We performed a comparison between Checkmarx and Snyk based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Snyk has an edge in this comparison. According to its reviewers, it is a less expensive product than Checkmarx.
"Scan reviews can occur during the development lifecycle."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"The SAST component was absolutely 100% stable."
"From my point of view, it is the best product on the market."
"It is a stable product."
"The UI is user-friendly."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"Our static operation security has been able to identify more security issues since implementing this solution."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
"Snyk is a developer-friendly product."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
"The most valuable feature of Snyk is the software composition analysis."
"It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now."
"Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet."
"The most valuable features are their GitLab and JIRA integrations. The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using."
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"I would like to see the rate of false positives reduced."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"Meta data is always needed."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization that I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product."
"The feature for automatic fixing of security breaches could be improved."
"Could include other types of security scanning and statistical analysis"
"The solution's integration with JFrog Artifactory could be improved."
"It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
"The tool's initial use is complex."
"It lists projects. So, if you have a number of microservices in an enterprise, then you could have pages of findings. Developers will then spend zero time going through the pages of reports to figure out, "Is there something I need to fix?" While it may make sense to list all the projects and issues in these very long lists for completeness, Snyk could do a better job of bubbling up and grouping items, e.g., a higher level dashboard that draws attention to things that are new, the highest priority things, or things trending in the wrong direction. That would make it a lot easier. They don't quite have that yet in container security."
"The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Snyk is ranked 4th in Application Security Tools with 41 reviews. Checkmarx One is rated 7.6, while Snyk is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Coverity and Mend.io, whereas Snyk is most compared with SonarQube, Black Duck, GitHub Advanced Security, Fortify Static Code Analyzer and Prisma Cloud by Palo Alto Networks. See our Checkmarx One vs. Snyk report.
See our list of best Application Security Tools vendors and best DevSecOps vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.