SonarQube vs. Veracode
Product | Most Used By | Product Summary | Starting Price
---|---|---|---
SonarQube | N/A | SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable. | $160 per year per installation
Veracode | Mid-Size Companies (51-1,000 employees) | Veracode is a software security firm that identifies flaws and vulnerabilities across the software development lifecycle. Veracode’s Software Security Platform uses advanced AI algorithms trained on vast datasets of code, for more precise identification and rectification of security flaws. | N/A
Pricing | SonarQube | Veracode
---|---|---
Editions & Modules | No answers on this topic | No answers on this topic
Entry-level Setup Fee | No setup fee | No setup fee
Additional Details | — | Developer pricing options available
Highlights

Research Team Insight

SonarQube and Veracode are application security and code quality management options. SonarQube provides a free and open source community edition and focuses on static code analysis, while Veracode provides SAST, but also DAST, IAST, and penetration testing, as well as application security consulting. SonarQube is deployed among businesses of all sizes, notably midsize and larger companies, while Veracode is more widely adopted, and somewhat more likely to appear in larger enterprises that wish to take advantage of Veracode’s more extensive services.

Features

Users of SonarQube and Veracode point out distinct advantages to both solutions. SonarQube is a SAST specialist that excels in its core competency. It allows users to set their own coding standards, enforce them, and ensure best practice. Users describe an excellent code checking process, and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline. Veracode provides CVE (Common Vulnerabilities and Exposures) reporting, and its users learn to rely on its vulnerability scanning; Veracode’s static scans are said to provide clear identification of issues, and useful reporting with detailed recommendations for triage. Veracode is highly regarded not only for SAST but also for training, consultation, and support, which users have likewise learned to trust.

Limitations

A few elements of each product may give some users pause when considering which is right for them. While SonarQube is praised for enforcing coding standards, it is not as well regarded as a security tool. Also, being less widely adopted, users point to unreliability in some of its integrations (Jira), and an open source community that is not as active as those of more widely adopted tools. SonarQube also provides SAST only.

While Veracode is appealing as an all-in-one application security and coding standard tool, its DAST features are said by some to be less reliable than alternatives. A large number of users also find the user interface not to their liking, describing a steep learning curve to get started and cumbersome navigation even for experienced users.

Pricing

Users can get started with SonarQube free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition, which adds Branch Analysis and other vulnerability detection features, for $150; the Enterprise Edition, which adds advanced reporting and portfolio management, for $20,000; and the Data Center edition, available for $130,000. Veracode pricing is not published and shared freely, though present and past users share some information, and describe the service as “pricey,” but fair for its capabilities.
Alternatives | SonarQube | Veracode
---|---|---
Small Businesses | GitLab Score 8.8 out of 10 | GitLab Score 8.8 out of 10
Medium-sized Companies | GitLab Score 8.8 out of 10 | GitLab Score 8.8 out of 10
Enterprises | GitLab Score 8.8 out of 10 | GitLab Score 8.8 out of 10
Ratings | SonarQube | Veracode
---|---|---
Likelihood to Recommend | 8.8 (34 ratings) | 9.5 (128 ratings)
Likelihood to Renew | - (0 ratings) | 8.1 (7 ratings)
Usability | 7.0 (1 rating) | 7.3 (27 ratings)
Availability | - (0 ratings) | 9.1 (1 rating)
Performance | - (0 ratings) | 6.4 (1 rating)
Support Rating | 9.0 (1 rating) | 7.9 (66 ratings)
Implementation Rating | - (0 ratings) | 7.3 (2 ratings)
Configurability | - (0 ratings) | 6.4 (1 rating)
Ease of integration | - (0 ratings) | 5.5 (1 rating)
Product Scalability | - (0 ratings) | 7.3 (1 rating)
Vendor post-sale | - (0 ratings) | 8.9 (2 ratings)
Vendor pre-sale | - (0 ratings) | 8.2 (1 rating)