Executive Summary
Updated on March 17, 2022

We compared SonarQube and Veracode in five categories based on our users' reviews. Our conclusion follows the category summaries below.

  • Ease of Deployment: SonarQube users say that deployment is simple, easy, and straightforward. Most Veracode reviewers felt the same, with the exception of a few who found it slightly complex.
  • Features: Valuable features of SonarQube include good stability and performance, good integration, scalability, QualityGate, a friendly UI, security hotspots, time snapshots, segregation containment, and the suspension of product services. Some reviewers say the architecture and its development need to be improved, while others would prefer to see notification features added, better reporting, more dynamic testing, and more documentation.

    Veracode users appreciate its cloud-based approach, API integration, static scan, stability, policy reporting, a great dashboard, static and dynamic analysis, SCA, and the fact that it is SaaS hosted. While users value Veracode for its solid set of features, some feel it is lacking in its user interface and user experience, mentioning that it can be slow and could use some improvement.
  • Pricing: Regarding standard licensing, SonarQube users feel that it is slightly expensive; others find that the free open-source Community Edition works well for them. Some Veracode users consider it reasonably priced, while others feel it is on the expensive side.
  • Service and Support: Users who have had experience with SonarQube's service and support under the licensed version state that support is good and responds quickly. Veracode reviewers have also provided very positive feedback on the service and support they receive, mentioning that technical support is very helpful.
  • ROI: While none of the reviews of SonarQube explicitly mention an ROI, several Veracode users say they have seen an ROI, some as soon as six months after implementing it. Some users said they achieved greatly improved security, earlier detection of security defects in the life cycle, and were able to easily meet compliance requirements. Others say that Veracode has saved them a lot of time and helped them comply with clients' requirements.

Comparison Results: Based on the parameters we compared, SonarQube and Veracode are well matched in popularity. Users of both share the opinion that deployment is fairly easy and fast and that technical support is helpful. Each product has its own set of features, but each also has areas that reviewers would like to see improved. Although some users feel both solutions are expensive, some Veracode users do say that its price is fairly reasonable.

To learn more, read our detailed SonarQube vs. Veracode report (Updated: July 2022).
Buyer's Guide
SonarQube vs. Veracode
July 2022
Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: July 2022.
610,518 professionals have used our research since 2012.
Q&A Highlights
Question: Which gives you more for your money - SonarQube or Veracode?
Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube.

Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve; the time estimates are not always accurate.

Conclusion

These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some, and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced.

Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "SonarQube is one of the more popular solutions because it supports 29 languages."
  • "I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "I like that it helps us maintain our work quality and code security."
  • "The software quality gate streamlines the product's quality."
  • "The reporting and the results are quick. It gets integrated within the pipeline well."
  • "SonarQube has a lot of value; it reviews the basic coding standards and security vulnerabilities of code, which helps to reduce issues."
  • "It assists during the development with SonarLint and helps the developer to change his approach, or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
  • "The good thing with SonarQube is that it covers a lot of issues; it's a very robust framework."

  • "There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
  • "The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic."
  • "The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
  • "You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
  • "Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt the tool's suggestions. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code, the tool points to the problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
  • "It's comprehensive from a feature standpoint."
  • "The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."

Cons
  • "Monitoring is a feature that can be improved in the next version."
  • "If the product could assist us with fixing issues by giving us more pointers, then it would help to resolve more of the warnings without such a commitment in terms of time."
  • "If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It would be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
  • "We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
  • "There isn't a very good enterprise report."
  • "I am not very pleased with the technical debt computation."
  • "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
  • "You may need to purchase add-ons to get the usability you desire."

  • "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
  • "Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
  • "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
  • "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time-limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
  • "The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
  • "The training lab is not very user-friendly and takes a long time to set up."
  • "The solution could improve the Dynamic Analysis Security Testing (DAST)."
  • "Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."

Pricing and Cost Advice
  • "I was using the Community Edition, which is available free of charge."
  • "The developer edition is based on cost per lines of code."
  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."

  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."

    Answers from the Community
    Netanya Carmi
    reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
    Real User

    We have used SonarQube quite a lot, and it is great for checking code quality and security hotspots much earlier in the SDLC and fixing them. The community edition is free to use, can be used on-premises, and integrates seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionality.

    Veracode is mostly in the space of security testing and is among the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.

    Depending on your use cases, you will need both of these areas to be covered through these or other tools.

    Curtis Yanko (Shiftleft)
    Vendor

    Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

    reviewer1411233 (Security consultant at a tech services company with 1,001-5,000 employees)
    Real User

    Both products are used in the industry for slightly different purposes. If you are after the code, then SonarQube; if you are after the security, then Veracode.

    Mauro Verderosa
    Real User

    They are mainly two different products.

    If your goal is to set the quality on code, then SonarQube is your answer.

    On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

    Akash Singh Singh
    User

    Klocwork

    Questions from the Community
    Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look…
    Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use…
    Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing…
    Top Answer: Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they…
    Top Answer: Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way. The pricing is solid…
    Top Answer: I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they…
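    Two threads on this page point at the same pipeline problem: the Q&A answer above wants a scanner that keeps vulnerable code out of production, and the last excerpt wants findings that were already accepted to stay accepted on re-scan instead of breaking the build again. The script below is an added example of how a team can implement that gate itself, in front of whichever scanner it runs; it is not code from SonarQube, Veracode, or this page. The `findings` and `exceptions` JSON layouts, the fingerprint scheme, the severity scale, and the sample findings and accepted-risk register are all constructed for the illustration.

```python
"""Gate a CI build on scanner findings while honouring a reviewed, expiring
accepted-risk register. Added example; the JSON formats are invented here."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date

# Ordinal severity scale used by the gate's threshold comparison (assumed here).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass(frozen=True)
class Finding:
    rule: str      # scanner rule or CWE identifier
    file: str      # path relative to the repository root
    snippet: str   # flagged source line as reported by the scanner
    severity: str  # key of SEVERITY_RANK

    def fingerprint(self) -> str:
        # Hash rule, file and the whitespace-normalised snippet, not the line
        # number, so an accepted finding survives edits that only shift lines
        # but is re-raised if the flagged code itself changes.
        normalised = " ".join(self.snippet.split())
        digest = hashlib.sha256(f"{self.rule}|{self.file}|{normalised}".encode()).hexdigest()
        return digest[:16]


def parse_findings(raw_json: str) -> list[Finding]:
    """Parse the hypothetical scanner output format used in this example."""
    return [Finding(f["rule"], f["file"], f["snippet"], f["severity"])
            for f in json.loads(raw_json)["findings"]]


def load_register(raw_json: str, today: date) -> tuple[dict, dict]:
    """Split the accepted-risk register into live and expired exceptions."""
    live, expired = {}, {}
    for entry in json.loads(raw_json)["exceptions"]:
        bucket = live if date.fromisoformat(entry["expires"]) >= today else expired
        bucket[entry["fingerprint"]] = entry
    return live, expired


def gate(findings: list[Finding], live: dict, expired: dict, threshold: str = "high") -> dict:
    """Classify each finding and decide whether the build may proceed."""
    result = {"accepted": [], "expired": [], "new": [], "blocking": []}
    for f in findings:
        fp = f.fingerprint()
        if fp in live:
            result["accepted"].append(fp)   # reviewed and still within its expiry
            continue
        result["expired" if fp in expired else "new"].append(fp)
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]:
            result["blocking"].append(fp)   # unaccepted and at/above the threshold
    result["pass"] = not result["blocking"]
    return result


# Constructed sample scanner output for this example.
SCAN_RESULTS = json.dumps({"findings": [
    {"rule": "CWE-89", "file": "app/db.py", "severity": "high",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'},
    {"rule": "CWE-327", "file": "app/cache.py", "severity": "medium",
     "snippet": "key = hashlib.md5(blob).hexdigest()"},
    {"rule": "CWE-78", "file": "app/tools.py", "severity": "very_high",
     "snippet": 'os.system("ping " + host)'},
    {"rule": "CWE-79", "file": "app/views.py", "severity": "high",
     "snippet": "return Markup(comment)"},
]})


def build_register() -> str:
    """Constructed accepted-risk register. In a real repository the fingerprints
    are stored as literal hex strings; they are computed here only to keep the
    example self-contained. The md5 entry is deliberately spaced differently from
    the scanner output to show that normalisation still matches it."""
    md5_fp = Finding("CWE-327", "app/cache.py",
                     "key  =  hashlib.md5(blob).hexdigest()", "medium").fingerprint()
    xss_fp = Finding("CWE-79", "app/views.py", "return Markup(comment)", "high").fingerprint()
    return json.dumps({"exceptions": [
        {"fingerprint": md5_fp, "approved_by": "appsec", "expires": "2099-01-01",
         "reason": "md5 used as a cache key, not for integrity or authentication"},
        {"fingerprint": xss_fp, "approved_by": "appsec", "expires": "2021-12-31",
         "reason": "comment is sanitised upstream; re-review before renewing"},
    ]})


def run_example(today: str = "2022-07-01", threshold: str = "high") -> dict:
    """Run the gate over the constructed scan and register for a given date."""
    findings = parse_findings(SCAN_RESULTS)
    live, expired = load_register(build_register(), date.fromisoformat(today))
    return gate(findings, live, expired, threshold)


if __name__ == "__main__":
    outcome = run_example()
    print(json.dumps(outcome, indent=2))
    raise SystemExit(0 if outcome["pass"] else 1)
```

    Keep the register in the repository under code review, so that accepting a finding leaves a reviewer, a reason and an expiry in the history, and so that an exception lapses by default rather than living forever. With the sample data the gate fails: the SQL injection and command injection findings are new, and the XSS exception expired at the end of 2021, so it is re-raised even though it was once accepted; only the md5 cache-key finding is still suppressed.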
    Ranking
    (SonarQube, also known as Sonar, vs. Veracode)

                                   SonarQube    Veracode
    Rank in Application Security   1st          2nd
    Views                          87,858       51,336
    Comparisons                    72,333       29,264
    Reviews                        60           24
    Average Words per Review       494          1,440
    Rating                         8.0          8.1
    Overview

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Sample Customers
    SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Veracode: State of Missouri, Rekner

    Top Industries
    SonarQube, reviewers: Computer Software Company 22%, Financial Services Firm 21%, Comms Service Provider 10%, Insurance Company 7%
    SonarQube, visitors reading reviews: Computer Software Company 25%, Comms Service Provider 15%, Financial Services Firm 14%, Manufacturing Company 7%
    Veracode, reviewers: Financial Services Firm 31%, Insurance Company 11%, Computer Software Company 11%, Healthcare Company 7%
    Veracode, visitors reading reviews: Computer Software Company 27%, Comms Service Provider 14%, Financial Services Firm 12%, Manufacturing Company 7%

    Company Size
    SonarQube, reviewers: Small Business 26%, Midsize Enterprise 17%, Large Enterprise 56%
    SonarQube, visitors reading reviews: Small Business 14%, Midsize Enterprise 14%, Large Enterprise 72%
    Veracode, reviewers: Small Business 24%, Midsize Enterprise 27%, Large Enterprise 49%
    Veracode, visitors reading reviews: Small Business 16%, Midsize Enterprise 14%, Large Enterprise 70%

    SonarQube is ranked 1st in Application Security with 63 reviews while Veracode is ranked 2nd in Application Security with 24 reviews. SonarQube is rated 8.0, while Veracode is rated 8.0. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Snyk and Micro Focus Fortify on Demand, whereas Veracode is most compared with Checkmarx, Micro Focus Fortify on Demand, Coverity, OWASP Zap and HCL AppScan. See our SonarQube vs. Veracode report.


    We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.