Veracode provides us with three kinds of scans, namely:
- Static Scans (SAST) – requires source code and integrated into SLDC
at an early stage - Dynamic Scans (DAST) – requires running instance
and integrated towards the end of SLDC - Manual PenTest
- SCA – part of SAST, checks for vulnerabilities in libraries you are using for your project
For more information on the difference between SAST and DAST: https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/
After researching for a while CheckMarx can be used as an alternative SAST solution to Veracode and it offers SCA just like Veracode too
solved What are some really good and practical alternatives for Veracode [closed]