Try our new research platform with insights from 80,000+ expert users

Trivy vs Veracode comparison

Aqua Security and Veracode are both solutions in the Container Security category. Aqua Security is ranked #4 with an average rating of 8.6, while Veracode is ranked #8 with an average rating of 8.0. Aqua Security holds a 4.5% mindshare in Container Security, compared to Veracode’s 2.8% mindshare. Additionally, 100% of Aqua Security users are willing to recommend the solution, compared to 89% of Veracode users who would recommend it.
Trivy
Read 12 Trivy reviews
  • 5,573 Views
  • 5,573 Comparison Views
100% willing to recommend
Veracode
Read 208 Veracode reviews
  • 19,227 Views
  • 4,807 Comparison Views
89% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Trivy and Veracode based on real PeerSpot user reviews.

Find out in this report how the two Container Security solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Trivy vs. Veracode Report (Updated: March 2026).
Buyer's Guide
Trivy vs. Veracode
March 2026
Download the complete report
Helped 885,286 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Trivy
Ranking in Container Security
4th
Average Rating
8.6
Reviews Sentiment
7.5
Number of Reviews
12
Ranking in other categories
No ranking in other categories
Veracode
Ranking in Container Security
8th
Average Rating
8.0
Reviews Sentiment
6.9
Number of Reviews
208
Ranking in other categories
Application Security Tools (3rd), Static Application Security Testing (SAST) (2nd), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Dynamic Application Security Testing (DAST) (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of March 2026, in the Container Security category, the mindshare of Trivy is 4.5%, down from 4.7% compared to the previous year. The mindshare of Veracode is 2.8%, down from 4.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Container Security Mindshare Distribution
ProductMindshare (%)
Trivy4.5%
Veracode2.8%
Other92.7%
Container Security
 

Featured Reviews

ST
Surya Aniketh Tamirisa
Software Engineer at a tech vendor with 10,001+ employees
Consistently maintains vulnerability-free images and integrates effectively with builds
Trivy is very reliable and always has an up-to-date database to scan images and identify vulnerabilities. I integrated it with Jenkins jobs, so every time we run a build, if there is a high, critical, or medium vulnerability, the build is set to fail. This ensures that somebody resolves the issues before the code progresses. This approach helps keep every image in every project we work on vulnerability-free.
Read full review
reviewer2703864 - PeerSpot reviewer
reviewer2703864
Head of Security Architecture at a healthcare company with 5,001-10,000 employees
Onboarding developers successfully while improving code security through IDE integration
Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It's customizable, allowing me to add any rules and format HTML templates as I wish."
"Trivy's open source nature and wide functionality are incredibly valuable."
"Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable."
"I rate Trivy a nine out of ten."
"The most valuable feature of Trivy is its easy integration with the CI/CD pipeline."
"Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images."
"Trivy is most valuable for its ability to scan all repository files and dependencies."
"One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts."
More Trivy pros
"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
"Overall, it's really good."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople are fabulous."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
"It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
"Veracode can emulate the most sophisticated attack and create unique or specific use cases around automatic penetration testing."
"The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline."
More Veracode pros
 

Cons

"Trivy can improve by providing an output in PDF format. Additionally, it takes longer to scan container images built with many layers."
"In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis."
"Currently, the container image scanning is static. A dynamic scanning capability during runtime would be a significant advantage."
"For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools."
"Trivy generates many false positives, flagging non-existent vulnerabilities. Improvements could include better contextual analysis or granular filtering."
"In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis."
"The reporting could be a little better."
"For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion."
More Trivy cons
"Some important languages are not supported."
"The pricing for qualified startups such as Neo4j could be improved."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"I would like to see improvement on the analytics side, and in integrations with different tools."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"The solution recently doubled in price over the past year, which is why I've decided to move away from it."
"Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
More Veracode cons
 

Pricing and Cost Advice

Information not available
"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."
"Users in some forums mentioned that pricing for this solution can be quite high."
"Veracode is a very expensive product."
"If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price."
"I believe the price is fair according to market standards."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"The Veracode price model is based on application profiles, which is how you package your components for scanning."
"As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Container Security solutions are best for your needs.
See recommendations
885,286 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
13%
Manufacturing Company
12%
Computer Software Company
11%
Government
8%
Financial Services Firm
16%
Computer Software Company
12%
Manufacturing Company
11%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business3
Midsize Enterprise1
Large Enterprise9
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise45
Large Enterprise114
 

Questions from the Community

What needs improvement with Trivy?
Trivy's marketing and awareness need improvement. Not everyone knows about it, which isn't ideal given its capabilities. There's potential to integrate AI and machine learning for enhanced function...
See all answers
What is your primary use case for Trivy?
I use Trivy ( /products/trivy-reviews ) to scan code for vulnerabilities before deployment. Our projects, which are developed by different developers, involve various dependencies and third-party c...
See all answers
What advice do you have for others considering Trivy?
I recommend Trivy to others due to its powerful and useful features. However, I suggest increasing its marketing to raise awareness. I rate Trivy an eight out of ten.
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities.
See all answers
What is your experience regarding pricing and costs for Veracode Static Analysis?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
See all answers
 

Comparisons

JFrog Xray vs Trivy Logo
JFrog Xray vs Trivy
Compared 19% of the time
Snyk vs Trivy Logo
Snyk vs Trivy
Compared 15% of the time
Kubescape vs Trivy Logo
Kubescape vs Trivy
Compared 9% of the time
Wiz vs Trivy Logo
Wiz vs Trivy
Compared 9% of the time
Microsoft Defender for Cloud vs Trivy Logo
Microsoft Defender for Cloud vs Trivy
Compared 3% of the time
More Trivy Competitors
SonarQube vs Veracode Logo
SonarQube vs Veracode
Compared 9% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 7% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 4% of the time
Coverity Static vs Veracode Logo
Coverity Static vs Veracode
Compared 3% of the time
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
Compared 3% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Trivy
March 2026
Trivy reportDownload Trivy product report
Buyer's Guide
Veracode
March 2026
Veracode reportDownload Veracode product report
 

Also Known As

No data available
Crashtest Security , Veracode Detect
 

Overview

Trivy offers comprehensive scanning for files, images, repositories, and infrastructure. It's open-source and integrates with CI/CD for vulnerability detection and security enhancement.

Trivy scans vulnerabilities in code, Docker images, containers, and infrastructure. It integrates seamlessly into DevOps pipelines, ensuring security in dependency management and open source vulnerabilities. This tool, lightweight and open-source, provides user-friendly reports and supports continuous vulnerability database updates, fostering ease of use across operating systems. Users benefit from its scanning capabilities, covering Kubernetes, AWS credentials, and GCP service accounts, effectively identifying vulnerabilities and misconfigurations.

What are Trivy's key features?
  • Comprehensive Scanning: Covers files, images, repositories, infrastructure, and sensitive data.
  • CI/CD Integration: Easily integrates into existing pipelines for seamless security checks.
  • Open-Source & Lightweight: Quick setup and fast scanning capabilities ensure rapid deployment.
  • Continuously Updated Database: Keeps vulnerability data current for effective threat detection.
  • User-Friendly Reports: Generates understandable and actionable security insights.
What benefits and ROI can users expect?
  • Enhanced Security: Provides in-depth analysis of vulnerabilities and misconfigurations.
  • Ease of Use: Designed for straightforward implementation and user interaction.
  • Compliance Support: Assists in meeting industry security standards and regulations.
  • Cross-Platform Use: Effective across different operating systems, enabling wide scalability.

In industries like technology and finance, Trivy is used extensively to secure applications, perform compliance checks, and offer security metrics visualization. It addresses microservices, container systems, and Kubernetes clusters security requirements, supporting DevOps teams and enhancing codebase analysis precision.

Aqua Security

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Trivy vs. Veracode
March 2026
Free Report: Trivy vs. Veracode
Find out what your peers are saying about Trivy vs. Veracode and other solutions. Updated: March 2026.
DOWNLOAD NOW
885,286 professionals have used our research since 2012.
See our Trivy vs. Veracode report.
See our list of best Container Security vendors.

We monitor all Container Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.