We compared Veracode and SonarQube across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode's customer service and support received mixed reviews, but most customers praised the responsiveness and knowledge of the technical support team. SonarQube's customer service and support experiences varied, with some users noting that availability and response time could be improved. Veracode's pricing was considered reasonable and affordable, and SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users.
"Improves the code coverage and evaluates the technical steps and percentage of code being resolved."
"The most valuable feature of this solution is that it is free."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"If you want to have your code scanned and timed then this is a good tool."
"The SonarQube dashboard looks great."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"It is a good deal compared to all other tools on the market."
"SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
"The capability to identify vulnerable code is the most valuable feature of Veracode."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"Veracode is very easy to use."
"The most valuable feature is the dynamic application security testing."
"The static analysis gives you deep insights into problems."
"The installation was straightforward."
"Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"Lacks sufficient visibility and documentation."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"You may need to purchase add-ons to get the usability you desire."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"SonarQube could improve its static application security testing as per the industry standard."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"On-premise implementation is not available."
"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."
"We use Ruby on Rails and we still don't have any support for that from Veracode."
"I would like Veracode to add more language support."
"From what we have seen of Veracode's SCA offering, it is just average."
"It can be a bit complex because it takes a lot of time to have it complete the task."
"I'd like to see more development tools and platforms integrated together with Veracode to amplify the solution's effectiveness."
"Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
SonarQube is ranked 1st in Application Security Tools with 108 reviews, while Veracode is ranked 2nd in Application Security Tools with 194 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx One, Snyk, Fortify on Demand, OWASP Zap and Fortify Static Code Analyzer. See our SonarQube vs. Veracode report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot, and it is great for checking code quality and security hotspots much earlier in the SDLC and fixing those. The community edition is free to use, can be used on-premises, and integrates seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionality.
Veracode is mostly in the space of security testing and is among the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products in the industry are used for slightly different purposes. If you are after the code, then SonarQube; if you are after the security, then Veracode.