Veracode is a comprehensive application security platform primarily utilized by development and security teams to integrate security practices early into the software development lifecycle. Reviewers consistently highlight its robust capabilities in Static Application Security Testing (SAST) and Software Composition Analysis (SCA), with 83% of users leveraging these core functions to scan code, repositories, and CI/CD pipelines. The platform excels at enabling a "shift left" security approach, empowering developers to identify and remediate vulnerabilities proactively, a benefit noted by 50% of reviewers. This proactive stance significantly enhances an organization's overall security posture, with 83% of users reporting improved effectiveness in detecting insecure code and preventing critical vulnerabilities from reaching production. A key strength of Veracode lies in its deep integration capabilities, specifically with Integrated Development Environments (IDEs) and Continuous Integration/Continuous Delivery (CI/CD) pipelines, which 50% of reviewers praised for facilitating early security scanning. Its effective scanning of compiled code and comprehensive reporting dashboards were also frequently cited by half of the reviewers, providing valuable insights for managing security issues. This integration and robust scanning contribute to tangible business benefits, including cost and time savings through security tool consolidation, as reported by 50% of users, and accelerated release cycles. However, Veracode presents areas for improvement that impact user experience and flexibility. Half of the reviewers expressed a desire for more robust and adaptable integration and API options, indicating a need for greater connectivity. Similarly, 50% of users pointed to the user interface and overall web experience as needing modernization and more intuitive navigation. Enhancements to reporting and analytics capabilities were also suggested by half of the reviewers, implying a desire for deeper data presentation and customization. Despite these areas for refinement, Veracode's contribution to developer education and efficiency, noted by 50% of users, underscores its value in fostering a more secure development culture.

Pros

Comprehensive SAST and SCA capabilities for various code types.
Deep integration with IDEs and CI/CD pipelines for early security scanning.
Effective scanning of compiled code.
Robust reporting and dashboard features for security insights.
Significant improvement in application security posture and ROI.

Cons

Limited integration and API flexibility.
Outdated user interface and web experience.
Need for enhanced reporting and analytics capabilities.

Why it matters:

Veracode significantly strengthens an organization's security posture by proactively identifying and mitigating vulnerabilities. Five of six reviewers explicitly stated that the platform effectively detects insecure code, preventing critical or high-severity issues from reaching production and making software offerings safer.

“No critical or high vulnerabilities get to production”

Why it matters:

Reviewers extensively leverage Veracode for its core capabilities in Static Application Security Testing (SAST) and Software Composition Analysis (SCA). Five out of six reviewers specifically mentioned using these features to scan their codebases, repositories, and CI/CD pipelines, indicating its role as a fundamental tool for identifying security vulnerabilities and managing open-source dependencies. This widespread adoption underscores its utility in comprehensive application security assessments across the development lifecycle.

“We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments.”

Why it matters:

Reporting and analytics are considered highly important by reviewers, with 5 of 7 reviewers identifying them as essential for their use cases. Reviewers value these features for their ability to measure security maturity across various development teams and to provide relevant and accurate data to executives and program stakeholders. While internal reporting within the tool is seen as strong, some users indicated that reports for external stakeholders, such as developers, could be enhanced, and there is a desire for more customizable reporting options to meet specific organizational metrics.

“Reporting and analytics are must have features for any tool, not just Veracode, especially when security is something we have to deal with.”

What positive or negative impact (i.e. Return on Investment or ROI) has Veracode had on your overall business objectives?

From 6 reviews

Summary

Veracode has demonstrated a positive impact on the business objectives of its users, primarily by significantly enhancing their security posture. Five of six reviewers noted a marked improvement in application security, citing high effectiveness in detecting insecure code and preventing critical vulnerabilities from reaching production environments. This enhanced security contributes to broader operational efficiencies, with 3 of 6 reviewers reporting direct cost and time savings by consolidating security tools and reducing efforts. Furthermore, the platform aids in streamlining development processes, as observed by 2 of 6 reviewers, who highlighted its role in accelerating release cycles and establishing security controls within deployments. The integration of security earlier in the development lifecycle also contributes to developer education and efficiency, which 3 of 6 reviewers identified as a key benefit.

Top Quotes

Improved Security Posture

“No critical or high vulnerabilities get to production”

Developer Efficiency and Education

“Better communication with Development teams”

Cost and Time Savings

“Really saved our effort.”

Besides Veracode, what other software do you regularly use? How likely would you be to recommend it to a friend or colleague?

From 6 reviews

Summary

Reviewers frequently utilize a diverse array of security tools in addition to Veracode, with a notable emphasis on solutions for static analysis and security monitoring. A significant majority of reviewers, 4 of 6, cited various static analysis tools, indicating a common practice of integrating multiple solutions for code quality and vulnerability detection. These tools often complement each other, covering different aspects of the software development lifecycle. Beyond code-level analysis, a smaller segment of reviewers, 2 of 6, also highlighted their use of security monitoring platforms. The landscape of tools mentioned suggests that organizations are employing a layered security approach, leveraging specialized software across different domains to enhance their overall security posture. While specific recommendations were not explicitly detailed for each tool, the breadth of products listed implies a search for comprehensive coverage rather than reliance on a single vendor for all security needs.

Top Quotes

Static Analysis Tools

“Appdome, OneTrust Third-Party Management, HackEDU”

Security Monitoring

“IntSights Cyber Intelligence, from Rapid7, Netskope CASB”

Describe how you use Veracode in your organization. What are the business problems the product addresses and what is the scope of your use case?

From 6 reviews

Summary

Organizations primarily leverage Veracode to bolster their application security and integrate security practices earlier into the development lifecycle. A significant majority of reviewers, 5 out of 6, reported utilizing Veracode for its core capabilities in Static Application Security Testing (SAST) and Software Composition Analysis (SCA) to scan various components, including code, repositories, and CI/CD pipelines. This widespread application across the software development process helps in the identification of vulnerabilities and the management of technical debt. Furthermore, half of the reviewers, 3 out of 6, highlighted Veracode's effectiveness in enabling a "shift left" security approach, empowering developers to detect and remediate code issues earlier in their workflows. This proactive strategy aims to prevent new security flaws from reaching production environments, thereby enhancing overall development efficiency and streamlining vulnerability management processes.

Top Quotes

SAST and SCA usage

“We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments.”

Shifting security left

“We use Veracode to identify and help remediate high risk technical debt, as well as shift left for our developers so that they are fully equipped to prevent new flaws from making it to production code.”

Please provide some detailed examples of areas where Veracode has room for improvement.

From 6 reviews

Summary

Reviewers of Veracode consistently identified several areas for potential improvement, with three key themes emerging from the feedback. Concerns regarding integration and API flexibility were noted by 3 of 6 reviewers, who expressed a desire for more robust and adaptable connectivity options. Similarly, the user interface and overall web experience were cited by 3 of 6 reviewers as needing modernization and more intuitive navigation. The third significant area for enhancement, also mentioned by 3 of 6 reviewers, revolved around reporting and analytics capabilities. These observations collectively suggest that while the core functionality may be present, refining the user interaction, external connectivity, and data presentation layers could significantly enhance the overall product experience for users.

Top Quotes

Integration and API flexibility

“While Veracode integrates with a decent number of tools, we’ve found it a bit rigid compared to some newer players in the space. Some more API or webhook integrations should be there”

User Interface and Web Experience

“The web interface needs some getting used to”

Reporting and Analytics

“Authorization model for reports and dashboard”

Please provide some detailed examples of things that Veracode does particularly well.

From 6 reviews

Summary

Veracode is consistently highlighted by reviewers for its comprehensive capabilities in application security, particularly its integration into development workflows and robust reporting. Three of six reviewers specifically praised its ability to integrate with Integrated Development Environments (IDEs) and Continuous Integration/Continuous Delivery (CI/CD) pipelines, enabling security scanning early in the development lifecycle. This integration is seen as a key factor in reducing code vulnerabilities. Concurrently, 3 of 6 reviewers noted the effectiveness of its scanning capabilities, particularly for compiled code, which provides critical security metrics. Furthermore, the platform's reporting and dashboard features were frequently mentioned by half of the reviewers, providing valuable insights for product owners and security teams. These features collectively contribute to a streamlined approach to identifying, analyzing, and managing security issues throughout the software development process.

Top Quotes

IDE and CI/CD Integration

“CI/CD integration”

Scanning Capabilities

“Scanning the code security issues on compiled code makes it very initutive about all metrics that matters”

Reporting and Dashboards

“Reporting”

How important are the reporting and analytic features of a solution for your use case? How are you using Veracode’s reporting and analytics?

From 7 reviews

Summary

Reviewers consistently emphasize the critical role of reporting and analytic features within Veracode, with 5 of 7 reviewers highlighting their importance for various stakeholders. The sentiment regarding these features is mixed, indicating both strong foundational capabilities and specific areas for enhancement. Many users find these features essential for evaluating overall security posture and program maturity, particularly when communicating with executives and non-technical management. The ability to measure security maturity across different development teams is a key benefit derived from the existing reporting capabilities. However, while internal reporting within the tool is generally well-regarded, some reviewers suggest that reports intended for external stakeholders, such as developers, could be improved. The need for greater customization in reporting to meet specific organizational requirements, especially for C-suite level metrics, also emerged as an area for development, though one reviewer noted success in achieving this with Veracode support. The data indicates that while Veracode provides valuable insights, opportunities exist to refine the output for diverse audiences and specific analytical needs.

Related topics

Reporting for stakeholders

Top Quotes

Reporting for stakeholders

“Reporting and analytics are must have features for any tool, not just Veracode, especially when security is something we have to deal with.”

Veracode promotes secure software development lifecycles by ensuring software being built is secure and meets compliance requirements. At what stages of your application development process do you use Veracode?

From 7 reviews

Summary

Reviewers indicate that Veracode is primarily utilized across multiple stages of the software development lifecycle, with a strong emphasis on integrating security checks early and continuously. A significant portion of the feedback, cited by 3 of 7 reviewers, highlights the product's application from the initial coding phase through to deployment, enabling the detection of vulnerabilities at the earliest possible point. This early stage scanning is complemented by integration into developer environments, with 2 of 7 reviewers specifically mentioning the use of IDE integration to scan code as it is being developed. Furthermore, the platform's ability to integrate into CI/CD pipelines is also a key use case, noted by 2 of 7 reviewers, facilitating automated security checks during pull requests and code merges. This comprehensive approach suggests Veracode is valued for its capacity to embed security directly into the development workflow rather than as a post-development audit. The consistent positive sentiment across all mentioned integration points underscores its perceived effectiveness in promoting secure software development practices.

Top Quotes

IDE Integration

“We use the IDE integration to scan code as it is being developed”

CI/CD Pipeline Integration

“At Development IDE, at CI/CD pipelines, post deployment as well.”

Early Stage Scanning

“Veracode we use in the stage when devs are writting the test cases, then going forward, analysing the code coverages, code smells and security hotspots on all the LOC. We get insights very early to detect potential vulnerabilities in the code.”

Given your security program needs, do you prefer to consolidate your solutions to one vendor or diversify your solutions through multiple vendors?

From 6 reviews

Summary

Reviewers expressed divided opinions regarding the optimal strategy for security program solutions, with an equal number favoring either consolidation with a single vendor or diversification across multiple vendors. Half of the reviewers (3 of 6) indicated a preference for diversifying solutions, often highlighting that no single vendor can realistically cover all security needs, particularly in specialized areas like application security. Conversely, the other half of reviewers (3 of 6) advocated for consolidating solutions with one primary vendor, though some suggested augmenting this approach with supporting or channel vendors for specific functionalities. This suggests that while consolidation offers perceived benefits, the limitations of a single vendor's comprehensive capabilities, noted by 2 of 6 reviewers, often drive the consideration for a multi-vendor strategy. The decision appears to hinge on specific project needs and the recognition that even broad-spectrum vendors may not achieve excellence across their entire product portfolio.

Top Quotes

Diversify solutions multiple vendors

“I would say to diversify the solutions through multiple vendors, depending on the project needs.”

Consolidate solutions one vendor

“My preference is to consolidate when possible.”

Vendor specialization limitations

“It's not realistic to expect a single vendor to cover all the bases, especially when it comes to application security.”

Reviews

141 Reviews

Best tool to analyse security threats in coding

Rating: 10 out of 10

Incentivized

May 19, 2026

Use Cases and Deployment Scope

Veracode Application security is incredibly useful software for identifying and addressing security vulnerabilities. It offers reliable code analysis for each step for the entire software development lifecycle. It conducts effective security scans with comprehensive reports. The static analysis feature is invaluable for preventing SQL injections and cross-site scripting attacks. Veracode has maintained best coding practices and fixed security defects within the development ecosystem.

Pros

Identification of security vulnerabilities
Code analysis
Monitoring application development lifecycle

Cons

The platform has demonstrated resilience in enhancing best coding practices.

Likelihood to Recommend

It is effectively suited in addressing most security vulnerabilities within the application development lifecycle. It offers coding insights that maintains smooth and solid workflows on the entire application development chain. The customer support team is proactive and usually offers exceptional guidelines when we face challenges. We can conduct both static and dynamic security testing on most applications.

Elaine Davis

Senior Software Engineer in Information Technology at Hexaview Technologies Inc. (201-500 employees)

Vetted Review

2 years of experience

Veracode and me . . .

Rating: 8 out of 10

Incentivized

March 26, 2026

Use Cases and Deployment Scope

Veracode is our primary Vulnerability Management solution, to help us identify vulnerabilities in our applications as early in our development lifecycle as possible. The data is sent into our central monitoring and data visualisation tool. We are trying to reduce our attack surface without compromising our ability to do business.

Pros

Documentation
Customer Support
Roadmaps

Cons

Data Visualisation
Sharing data in human readable format
Integrations with SecOps tooling

Likelihood to Recommend

The people in the organisation are world class, the tool could do with a refresh and revamp - it feels dated compared to others, especially in a world where data is moved from one platform to another i.e. SIEM, SOAR, etc.

Verified User

General Manager in Information Technology (10,001+ employees)

Vetted Review

2 years of experience

Veracode A Powerful Code Security Tool

Rating: 9 out of 10

Incentivized

February 25, 2026

Use Cases and Deployment Scope

We use Veracode to identify and help remediate high risk technical debt, as well as shift left for our developers so that they are fully equipped to prevent new flaws from making it to production code. Veracode has been a highly useful tool, albeit complicated, in meeting our application security goals.

Pros

Application Security
Flaw Analytics
Dashboards and Metrics

Cons

Ease of Use
Integration Complexity
Analytics Complexity

Likelihood to Recommend

Veracode is well suited to organizations that are willing to pull teeth to hit that 99-100 percent application security efficacy through a robust, potentially automated app security program. It is generally not suitable for organizations that are okay with less security efficacy in exchange for more ease of adoption & use, and lower overall cost.

Verified User

Strategist in Information Technology (10,001+ employees)

Vetted Review

3 years of experience

Shaping the security code reviews and SCA through Veracode

Rating: 8 out of 10

Incentivized

February 25, 2026

Pros

It proivides insights about most prevelant issues that we currently observe as a security team
Helps to monitor Mean time to resolve which is MTTR (very important metric) to support our workflow management
Scanning the code security issues on compiled code makes it very initutive about all metrics that matters

Cons

The filtering options could be more intuitive — it’s not always easy to find exactly what you’re looking for without trial and error.
While Veracode integrates with a decent number of tools, we’ve found it a bit rigid compared to some newer players in the space. Some more API or webhook integrations should be there

Likelihood to Recommend

Abhineet Sagar

DevSecOps Engineer II in Engineering at Helpshift (501-1000 employees)

Vetted Review

3 years of experience

Verified on LinkedIn

Secure your code from IDE to production

Rating: 9 out of 10

Incentivized

May 9, 2025

Use Cases and Deployment Scope

We use it a a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

Pros

IDE integration
Gitlab Enterprise integration
Reporting for Product Owners

Cons

SAML integration when you have multiple domains
Scan whole repos to get a sense of security maturity
Authorization model for reports and dashboard

Likelihood to Recommend

It is very good as a SAST & SCA tool when you want to work with your developers so they start generating more secure apps.
It doesn't work very well if you want to measure your security level without including the devs in the process, specially if the way they work and how they use git is heterogeneous.

Verified User

Manager in Information Technology (5001-10,000 employees)

Vetted Review

1 year of experience

One-stop SDLC Security

Rating: 10 out of 10

Incentivized

December 19, 2024

Use Cases and Deployment Scope

We use Veracode as part of our SDLC, to provide for our SAST, DAST and SCA

Pros

Assemblies
Code scanning
Dynamic scanning
Presenting results

Cons

The web interface needs some getting used to
Some parts seem a little off, as its a different piece of software that Veracode is trying to fit in

Likelihood to Recommend

Veracode might be less appropriate for small companies, which need the functionality but can’t afford it (yet)

Verified User

Manager in Information Technology (11-50 employees)

Vetted Review

1 year of experience

Superior code scanning enabling faster and more secure code.

Rating: 9 out of 10

Incentivized

December 14, 2024

Use Cases and Deployment Scope

We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.

One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing now high/critical findings.

Pros

SAST scanning
SCA scanning
Reporting
CI/CD integration

Cons

UI and UX felt a little outdates in some of the screens.
Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.

Likelihood to Recommend

Veracode has robust coverage of supported programming languages. We faced an issue with a competitor product where we could not scan compiled javascript (jar) files. Veracode is able to scan jar files no problem in addition to many other languages.

Verified User

Director in Information Technology (51-200 employees)

Vetted Review

4 years of experience

My experience using Veracode tool

Rating: 9 out of 10

November 18, 2024

Use Cases and Deployment Scope

I have been using Veracode for nearly 2 years, we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift the security to left, and tried to make the process as automate as possible. The best use case of this tool is that it can be fit anywhere with flexible plugins at different stages of SDLC. Even the support is very good and co-operative.

Pros

Veracode does integrate into IDE where the development starts. IDE Scans will help in reducing the versions of code.
The best thing about Veracode is, that it is a SAAS platform, and we can run the scan and do our other work parallelly.
Veracode dynamic analysis is pretty good as it clearly shows the requests it sends to the server and the response it receives from the server. Which helps in analyzing the vulnerabilities more easily.

Cons

Reporting work can be improved.

Likelihood to Recommend

It is best suited for the Agile model projects, where business will have the continuous releases of their products. Other than that I can't comment on the scenario where it is less appropriate as I need to experience it more.

Sairam Bathini

DevSecOps Engineer in Information Technology at DesIdea Software Technologies (51-200 employees)

Vetted Review

3 years of experience

View profile

Good SaaS service for finding security vulnerabilities in code.

Rating: 9 out of 10

Incentivized

September 25, 2024

Use Cases and Deployment Scope

In my organization, Veracode is used as an enterprise mandate to scan any application or service built by the development teams before deploying it into higher or pre-production/testing environments. After the scans, the security team reviews the results to mitigate or fix the vulnerabilities found by Veracode static and dynamic scans following the recommendations provided by the tool, sometimes like upgrading a third-party library to a newer version through SCA.

Pros

It is good at recommending fixing issues with third-party dependencies used in application code with detailed version information and knowing which version fixes what.
It has a very nice interface for triaging flaws. One can sort the vulnerabilities found in code from Very Likely to be exploited to least likely to be exploited.
There is a collections feature that allows us to group together groups of application profiles belonging to the same suite of applications.

Cons

The Veracode CLI can be provided as a setup or installer file instead of the powershell command to install it from the script.
There should be a copy feature that takes comments from vulnerabilities found in one application profile and imports them into matching flaws of another application profile.
The automated module selection at the review step just after the upload should be better at identifying entry points and should select only custom-developed code modules instead of third-party ones (at least the common ones).

Likelihood to Recommend

Veracode is well suited for development applications that can be made more secure right from the beginning. There is an excellent extension in Visual Studio that scans code from the IDE. However, it is less appropriate or incompatible with scanning SOAP or WSDL APIs. It supports only REST APIs.

Verified User

Team Lead in Information Technology (5001-10,000 employees)

Vetted Review

1 year of experience

My experience with Veracode

Rating: 7 out of 10

Incentivized

September 17, 2024

Use Cases and Deployment Scope

* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
* We run a dynamic scan before each major version release.
* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.

Pros

Report generation
Flaws description and remediation strategy
Consultation requests

Cons

Scan results stability: from one scan to another, additional flaws appear whereas code did not change.
Entry points selection: hard to be sure selection is optimal, should be automatized or hidden.
Branches management: we currently use sandboxes to scan different branches of our software. Would be good to have real branches management.

Likelihood to Recommend

* (+) Report generation for our clients: reports are very comprehensive and look professional.
* (-) Veracode pipeline scan: takes too much time, need to split our application so that it can fit within the timeout (2h). Currently we're not able to use it, we still use "upload & scan" functionality in our CI pipelines. This is a showstopper to be able to break the build in case of new vuln, and also to use Fix AI based tool.

Nicolas Garcin

R&D manager in Research & Development at Neoxam (501-1000 employees)

Vetted Review

5 years of experience

View profile

Loading Reviews List....

Video reviews

View playlist

Good SaaS service for finding security vulnerabilities in code.

Rating: 9 out of 10

Incentivized

September 25, 2024

Use Cases and Deployment Scope

Pros

It is good at recommending fixing issues with third-party dependencies used in application code with detailed version information and knowing which version fixes what.
It has a very nice interface for triaging flaws. One can sort the vulnerabilities found in code from Very Likely to be exploited to least likely to be exploited.
There is a collections feature that allows us to group together groups of application profiles belonging to the same suite of applications.

Cons

The Veracode CLI can be provided as a setup or installer file instead of the powershell command to install it from the script.
There should be a copy feature that takes comments from vulnerabilities found in one application profile and imports them into matching flaws of another application profile.
The automated module selection at the review step just after the upload should be better at identifying entry points and should select only custom-developed code modules instead of third-party ones (at least the common ones).

Likelihood to Recommend

Verified User

Team Lead in Information Technology (5001-10,000 employees)

Vetted Review

1 year of experience