It is for SCA, and we have just been doing the PoC. We are currently using the open-source version for some of the development teams.
Cyber Security Lead at a printing company with 201-500 employees
Does a good analysis from the licensing and open-source perspective, but the UI, reporting, and scanning should be better
Pros and Cons
- "A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
- "It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front."
What is our primary use case?
What is most valuable?
The main functionality that we found useful is scanning. A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.
What needs improvement?
I had a list of what they can improve, and I did share that with them. They are coming up with a beta version.
It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front. When we started the PoC five months ago, we encountered all these things. So, I asked them to improve on them. They have come up with a lot of new features, but they are still lacking on the UI front and the reporting side of things.
If you go to the UI front of Snyk, you won't find it so friendly. Another one is that you can't see the projects clearly. It gets all the sources from the repository. It pulls all the projects from the repository and creates a new project altogether for every new addition. So, you can't group them clearly. For example, if I have one product with different repositories, it creates a number of projects underneath in the Snyk UI.
When it comes to reporting, if I run a scan on a particular project, I want the report only for that particular project in a PDF format that I can share with others. Currently, you get the notification over an email with all the projects but not in detail. You have to go to Snyk to find the details of a particular project. You only get a generic view, and you don't get a detailed view of a project. You need to go to the tool, export it as a CSV, and then find it, which is ridiculous. With other tools, once the scan is complete, we can just share the report with the development team that is working on that project, but Snyk doesn't let us do that. They still need to work a lot on the reporting structure.
It also needs to be improved in terms of interdependencies. When you run a code scan, the code can have interdependencies. If you have found a vulnerable line somewhere, it might lead to other interdependencies. Currently, Snyk doesn't provide you with interdependencies. For example, it doesn't provide you with the best location to do the fix. Checkmarx does that, and after you fix a particular line of code, all the other dependencies are automatically fixed. Snyk doesn't offer that. So, you have to do the fix one by one, which is a tedious task for the development team. It takes a lot of effort. I shared this feedback with them, and they might be working on it. They told me that they'll consider that.
For how long have I used the solution?
We have been using Snyk for the past five months.
Buyer's Guide
Snyk
March 2025

Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,672 professionals have used our research since 2012.
How are customer service and support?
They are very proactive, sometimes more than what we want them to be. They reach out to us very often, and they are very good with technical support. They reach out to us and just ask us if there are any challenges where they can improve. They're quite open on that front. They don't have any local support as of now, but they are planning for 24/7 support. Currently, they are based only in the US, but they are still very active. Whenever we send out an email, they respond immediately. I would rate them a four out of five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have worked with other solutions. From the open-source composition and the licensing perspective, they are doing well as compared to competitors such as Black Duck, Veracode, and others. They do well on that front.
Checkmarx is the top one. They need to work very hard to match Checkmarx. Checkmarx is really good as compared to Snyk, but Checkmarx is too expensive. That's the reason we went with Snyk. Checkmarx has a very good scanning engine and technical support. It is also user-friendly. It is quite friendly for developers who are beginners. Anyone can use and learn Checkmarx easily, whereas with Snyk, you need some knowledge before you begin with it.
I had an on-prem Checkmarx. They still do on-prem, and now, they're also coming up with the cloud version. Even if you use the on-prem version, it is quite easy to access the database. You can customize everything based on your needs. From the scanning perspective, if I want to change any policies or rules, it is quite easy with Checkmarx. You just need to change the query inside the database, and you can easily set the rules.
How was the initial setup?
We have only done a PoC. We are yet to finalize the pricing and then deploy the product as a whole. When it comes to PoC, it was quite simple. It was not complex at all. The integrations with GenCAN, or even with GitHub, were quite easy for us. There was no complex structure there. It was straightforward. Once we set up the environment, it took us a few hours to do all the integrations with different repositories or CI/CD. I would rate it a four out of five in terms of ease of the setup.
Currently, we have done it on CI/CD. It is kind of automated. Whenever there is a new build, it automatically triggers the scan.
There are about 30 developers who have been working with it for the PoC. They have been using it on a daily basis for the past four months. Last month, we stopped using it because we have finalized it. Going forward, we will be having 500 developers to begin with.
What about the implementation team?
We did the integration using their documentation. Their documentation was very simple. It was very easy to use.
What's my experience with pricing, setup cost, and licensing?
We are using the open-source version for the scans. We will be going with the full source, license-based version as soon as possible.
What other advice do I have?
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Security Engineer at a computer software company with 51-200 employees
Helps us meet compliance requirements and educate devs on security in the SDC
Pros and Cons
- "It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10."
- "A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."
What is our primary use case?
Since some of our development is using open source packages, we need a way to identify the vulnerabilities before using those packages for development. Using Snyk, we can identify all the safe packages, which to use and which to not use, and create a safe repository for developers.
The goal is to catch the vulnerabilities early within the process and fix them before they get to the security review where they can cause deadlines to be pushed out to fix them.
We're using the cloud version.
How has it helped my organization?
It helps us meet compliance requirements, by identifying and fixing vulnerabilities, and to have a robust vulnerability management program. It basically helps keep our company secure, from the application security standpoint.
Snyk also helps improve our company by educating users on the security aspect of the software development cycle. They may have been unaware of all the potential security risks when using open source packages. During this process, they have become educated on what packages to use, the vulnerabilities behind them, and a more secure process for using them.
In addition, its container security feature allows developers to own security for the applications and the containers they run in the cloud. It gives more power to the developers.
Before using Snyk, we weren't identifying the problems. Now, we're seeing the actual problems. It has affected our security posture by identifying open source packages' vulnerabilities and licensing issues. It definitely helps us secure things and see a different facet of security.
It also allows our developers to spend less time securing applications, increasing their productivity. I would estimate the increase in their productivity at 10 to 15 percent, due to Snyk's integration. The scanning is automated through the use of APIs. It's not a manual process. It automates everything and spits out the results. The developers just run a few commands to remediate the vulnerabilities.
What is most valuable?
- The wide range of programming languages it covers, including Python
- Identifying the vulnerabilities and providing information on how to fix them — remediation steps
It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10. Our developers are using the dashboard and command lines. All the documentation is provided and I've never had an issue.
We have integrated Snyk into our software development environment. It's something that is ongoing at the moment. Our SDE is VS Code.
Another important feature is the solution’s vulnerability database, in terms of comprehensiveness and accuracy. It's top-notch. It pulls all the data from the CVE database, the national vulnerability database. It's accurate and frequently updated.
What needs improvement?
We use the solution's container security feature. A lot of the vulnerabilities can't be addressed due to OS restraints. They just can't be fixed, even with their recommendations. I would like to see them improve on this.
A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate.
For how long have I used the solution?
We have been using Snyk for a little more than a year.
What do I think about the stability of the solution?
The stability is very good. I haven't noticed any downtime.
What do I think about the scalability of the solution?
It provides easy deployment for different code repositories, so it's easily scalable.
We have about 20 to 25 users and it's being used very extensively, across all our applications.
How are customer service and technical support?
Their technical support is top-notch, a 10 out of 10. I have a Slack channel for direct discussions with support. And I have my account manager for any questions or issues I run into. Response time ranges between instant and three hours. If they don't know the question or the issue, they'll escalate. They'll have someone else join the Slack or give me a Zoom session.
Which solution did I use previously and why did I switch?
This is the first of its kind, that we are using.
How was the initial setup?
The initial setup was very straightforward. The integrations with our code repositories, like Bitbucket and GitHub, are direct. You enter their required information and just pull data from them. There was no setup for any additional VMs or anything else.
Developer adoption has been pretty positive, since it's easy to use. We have 100 percent adoption. They understand the need for security with software development. Everyone's happy with the product, and it allows them to catch vulnerabilities earlier in the software development cycle, rather than later, so they can fix them before they get to the security-review process.
The deployment took a few hours, maybe even less. I was the only one involved in the process. I just followed the directions. We just planned on identifying the specific repositories linking to Snyk, and then started scanning specific projects.
I also take care of maintenance of the solution and it takes less than 5 percent of my time. There is very little maintenance needed since it's a SaaS product.
What was our ROI?
We have seen ROI, although I don't have any data points on it. It's very valuable. It saves time for the developers and security team by quickly identifying things and fixing them before they get down the pipeline. It prevents the creation of additional roadblocks and complexity and the pushing out of deadlines to address issues once they are too far down the pipeline.
Which other solutions did I evaluate?
We didn't find any other options on the market.
What other advice do I have?
The biggest lesson I've learned from using this solution is the complexity of open source licenses. I wasn't aware of all the different types of licenses, and all the terms and conditions required to use specific open source packages.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Snyk
March 2025

Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,672 professionals have used our research since 2012.
Software Quality Coordinator at a retailer with 10,001+ employees
Enhancing security awareness, and finds major issues while managing risks effectively
Pros and Cons
- "The valuable aspect is its security capabilities."
- "We had some issues integrating into our pipeline, however, they were resolved."
What is our primary use case?
The main tool today is used to check for security issues in our products. We use it to analyze all the projects, and our security efforts are based partly on this tool.
How has it helped my organization?
There are major impacts related to increasing security awareness and managing risks. Snyk has been an essential tool in that aspect.
What is most valuable?
The valuable aspect is its security capabilities. The tool finds any major issue, and the code is blocked from being promoted to production until the issue is corrected.
What needs improvement?
I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline, however, they were resolved.
For how long have I used the solution?
We have used Snyk for approximately one year.
What do I think about the stability of the solution?
There are no complaints from the security team. There seem to be no major issues of concern.
What do I think about the scalability of the solution?
The security team is responsible for this tool. I don't have more details, however, there are no complaints, so I believe that's okay.
How are customer service and support?
I don't know about the support or customer service details. It's another team's responsibility.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I don't have experience with other products similar to Snyk.
What was our ROI?
I wouldn't be able to say what the company's ROI is.
What's my experience with pricing, setup cost, and licensing?
The pricing and setup are not my responsibilities, so I don't know any details.
Which other solutions did I evaluate?
I have not evaluated any other solutions.
What other advice do I have?
Based on our experience and what I have heard internally, I would recommend Snyk.
I'd rate the solution nine out fo ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Oct 9, 2024
Flag as inappropriateSenior Director, Engineering at Zillow Group
Helps developers find and fix vulnerabilities quickly
Pros and Cons
- "It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well."
- "We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading."
What is our primary use case?
Snyk is a security software offering. It helps us identify vulnerabilities or potential weaknesses in the third-party software that we use at our company.
The solution is meant to give you visibility into open source licensing issues, which you may not necessarily be aware off, such as the way you ingest libraries into your application code for third-party dependencies. There is visibility into anything that could be potentially exploited.
It provides good reporting and monitoring tools which enable me to keep track of the vulnerabilities found now and/or discovered in the future. It is pretty proactive about telling me what/when something might need mitigation.
Their strength is really about empowering a very heterogeneous software environment, which is very developer-focused and where developers can easily get feedback. If you integrate their offering into the software development life cycle (SDLC), you can get pretty good coverage from a consumer perspective into the libraries that you're using.
It's a good suite of tools tailored and focused towards developers. It ensures their code is safe in regards to their usage of third-party libraries, e.g., libraries not owned or controlled, then incorporated into the product from open sources.
How has it helped my organization?
It is meant to be a less intrusive type of solution. It is easy to integrate and doesn't require a lot of effort. It's more a part of the CI/CD pipelines, which doesn't necessarily interfere with developers other than if there are actions/remediations to be taken. From a development impact, it's very lightweight and minimal.
It is not noticeable for most engineers since it's part of the pipeline. If no new findings are reported, then it goes through without any signals or noise. If there were findings, these are usually legitimate findings and can be configured in such a way that they can be blocked/stopped in your pipelines or be more informational. The user has all the knobs and screws to turn and tweak it towards their use case because there may be areas where security is more critical than in other parts of the company, like development projects.
We exclusively use their SDE tools. Our CI/CD environments are powered by source code control systems like GitLab and GitHub. BitPocket has also been integrated to some extent. There are CI/CD pipelines where we pull in Snyk as part of the pipeline, jobs, Jenkins environment, etc.
What is most valuable?
It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.
It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well.
Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.
What needs improvement?
There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support.
There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and automitigation tool. They don't always work based on the language used.
I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.
The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.
Scanning on their site, to some extent, is less reliable than running a quick CLI.
For how long have I used the solution?
We have been engaging with Snyk for close to a year.
What do I think about the stability of the solution?
I have not encountered any instabilities at this point.
We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading.
As a SaaS offering, it's been fairly stable.
We have an on-prem type of broker setup, which seems to be a fairly stable. I'm not aware of any particular outages with it.
What do I think about the scalability of the solution?
We have no concerns regarding scalability. We operate at scale. Their approach is pretty lightweight for integrating tools locally.
We are not fully rolled out across the company; parts of the company are using it more than others. There are some best practices that we still have to establish across our development teams so it feels consistent across our scalable processes.
How are customer service and technical support?
I would gauge the technical support as pretty good from our interactions. We are in a licensed partnership, so the response and support that we're getting is part of our license. For quick resolutions, we have standing channels, like Slack, where we can easily get a hold of somebody who can jump in and provide some feedback. The ticketing support system is for medium to long-term requests. It's been pretty good in terms of responsiveness and their ability to support in a very reasonable time frame. Responding in less than a few hours is common in regards surfacing issues and obtaining proactive support with someone who can chime in and provide potential resolution strategies.
The product is tailored towards developers. It has a good implementation and support team who provide quick resolution on support issues. Their support listens to feedback. We engage with them, and they listen to developers' needs. They have also been pretty good in terms of turning things around. Even though we hadn't done a major request with them, they're very supportive, open, and transparent in terms of what makes sense and is reasonable, like shared priorities and roadmaps.
How was the initial setup?
We have been struggling a bit with the GitLab setup, but that's more of a custom solution problem.
What's my experience with pricing, setup cost, and licensing?
Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us.
What other advice do I have?
It addresses a lot of needs, especially in growing organizations. The more developers, the more heterogeneous your environment will look, as well as needing more tools to help you scale security practices. In this regard, it seems to be a very promising, scalable solution.
We have been utilizing the solution’s container security feature. It is not at full scale, though. We are engaging Snyk on container integrations.
I would rate it an eight (out of 10).
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP Enterprise Architecture and Solutioning at a financial services firm with 10,001+ employees
Possesses good ability to highlight security vulnerabilities
Pros and Cons
- "The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities."
- "The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production."
What is our primary use case?
I use the tool in my company to scan open-source projects.
What needs improvement?
I don't use Snyk anymore. The tool is just used in our company, but not by me anymore.
It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.
For how long have I used the solution?
I have been using Snyk for three years. I am a user of the tool.
How are customer service and support?
The solution's technical support is okay. I rate the technical support an eight out of ten.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
The product's price is okay. My company isn't actively looking for replacement tools.
What other advice do I have?
The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.
The integration features of the product are okay.
I recommend the product to those who want to buy it.
In a general sense, Snyk is a good product that can be used for governance. If you use a lot of open-source software, Snyk is an application testing tool you can buy.
I rate the tool a seven to eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior DevSecOps/Cloud Engineer at Valeyo
Provides information about the issue as well as resolution, easy to integrate, and never fails
Pros and Cons
- "It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
- "Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
- "It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
- "We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."
What is our primary use case?
We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.
With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.
We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.
What is most valuable?
It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control.
It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones.
Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.
It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.
It never failed, and it is very easy, reliable, and smooth.
What needs improvement?
It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.
We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.
For how long have I used the solution?
It has been more than one and a half years.
What do I think about the stability of the solution?
It is stable. I haven't had any problems with its stability.
What do I think about the scalability of the solution?
It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.
Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.
How are customer service and technical support?
I've never used their technical support.
How was the initial setup?
It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.
What's my experience with pricing, setup cost, and licensing?
Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.
What other advice do I have?
I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.
It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.
Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Open Source License Compliance Service Owner at Visma
Helps to detect security vulnerabilities with good accuracy
Pros and Cons
- "I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy to detect security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to what they're currently using."
- "The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization that I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product."
What is our primary use case?
The product helps me with security vulnerability detection.
What is most valuable?
I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy in detecting security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or, for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to their current use.
What needs improvement?
The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product.
What do I think about the stability of the solution?
We haven't had big issues in terms of the product's stability.
What do I think about the scalability of the solution?
The product is scalable. In our company, we have a lot of tools that are used for product and software development. We have been able to onboard them and scale up. However, I have to say that when it comes to displaying a dashboard at the organizational level to see all the vulnerabilities, it takes a bit of time to load, which is annoying.
How are customer service and support?
The product has a fantastic tech support team. We actually have a Slack channel with them, and the customer success managers are a click away from providing us with the latest functionalities and updates if there are any interruptions to the service. So there has always been a transparent dialogue between us; we see them as partners in this journey.
How would you rate customer service and support?
Positive
How was the initial setup?
I wasn't involved in the tool's setup, but from my experience or the experience of my colleagues, the process was positive. I didn't hear them have any horror stories from the days when they set it up.
What's my experience with pricing, setup cost, and licensing?
The solution is less expensive than Black Duck.
What other advice do I have?
I would rate the product a seven out of ten. Snyk is a fantastic tool for security vulnerability detection in third-party open-source software. You can use this product if your focus is on security vulnerability. On the other hand, if you don't want your developers to invest too much time in documentation and reading white papers on configuring the tool to work for them, you need to use this product.
I would give them extra points for the transparent communication with the customer and their openness towards improving their product. And I think they have a lot of potential to improve and become a great SCA tool.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Engineer at CDAC
An easy-to-use solution that can be used for the generation of SBOM
Pros and Cons
- "The most valuable feature of Snyk is the SBOM."
- "It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities."
What is our primary use case?
We use Snyk for the generation of SBOM for Docker. We use it to check the standards of the CSI benchmark that we have implemented in the containers and the applications by Java Spring Boot.
What is most valuable?
The most valuable feature of Snyk is the SBOM.
What needs improvement?
It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.
For how long have I used the solution?
I have been using Snyk for two years.
What do I think about the stability of the solution?
Snyk is a stable solution.
What do I think about the scalability of the solution?
Snyk is a scalable solution. As we are an R&D organization, I am the only person managing the solution. However, there are almost 500 employees who are taking advantage of the report we have generated from the Snyk app.
How was the initial setup?
The solution is easy to use and implement.
What about the implementation team?
The deployment steps were easy. The solution's documentation is also easy to use. It took hardly one and a half hours to implement the solution. We implemented Snyk in our virtual private server (VPS).
For deployment, we followed the instructions and created a server for Snyk. Then, we integrated the server with the plug-in using Jenkins. We created a server for Snyk, then used the GitHub repository that mentioned the document and implemented the same. Later, we used the plug-in to connect the server to the Jenkins server.
When the pipeline was built, the process started, as we had mentioned the stage in the Jenkins file, to generate SBOMs and check whether the Docker images were compliant with CSI Benchmarks.
What's my experience with pricing, setup cost, and licensing?
Snyk is an expensive solution.
Which other solutions did I evaluate?
Before choosing Snyk, we evaluated a different tool named Dependency-Track. We chose Snyk because Dependency-Track only helped us identify the vulnerabilities in the libraries, and it couldn't solve the issues mentioned in the CIS benchmark.
What other advice do I have?
Snyk helped us identify the composition or the libraries we used in the project, which were vulnerable. It also helped us identify the license agreements from the vendor side.
Software conversion analysis is a mandatory thing that should be implemented in every organization. Most libraries or any third-party libraries are not considered under VAPT. We should also look after the composition of the libraries we use in the project. We should look after these libraries for vulnerabilities, and VAPT should be mandatory in every organization.
I rate Snyk a nine out of ten for the user-friendliness of its user interface.
Currently, my team is looking into whether version numbers are vulnerable. We are also considering the improvisations or research and development we need to do if we need the same library. There are some loopholes that even Snyk has not identified or that it might be working on. Since we have implemented it, we are looking after it.
If a developer requires a particular library with vulnerabilities, we check whether we are using the functions mentioned in the libraries in the project. If we are using it, we are trying to identify exactly which snippet is causing the error. If it is causing a vulnerability, we are considering how to improve it.
We need to think about the decisions we need to make after SCA. It would be a big relief for our organization if Snyk could provide a solution to identify the library snippet that is causing a future vulnerability. We are currently using a team of 30 people to identify this issue.
Overall, I rate Snyk an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Product Categories
Application Security Tools Container Security Software Composition Analysis (SCA) Software Development Analytics DevSecOpsPopular Comparisons
SonarQube Server (formerly SonarQube)
GitLab
Checkmarx One
Veracode
Mend.io
Fortify on Demand
CrowdStrike Falcon Cloud Security
Sonatype Lifecycle
Acunetix
GitHub Advanced Security
PortSwigger Burp Suite Professional
HCL AppScan
Qualys Web Application Scanning
GitHub
Klocwork
Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which software is ideal for code quality and security?
- How does Snyk compare with SonarQube?
- How do you use Snyk for running SAST?
- What do I scan when changing code in Snyk?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- We're evaluating Tripwire, what else should we consider?
- Which application security solutions include both vulnerability scans and quality checks?