We performed a comparison between Sync and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Sync comes out on top in this comparison. It is secure and reliable. In addition, it has excellent support and a significant ROI.
"The most valuable feature of Snyk is the software composition analysis."
"The solution's vulnerability database, in terms of comprehensiveness and accuracy, is very high-level. As far as I know, it's the best among their competitors."
"The most valuable features of Snyk are vulnerability scanning and automation. The automation the solution brings around vulnerability scanning is useful."
"I find SCA to be valuable. It can read your libraries, your license and bring the best way to resolve your problem in the best scenario."
"We use Snyk to check vulnerabilities and rectify potential leaks in GitHub."
"It is a stable solution. Stability-wise, I rate the solution a ten out of ten."
"We have integrated it into our software development environment. We have it in a couple different spots. Developers can use it at the point when they are developing. They can test it on their local machine. If the setup that they have is producing alerts or if they need to upgrade or patch, then at the testing phase when a product is being built for automated testing integrates with Snyk at that point and also produces some checks."
"Provides clear information and is easy to follow with good feedback regarding code practices."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"The most valuable features are the segregation containment and the suspension of product services."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"The product itself has a friendly UI."
"There's plenty of documentation available to users."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"The solution's user interface is very user-friendly."
"It lists projects. So, if you have a number of microservices in an enterprise, then you could have pages of findings. Developers will then spend zero time going through the pages of reports to figure out, "Is there something I need to fix?" While it may make sense to list all the projects and issues in these very long lists for completeness, Snyk could do a better job of bubbling up and grouping items, e.g., a higher level dashboard that draws attention to things that are new, the highest priority things, or things trending in the wrong direction. That would make it a lot easier. They don't quite have that yet in container security."
"The solution could improve the reports. They have been working on improving the reports but more work could be done."
"The feature for automatic fixing of security breaches could be improved."
"Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help."
"We tried to integrate it into our software development environment but it went really badly. It took a lot of time and prevented the developers from using the IDE. Eventually, we didn't use it in the development area... I would like to see better integrations to help the developers get along better with the tool. And the plugin for the IDE is not so good. This is something we would like to have..."
"We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good."
"Basically the licensing costs are a little bit expensive."
"There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
"The product's pricing could be lower."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
Snyk is ranked 4th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Snyk is rated 8.2, while SonarQube is rated 8.0. The top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Snyk is most compared with Black Duck, GitHub Advanced Security, Fortify Static Code Analyzer, Veracode and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitHub Advanced Security. See our Snyk vs. SonarQube report.
See our list of best Application Security Tools vendors and best Software Development Analytics vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
@Tej Muchhala : Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.
1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.
2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.
3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.
Regards,
Vishal.
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.