SonarQube: 90,271 views | 74,084 comparisons
Veracode: 63,090 views | 34,507 comparisons
Comparison Summary

Question: Which gives you more for your money - SonarQube or Veracode?

Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube.

Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate.

Conclusion

These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some, and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced.

Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
Find out what your peers are saying about SonarQube vs. Veracode and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

SonarQube:
"The stability is good."
"It is a good deal compared to all other tools on the market."
"The software quality gate streamlines the product's quality."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"It is a very good tool for analysis despite its limitations."
"SonarQube is designed well, making it easy to use, simple to identify issues and find solutions to problems."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"There's plenty of documentation available to users."

Veracode:
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"Good static analysis and dynamic analysis."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."
"It's comprehensive from a feature standpoint."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."

Cons

SonarQube:
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"The pricing could be reduced a bit. It's a little expensive."
"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
"The documentation is not clear and it needs to be updated."
"The security in SonarQube could be better."
"There are sometimes security breaches in our code, which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface."
"There needs to be a shareable reporting piece or something we can click and generate easily."

Veracode:
"The pricing for qualified startups such as Neo4j could be improved."
"The product has issues with scanning."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications, not for the C/C++ applications."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"We tried to create an automatic scanning process for Veracode and integrate it into our build process, but it was easier to adapt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to manage our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

Pricing and Cost Advice

SonarQube:
"It is very expensive. Its price should be improved."
"The solution has a free version and a license version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution."
"We are using the open-source version, which is available free of cost."
"We use the free version; there are no hidden costs or licensing required."
"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
"This solution is free."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"I requested this license for one million lines of code and they accepted this."

Veracode:
"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"Veracode's price is high. I would like them to better optimize their pricing."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"The pricing is really fair compared to a lot of other tools on the market."
"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."

Answers from the Community
Netanya Carmi
reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

We have used SonarQube quite a lot and it is great to check code quality and security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities.


Veracode is mostly in the space of security testing and among the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge.


Depending on your use cases, you will need both of these areas to be covered through these or other tools.

Curtis Yanko (Shiftleft)
Vendor

Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?

reviewer1411233 (Security consultant at a tech services company with 1,001-5,000 employees)
Real User

Both products in the industry are used for slightly different purposes. If you are after the code, then SonarQube; if you are after security, then Veracode.

Mauro Verderosa
Real User

They are mainly two different products. 


If your goal is to set the quality on code then SonarQube is your answer. 


On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.

Akash Singh Singh
User

Klocwork

Questions from the Community
Top Answer: I am not very familiar with SonarQube and their solutions, so I cannot answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look…
Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use…
Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing…
Top Answer: The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to…
Top Answer: Veracode is very, very expensive, one of the most expensive security scanning tools available. We pay an annual license fee that is over $1 million.
Top Answer: Because we're so early in our implementation, we have had minimal feedback in terms of room for improvement. We have seen some minor things within the interface itself that we would love to see some…
Ranking

SonarQube: 1st
Views: 90,271
Comparisons: 74,084
Reviews: 41
Average Words per Review: 461
Rating: 7.8

Veracode: 2nd
Views: 63,090
Comparisons: 34,507
Reviews: 22
Average Words per Review: 1,204
Rating: 8.0
Also Known As
SonarQube: Sonar
Overview

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.


Sample Customers
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Veracode: State of Missouri, Rekner
Top Industries

SonarQube reviewers: Computer Software Company 24%, Financial Services Firm 20%, Comms Service Provider 10%, Insurance Company 8%
SonarQube visitors reading reviews: Computer Software Company 28%, Comms Service Provider 17%, Financial Services Firm 12%, Manufacturing Company 7%
Veracode reviewers: Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
Veracode visitors reading reviews: Computer Software Company 30%, Comms Service Provider 16%, Financial Services Firm 10%, Manufacturing Company 6%

Company Size

SonarQube reviewers: Small Business 28%, Midsize Enterprise 18%, Large Enterprise 53%
SonarQube visitors reading reviews: Small Business 29%, Midsize Enterprise 19%, Large Enterprise 52%
Veracode reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Veracode visitors reading reviews: Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%

SonarQube is ranked 1st in Application Security with 46 reviews while Veracode is ranked 2nd in Application Security with 24 reviews. SonarQube is rated 8.0, while Veracode is rated 8.2. The top reviewer of SonarQube writes "This is a very capable analysis tool for development projects but the free version has limitations". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and WhiteSource, whereas Veracode is most compared with Checkmarx, Micro Focus Fortify on Demand, Coverity, OWASP Zap and HCL AppScan. See our SonarQube vs. Veracode report.


We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.