You must select at least 2 products to compare!
Sonar Logo
63,329 views|50,575 comparisons
Veracode Logo
28,835 views|19,575 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Oct 1, 2023

We compared Veracode and SonarQube across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:

Initial Setup: Veracode's setup is described as straightforward and easy, with minimal technical capabilities required. Some users found the web interface not very intuitive but received help from Veracode to deploy the solution. SonarQube's setup is also considered straightforward, but some users found it complex and time-consuming, taking up to two months. The main challenge with SonarQube was getting users accustomed to the tool and providing training.

Valuable Features: Veracode's valuable features include comprehensive security testing, ease of use, accurate vulnerability detection, and reliable reporting. SonarQube offers security features, SAST and SCA capabilities, a free Community edition, and integration with DevOps pipelines, among others.

Setup Cost: Veracode's setup cost varies depending on the size and specific needs of the organization. Some reviewers find it expensive, while others believe it provides value for the cost. SonarQube offers an open-source solution with no additional costs, although some users mention the need to purchase licenses for the upgraded version. 

ROI: Veracode offers benefits such as reducing development costs, preventing security breaches, and maintaining certifications. SonarQube helps identify vulnerabilities and promotes bug-free coding.

Customer Service: Veracode's customer service has received mixed reviews, with positive feedback on responsiveness and knowledge, but negative feedback on slow response times and the need to repeat issues. SonarQube's customer service experiences vary, with some users not needing support and others having positive experiences.

Based on the user reviews, Veracode is the preferred product over SonarQube. Veracode's customer service and support received mixed reviews, but some customers praised the responsiveness and knowledge of the technical support team. In contrast, SonarQube's customer service and support experiences varied, with some users mentioning the need for improvement in terms of availability and response time. Additionally, Veracode's pricing was considered reasonable and affordable by some reviewers, while SonarQube's pricing was found to be accessible. Overall, Veracode's comprehensive security testing capabilities, ease of use, and accurate vulnerability detection were highly valued by users, making it the preferred choice.

To learn more, read our detailed SonarQube vs. Veracode Report (Updated: September 2023).
735,432 professionals have used our research since 2012.
Q&A Highlights
Question: Which gives you more for your money - SonarQube or Veracode?
Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube. Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate. Conclusion These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced. Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.""We consider it a handy tool that helps to resolve our issues immediately.""One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.""We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.""This solution has helped with the integration and building of our CICD pipeline.""This solution has the capability to analyze source code in almost all the languages in the market.""The product is simple.""When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular project. It has actually sufficed all the needs in one tool for static code analysis."

More SonarQube Pros →

"Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced.""Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.""The SAST and DAST modules are great.""Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production.""I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more.""Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices.""Veracode offers various security features.""The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."

More Veracode Pros →

"The product's pricing could be lower.""Currently requires multiple tools, lacking one overall tool.""It should be user-friendly.""There isn't a very good enterprise report.""We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.""SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.""SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.""Lacks sufficient visibility and documentation."

More SonarQube Cons →

"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.""The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives.""An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines.""The UI is not user-friendly and can be improved.""When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us.""In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me.""The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.""Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."

More Veracode Cons →

Pricing and Cost Advice
  • "On the pricing side, it's 3,000 Euros for 1 million lines of code."
  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • More SonarQube Pricing and Cost Advice →

  • "From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • "It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."
  • "The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."
  • "There is a fee to scale up the solution which I consider expensive."
  • "I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
  • "I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
  • "There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."
  • More Veracode Pricing and Cost Advice →

    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    735,432 professionals have used our research since 2012.
    Answers from the Community
    Netanya Carmi
    Vishal-Goyal - PeerSpot reviewerVishal-Goyal
    Real User

    We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.

    Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge. 

    Depending on your use cases, you will need both of these areas to be covered through these or other tools.

    Mauro Verderosa - PeerSpot reviewerMauro Verderosa
    Real User

    They are mainly two different products. 

    If your goal is to set the quality on code then SonarQube is your answer. 

    On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

    Curtis Yanko - PeerSpot reviewerCurtis Yanko (Shiftleft)

    Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

    reviewer1411233 - PeerSpot reviewerreviewer1411233 (Security consultant at a tech services company with 1,001-5,000 employees)
    Real User

    Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.

    Questions from the Community
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Top Answer:The SAST and DAST modules are great.
    Top Answer:The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
    Top Answer:Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.
    Average Words per Review
    Average Words per Review
    Checkmarx logo
    Compared 21% of the time.
    Coverity logo
    Compared 12% of the time.
    SonarCloud logo
    Compared 12% of the time.
    Snyk logo
    Compared 10% of the time.
    Sonatype Lifecycle logo
    Compared 7% of the time.
    Checkmarx logo
    Compared 15% of the time.
    Fortify on Demand logo
    Compared 6% of the time.
    OWASP Zap logo
    Compared 5% of the time.
    SonarCloud logo
    Compared 4% of the time.
    Snyk logo
    Compared 4% of the time.
    Also Known As
    Learn More

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Veracode is a leading application security platform that helps organizations to develop and deliver secure software. Veracode's solution provides comprehensive capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

    Veracode's static analysis solution scans source code for various security vulnerabilities, including common web application attack vectors, injection flaws, cross-site scripting, and insecure direct object references. Veracode's dynamic analysis solution simulates real-world attacks to identify vulnerabilities that may not be detectable by static analysis alone. Veracode's software composition analysis solution scans open-source and third-party components for known vulnerabilities. Veracode's manual penetration testing service is performed by experienced security professionals who use a variety of techniques to identify vulnerabilities in software applications.

    Many organizations, including Fortune 500 companies, government agencies, and startups, use Veracode's solution. Veracode's customers rely on Veracode to help them to improve the security of their software applications and to reduce the risk of data breaches and other security incidents.

    Here are some of the benefits of using Veracode:

    • Veracode provides capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing to help organizations identify and fix security vulnerabilities in their software applications early in the development process.
    • Veracode helps organizations reduce the risk of data breaches and other security incidents by identifying and fixing security vulnerabilities in their software application. 
    • Veracode helps organizations to comply with industry regulations. Many industries have regulations that require organizations to implement security measures to protect their customers' data. Veracode's solution can help organizations to comply with these regulations by providing them with the tools and resources they need to identify and fix security vulnerabilities in their software applications.
    Learn more about SonarQube
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Sample Customers
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
    Top Industries
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider8%
    Manufacturing Company6%
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Financial Services Firm27%
    Computer Software Company18%
    Insurance Company9%
    Comms Service Provider5%
    Financial Services Firm18%
    Computer Software Company16%
    Manufacturing Company8%
    Company Size
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise71%
    Small Business29%
    Midsize Enterprise19%
    Large Enterprise52%
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    SonarQube vs. Veracode
    September 2023
    Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: September 2023.
    735,432 professionals have used our research since 2012.

    SonarQube is ranked 1st in Application Security Tools with 30 reviews while Veracode is ranked 2nd in Application Security Tools with 70 reviews. SonarQube is rated 8.2, while Veracode is rated 8.2. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". SonarQube is most compared with Checkmarx, Coverity, SonarCloud, Snyk and Sonatype Lifecycle, whereas Veracode is most compared with Checkmarx, Fortify on Demand, OWASP Zap, SonarCloud and Snyk. See our SonarQube vs. Veracode report.

    See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.