We performed a comparison between Black Duck and Snyk based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Snyk is the clear winner in this comparison. It is easy to deploy, secure, and powerful. In addition, it has excellent customer support and an impressive ROI.
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"I like the fact that the product auto analyzes components."
"The solution is stable."
"It is able to drill down to the source level."
"The installation is very easy."
"The cloud option of the product is always available and a positive aspect of the solution."
"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."
"I find SCA to be valuable. It can read your libraries, your license and bring the best way to resolve your problem in the best scenario."
"The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
"The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities."
"Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
"Snyk performs software composition analysis (SCA) similar to other expensive tools."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
"I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
"We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful."
"The initial setup could be simplified. It was somewhat complex."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"The scanner client is limited by the size of software it can handle."
"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
"The tool's documentation and support are areas of concern where improvements are required."
"Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster."
"Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release."
"We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."
"We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."
"It lists projects. So, if you have a number of microservices in an enterprise, then you could have pages of findings. Developers will then spend zero time going through the pages of reports to figure out, "Is there something I need to fix?" While it may make sense to list all the projects and issues in these very long lists for completeness, Snyk could do a better job of bubbling up and grouping items, e.g., a higher level dashboard that draws attention to things that are new, the highest priority things, or things trending in the wrong direction. That would make it a lot easier. They don't quite have that yet in container security."
"We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good."
"The log export function could be easier when shipping logs to other platforms such as Splunk."
"They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer."
"Basically the licensing costs are a little bit expensive."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Snyk is ranked 2nd in Software Composition Analysis (SCA) with 41 reviews. Black Duck is rated 7.8, while Snyk is rated 8.2. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Black Duck is most compared with Fortify Static Code Analyzer, JFrog Xray, Mend.io, FOSSA and Sonatype Lifecycle, whereas Snyk is most compared with SonarQube, GitHub Advanced Security, Fortify Static Code Analyzer, Veracode and Checkmarx One. See our Black Duck vs. Snyk report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.