Trivy vs Veracode comparison

 

Comparison Buyer's Guide

 

Categories and Ranking

Trivy
Ranking in Container Security: 4th
Average Rating: 8.6
Reviews Sentiment: 7.5
Number of Reviews: 12
Ranking in other categories: No ranking in other categories

Veracode
Ranking in Container Security: 8th
Average Rating: 8.0
Reviews Sentiment: 6.9
Number of Reviews: 208
Ranking in other categories: Application Security Tools (3rd), Static Application Security Testing (SAST) (2nd), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Dynamic Application Security Testing (DAST) (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of March 2026, in the Container Security category, Trivy's mindshare is 4.5%, down from 4.7% the previous year. Veracode's mindshare is 2.8%, down from 4.2% the previous year. Mindshare is calculated from PeerSpot user engagement data.
Container Security Mindshare Distribution
Product | Mindshare (%)
Trivy | 4.5%
Veracode | 2.8%
Other | 92.7%
 

Featured Reviews

ST
Software Engineer at a tech vendor with 10,001+ employees
Consistently maintains vulnerability-free images and integrates effectively with builds
Trivy is very reliable and always has an up-to-date database to scan images and identify vulnerabilities. I integrated it with Jenkins jobs, so every time we run a build, if there is a high, critical, or medium vulnerability, the build is set to fail. This ensures that somebody resolves the issues before the code progresses. This approach helps keep every image in every project we work on vulnerability-free.
reviewer2703864 - PeerSpot reviewer
Head of Security Architecture at a healthcare company with 5,001-10,000 employees
Onboarding developers successfully while improving code security through IDE integration
Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"I definitely recommend Trivy."
"Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images."
"What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration."
"I can see vulnerabilities in the images of any applications deployed in the Kubernetes environment or as container applications."
"Overall, I would rate Trivy a ten out of ten."
"The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma."
"The most valuable feature of Trivy is its easy integration with the CI/CD pipeline."
"Trivy is very reliable and always has an up-to-date database to scan images and identify vulnerabilities."
"Static Scanning is the most valuable feature of Veracode."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"We use Veracode static analysis during development to eliminate vulnerability issues"
"Static code scanning is the most valuable feature."
"It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results."
"It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
"Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great."
"The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""
 

Cons

"One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example."
"Trivy generates many false positives, flagging non-existent vulnerabilities."
"Trivy is not scalable; however, I have scanned very large projects with it. It is stable but not scalable according to my experience."
"The main area for improvement is in differentiating between OS and application-based vulnerabilities."
"The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting."
"Trivy generates many false positives, flagging non-existent vulnerabilities. Improvements could include better contextual analysis or granular filtering."
"Trivy can improve by providing an output in PDF format. Additionally, it takes longer to scan container images built with many layers."
"Having little experience can hinder the ability to connect it to a user-friendly UI effectively."
"The current version of the application does not support testing for API."
"I would like to see expanded coverage for supporting more platforms, frameworks, and languages."
"I have contacted the technical support and customer support. With Veracode's technical support, for some issues, it has been really difficult for them to understand the problem, and they ask us to do some tests we've already told them we completed in the first ticket."
"A nice addition would be if it could be extended for scenarios with custom cleansers."
"We connected with Veracode's support a couple of times, and we got a different answer each time."
"The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives."
"It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback."
"There were some additional manual steps or work involved that we should not have needed to do."
 

Pricing and Cost Advice

Information not available
"The Veracode price model is based on application profiles, which is how you package your components for scanning."
"The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
"The pricing is a bit high."
"Veracode's pricing is on the higher end, but it is acceptable."
"Veracode is a very expensive product."
"The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was."
"For our company, the price is reasonable for the benefits that we get."
"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"
884,873 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm | 13%
Manufacturing Company | 11%
Computer Software Company | 11%
Government | 8%

Financial Services Firm | 16%
Computer Software Company | 12%
Manufacturing Company | 11%
Government | 6%
 

Company Size

By reviewers
Company Size | Count
Small Business | 3
Midsize Enterprise | 1
Large Enterprise | 9

By reviewers
Company Size | Count
Small Business | 69
Midsize Enterprise | 45
Large Enterprise | 114
 

Questions from the Community

What needs improvement with Trivy?
Trivy's marketing and awareness need improvement. Not everyone knows about it, which isn't ideal given its capabilities. There's potential to integrate AI and machine learning for enhanced function...
What is your primary use case for Trivy?
I use Trivy to scan code for vulnerabilities before deployment. Our projects, which are developed by different developers, involve various dependencies and third-party c...
What advice do you have for others considering Trivy?
I recommend Trivy to others due to its powerful and useful features. However, I suggest increasing its marketing to raise awareness. I rate Trivy an eight out of ten.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities.
What is your experience regarding pricing and costs for Veracode Static Analysis?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
 

Also Known As

No data available
Crashtest Security, Veracode Detect
 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Trivy vs. Veracode and other solutions. Updated: March 2026.