My Veracode Review
October 12, 2020

Anonymous | TrustRadius Reviewer
Score 1 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

Veracode is standard tooling adopted within the company to secure our software.
  • The SCA agent is pretty fast at executing.
  • The user interface is a mess.
  • Reporting is inconsistent; different views give conflicting data.
  • False-positive management is too basic.
  • Collaboration is absent.
  • No public availability for open source.
  • No integration in the GitHub PR view.
  • Very slow at uploading artifacts for static analysis
  • Wasting a lot of time trying to get useful information from the user interface
  • SSO is so cumbersome that I have to explain to people how to get in from Okta, as there isn't a decent login page.
  • Some customers force us to get the security reports from Veracode by contract, which is the only reason why we haven't ditched it yet.
  • We had to hire a Security Architect to deal with the tool as for developers it's so unusable that it wastes a lot of their time.
Snyk and WhiteSource have fewer features. WhiteSource's UI is as bad as Veracode's; Snyk is integrated better in GitHub but provides decent results only for JavaScript. The best one for reporting and quality of results across languages is Meterian, which does not appear in this list, or the open-source OWASP Dependency-Check (although it requires lots of work to create a file for false positives).

The support for Veracode is incredibly good and helpful and removes lots of frustration in using such a bad product. Still, sometimes they are ashamed as well of what they support, for example when they had to explain the cumbersome SSO login that not even the most amateurish open source tool has.

The UI is dated, messy, unresponsive, a real nightmare. SourceClear before it was integrated was better; now it's a mess that only support can explain.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

No

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

No

Would you buy Veracode again?

No

It's a product that does a lot of things in a very unusable way. It's been chosen as it ticks plenty of boxes, but the quality of what's provided makes its reports and issue integration pretty useless. I always have to revert to other tools I trust more, like Meterian or OWASP.