SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.
$720
per year per installation
Veracode
Score 8.7 out of 10
Mid-Size Companies (51-1,000 employees)
Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.
N/A
Pricing
SonarQube Server
Veracode
Editions & Modules
Community
Free
Developer EDITION
starting at $720
per year per installation
Enterprise EDITION
Contact sales for pricing
per year per installation
Data Center EDITION
Contact sales for pricing
per year per installation
No answers on this topic
Offerings
Pricing Offerings
SonarQube Server
Veracode
Free Trial
Yes
Yes
Free/Freemium Version
Yes
Yes
Premium Consulting/Integration Services
No
No
Entry-level Setup Fee
No setup fee
No setup fee
Additional Details
—
Developer pricing options available
More Pricing Information
Community Pulse
SonarQube Server
Veracode
Considered Both Products
SonarQube Server
Verified User
Anonymous
Chose SonarQube Server
Some are still under consideration. Pricing is a big component. Some FOSS products have been considered is at par (at least for our needs) or catching up. Although the amazing support in the community weighs hard on the value. So, if it went away...so would some arguments …
SonarQube is more focused on code quality, whereas Veracode does a better job of finding security vulnerabilities. We lean towards SonarQube because we are looking for quality.
Jenkins and Gitlab are not exact alternatives for SonarQube, however, they do provide functionality for running and executing build pipelines for various languages and generating reports. However, they are not extensible, have no integration with IDEs and not suitable for …
SonarQube deployment worked well with our pipeline and had the right integrations with our IDE as well as it worked well with analyzing .NET frameworks when compared to GitHub and GitLab which has some of the functionality and can do some checks, but SonarQube made more sense …
SonarQube is a SAST, SOOS focuses on SCA and DAST - both of which we felt were out of scope for our immediate needs. Plus, through plugins SonarQube is able to accomplish some SCA.
SonarQube identifies significant more thing compared to the built-in suggestions in IntelliJ IDEA. The suggestions how to correct issues are also a lot better with SonarQube. IntelliJ IDEA provides great refactoring support to make it easy to refactor the code to solve issues. …
Getting SonarQube instead of the other tools we tested was an easy choice. Snyk was way too much limited to only Docker images and dependency analysis at that time. And Checkmarx was very hard to adapt to our needs : configuring custom quality gates was way too much of a …
SonarQube is much improved version as compared to SonarLint and Findbugs or any other software we found in similar category. It's open source and can be easily integrated with code pipeline.
I have used GitHub more that fortify so I am more familiar with GitHub for checking for vulnerabilities. I have noticed GitHub is good for checking different packages within your project but as far as checking code Quality and coverage Sonar is the better one in my opinion. …
I have used other tools like SoapUI and Postman, but their working and use case are totally different from the SonarQube, so basically cannot compare SonarQube with them. We use SonarQube in our project to basically calculate the code quality report mostly. In that report, we …
I personally evaluated klocwork in a previous company and it worked well for Static Code Analysis for C++ applications but the Java support was not as good as SonarQube.
Also the overall tooling and integrations provided by SonarQube is stellar and very other competitors can …
SonarQube is an open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty descent. Pipeline scan is more secured in SonarQube. Its a very good tool and its support multiple languages. Its main core competency is of static code …
SonarQube contains all of their features. Findbugs has very limited capabilities. It is just a static code analyser and does not check for a continous code quality and also not possible to integrate its plugin azure devops .net pipelines and more importantly SonarQube ui is …
Sonar Qube doesn't do as good of a job of finding security vulnerabilities as dedicated SAST software, but it does more for code quality that the developers want to see. A comparison of Sonar Qube to something like Veracode or Fortify isn't apples to apples since they're not …
We found SonarQube right at the beginning of our research process and found that it met most of our needs. SonarQube fit very nicely into our TFS continuous integration process. We seamlessly integrated the SonarQube steps into our TFS process via the Microsoft Marketplace. …
Gitlab, if you have the right license, ships with a static analysis tool. It integrates better with Gitlab, but didn't seem to have the same quality output that Sonarqube did. Sonarqube's community version is plenty suitable for day to day analysis operations.
We selected Veracode after testing these tools with 3 important solutions and Veracode had a great ratio of findings, with low false positive, and the best price between the tools that were good enough.
I found SonarQube to have some decent data for code quality checks but it underperformed for code security.
Snyk is a decent product and strong competitor to Veracode for SCA. Snyk's SAST offering is not as good as Veracode and does not support as many languages.
Sonatype only identifies and scans third-party dependency and not custom-developed code—at least that's what it was doing back in 2018 when I used to utilize its services. Interface-wise, too, Veracode looks much cleaner and easier to navigate than Sonatype. Support and …
As mentioned previously, we're always considering other options. Veracode is what we need right now, and I don't think it would be fair to competitors to compare them to what we need right now. Tomorrow, we might need something else and not require Veracode—that isn't a change …
Veracode seems to provide better support and good scan coverage. Veracode also provides multiple scan types like Dynamic, Static Code, Software Composition which others may only offer 1 or 2. I might be missing it but some others like Sentinel provide schedule monthly, …
Veracode is slower with scan results however the flaws discovered and sites crawled are almost the same. Rapid7 InsightAppSec only does dynamic scans. Veracode did find more links on a site crawl. Rapid7 InsightappSec has more out of the box reports than Veracode. Both …
Veracode was brought in to supplement services previously provided by other vendors. As our org recently acquired another organization, we identified Veracode as a 'go-forward' system needed to consolidate security tooling in the organization.
Mend.IO formerly WhiteSource software is a product we used prior to Vericode. It did not have all of the capabilities or depth of Vericode. Additionally, Whitesource did not offer automatic scanning as part of their product and there was no Certification program to speak of.
The maturity of the Veracode and the continuous improvements in its products it's one of the principal characteristics of chosee it, Veracode it's a SaaS platform and was born in the cloud, so this is a great option for our clients to be quick to implement also the easy of …
Checkmarx and Veracode have a few common points and some features which are different. Checkmarx UI is more user-friendly, but the level of detailing in Veracode reports is better. Veracode is a good choice for static analysis of code. if the user interface can be made smoother …
As the developer, not the business stakeholder, I did not select Veracode specifically. However, after using the application I believe it was the right choice. Veracode is thorough in its analyses, in its database of flaws, in its methodology of uncovering vulnerabilities, and …
SonarQube and Veracode are application security and code quality management options. SonarQube provides a free and open source community edition and focuses on static code analysis, while Veracode provides SAST, but also DAST, IAST, and penetration testing, as well as application security consulting.SonarQube is deployed among businesses of all sizes, notably midsize and larger companies, while Veracode is more widely adopted, and somewhat more likely to appear in larger enterprises who might wish to take advantage of Veracode’s more extensive services.
Features
Users of SonarQube and Veracode point out distinct advantages to both solutions.
SonarQube is a SAST specialist which excels in its core competency. It allows users to set their own coding standards and enforce them, and ensure best practice. Users describe an excellent code checking process, and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline.
Veracode provides CVE (Common Vulnerabilities and Exposures) reporting and its users learn to rely on its vulnerability scanning; Veracode’s static scans are said to provide clear identification of issues, and useful reporting with detailed recommendations for triage. Veracode is not only highly regarded for SAST, but training, consultation, and support, which users also have learned to trust.
Limitations
A few elements of each product may give some users pause when considering which is right for them.
While SonarQube is praised for enforcing coding standards, it is not as well-regarded as a security tool. Also, being less widely adopted, users point to unreliability in some of its integrations (Jira), and an open source community that is not as active as other more widely adopted tools. Also, SonarQube provides SAST only.
While Veracode is appealing as an all-in-one app security and coding standard tool, its DAST features are said by some to be less reliable than alternatives. A large number of users also find the user interface not to their liking, describing a steep learning curve to get started, terminating in a cumbersome process of getting around even for experienced users.
Pricing
Users can get started with SonarQube free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition that adds Branch Analysis and other vulnerability detection features for $150, the Enterprise Edition which adds advanced reporting and portfolio management for $20,000, and the Data Center edition available for $130,000. Veracode pricing is not published and shared freely, though present and past users share some information, and describe the service as “pricey,” but fair for its capabilities.
Large codebase: The tool's static analysis capabilities can help teams quickly identify and fix bugs, vulnerabilities, and code smells in large codebases.
Compliance and security: The tool can check the code against industry standards or regulations, such as OWASP and CWE, and identify any issues that need to be addressed.
Agile development: SonarQube can be integrated with CI/CD pipelines allowing teams to continuously monitor and improve code quality throughout the development process.
Teams using multiple languages: Teams that use multiple programming languages can benefit from using SonarQube, as the tool supports a wide range of languages and can be integrated with a variety of development tools.
Scenarios where SonarQube may be less appropriate:
Small codebase: Organizations with a small codebase may not see the full benefits of using SonarQube, as the tool's static analysis capabilities may be overkill for a smaller codebase.
Limited resources: Organizations with limited resources may find it difficult to set up and configure SonarQube, as the tool can be complex and may require specialized expertise.
Limited integration: Organizations that use development tools or IDEs that are not supported by SonarQube may find it difficult to integrate the tool into their existing development workflow.
Limited scalability: Large organizations with millions of lines of code may find SonarQube's performance and scalability to be an issue. It may take longer for the analysis to finish and the results may not be as accurate.
* (+) Report generation for our clients: reports are very comprehensive and look professional. * (-) Veracode pipeline scan: takes too much time, need to split our application so that it can fit within the timeout (2h). Currently we're not able to use it, we still use "upload & scan" functionality in our CI pipelines. This is a showstopper to be able to break the build in case of new vuln, and also to use Fix AI based tool.
We would like to see Veracode continue to improve the integrations available, particularly with respect to .NET IDEs. Part of our development team uses JetBrains' Rider which is, as of this time, unsupported for static integration.
We would also like to see Veracode continue to improve their dynamic scan offerings; with the recent addition of DAST Essentials we feel this improvement may come sooner than later.
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
- Almost no setup required and easy to configure - Very easy to use, intuitive UI with integrated analytics and learning portals. - Seamless to review the results, triage them, generate reports. - Security progression of the product/application is tracked via successive scans. - Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
We we easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marektplace, we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.
Overall, Veracode support is helpful, community support is great, and documentation is available for self-service. Our Customer Success Manager is very helpful and reaches out regularly to see if we need assistance. We have not utilized many of the other resources offered by Veracode, however, in the future we would like to leverage secure coding training for our Development teams.
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
SonarQube identifies significant more thing compared to the built-in suggestions in IntelliJ IDEA. The suggestions how to correct issues are also a lot better with SonarQube. IntelliJ IDEA provides great refactoring support to make it easy to refactor the code to solve issues. We use these tools together and they really complement each other.
Sonatype only identifies and scans third-party dependency and not custom-developed code—at least that's what it was doing back in 2018 when I used to utilize its services. Interface-wise, too, Veracode looks much cleaner and easier to navigate than Sonatype. Support and consultation with how-to guides and documents make Veracode easier to use.
Positive ROI from the standpoint of flagging several issues that would have otherwise likely been unaddressed and caused more time to be spent closer to launch
Slightly positive ROI from time-saving perspective (it's an automated check which is nice, but depending on the issues it finds, can take developers time to investigate and resolve)
Positive: Scanning all our applications on Veracode provides us an overview of our cyber security posture for the organization as a whole.
Positive: Performing the SAST, SCA and DAST scanning for all the applications at the early stages of the SDLC helps us identify and mitigate security vulnerabilities early, reducing the risk of data breaches and cyber-attacks.
Negative: Sometimes Veracode SAST scanner closed and reopens some findings, leading to reliability issues on the scanner itself.