Try our new research platform with insights from 80,000+ expert users

Semgrep vs Snyk comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 9, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Semgrep
Ranking in Software Composition Analysis (SCA)
13th
Average Rating
8.0
Reviews Sentiment
7.8
Number of Reviews
1
Ranking in other categories
Static Application Security Testing (SAST) (25th), Supply Chain Management Software (3rd), Static Code Analysis (7th)
Snyk
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
8.0
Reviews Sentiment
7.4
Number of Reviews
45
Ranking in other categories
Application Security Tools (4th), Container Security (8th), Software Development Analytics (2nd), DevSecOps (1st)
 

Featured Reviews

Henry Mwawai - PeerSpot reviewer
Automated code reviews and good scalability with custom rule adaptability
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing…
meetharoon - PeerSpot reviewer
Affordable tool boosts code scanning efficiency but faces integration hurdles
The most important feature of Snyk is its cost-effectiveness compared to other solutions such as Check Point. It is easy to consolidate Snyk across multiple entities within a large organization. Additionally, our integration of Snyk into GitHub allows us to automatically scan codebases and identify issues, which has improved efficiency.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the ability to write our custom rules."
"The most valuable feature of Snyk is the software composition analysis."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
"A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
"We use Snyk to check vulnerabilities and rectify potential leaks in GitHub."
"Snyk performs software composition analysis (SCA) similar to other expensive tools."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
"The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
"I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy to detect security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to what they're currently using."
 

Cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."
"Generating reports and visibility through reports are definitely things they can do better."
"There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform."
"They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer."
"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."
"The log export function could be easier when shipping logs to other platforms such as Splunk."
"The solution could improve the reports. They have been working on improving the reports but more work could be done."
"The solution's reporting and storage could be improved."
"A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."
 

Pricing and Cost Advice

Information not available
"With Snyk, you get what you pay for. It is not a cheap solution, but you get a comprehensiveness and level of coverage that is very good. The dollars in the security budget only go so far. If I can maximize my value and be able to have some funds left over for other initiatives, I want to do that. That is what drives me to continue to say, "What's out there in the market? Snyk's expensive, but it's good. Is there something as good, but more affordable?" Ultimately, I find we could go cheaper, but we would lose the completeness of vision or scope. I am not willing to do that because Snyk does provide a pretty important benefit for us."
"Snyk is an expensive solution."
"It's good value. That's the primary thing. It's not cheap-cheap, but it's good value."
"We are using the open-source version for the scans."
"Cost-wise, it's similar to Veracode, but I don't know the exact cost."
"The product's price is okay."
"We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon"
"Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
848,716 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
14%
Manufacturing Company
12%
Comms Service Provider
5%
Financial Services Firm
16%
Computer Software Company
14%
Manufacturing Company
10%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What needs improvement with Semgrep?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
What is your primary use case for Semgrep?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending ...
How does Snyk compare with SonarQube?
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...
What do you like most about Snyk?
The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.
What needs improvement with Snyk?
There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false positives would be beneficial. So far, I've not seen any AI features to enhance vuln...
 

Comparisons

 

Also Known As

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
No data available
 

Overview

 

Sample Customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: April 2025.
848,716 professionals have used our research since 2012.