Try our new research platform with insights from 80,000+ expert users

SonarQube Server (formerly SonarQube) vs Veracode comparison

Sonar and Veracode are both solutions in the Application Security Tools category. Sonar is ranked #1 with an average rating of 8.2, while Veracode is ranked #2 with an average rating of 8.1. Sonar holds a 26.7% mindshare in AS, compared to Veracode’s 10.4% mindshare. Additionally, 81% of Sonar users are willing to recommend the solution, compared to 90% of Veracode users who would recommend it.
SonarQube Server (formerly ...
Read 113 SonarQube Server (formerly SonarQube) reviews
  • 43,481 Views
  • 35,347 Comparison Views
81% willing to recommend
Veracode
Read 197 Veracode reviews
  • 20,804 Views
  • 14,313 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 30, 2024

Veracode and SonarQube both compete in the application security and code quality market. Veracode holds an upper hand in comprehensive security measures and direct integration into the development process, while SonarQube excels in code quality management with a strong open-source community.

Features: Veracode offers comprehensive static and dynamic scanning capabilities with strong integration into development environments, alongside providing detailed remediation advice and support for various languages. SonarQube provides extensive support for a wide range of languages, focusing on customizable code quality management with both community and paid plugins available.

Room for Improvement: Veracode needs to lower false positives and enhance integration with third-party tools and newer languages. Its user interface and customer support during integrations can also be improved. SonarQube could expand support for dynamic analysis and strengthen its security scanning, along with refining its interface and customization options for better usability.

Ease of Deployment and Customer Service: Veracode is noted for strong customer support and extensive consultation offerings, though its complex licensing model can be a barrier. It suits large enterprises able to leverage its premium features. SonarQube offers cost-effective open-source options, with private cloud and on-premises deployment and community-driven support, although professional support can be costly.

Pricing and ROI: Veracode is known for its high cost, matching its expansive features and premium support, leading to a strong ROI for large organizations. SonarQube, however, provides a free community edition with optional paid features, presenting a cost-effective solution for businesses of all sizes, enhancing ROI through improved code quality and early defect detection.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed SonarQube Server (formerly SonarQube) vs. Veracode Report (Updated: October 2024).
Buyer's Guide
SonarQube Server (formerly SonarQube) vs. Veracode
October 2024
Download the complete report
Helped 814,528 peers since 2012
 

Categories and Ranking

SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Number of Reviews
113
Ranking in other categories
Software Development Analytics (1st)
Veracode
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
8.2
Number of Reviews
197
Ranking in other categories
Container Security (4th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of November 2024, in the Application Security Tools category, the mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 27.7% compared to the previous year. The mindshare of Veracode is 10.4%, down from 11.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

NC
Nov 15, 2021
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube. Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate. Conclusion These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced. Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
See all answers
 

Featured Reviews

Wang Dayong - PeerSpot reviewer
May 10, 2023
Easy to integrate and has a plug-in that supports both C and C++ languages
We use the product to review our software codes. We have integrated the product to review our new delivery code When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the…
Read full review
Sajal Sharma - PeerSpot reviewer
Aug 6, 2024
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It is a very good tool for analysis despite its limitations."
"If code coverage is a low number then that's of great value to me."
"SonarQube is admin friendly."
"The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
"We have worked with the support from SonarQube and we have had good experiences."
"The static code analysis is very good."
"We consider it a handy tool that helps to resolve our issues immediately."
"It provides the security that is required from a solution for financial businesses."
More SonarQube Server (formerly SonarQube) pros
"Informs me of code security vulnerabilities. Bamboo build automation with Veracode API calls are used.​"
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"Static Scanning is the most valuable feature of Veracode."
"The analysis of the vulnerabilities and the results are the most valuable features."
"It gives feedback to developers on the effectiveness of their secure coding practices."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."
More Veracode pros
 

Cons

"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"Ease of use/interface."
"Monitoring is a feature that can be improved in the next version."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"There are limitations to the free version that limit development options as far as languages."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
More SonarQube Server (formerly SonarQube) cons
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal."
"On-premise implementation is not available."
"One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users."
"The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
More Veracode cons
 

Pricing and Cost Advice

"SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"This is open source."
"The free version of SonarQube does everything that we need it to."
"The price of the solution could be reduced."
"I was using the Community Edition, which is available free of charge."
"This product is open source and very convenient."
More SonarQube Server (formerly SonarQube) pricing and cost advice
"Users in some forums mentioned that pricing for this solution can be quite high."
"The pricing is really fair compared to a lot of other tools on the market."
"There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."
"For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it."
"The price of Veracode Static Analysis is on the higher side."
"Veracode provides value for the cost, with no additional charges apart from the standard licensing fee."
"The pricing is pretty high."
"No issues, the pricing seems reasonable."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
814,528 professionals have used our research since 2012.
 

Answers from the Community

NC
Nov 15, 2021
Nov 15, 2021
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality...
2 out of 6 answers
AS
Sep 6, 2021
Klocwork
Read full answer
MV
Sep 6, 2021
They are mainly two different products.  If your goal is to set the quality on code then SonarQube is your answer.  On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Read full answer
See all 6 answers
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
Financial Services Firm
18%
Computer Software Company
16%
Manufacturing Company
8%
Government
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
See all answers
What needs improvement with Veracode?
Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.
See all answers
 

Comparisons

Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 17% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube) Logo
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 9% of the time
Snyk vs SonarQube Server (formerly SonarQube) Logo
Snyk vs SonarQube Server (formerly SonarQube)
Compared 5% of the time
More SonarQube Server (formerly SonarQube) Competitors
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 13% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 7% of the time
Snyk vs Veracode Logo
Snyk vs Veracode
Compared 5% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 5% of the time
SonarQube Cloud (formerly SonarCloud) vs Veracode Logo
SonarQube Cloud (formerly SonarCloud) vs Veracode
Compared 4% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
Buyer's Guide
Veracode
October 2024
Veracode reportDownload Veracode product report
 

Also Known As

Sonar
Crashtest Security , Veracode Detect
 

Learn More

Sonar
Veracode
 

Interactive Demo

Sonar
Demo not available
Veracode
 

Overview

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
SonarQube Server (formerly SonarQube) vs. Veracode
October 2024
Free Report: SonarQube Server (formerly SonarQube) vs. Veracode
Find out what your peers are saying about SonarQube Server (formerly SonarQube) vs. Veracode and other solutions. Updated: October 2024.
DOWNLOAD NOW
814,528 professionals have used our research since 2012.
See our SonarQube Server (formerly SonarQube) vs. Veracode report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.