Yantao Zhao - PeerSpot reviewer
Software Integration Engineer at Thales
Real User
Top 5
Powerful capabilities, reliable, and good support
Pros and Cons
  • "The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a solution with powerful capabilities."
  • "Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."

What is our primary use case?

We use Coverity because we have a SonarQube server and we have a lot of software components that use different languages, such as Java, C, C++, and above. For C and C++ components we use Coverity.

What is most valuable?

The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a solution with powerful capabilities.

What needs improvement?

Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better.

For how long have I used the solution?

I have been using Coverity for approximately four years.

Buyer's Guide
Coverity
June 2025
Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
855,752 professionals have used our research since 2012.

What do I think about the stability of the solution?

Coverity is stable.

What do I think about the scalability of the solution?

The scalability of Coverity is good. We have more than around 15 software components and other components involved.

We have 20 developers that are using the solution in my organization.

How are customer service and support?

We had support from Coverity for the first six months of usage but later we did not.

I rate the support from Coverity a four out of five.

Which solution did I use previously and why did I switch?

We have used other solutions, such as SonarQube.

How was the initial setup?

In the beginning, it takes two weeks to learn how to set up Coverity, but later the maintenance work is very easy. The beginning involves soft code that we need to set up before using SonarQube: we have created a SonarQube property for every component, and inside we need to copy the different options for Coverity. We had global Coverity roles or vendors; we had to allow it to work with the global rules and according to the component itself and the setup. The full implementation process can take approximately one month to complete.

What about the implementation team?

We have two teams to set up the server and install Coverity. I set up the project in Coverity and the different roles in the soft code. The developers use Coverity in their daily work.

What other advice do I have?

My advice to others is that the first few steps of using Coverity take time. It's better to have an experienced user to support it. For new users, it will be hard for them to set it up. If they can get someone to support it directly at the beginning, it would be better, because for me it was very hard at the beginning for a few weeks.

And on a scale from one to 10, how would you rate Coverity?

I rate Coverity an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Estefania Ramirez - PeerSpot reviewer
Application Security Auditor at Softtek
Real User
Great app analysis, support, and pricing
Pros and Cons
  • "The app analysis is the most valuable feature as I know other solutions don't have that."
  • "The solution could use more rules."

What is our primary use case?

We use the product only as a solution for defect code, to find more build liabilities in the code.

How has it helped my organization?

The product allows us to find vulnerabilities while testing our apps.

What is most valuable?

The app analysis is the most valuable feature as I know other solutions don't have that.

It's a good tool. The interface, support, pricing, and integration do not have any limitations.

What needs improvement?

The solution could use more rules. For example, if I have a lot of rules in many languages, it helps my company as having access to more rules works for us.

We'd like a bit more integration.

For how long have I used the solution?

I've been using the solution for maybe three months.

What do I think about the stability of the solution?

The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance has been good overall.

What do I think about the scalability of the solution?

We find the solution to be scalable.

I'm not sure exactly how many people are using the product.

I can't say if we have plans to increase usage or not in the future.

How are customer service and support?

We haven't had any issues with technical support. They are helpful and responsive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We also use SonarQube.

In the past, I used Checkmarx and Fortify, and Coverity had the better price.

How was the initial setup?

I have access only to the interface part and I didn't do the configuration of the tool. I do not handle the initial setup of the product.

As I recall, the deployment itself only took days.

What about the implementation team?

Our company managed the setup in-house without the help of outside vendors.

What's my experience with pricing, setup cost, and licensing?

We find the pricing to be reasonable.

What other advice do I have?

We're a customer and end-user.

We are using a recent version of the solution.

I'd like potential new users to be aware that it's a good tool to implement basic code.

I'd rate the solution nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Junior Software Engineer at NAVER Corp
Real User
Top 20
Has a straightforward UI and helps to scan codes
Pros and Cons
  • "I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward."
  • "The product should include more customization options. The analytics is not as deep as compared to SonarQube."

What is most valuable?

I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward.

What needs improvement?

The product should include more customization options. The analytics is not as deep as compared to SonarQube.

For how long have I used the solution?

I have been using the product for one month.

What do I think about the stability of the solution?

I would rate Coverity's stability a ten out of ten.

What do I think about the scalability of the solution?

I would rate the product's scalability an eight out of ten. My company has three users for the tool.

How was the initial setup?

I would rate the tool's setup a seven out of ten. The deployment gets completed in a couple of minutes.

What's my experience with pricing, setup cost, and licensing?

I would rate the tool's pricing a one out of ten.

What other advice do I have?

Coverity's documentation is pretty straightforward and I would rate it a seven out of ten. The solution is cheap and provides us with a dedicated server.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

reviewer1649727 - PeerSpot reviewer
Sr. QA Engineer at a computer software company with 1-10 employees
Real User
Good tech support but it doesn't report errors like it should
Pros and Cons
  • "I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
  • "Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."

What is our primary use case?

We use Coverity for static analysis of our code.

What needs improvement?

Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code. So either we are perfect, or the tool is missing something.

For how long have I used the solution?

I've been using Coverity for a couple of years.

What do I think about the scalability of the solution?

I haven't had much experience trying to scale up Coverity. Only three people at our company work with it.

How are customer service and support?

I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be. They are on par with other tech support in terms of knowledge. However, their style of communication could use some improvement.

How was the initial setup?

Setting up Coverity is highly complex. The upgrade procedure is also pretty tough. We've had trouble with it on at least one occasion. When I went ahead with it, it destroyed the installation. I couldn't go back. So it's challenging to understand from the documentation. It seems like they tried to cover all possible topics in their manuals, so they ended up scratching the surface of everything in the world except for the particular practical items that I needed.

What's my experience with pricing, setup cost, and licensing?

Coverity is very expensive.

What other advice do I have?

I rate Coverity five out of 10, but it's tough for me to judge because we decided to purchase it based on one requirement that no other static analysis tool could satisfy. For that reason, we haven't tried anything else. So, let's make an analogy. Let's say I used Sony TVs my entire life, and someone comes up and says, "Hey, there is a new brand of TVs. What do you think of them? Do you think they are good?" How would I know? By comparison, SonarQube seems to be more feature-rich for a standard programming language, and it works with more continuous integration tools.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

reviewer1428837 - PeerSpot reviewer
Security Consultant at a tech services company with 11-50 employees
Consultant
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines
Pros and Cons
  • "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
  • "It should be easier to specify your own validation routines and sanitation routines."

What is our primary use case?

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional services are like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it is deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SAST tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

What is most valuable?

The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at.

What needs improvement?

It should be easier to specify your own validation routines and sanitation routines.

For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to log in, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database.

Well, what if I say my username is JavaScript calling alert hello. Now I've just entered JavaScript code as my username and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web.

Likewise, let's say you log in, and then it says, "Hello, such and such." You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify that a particular routine validates all of that, or this particular routine validates anytime we read data from a database, maybe an untrusted database.

So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator so to speak is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.

Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it.

The speed of Coverity can be improved, although that is true for any similar product.

What do I think about the stability of the solution?

It never crashed so stability has not been an issue.

What do I think about the scalability of the solution?

I have never used it for more than four relatively small to medium-sized projects at a time, so I've never needed to scale it.

How are customer service and technical support?

I have dealt with sales engineering, rather than technical support. They would sometimes provide a liaison to tech support if they didn't know the answer, but really, they guided us through the proof of concept and they knew that they were under a competitive evaluation against the other tools. They were able to resolve any issues that we came across and got us up and running fairly quickly, as far as I recall.

How was the initial setup?

Coverity is on the good side when it comes to setting it up. I think that it is pretty straightforward to get up and running.

What about the implementation team?

We implement Coverity on our own, with guidance from Coverity.

What's my experience with pricing, setup cost, and licensing?

The price is competitive with other solutions.

Which other solutions did I evaluate?

In addition to Coverity, I have experience with Checkmarx, Fortify, Veracode, and HCL AppScan, which was previously known as IBM AppScan.

Checkmarx is probably the most extensible and customizable of these products, and you're able to use the C# language to do so, which a lot of developers are familiar with.

HCL AppScan is another tool that has customization capabilities. They are not as powerful but they are easier to implement because you don't need to write any code.

I cannot give an endorsement for any particular one. They all have their merits and it just depends on the requirements. Generally, however, all of these tools are getting better.

What other advice do I have?

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their experience.

I would rate this solution a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

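The review above describes the feature the consultant wants from a static analyzer: a way to tell the tool that a particular routine sanitizes data for a particular sink, so that a flow from a web parameter through that routine into a SQL statement stops being reported, without resorting to a "universal" validator that hides edge cases. The following is an added illustration, not code from the review or from Coverity: a toy taint-flow checker with a sanitizer configuration. The flows, routine names (`sanitize_username`, `lookup_account`, `render_greeting`) and sink names are constructed for the demo; a real analyzer derives the flow from the program's data-flow graph rather than from a hand-written list.

```python
"""Toy taint-flow checker showing why a SAST tool needs configurable sanitizer
("validator") routines. Constructed example; not Coverity's engine or model."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One data path from an untrusted source, through routines, to a sink.

    A real analyzer would compute this path from the program; here it is
    written by hand (constructed sample data) to keep the demo self-contained.
    """
    source: str       # where the untrusted value enters, e.g. a GET parameter
    steps: list       # routines the value passes through, in order
    sink: str         # the dangerous operation that finally consumes the value
    sink_kind: str    # class of injection the sink is exposed to: "sql" or "html"


@dataclass
class SanitizerConfig:
    """Which routines the analyzer may trust to neutralise which sink kinds."""
    rules: dict = field(default_factory=dict)   # routine name -> set of sink kinds

    def register(self, routine: str, *kinds: str) -> None:
        """Trust `routine` for the listed sink kinds only (the precise option)."""
        self.rules.setdefault(routine, set()).update(kinds)

    def register_universal(self, routine: str) -> None:
        """Trust `routine` for every sink kind: the "God validator" the review warns about."""
        self.rules[routine] = {"*"}

    def neutralises(self, routine: str, kind: str) -> bool:
        kinds = self.rules.get(routine, set())
        return "*" in kinds or kind in kinds


def is_tainted_at_sink(flow: Flow, config: SanitizerConfig) -> bool:
    """Walk the flow; taint is cleared only by a routine trusted for this sink kind."""
    tainted = True
    for routine in flow.steps:
        if config.neutralises(routine, flow.sink_kind):
            tainted = False
    return tainted


def report(flows, config: SanitizerConfig) -> dict:
    """Map each sink to whether the analyzer would report a finding there."""
    return {flow.sink: is_tainted_at_sink(flow, config) for flow in flows}


# Constructed flows mirroring the review's scenario: a username from a GET
# parameter reaches a SQL statement, and the same value is later echoed
# back into the "Hello, <name>" page (an HTML sink).
LOGIN_FLOW = Flow("http.get_param('username')",
                  ["sanitize_username", "lookup_account"], "db.sql_exec", "sql")
GREETING_FLOW = Flow("http.get_param('username')",
                     ["sanitize_username", "render_greeting"], "http.write_html", "html")
FLOWS = [LOGIN_FLOW, GREETING_FLOW]


def findings_without_config() -> dict:
    """No sanitizer modelled: both flows are reported, the SQL one as a false positive."""
    return report(FLOWS, SanitizerConfig())


def findings_with_explicit_rule() -> dict:
    """sanitize_username trusted for SQL only: the SQL finding clears, the HTML one stays."""
    config = SanitizerConfig()
    config.register("sanitize_username", "sql")
    return report(FLOWS, config)


def findings_with_universal_rule() -> dict:
    """Universal trust clears both, silencing the HTML sink that was never validated for it."""
    config = SanitizerConfig()
    config.register_universal("sanitize_username")
    return report(FLOWS, config)


if __name__ == "__main__":
    for label, fn in (("no config", findings_without_config),
                      ("explicit rule", findings_with_explicit_rule),
                      ("universal rule", findings_with_universal_rule)):
        print(f"{label:15} -> {fn()}")
```

The explicit, per-sink-kind registration is what gives the reviewer's "validates it once / validates it for all occurrences" control without the blind spot: the same routine can be a correct sanitizer for a SQL sink and irrelevant for an HTML sink, and only a configuration that records the sink kind lets the tool keep the second finding.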
it_user1316571 - PeerSpot reviewer
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments
Pros and Cons
  • "Coverity is quite stable and we haven’t had any issues or any downtime."
  • "I would like to see integration with popular IDEs, such as Eclipse."

What is our primary use case?

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

What is most valuable?

The most valuable feature is the ability to find vulnerabilities in our code.

What needs improvement?

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

For how long have I used the solution?

I have been working with Coverity for about eight months.

What do I think about the stability of the solution?

Coverity is quite stable and we haven’t had any issues or any downtime.

What do I think about the scalability of the solution?

We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.

How are customer service and technical support?

The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.

Which solution did I use previously and why did I switch?

We did not use another solution before Coverity, although in my previous company, I used Veracode.

We also use SonarQube for code analysis.

Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.

SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.

SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

How was the initial setup?

We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure.

It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.

What about the implementation team?

I had assistance from the vendor, Synopsys, during the deployment.

What's my experience with pricing, setup cost, and licensing?

Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users.

I believe that pricing based on the number of lines of code is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.

What other advice do I have?

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys.

My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage.

The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues on to other security concerns, such as network scanning.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Project Manager at a manufacturing company with 11-50 employees
Real User
Top 5
A stable solution that has deep scanning capabilities
Pros and Cons
  • "The product has deeper scanning capabilities."
  • "The tool needs to improve its reporting."

What is most valuable?

The product has deeper scanning capabilities.

What needs improvement?

The tool needs to improve its reporting.

For how long have I used the solution?

I have been working with the product for one and a half years.

What do I think about the stability of the solution?

The product's stability is good.

What do I think about the scalability of the solution?

The product is scalable since it can integrate CI/CD tools. My company has 10 users for the product.

How are customer service and support?

The solution's support is fast.

How would you rate customer service and support?

Positive

How was the initial setup?

The solution's setup is easy.

What's my experience with pricing, setup cost, and licensing?

The tool's price is somewhere in the middle. It's neither cheap nor expensive. I would rate the pricing a five out of ten.

What other advice do I have?

I would rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Employee at a computer software company with 11-50 employees
Real User
A scalable and easy-to-use solution that can be easily deployed
Pros and Cons
  • "The product is easy to use."
  • "Sometimes it's a bit hard to figure out how to use the product’s UI."

What is our primary use case?

I use the solution for static analysis.

What is most valuable?

The product has good API documentation. I’m quite happy with it. The product is easy to use.

What needs improvement?

Sometimes it's a bit hard to figure out how to use the product’s UI.

For how long have I used the solution?

I have been using the solution for some years.

What do I think about the stability of the solution?

I have not faced any issues with the product’s stability.

What do I think about the scalability of the solution?

The solution is scalable. Four people in my organization use the solution.

How was the initial setup?

The initial setup is easy.

What other advice do I have?

I am using the latest version of the product. I have also used Clang Static Analyzer. People planning to use the solution should try the open-source version first to understand how it works. We must have the paid version of the product to get all the resources and documentation. Overall, I rate the product an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
