Veracode Reviews

Name: Veracode
Brand: Veracode
Rating: 4.1 (201 reviews)

4.1 out of 5

201 reviews
90% willing to recommend

What is Veracode?

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Get the Veracode Buyer's Guide and find out what your peers are saying about Veracode, SonarQube Server (formerly SonarQube), Wiz and more!

Veracode is the #1 ranked solution in top Static Code Analysis solutions, #2 ranked solution in application security solutions, #2 ranked solution in AST tools, #2 ranked solution in top Application Security Posture Management (ASPM) solutions, #3 ranked solution in top Software Composition Analysis (SCA) solutions, and #8 ranked solution in Container Security Solutions. PeerSpot users give Veracode an average rating of 8.2 out of 10. Veracode is most commonly compared to SonarQube Server (formerly SonarQube): Veracode vs SonarQube Server (formerly SonarQube). Veracode is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 16% of all views.

Helped 861,034 peers since 2012

Featured Veracode reviews

Sajal Sharma

Test Analyst - Security at Net solutions India Pvt.

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Read full review

reviewer2703864

Head of Security Architecture at a healthcare company with 5,001-10,000 employees

One of the aspects I appreciate most about Veracode is that even though we have a license for developers, we don't get charged by the users who don't develop code but are only trying to access the platform to see the reports or the dashboard, such as architects who do some code reviews but don't develop. That's a nice feature that doesn't happen on other platforms that we analyzed. Another feature that we appreciate significantly is Veracode Fix and how it's integrated with Visual Studio Code. Even though it has some room for improvement, the key usage for us is to be able to solve everything. The developers also learn how and why they have to solve the security vulnerabilities detected. At the same time, they are developing the feature. Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great.

Read full review

Brintha Prabakar

Lead Automation Quality Engineer in Leading UK Bank at Tata Consultancy

Veracode helped with policy compliance. We have proposed Veracode for SAST to our stakeholder in the banking plarform. They have specific security policies that the code needs to accommodate. We have two sets of policies defined: one is the default policy in Veracode, and the other is provided by stakeholders from the chief security team, who have imported policies relevant to the banking platform. The default policy is not sufficient to ensure the code is secure, so stakeholders provided more security policies relevant to their domain and the platform. Our actual application code was a CAT-A application, meaning it had to pass SAST and DAST testing for deployment into production. This was a mandatory check from our perspective to get the code deployed into production. We have internal strategies to implement Veracode in different phases of our application deployment. Before going into production, we do SAST testing in lower environments and then one round of testing in higher environments based on bug-fixing code. We are cautious about deploying directly into production after completing security testing in Veracode because we continually receive bug-fixing code from different applications. So, we defined our strategy this way. Veracode provided visibility into application status at every phase of development, including static analysis, dynamic analysis, composition, and penetration. Most of the fixes relate to password encryption or some kind of SQL injections. If there are any security flaws verified against the policies defined by our stakeholders, as well as Veracode's, and if they pose a potential risk of breaches, Veracode provides excellent recommendations for fixing those security flaws. This detail helps us address the issues efficiently, as it specifies where fixes need to be applied and the implications of ignoring them. The options for developers to provide false positive comments or justification through Jira tickets if a fix cannot be implemented for a particular release are also very useful. These features in Veracode significantly aid developers in addressing security flaws in the code. Because scanning takes a long time for uploading any kind of large application code, I would estimate we saved around 30% to 40%. After implementing our strategy for SAST within our platform, we started doing SAST scanning in Veracode for every sprint. This frequency is crucial because, without Veracode, it could be very difficult to implement such a strategy in the earliest stages of application development. Veracode had a positive impact on our security posture.

Read full review

Veracode mindshare

Product category:

As of July 2025, the mindshare of Veracode in the Application Security Tools category stands at 9.0%, down from 10.7% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Application Security Tools

PeerResearch reports based on Veracode reviews

Type	Title	Date
Category	Application Security Tools	Jul 9, 2025	Download
Product	Reviews, tips, and advice from real users	Jul 9, 2025	Download
Comparison	Veracode vs SonarQube Server (formerly SonarQube)	Jul 9, 2025	Download
Comparison	Veracode vs Checkmarx One	Jul 9, 2025	Download
Comparison	Veracode vs GitHub Advanced Security	Jul 9, 2025	Download

Title	Rating	Mindshare	Recommending
SonarQube Server (formerly SonarQube)	4.0	22.7%	81%	116 interviews Add to research
Wiz	4.5	N/A	95%	22 interviews Add to research

Valuable Features

Veracode's most valuable features include robust static and dynamic code analysis, integration with development tools, comprehensive vulnerability management, and automated remediation guidance. Its cloud-based platform offers scalability, ease of use, and integration with CI/CD pipelines, significantly reducing false positives and enhancing the efficiency of identifying and fixing security flaws. The platform supports multiple programming languages, provides real-time feedback, and ensures compliance with industry standards, enabling proactive secure coding throughout the software development lifecycle.

"The integrated IDE tool enables users to get instant feedback in real-time on the code itself, rather than waiting for it to go through the CI/CD pipeline and get the result."
"Veracode has impacted our overall security posture because we are from a security background."
"Veracode has impacted our overall security posture because we are from a security background. Every week, we review the dashboards of open findings."

Room for Improvement

Many find Veracode's user interface challenging and outdated. False positives occur frequently and complicate the process. Issues with scanning speed and support for certain programming languages frustrate users. API integration needs enhancement for seamless workflow. Users desire improved reporting with better analytics. Price is viewed as steep, limiting accessibility for smaller organizations. Integration with development tools and repositories is insufficient, creating workflow interruptions. Better code scanning accuracy and support for new languages are requested.

"Veracode needs to shift to a more modern approach because it still feels traditional in its way of doing code scanning compared with others, such as Snyk."
"The scanning process could be more streamlined as it has certain limitations when performing manual scans. It has some checks when the content is in ZIP format or other formats, which takes two or three more steps than Fortify does."
"The scanning process could be more streamlined as it has certain limitations when performing manual scans."

ROI

Veracode's ROI is reflected in advanced security, time savings, and reduced application security costs. It aids early error detection, improving code quality and boosting customer trust. Many users report increased retention rates and compliance efficiency. Automated scanning reduces development hours and vulnerability risks. Though specific monetary ROI is often unquantified, improved operational efficiency, reduced manual processes, and enhanced organizational security presence demonstrate significant value. Many have seen substantial returns, citing a reduction in resource usage and increased customer satisfaction.

Pricing

Veracode is recognized for its robust security capabilities but comes with a higher price tag, suitable primarily for large enterprises rather than small to medium businesses due to its complexity and cost. Users highlight its flexible licensing model, allowing for adaptation to specific organizational needs, though many find it costly. Some appreciate its value for comprehensive coverage, while others note potential costs beyond the initial licensing, such as implementation and support. Negotiations often help in securing better pricing terms.

"The pricing is reasonable compared to other tools."
"I have not examined Veracode's pricing in detail, but from an industry perspective, I see that there is a tendency toward Veracode, which suggests competitive pricing."
"Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode."

Popular Use Cases

Veracode is primarily used for application security, focusing on static and dynamic analysis, software composition analysis, and manual penetration tests. Organizations employ it for security scanning, application security testing, vulnerability detection, and ensuring compliance. The platform supports integrating these processes into CI/CD pipelines, aiding in identifying vulnerabilities, ensuring code security, and providing secure software development practices across diverse languages and industries.

Service and Support

Veracode's customer service and support are praised for their responsiveness and expertise. Technical support often responds within 24 hours, although some users experience longer wait times. The team is knowledgeable, quick to assist with consultations, and provides thorough analysis. While some users report slow response times, others note the effectiveness of escalation processes. Veracode's support team is viewed positively for resolving issues and providing valuable guidance to development teams.

Deployment

Veracode's initial setup is generally straightforward, benefitting from cloud-based deployment and strong documentation. While many find it easy, those lacking technical expertise may experience complexity, especially with integrations like CI/CD pipelines. Role-based access, single sign-on, and APIs are commonly utilized. Expert guidance enhances the process, and while deployment often requires minimal maintenance, some users report challenges with specific applications or environments. Most appreciate minimal setup time and ongoing support.

Scalability

Veracode's scalability receives positive feedback, with many users noting it scales effectively and handles diverse applications. Users appreciate its cloud-based operation, enabling rapid expansion across various company sizes. Some mention occasional licensing limitations that required adjustments. A small number report performance slowdowns with high workloads, but most find it seamlessly scalable. Several users highlight its ability to manage extensive codebases and effortlessly integrate with varied development processes, signifying robust scaling capabilities.

Stability

Veracode is recognized for its strong stability, with users rarely experiencing downtime or unplanned outages. While early versions faced issues, the adoption of Agile CI/CD has enhanced reliability. Most feedback highlights its dependability, though occasional scan interruptions or slower processes are noted. Maintenance activities are communicated promptly, preventing disruptions. Some users experienced false positives, impacting their perception. Overall, Veracode's stability earns high ratings, but there's room for slight improvements.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Veracode Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

16%

Financial Services Firm

16%

Manufacturing Company

Insurance Company

Government

Healthcare Company

Comms Service Provider

Retailer

Educational Organization

University

Media Company

Energy/Utilities Company

Construction Company

Real Estate/Law Firm

Non Profit

Performing Arts

Transportation Company

Legal Firm

Wholesaler/Distributor

Logistics Company

Outsourcing Company

Consumer Goods Company

Hospitality Company

Recreational Facilities/Services Company

Pharma/Biotech Company

Aerospace/Defense Firm

Compare Veracode with alternative products

Learn more about Veracode

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode was previously known as Crashtest Security , Veracode Detect.

Veracode customers

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.