feedback around Java code.' While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insights."
  • "I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
  • "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."


Pricing and Cost Advice
  • "I was using the Community Edition, which is available free of charge."
  • "The developer edition is based on cost per lines of code."
  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."

  • "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."

    Answers from the Community
    Netanya Carmi
    reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
    Real User

    We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.


    Veracode is mostly in the space of security testing and among the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.


    Depending on your use cases, you will need both of these areas to be covered through these or other tools.

    Curtis Yanko (Shiftleft)
    Vendor

    Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

    reviewer1411233 (Security consultant at a tech services company with 1,001-5,000 employees)
    Real User

    Both products are used in the industry for slightly different purposes. If you are after the code, then SonarQube; if you are after security, then Veracode.

    Mauro Verderosa
    Real User

    They are mainly two different products. 


    If your goal is to set the quality on code then SonarQube is your answer. 


    On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

    Akash Singh Singh
    User

    Klocwork

    Questions from the Community
  • Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look…
  • Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use…
  • Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing…
  • Top Answer: The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.
  • Top Answer: I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.
  • Top Answer: I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use. Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold…
    Ranking (Application Security category)

                              SonarQube    Veracode
    Ranking                   1st          2nd
    Views                     87,773       54,238
    Comparisons               72,214       30,557
    Reviews                   59           25
    Average Words per Review  492          1,340
    Rating                    8.0          8.2
    Also Known As
    Sonar
    Overview

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode combines SaaS technology with on-demand expertise that enables DevSecOps through integration with your pipeline and empowers developers to find and fix security defects.


    Sample Customers
    SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Veracode: State of Missouri, Rekner

    Top Industries

    SonarQube                   Reviewers   Visitors reading reviews
    Computer Software Company   22%         26%
    Financial Services Firm     21%         13%
    Comms Service Provider      10%         17%
    Insurance Company           7%          -
    Manufacturing Company       -           7%

    Veracode                    Reviewers   Visitors reading reviews
    Financial Services Firm     30%         11%
    Computer Software Company   13%         28%
    Insurance Company           11%         -
    Healthcare Company          7%          -
    Comms Service Provider      -           17%
    Manufacturing Company       -           6%

    Company Size

    SonarQube                   Reviewers   Visitors reading reviews
    Small Business              26%         32%
    Midsize Enterprise          17%         20%
    Large Enterprise            56%         48%

    Veracode                    Reviewers   Visitors reading reviews
    Small Business              24%         29%
    Midsize Enterprise          27%         32%
    Large Enterprise            49%         40%

    SonarQube is ranked 1st in Application Security with 63 reviews while Veracode is ranked 2nd in Application Security with 27 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Snyk and Micro Focus Fortify on Demand, whereas Veracode is most compared with Checkmarx, Micro Focus Fortify on Demand, Coverity, OWASP Zap and HCL AppScan. See our SonarQube vs. Veracode report.


    We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.