sonarqube-vs-veracode

SonarQube and Veracode are application security and code quality management options. SonarQube provides a free and open source community edition and focuses on static code analysis, while Veracode provides SAST, but also DAST, IAST, and penetration testing, as well as application security consulting.SonarQube is deployed among businesses of all sizes, notably midsize and larger companies, while Veracode is more widely adopted, and somewhat more likely to appear in larger enterprises who might wish to take advantage of Veracode’s more extensive services.

Features

Users of SonarQube and Veracode point out distinct advantages to both solutions.

SonarQube is a SAST specialist which excels in its core competency. It allows users to set their own coding standards and enforce them, and ensure best practice. Users describe an excellent code checking process, and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline.

Veracode provides CVE (Common Vulnerabilities and Exposures) reporting and its users learn to rely on its vulnerability scanning; Veracode’s static scans are said to provide clear identification of issues, and useful reporting with detailed recommendations for triage. Veracode is not only highly regarded for SAST, but training, consultation, and support, which users also have learned to trust.

Limitations

A few elements of each product may give some users pause when considering which is right for them.

While SonarQube is praised for enforcing coding standards, it is not as well-regarded as a security tool. Also, being less widely adopted, users point to unreliability in some of its integrations (Jira), and an open source community that is not as active as other more widely adopted tools. Also, SonarQube provides SAST only.

While Veracode is appealing as an all-in-one app security and coding standard tool, its DAST features are said by some to be less reliable than alternatives. A large number of users also find the user interface not to their liking, describing a steep learning curve to get started, terminating in a cumbersome process of getting around even for experienced users.

Pricing

Users can get started with SonarQube free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition that adds Branch Analysis and other vulnerability detection features for $150, the Enterprise Edition which adds advanced reporting and portfolio management for $20,000, and the Data Center edition available for $130,000. Veracode pricing is not published and shared freely, though present and past users share some information, and describe the service as “pricey,” but fair for its capabilities.