Veracode and SonarQube Cloud are prominent players in code security analysis. Veracode stands out for its comprehensive feature offerings, making it better suited for larger enterprises, whereas SonarQube Cloud is often lauded for ease of navigation and affordability, appealing to smaller organizations.
Features: Veracode offers detailed static and dynamic analysis, integration with various development tools, and extensive vulnerability management across multiple languages. It excels in providing advanced analytics and managing false positives. In contrast, SonarQube Cloud provides continuous code quality analysis, integrating seamlessly with CI/CD pipelines, with a user-friendly interface that efficiently detects vulnerabilities, though it's somewhat limited in dynamic analysis capabilities.
Room for Improvement: Veracode could benefit from greater integration flexibility, better dynamic scanning, and enhanced reporting comprehensiveness. Meanwhile, SonarQube Cloud could expand its dynamic analysis capabilities while offering more customizable reporting and security alerts.
Ease of Deployment and Customer Service: Veracode supports deployment in Private, Public, and Hybrid Cloud environments, with commendable customer service expertise despite some noted response delays. Conversely, SonarQube Cloud focuses on Public Cloud deployment with generally high-rated technical support, although documentation clarity and feature integration can be improved.
Pricing and ROI: Veracode's premium pricing reflects its extensive features and robust support, favored by larger enterprises seeking thorough security solutions. On the other hand, SonarQube Cloud is recognized for its competitive pricing and simplicity, particularly beneficial for startups and SMEs, despite lacking some advanced security features available in Veracode.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
The product is designed for bigger clients, while smaller companies are often put aside.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
Access to the engineering team is crucial for faster feedback on the product fix process.
I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material.
They share detailed information via email, including screenshots or further clarification about the issue.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
SonarQube Cloud is a scalable product, and I rate its scalability at seven out of ten.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.
From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies.
We used the open-source version of SonarQube Cloud for its minimum features and did not license its extensive capabilities.
It's not the most expensive solution.
Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.
If there's a security gap, you'll never know the cost or effect.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It gives precise reports compared to Coverity and has a slightly lower number of false positives.
I use SonarQube Cloud (formerly SonarCloud) to check the quality of developer code and identify vulnerabilities.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
| Product | Market Share (%) |
|---|---|
| Veracode | 6.9% |
| SonarQube Cloud (formerly SonarCloud) | 4.2% |
| Other | 88.9% |
| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 3 |
| Large Enterprise | 4 |
| Company Size | Count |
|---|---|
| Small Business | 69 |
| Midsize Enterprise | 43 |
| Large Enterprise | 112 |
SonarQube Cloud offers static code analysis and application security testing, seamlessly integrating into CI/CD pipelines. It's a vital tool for identifying vulnerabilities and ensuring code quality before deployment.
SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing critical feedback at the pull request level. It's designed to help organizations maintain clean code by acting as a quality gate. This service supports development methodologies including sprints and Kanban for ongoing vulnerability management. While appreciated for its dashboard and integration capabilities, some users find initial setup challenging and note the need for enhanced documentation. The recent addition of mono reports and microservices support offers deeper insights into security and code quality, though container testing limitations and false positives are noted drawbacks. Manual intervention is sometimes required to address detailed reporting, with external tools being necessary for comprehensive analysis. Notifications for larger teams during serious issues and streamlined integration of new features are also areas of improvement.
What are the key features of SonarQube Cloud?In specific industries, SonarQube Cloud finds application in finance and healthcare where code integrity and security are paramount. It allows teams to identify critical vulnerabilities early and ensures that software development aligns with industry regulations and standards. By continuously analyzing code, it aids organizations in deploying secure and reliable applications, fostering trust and compliance.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.
What are the key features of Veracode?
What benefits should users consider in Veracode reviews?
Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.
Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
