We performed a comparison between Checkmarx and Snyk based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Snyk has an edge in this comparison. According to its reviewers, it is a less expensive product than Checkmarx.
"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"The setup is fairly easy. We didn't struggle with the process at all."
"One of the most valuable features is it is flexible."
"Our customers find container scans most valuable. They are always talking about it."
"The solution has great features and is quite stable."
"The most valuable feature of Snyk is the software composition analysis."
"The most valuable features include enriched information around the vulnerabilities for better triaging, in terms of the vulnerability layer origin and vulnerability tree."
"It has an accurate database of vulnerabilities with a low amount of false positives."
"Provides clear information and is easy to follow with good feedback regarding code practices."
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"Snyk is a developer-friendly product."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"The cost per user is high and should be reduced."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"The validation process needs to be sped up."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Checkmarx could improve by reducing the price."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"The documentation sometimes is not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scannings for the multiple project settings."
"There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform."
"We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."
"I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks."
"Generating reports and visibility through reports are definitely things they can do better."
"A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."
"One area where Snyk could improve is in providing developers with the line where the error occurs."
"DAST has shortcomings, and Snyk needs to improve and overcome such shortcomings."
Checkmarx One doesn't meet the minimum requirements to be ranked in DevSecOps with 67 reviews while Snyk is ranked 1st in DevSecOps with 41 reviews. Checkmarx One is rated 7.6, while Snyk is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Coverity and Mend.io, whereas Snyk is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitHub Advanced Security and Prisma Cloud by Palo Alto Networks. See our Checkmarx One vs. Snyk report.
See our list of best DevSecOps vendors and best Application Security Tools vendors.
We monitor all DevSecOps reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.