We compared Veracode and SonarQube across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:
Initial Setup: Veracode's setup is described as straightforward and easy, with minimal technical capabilities required. Some users found the web interface not very intuitive but received help from Veracode to deploy the solution. SonarQube's setup is also considered straightforward, but some users found it complex and time-consuming, taking up to two months. The main challenge with SonarQube was getting users accustomed to the tool and providing training.
Valuable Features: Veracode's valuable features include comprehensive security testing, ease of use, accurate vulnerability detection, and reliable reporting. SonarQube offers security features, SAST and SCA capabilities, a free Community edition, and integration with DevOps pipelines, among others.
Setup Cost: Veracode's setup cost varies depending on the size and specific needs of the organization. Some reviewers find it expensive, while others believe it provides value for the cost. SonarQube offers an open-source solution with no additional costs, although some users mention the need to purchase licenses for the upgraded version.
ROI: Veracode offers benefits such as reducing development costs, preventing security breaches, and maintaining certifications. SonarQube helps identify vulnerabilities and promotes bug-free coding.
Customer Service: Veracode's customer service has received mixed reviews, with positive feedback on responsiveness and knowledge, but negative feedback on slow response times and the need to repeat issues. SonarQube's customer service experiences vary, with some users not needing support and others having positive experiences.
Based on the user reviews, Veracode is the preferred product over SonarQube. Veracode's customer service and support received mixed reviews, but some customers praised the responsiveness and knowledge of the technical support team. In contrast, SonarQube's customer service and support experiences varied, with some users mentioning the need for improvement in terms of availability and response time. Additionally, Veracode's pricing was considered reasonable and affordable by some reviewers, while SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users, making it the preferred choice.
"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
"We consider it a handy tool that helps to resolve our issues immediately."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
"This solution has helped with the integration and building of our CICD pipeline."
"This solution has the capability to analyze source code in almost all the languages in the market."
"The product is simple."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced."
"Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
"The SAST and DAST modules are great."
"Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
"I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
"Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices."
"Veracode offers various security features."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"The product's pricing could be lower."
"Currently requires multiple tools, lacking one overall tool."
"It should be user-friendly."
"There isn't a very good enterprise report."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"Lacks sufficient visibility and documentation."
"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."
"The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."
"An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines."
"The UI is not user-friendly and can be improved."
"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."
"In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."
"The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."
"Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
SonarQube is ranked 1st in Application Security Tools with 30 reviews while Veracode is ranked 2nd in Application Security Tools with 70 reviews. SonarQube is rated 8.2, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". SonarQube is most compared with Checkmarx, Coverity, SonarCloud, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx, Fortify on Demand, OWASP Zap, SonarCloud and Snyk. See our SonarQube vs. Veracode report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.
Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge.
Depending on your use cases, you will need both of these areas to be covered through these or other tools.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.
Klocwork