Shaping the security code reviews and SCA through Veracode
Overall Satisfaction with Veracode
Pros
- It provides insights about the most prevalent issues that we currently observe as a security team
- Helps to monitor Mean Time To Resolve (MTTR), a very important metric, to support our workflow management
- Scanning for code security issues on compiled code makes it very intuitive about all the metrics that matter
Cons
- The filtering options could be more intuitive — it’s not always easy to find exactly what you’re looking for without trial and error.
- While Veracode integrates with a decent number of tools, we’ve found it a bit rigid compared to some newer players in the space. Some more API or webhook integrations should be there.
- I remember one use case where we were looking for an open source tool to scan our limited prod APIs for a BOLA use case and Veracode came in handy; it was directly able to store our static creds and perfectly scanned for the use cases. Really saved our effort.
- MTTR solved our Agile way of working, where I was able to establish an SLA across dev accounts
- Overall it provided a positive ROI, talking in terms of flexibility
It's not realistic to expect a single vendor to cover all the bases, especially when it comes to application security.
Different tools are built with different strengths, and trying to stretch one platform to meet every need usually leads to compromise — often in areas that matter.
Take ASPM (Application Security Posture Management) tools for example. They market themselves as central hubs that tie everything together — and to be fair, many do a good job at aggregating data across multiple tools. But when it comes to actually performing hands-on security operations — like triaging vulnerabilities, validating risk, or remediating issues — many fall short.
Reporting and analytics are must-have features for any tool, not just Veracode, especially when security is something we have to deal with. Reporting should not just follow a standard practice but rather be customizable based on one's requirements; I still remember using Veracode support to drill down into some APIs and then being able to add some important metrics into the dashboard for the C-suite people.
I always opt for shift-left security, where we strictly have guardrails for the dev team to follow. We use Veracode at the stage when devs are writing the test cases, then going forward, analysing the code coverage, code smells and security hotspots on all the LOC. We get insights very early to detect potential vulnerabilities in the code.
It helped us to identify many potential issues that could later turn into Critical P1s, reminding myself that shifting left is very important.
Veracode takes compiled code, so integration and regression-based test cases can be evaluated well. Now it has a lot of features ranging from API security to DAST, so having code which works well in a live environment is very essential to set up, hence giving us an edge over other tools. Perhaps they are not bad; going with Veracode was just a selection of features for specific use cases amongst them.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes