Snyk Reviews

We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control. 

It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones. 

Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.

It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.

It never failed, and it is very easy, reliable, and smooth. 

It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.

We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.

It has been more than one and a half years. 

It is stable. I haven't had any problems with its stability.

It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.

Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.

I've never used their technical support.

It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.

Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.

I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.

It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.

Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10. 

I use the tool in my company to scan open-source projects.

I don't use Snyk anymore. The tool is just used in our company, but not by me anymore.

It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.

I have been using Snyk for three years. I am a user of the tool.

The solution's technical support is okay. I rate the technical support an eight out of ten.

Positive

The product's price is okay. My company isn't actively looking for replacement tools.

The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.

The integration features of the product are okay.

I recommend the product to those who want to buy it.

In a general sense, Snyk is a good product that can be used for governance. If you use a lot of open-source software, Snyk is an application testing tool you can buy.

I rate the tool a seven to eight out of ten.

It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.

This is a SaaS solution.

It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now.

We were aware of problems that were there, but we weren't looking for them until we had Snyk. It is definitely showing us things that we should have been concerned about, and we have found a lot of value in resolving those things since we've discovered them.

It's reduced the amount of active vulnerabilities in our applications, providing both a more stable and secure environment for us in the libraries that we develop. It has highlighted a number of things we weren't aware of in our applications and the reduction of those is definitely a benefit and value-add to our applications.

The general source composition analysis is the key to the piece. That is the feature to check our open source libraries for vulnerabilities and the primary feature that we use the tool for.

It is extremely easy to use and very simple to catch on for every team that we train on it. We generally have our development teams leverage the tool themselves. It's extremely easy to teach them how to use it and get them to onboard it.

From a speed perspective, we use Git repository. It was very easy to integrate into that platform.

The solution’s ability to help developers find and fix vulnerabilities quickly is very good and convenient. It provides the ability to easily work the platform into our existing repositories and leverage our repository. It also pulls notifications as a means for notifying developers of vulnerabilities within the projects that are developing.

The solution’s vulnerability database is very comprehensive and accurate.

There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform.

We have been using Snyk for about a year.

It is very stable.

We use existing staff to maintain and operationalize it.

It is extremely easy to scale and hooks into all of our application repositories without any issues. We use the product extensively in the projects that we are currently running. We are using the product at close to 100 percent.

Developer-adoption of the solution has been good. It is one of the better tools in our application security library from an adoption perspective and needs of use. It has the most positive feedback out of all our solutions.

There are probably 50 users who are security/developers and development-focused security professionals.

The only technical support that we have received has been through our account team, and it's been fantastic. I haven't actually had to open any tickets or anything using the tool. The only time we've ever needed assistance was to open up a ticket for single sign-on configuration. It was extremely quick. They had a very easy, fast response for how to deliver it.

We previously used Black Duck. We switched to Snyk because of its better false positive ratings along with its ease of use, integration, and deployment.

The initial setup was straightforward. It was just extremely easy to integrate into our repositories, get the code scanning working, and add our projects into the application.

The deployment was quick. We had our first application in it within minutes.

Implementation strategy: We hooked up our applications and integrated them into the tool. Then, we started to address vulnerabilities as we saw fit from a risk perspective.

We have seen ROI with Snyk. It has showed us a lot of things that we were not privy to before. This has opened our eyes to a lot of very important things, e.g., vulnerabilities.

The solution has reduced the amount of time it takes to fix problems. It has done a great job explaining what the problem is and how to resolve it with remediation. It gives you a lot of details about versioning and such for the library. It is definitely helpful there.

The time-to-value of the solution in our company was almost immediate.

It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website.

We focused our evaluation specifically on Black Duck and Snyk, plus Veracode as a larger product offering.

The Snyk platform does everything we've expected it to do. It works much better than some of the competitors we looked at during our assessment.

If you're looking for a source composition analysis tool or a tool to monitor your open source security, then it's a fantastic solution.

SAST and DAST are very important functions. We have alternative options for those though. I wouldn't say the solution’s lack of SAST and DAST hurts or affects us. It would be nice if these were a platform or offering that they did have.

We don't use the solution’s Container security feature at the moment, but we are planning on using it.

I would rate this solution as an eight or nine (out of 10).

We use Snyk for the generation of SBOM for Docker. We use it to check the standards of the CSI benchmark that we have implemented in the containers and the applications by Java Spring Boot.

The most valuable feature of Snyk is the SBOM.

It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.

I have been using Snyk for two years.

Snyk is a stable solution.

Snyk is a scalable solution. As we are an R&D organization, I am the only person managing the solution. However, there are almost 500 employees who are taking advantage of the report we have generated from the Snyk app.

The solution is easy to use and implement.

The deployment steps were easy. The solution's documentation is also easy to use. It took hardly one and a half hours to implement the solution. We implemented Snyk in our virtual private server (VPS).

For deployment, we followed the instructions and created a server for Snyk. Then, we integrated the server with the plug-in using Jenkins. We created a server for Snyk, then used the GitHub repository that mentioned the document and implemented the same. Later, we used the plug-in to connect the server to the Jenkins server.

When the pipeline was built, the process started, as we had mentioned the stage in the Jenkins file, to generate SBOMs and check whether the Docker images were compliant with CSI Benchmarks.

Snyk is an expensive solution.

Before choosing Snyk, we evaluated a different tool named Dependency-Track. We chose Snyk because Dependency-Track only helped us identify the vulnerabilities in the libraries, and it couldn't solve the issues mentioned in the CIS benchmark.

Snyk helped us identify the composition or the libraries we used in the project, which were vulnerable. It also helped us identify the license agreements from the vendor side.

Software conversion analysis is a mandatory thing that should be implemented in every organization. Most libraries or any third-party libraries are not considered under VAPT. We should also look after the composition of the libraries we use in the project. We should look after these libraries for vulnerabilities, and VAPT should be mandatory in every organization.

I rate Snyk a nine out of ten for the user-friendliness of its user interface.

Currently, my team is looking into whether version numbers are vulnerable. We are also considering the improvisations or research and development we need to do if we need the same library. There are some loopholes that even Snyk has not identified or that it might be working on. Since we have implemented it, we are looking after it.

If a developer requires a particular library with vulnerabilities, we check whether we are using the functions mentioned in the libraries in the project. If we are using it, we are trying to identify exactly which snippet is causing the error. If it is causing a vulnerability, we are considering how to improve it.

We need to think about the decisions we need to make after SCA. It would be a big relief for our organization if Snyk could provide a solution to identify the library snippet that is causing a future vulnerability. We are currently using a team of 30 people to identify this issue.

Overall, I rate Snyk an eight out of ten.

We use the product mainly for software composition analysis. It is used to identify vulnerabilities in the application plug-ins. If we use Python 3.8, it’ll tell us that the version is outdated and that it has several vulnerabilities. It also helps in threat identification. It also provides infrastructure as code.

Static code analysis is one of the best features of the solution.

The product is very expensive.

I have been using the solution for three years.

The product is stable.

We have around 2000 users. Every developer in the organization has access to it.

The support has improved a lot.

Neutral

We use the SaaS version. The initial setup is easy. We just have to click the buttons.

I do not think that the tool is worth the money. A lot of free tools are available online.

The solution costs half a million dollars per year. It depends on the number of users. If the number of users increases, the cost will increase further.

People who want to use the product must utilize the code analysis on IDE. It would really help a lot of the developers. It performs the shift left concept very well. It is a very good tool, but the pricing is absurd. Overall, I rate the product an eight out of ten.

I used it for the security analysis and code vulnerability part. We were also interested in integrating with the pipeline scan and code scan.

The code scans on the source code itself were valuable.

It's very easy to use. It's very fast. 

It was good, but we had a few limitations with it. We were mostly using containerized applications. We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good.

I used it two months ago for a period of two weeks.

Its stability was good during that two-week period.

We didn't do extensive tests on it.

We contacted them for support. They were responsive, and they responded quickly.

We were using Veracode, but with Veracode, we found some limitations. It was not able to scan the source code the way Snyk does. That's a limitation, and Veracode is not that capable even for container applications. From the capability perspective, it was not as good as Snyk.

It's very easy to use. It's very quick. I'd rate it a nine out of ten in terms of the ease of the setup.

Cost-wise, it's similar to Veracode, but I don't know the exact cost. 

I'd recommend the code quality scan, which is helpful for the upfront feedback for developers. It's a very good feature. The container scans are also good, but only for Microsoft images, there are some limitations. If I were to start looking for a vulnerability solution, I'd definitely go with Snyk. It's quick and easy to use.

Overall, I'd rate Snyk a nine out of ten.

It is for SCA, and we have just been doing the PoC. We are currently using the open-source version for some of the development teams. 

The main functionality that we found useful is scanning. A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.

I had a list of what they can improve, and I did share that with them. They are coming up with a beta version. 

It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front. When we started the PoC five months ago, we encountered all these things. So, I asked them to improve on them. They have come up with a lot of new features, but they are still lacking on the UI front and the reporting side of things.

If you go to the UI front of Snyk, you won't find it so friendly. Another one is that you can't see the projects clearly. It gets all the sources from the repository. It pulls all the projects from the repository and creates a new project altogether for every new addition. So, you can't group them clearly. For example, if I have one product with different repositories, it creates a number of projects underneath in the Snyk UI. 

When it comes to reporting, if I run a scan on a particular project, I want the report only for that particular project in a PDF format that I can share with others. Currently, you get the notification over an email with all the projects but not in detail. You have to go to Snyk to find the details of a particular project. You only get a generic view, and you don't get a detailed view of a project. You need to go to the tool, export it as a CSV, and then find it, which is ridiculous. With other tools, once the scan is complete, we can just share the report with the development team that is working on that project, but Snyk doesn't let us do that. They still need to work a lot on the reporting structure.

It also needs to be improved in terms of interdependencies. When you run a code scan, the code can have interdependencies. If you have found a vulnerable line somewhere, it might lead to other interdependencies. Currently, Snyk doesn't provide you with interdependencies. For example, it doesn't provide you with the best location to do the fix. Checkmarx does that, and after you fix a particular line of code, all the other dependencies are automatically fixed. Snyk doesn't offer that. So, you have to do the fix one by one, which is a tedious task for the development team. It takes a lot of effort. I shared this feedback with them, and they might be working on it. They told me that they'll consider that.

We have been using Snyk for the past five months.

They are very proactive, sometimes more than what we want them to be. They reach out to us very often, and they are very good with technical support. They reach out to us and just ask us if there are any challenges where they can improve. They're quite open on that front. They don't have any local support as of now, but they are planning for 24/7 support. Currently, they are based only in the US, but they are still very active. Whenever we send out an email, they respond immediately. I would rate them a four out of five.

Positive

I have worked with other solutions. From the open-source composition and the licensing perspective, they are doing well as compared to competitors such as Black Duck, Veracode, and others. They do well on that front.

Checkmarx is the top one. They need to work very hard to match Checkmarx. Checkmarx is really good as compared to Snyk, but Checkmarx is too expensive. That's the reason we went with Snyk. Checkmarx has a very good scanning engine and technical support. It is also user-friendly. It is quite friendly for developers who are beginners. Anyone can use and learn Checkmarx easily, whereas with Snyk, you need some knowledge before you begin with it.

I had an on-prem Checkmarx. They still do on-prem, and now, they're also coming up with the cloud version. Even if you use the on-prem version, it is quite easy to access the database. You can customize everything based on your needs. From the scanning perspective, if I want to change any policies or rules, it is quite easy with Checkmarx. You just need to change the query inside the database, and you can easily set the rules.

We have only done a PoC. We are yet to finalize the pricing and then deploy the product as a whole. When it comes to PoC, it was quite simple. It was not complex at all. The integrations with GenCAN, or even with GitHub, were quite easy for us. There was no complex structure there. It was straightforward. Once we set up the environment, it took us a few hours to do all the integrations with different repositories or CI/CD. I would rate it a four out of five in terms of ease of the setup.

Currently, we have done it on CI/CD. It is kind of automated. Whenever there is a new build, it automatically triggers the scan.

There are about 30 developers who have been working with it for the PoC. They have been using it on a daily basis for the past four months. Last month, we stopped using it because we have finalized it. Going forward, we will be having 500 developers to begin with. 

We did the integration using their documentation. Their documentation was very simple. It was very easy to use.

We are using the open-source version for the scans. We will be going with the full source, license-based version as soon as possible.

I would rate it a seven out of ten.

Snyk is a security software offering. It helps us identify vulnerabilities or potential weaknesses in the third-party software that we use at our company. 

The solution is meant to give you visibility into open source licensing issues, which you may not necessarily be aware off, such as the way you ingest libraries into your application code for third-party dependencies. There is visibility into anything that could be potentially exploited. 

It provides good reporting and monitoring tools which enable me to keep track of the vulnerabilities found now and/or discovered in the future. It is pretty proactive about telling me what/when something might need mitigation.

Their strength is really about empowering a very heterogeneous software environment, which is very developer-focused and where developers can easily get feedback. If you integrate their offering into the software development life cycle (SDLC), you can get pretty good coverage from a consumer perspective into the libraries that you're using.

It's a good suite of tools tailored and focused towards developers. It ensures their code is safe in regards to their usage of third-party libraries, e.g., libraries not owned or controlled, then incorporated into the product from open sources.

It is meant to be a less intrusive type of solution. It is easy to integrate and doesn't require a lot of effort. It's more a part of the CI/CD pipelines, which doesn't necessarily interfere with developers other than if there are actions/remediations to be taken. From a development impact, it's very lightweight and minimal. 

It is not noticeable for most engineers since it's part of the pipeline. If no new findings are reported, then it goes through without any signals or noise. If there were findings, these are usually legitimate findings and can be configured in such a way that they can be blocked/stopped in your pipelines or be more informational. The user has all the knobs and screws to turn and tweak it towards their use case because there may be areas where security is more critical than in other parts of the company, like development projects. 

We exclusively use their SDE tools. Our CI/CD environments are powered by source code control systems like GitLab and GitHub. BitPocket has also been integrated to some extent. There are CI/CD pipelines where we pull in Snyk as part of the pipeline, jobs, Jenkins environment, etc.

It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.

It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well. 

Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.

There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support. 

There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and automitigation tool. They don't always work based on the language used.

I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.

The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.

Scanning on their site, to some extent, is less reliable than running a quick CLI.

We have been engaging with Snyk for close to a year.

I have not encountered any instabilities at this point. 

We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading. 

As a SaaS offering, it's been fairly stable.

We have an on-prem type of broker setup, which seems to be a fairly stable. I'm not aware of any particular outages with it. 

We have no concerns regarding scalability. We operate at scale. Their approach is pretty lightweight for integrating tools locally.

We are not fully rolled out across the company; parts of the company are using it more than others. There are some best practices that we still have to establish across our development teams so it feels consistent across our scalable processes. 

I would gauge the technical support as pretty good from our interactions. We are in a licensed partnership, so the response and support that we're getting is part of our license. For quick resolutions, we have standing channels, like Slack, where we can easily get a hold of somebody who can jump in and provide some feedback. The ticketing support system is for medium to long-term requests. It's been pretty good in terms of responsiveness and their ability to support in a very reasonable time frame. Responding in less than a few hours is common in regards surfacing issues and obtaining proactive support with someone who can chime in and provide potential resolution strategies.

The product is tailored towards developers. It has a good implementation and support team who provide quick resolution on support issues. Their support listens to feedback. We engage with them, and they listen to developers' needs. They have also been pretty good in terms of turning things around. Even though we hadn't done a major request with them, they're very supportive, open, and transparent in terms of what makes sense and is reasonable, like shared priorities and roadmaps.

We have been struggling a bit with the GitLab setup, but that's more of a custom solution problem.

Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us.

It addresses a lot of needs, especially in growing organizations. The more developers, the more heterogeneous your environment will look, as well as needing more tools to help you scale security practices. In this regard, it seems to be a very promising, scalable solution.

We have been utilizing the solution’s container security feature. It is not at full scale, though. We are engaging Snyk on container integrations.

I would rate it an eight (out of 10).