Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
  • 7
  • 224

Which gives you more for your money - SonarQube or Veracode?

Why is one better than the other?

PeerSpot user
6 Answers
Top 5
Nov 15, 2021

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements.

There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube.

Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us.

It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate.


These are two great solutions, each with a slightly different focus.

SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced.

Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.

Product comparison that may be of interest to you
Vishal-Goyal - PeerSpot reviewer
Chief Architect at Peristent Systems
Real User
Top 5Leaderboard
Sep 7, 2021

We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.

Veracode is mostly in space of security testing and amongst the leader in this space. It's a commercial product and has no community edition, to the best of my knowledge. 

Depending on your use cases, you will need both of these areas to be covered through these or other tools.

Curtis Yanko - PeerSpot reviewer
DevSecOps Evangelist & Coach at Shiftleft
Top 5
Oct 7, 2021

Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

Security consultant at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Oct 5, 2021

Both products in the industry are practiced slightly for different purposes. If you are after the code then SonarQube and if you are after the security then Veracode.

Mauro Verderosa - PeerSpot reviewer
Cybersecurity Expert at PSYND
Real User
Sep 6, 2021

They are mainly two different products. 

If your goal is to set the quality on code then SonarQube is your answer. 

On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

Senior Product Specialist at a tech services company with 51-200 employees
Real User
Top 10Leaderboard
Sep 6, 2021


Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Sep 7, 2021

@Akash Singh Singh can you please explain why do you recommend a different product? What are its advantages?

PeerSpot user
Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: October 2022.
653,522 professionals have used our research since 2012.
Related Questions
Meri Harutyunyan - PeerSpot reviewer
DevSecOps Engineer at a financial services firm with 1,001-5,000 employees
Nov 1, 2022
Hello community,  After the first full scan with Veracode SAST, when the programmer changes something in the code, does he scan the code again completely or only the changes? Thank you.
Vishal-Goyal - PeerSpot reviewer
Chief Architect at Peristent Systems
Aug 12, 2022
Dear experts, I wanted to check with those who have experience in using both SonarQube Community Edition and SonarQube Enterprise Edition. What real advantages do you see in spending money to procure an enterprise license vs using community edition which is free? I'm aware enterprise provides better programming languages coverage, strong reporting and more rules. But I wanted to hear feedbac...
See 1 answer
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Aug 12, 2022
Decoration of pull requests is pretty cool.
Download Free Report
Download our FREE report comparing SonarQube and Veracode based on reviews, features, and more! Updated: October 2022.
653,522 professionals have used our research since 2012.