Try our new research platform with insights from 80,000+ expert users

FOSSA vs Snyk comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Nov 5, 2024
 

Categories and Ranking

FOSSA
Ranking in Software Composition Analysis (SCA)
10th
Average Rating
8.6
Number of Reviews
15
Ranking in other categories
No ranking in other categories
Snyk
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
8.2
Reviews Sentiment
7.3
Number of Reviews
43
Ranking in other categories
Application Security Tools (4th), Container Security (7th), Software Development Analytics (2nd), DevSecOps (1st)
 

Mindshare comparison

As of November 2024, in the Software Composition Analysis (SCA) category, the mindshare of FOSSA is 3.7%, down from 4.5% compared to the previous year. The mindshare of Snyk is 18.0%, up from 17.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA)
 

Featured Reviews

Hanumanth Ramsetty - PeerSpot reviewer
Oct 24, 2024
Proactively mitigate deployment vulnerabilities with seamless dependency tracking
In our current project, we are using FOSSA as part of our CI/CD pipeline. It is used to scan our projects to ensure that our dependencies are up to date and do not introduce vulnerabilities to our code Before using FOSSA, we could only identify issues after deployment in the Cloud Run. Now, with…
Jayashree Acharyya - PeerSpot reviewer
Mar 4, 2024
Used for image scanning and identifying vulnerabilities, but its integration with other services could be improved
The solution has improved or streamlined our process a lot for securing container images. We wanted to make sure we are deploying the secure Docker images. Snyk allowed us to check whether it is following our standard of docker images or not. We use Azure DevOps as our platform, and Snyk's integration with Azure DevOps was okay. However, Snyk's integration with JFrog Artifactory didn't go well. We use JFrog Artifactory to store the artifacts we download. We wanted to integrate Snyk with JFrog Artifactory to scan the binary artifacts we downloaded, but that broke our JFrog Artifactory for some reason. Instead of using it there, we are calling it directly from the pipeline. Snyk's automation features significantly reduced remediation times a couple of times. Sometimes, our developers scan the code from the environment and find some Java vulnerabilities. We fixed those vulnerabilities in the lower environment itself. The solution does not require any maintenance. The accuracy of Snyk's vulnerability detection is pretty good compared to other tools. I rate the solution's vulnerability detection feature an eight out of ten. I would recommend Snyk to other users because it is easy to implement and integrate with Azure DevOps and GitHub. Overall, I rate the solution a seven out of ten.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."
"The most valuable feature is its ability to identify all of the components in a build, and then surface the licenses that are associated with it, allowing us to make a decision as to whether or not we allow a team to use the components. That eliminates the risk that comes with running consumer software that contains open source components."
"The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product."
"FOSSA allows us to keep track of all dependencies to ensure they are up to date and not causing any vulnerabilities."
"Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues."
"Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices."
"I found FOSSA's out-of-the-box policy engine to be accurate and that it was tuned appropriately to the settings that we were looking for. The policy engine is pretty straightforward... I find it to be very straightforward to make small modifications to, but it's very rare that we have to make modifications to it. It's easy to use. It's a four-category system that handles most cases pretty well."
"The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."
"I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
"The valuable aspect is its security capabilities."
"Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there."
"I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy to detect security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to what they're currently using."
"A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
"We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful."
"The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
"Snyk performs software composition analysis (SCA) similar to other expensive tools."
 

Cons

"We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning, not just matching an entire component, but matching a snippet of code that had been for another project and put in different files that one of our developers may have created."
"If you have thousands of applications, organizing them all into teams or tags is challenging."
"One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential."
"I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI."
"FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually."
"On the legal and policy sides, there is some room for improvement. I know that our legal team has raised complaints about having to approve the same dependency multiple times, as opposed to having them it across the entire organization."
"On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying."
"Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two."
"The product is very expensive."
"We've also had technical issues with blocking newly introduced vulnerabilities in PRs and that was creating a lot of extra work for developers in trying to close and reopen the PR to get rid of some areas. We ended up having to disable that feature altogether because it wasn't really working for us and it was actually slowing down developer velocity."
"I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks."
"It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
"Could include other types of security scanning and statistical analysis"
"One area where Snyk could improve is in providing developers with the line where the error occurs."
"Compatibility with other products would be great."
"I would like to give further ability to grouping code repositories, in such a way that you could group them by the teams that own them, then produce alerting to those teams. The way that we are seeing it right now, the alerting only goes to a couple of places. I wish we could configure the code to go to different places."
 

Pricing and Cost Advice

"FOSSA is not cheap, but their offering is top-notch. It is very much a "you get what you pay for" scenario. Regardless of the price, I highly recommend FOSSA."
"The solution's pricing is good and reasonable because you can literally use a lot of it for free."
"FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it."
"The solution's cost is a five out of ten."
"Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market. It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team."
"We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon"
"Presently, my company uses an open-source version of the solution. The solution's pricing can be considered quite reasonable owing to the features they offer."
"The product's price is okay."
"With Snyk, you get what you pay for. It is not a cheap solution, but you get a comprehensiveness and level of coverage that is very good. The dollars in the security budget only go so far. If I can maximize my value and be able to have some funds left over for other initiatives, I want to do that. That is what drives me to continue to say, "What's out there in the market? Snyk's expensive, but it's good. Is there something as good, but more affordable?" Ultimately, I find we could go cheaper, but we would lose the completeness of vision or scope. I am not willing to do that because Snyk does provide a pretty important benefit for us."
"Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us."
"The license model is based on the number of contributing developers. Snyk is expensive, for a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SLA tools."
"For what Snyk offers, it has the best cost-benefit I have ever seen because you're buying the license per user."
"It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
814,649 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
28%
Computer Software Company
15%
Financial Services Firm
13%
Healthcare Company
6%
Financial Services Firm
15%
Computer Software Company
15%
Manufacturing Company
9%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about FOSSA?
I am impressed with the tool’s seamless integration and quick results.
What is your experience regarding pricing and costs for FOSSA?
The solution's pricing is good and reasonable because you can literally use a lot of it for free. You have to pay for the features you need, which I think is fair. If you want to get value for free...
What needs improvement with FOSSA?
If you have thousands of applications, organizing them all into teams or tags is challenging. There is a point where you start using FOSSA at a very large scale, and the user interface needs to adj...
How does Snyk compare with SonarQube?
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...
What do you like most about Snyk?
The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.
What needs improvement with Snyk?
I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline, however, they were resolved.
 

Comparisons

 

Learn More

Video not available
 

Overview

 

Sample Customers

AppDyanmic, Uber, Twitter, Zendesk, Confluent
StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
Find out what your peers are saying about FOSSA vs. Snyk and other solutions. Updated: October 2024.
814,649 professionals have used our research since 2012.