Veracode or SonarQube? How about both?
December 08, 2021

Veracode or SonarQube? How about both?

Edwin Delph | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

We use Veracode to scan our code for static code analysis and 3rd party dependency to identify security vulnerabilities. Scanning is done using pipelines in our continuous integration process.
  • Identify vulnerabilities in static code without too many false positives[.]
  • Identify vulnerabilities in 3rd party dependencies without too many false positives[.]
  • The speed of scanning can use some improvement, especially when trying to use automated scans in continuous integration pipelines.
  • Static Code Analysis
  • Software Composition Analysis
  • Too soon to tell[.]
SonarQube is better at identifying code smells (code quality) but Veracode is better at identifying vulnerabilities when it comes to csharp.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?


Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?


Would you buy Veracode again?


Veracode is well suited for detecting vulnerabilities. It is not as well suited for identifying code smells (code quality).