Try our new research platform with insights from 80,000+ expert users

SonarQube Server (formerly SonarQube) vs Veracode comparison

Sonar and Veracode are both solutions in the Application Security Tools category. Sonar is ranked #1 with an average rating of 8.2, while Veracode is ranked #2 with an average rating of 8.1. Sonar holds a 26.4% mindshare in AS, compared to Veracode’s 10.4% mindshare. Additionally, 81% of Sonar users are willing to recommend the solution, compared to 90% of Veracode users who would recommend it.
SonarQube Server (formerly ...
Read 113 SonarQube Server (formerly SonarQube) reviews
  • 38,620 Views
  • 31,543 Comparison Views
81% willing to recommend
Veracode
Read 195 Veracode reviews
  • 18,064 Views
  • 12,646 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 30, 2024

Veracode and SonarQube both compete in the application security and code quality market. Veracode holds an upper hand in comprehensive security measures and direct integration into the development process, while SonarQube excels in code quality management with a strong open-source community.

Features: Veracode offers comprehensive static and dynamic scanning capabilities with strong integration into development environments, alongside providing detailed remediation advice and support for various languages. SonarQube provides extensive support for a wide range of languages, focusing on customizable code quality management with both community and paid plugins available.

Room for Improvement: Veracode needs to lower false positives and enhance integration with third-party tools and newer languages. Its user interface and customer support during integrations can also be improved. SonarQube could expand support for dynamic analysis and strengthen its security scanning, along with refining its interface and customization options for better usability.

Ease of Deployment and Customer Service: Veracode is noted for strong customer support and extensive consultation offerings, though its complex licensing model can be a barrier. It suits large enterprises able to leverage its premium features. SonarQube offers cost-effective open-source options, with private cloud and on-premises deployment and community-driven support, although professional support can be costly.

Pricing and ROI: Veracode is known for its high cost, matching its expansive features and premium support, leading to a strong ROI for large organizations. SonarQube, however, provides a free community edition with optional paid features, presenting a cost-effective solution for businesses of all sizes, enhancing ROI through improved code quality and early defect detection.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed SonarQube Server (formerly SonarQube) vs. Veracode Report (Updated: January 2025).
Buyer's Guide
SonarQube Server (formerly SonarQube) vs. Veracode
January 2025
Download the complete report
Helped 830,726 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.5
Number of Reviews
113
Ranking in other categories
Software Development Analytics (1st)
Veracode
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
195
Ranking in other categories
Container Security (5th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of January 2025, in the Application Security Tools category, the mindshare of SonarQube Server (formerly SonarQube) is 26.4%, down from 27.4% compared to the previous year. The mindshare of Veracode is 10.4%, down from 11.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

NC
Nov 15, 2021
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from SonarQube. Using Veracode, on the other hand, we have never had a problem with vulnerable code going into production. We like the visibility of application status across all testing types which Veracode presents in a single dashboard. Even if you are running different types of scans, you have everything in one place, which is very convenient. Veracode helps us keep a high-security standard, which is very important to us. It would really improve Veracode if the mitigation process was somehow added to the dashboard or made more streamlined. Currently, one has to go back and forth between one or more screens and it makes it a bit complicated. Regarding the pipeline scan, we found Veracode can be very fast with Java-based applications but slow with other applications. It would be helpful if the scan completion and scan progress would improve - the time estimates are not always accurate. Conclusion These are two great solutions, each with a slightly different focus. SonarQube has a solid focus on code quality. It offers a very good free version. The SonarQube free version covers 10-15 languages, which can be very limiting for some and there are also some limitations with support. The integration is there, but you do not get full integration with the free version. Overall, the SonarQube free version is a very good option for small businesses. SonarQube does offer an Enterprise license that is very competitively priced. Veracode's main focus is security. It is more closely related to an application security scanning solution. There is no free version and it is considered an expensive solution when comparing price with other similar solutions. However, Veracode offers many features and applications that other solutions do not. One favorite is scanning for compliance; we have some situations where we need to consistently scan code for security to satisfy different compliance regulations. Veracode helps us do that.
See all answers
 

Featured Reviews

Chetan Jayatheertha - PeerSpot reviewer
Has a great quality gate feature and improves the code coverage in your core base
We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.
Read full review
Reyansh Kumar - PeerSpot reviewer
Provides detailed analysis and reports of code vulnerabilities throughout the SDLC
The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed. Veracode is excellent at preventing vulnerable code from going into production; the scans are speedy and give us a detailed analysis of our code. We use the Software Bill of Materials feature; it's essential and advantageous. We can't do a bill of materials manually, so it's excellent that Veracode provides this. SBOM helps us manage our risks, as every company has software that needs to be run appropriately throughout the user and client base. It's necessary to have a security audit or security compliance in such applications, and Veracode enables this functionality so we can easily identify security flaws and take measurable action. Creating a report using the SBOM feature is straightforward, and it's important to our organization because it provides a return on our investment. Previously, we sometimes required a third-party resource to create reports, but with Veracode, it's easier to take care of that on our end. The solution's policy reporting allows us to set our standards, group policies, and regulations, so ensuring code compliance is part of its analysis. Veracode notifies us if any flaws are detected, allowing us to take action to correct them. The solution provides visibility into application status at every development phase throughout the SDLC; we can use Veracode during the development, design, testing, and implementation phases. We can easily analyze our code before commencing large production deployments and fix any issues.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"SonarQube is good for checking and maintaining code quality."
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
"It is a very good tool for analysis and security vulnerability checking."
"The static code analysis is very good."
"SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
More SonarQube Server (formerly SonarQube) pros
"I like the way the flaws are reported in the system."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier."
"Allows us to track the remediation and handling of identified vulnerabilities."
"I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
"Vericode's policy reporting for ensuring compliance with industry standards and regulations is great. I"
"Veracode provides faster scans compared to other static analysis security testing tools."
"The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy."
More Veracode pros
 

Cons

"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"I am not very pleased with the technical debt computation."
"There could be better integration with other products."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
More SonarQube Server (formerly SonarQube) cons
"Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern."
"The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."
"Veracode should include the feature to run multiple scales at a time."
"I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."
"There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking."
"Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."
"Security can always be improved."
"It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
More Veracode cons
 

Pricing and Cost Advice

"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"The price point on SonarQube is good."
"We are using the open-source version, which is available free of cost."
"I requested this license for one million lines of code and they accepted this."
"There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license."
"Can try developer version for 14 days on the free trial."
"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
More SonarQube Server (formerly SonarQube) pricing and cost advice
"The product’s price is a bit higher compared to other solutions."
"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"
"They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works."
"The pricing for Veracode is high, making it difficult for beginners to afford."
"The pricing depends on the functionality each client desires."
"It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI."
"I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
"I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
830,726 professionals have used our research since 2012.
 

Answers from the Community

NC
Nov 15, 2021
Nov 15, 2021
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use and understand, SonarQube is a great solution if you want to quickly focus on functional requirements. There were some security issues with our code that SonarQube did not find. Defining the quality...
2 out of 6 answers
reviewer1553658 - PeerSpot reviewer
Sep 6, 2021
Klocwork
Read full answer
MV
Sep 6, 2021
They are mainly two different products.  If your goal is to set the quality on code then SonarQube is your answer.  On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
Read full answer
See all 6 answers
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
Financial Services Firm
17%
Computer Software Company
16%
Manufacturing Company
8%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
See all answers
What needs improvement with Veracode?
Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.
See all answers
 

Comparisons

Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 15% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube) Logo
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 10% of the time
Snyk vs SonarQube Server (formerly SonarQube) Logo
Snyk vs SonarQube Server (formerly SonarQube)
Compared 4% of the time
More SonarQube Server (formerly SonarQube) Competitors
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 12% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 7% of the time
Snyk vs Veracode Logo
Snyk vs Veracode
Compared 6% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 5% of the time
Fortify Static Code Analyzer vs Veracode Logo
Fortify Static Code Analyzer vs Veracode
Compared 4% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
SonarQube Server (formerly SonarQube)
December 2024
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
Buyer's Guide
Veracode
December 2024
Veracode reportDownload Veracode product report
 

Also Known As

Sonar
Crashtest Security , Veracode Detect
 

Learn More

Sonar
Veracode
 

Interactive Demo

Sonar
Demo not available
Veracode
 

Overview

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
SonarQube Server (formerly SonarQube) vs. Veracode
January 2025
Free Report: SonarQube Server (formerly SonarQube) vs. Veracode
Find out what your peers are saying about SonarQube Server (formerly SonarQube) vs. Veracode and other solutions. Updated: January 2025.
DOWNLOAD NOW
830,726 professionals have used our research since 2012.
See our SonarQube Server (formerly SonarQube) vs. Veracode report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.