Snyk Reviews

We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control. 

It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones. 

Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.

It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.

It never failed, and it is very easy, reliable, and smooth. 

It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.

We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.

It has been more than one and a half years. 

It is stable. I haven't had any problems with its stability.

It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.

Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.

I've never used their technical support.

It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.

Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.

I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.

It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.

Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10. 

I use the tool in my company to scan open-source projects.

I don't use Snyk anymore. The tool is just used in our company, but not by me anymore.

It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.

I have been using Snyk for three years. I am a user of the tool.

The solution's technical support is okay. I rate the technical support an eight out of ten.

Positive

The product's price is okay. My company isn't actively looking for replacement tools.

The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.

The integration features of the product are okay.

I recommend the product to those who want to buy it.

In a general sense, Snyk is a good product that can be used for governance. If you use a lot of open-source software, Snyk is an application testing tool you can buy.

I rate the tool a seven to eight out of ten.

We use Snyk for the generation of SBOM for Docker. We use it to check the standards of the CSI benchmark that we have implemented in the containers and the applications by Java Spring Boot.

The most valuable feature of Snyk is the SBOM.

It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.

I have been using Snyk for two years.

Snyk is a stable solution.

Snyk is a scalable solution. As we are an R&D organization, I am the only person managing the solution. However, there are almost 500 employees who are taking advantage of the report we have generated from the Snyk app.

The solution is easy to use and implement.

The deployment steps were easy. The solution's documentation is also easy to use. It took hardly one and a half hours to implement the solution. We implemented Snyk in our virtual private server (VPS).

For deployment, we followed the instructions and created a server for Snyk. Then, we integrated the server with the plug-in using Jenkins. We created a server for Snyk, then used the GitHub repository that mentioned the document and implemented the same. Later, we used the plug-in to connect the server to the Jenkins server.

When the pipeline was built, the process started, as we had mentioned the stage in the Jenkins file, to generate SBOMs and check whether the Docker images were compliant with CSI Benchmarks.

Snyk is an expensive solution.

Before choosing Snyk, we evaluated a different tool named Dependency-Track. We chose Snyk because Dependency-Track only helped us identify the vulnerabilities in the libraries, and it couldn't solve the issues mentioned in the CIS benchmark.

Snyk helped us identify the composition or the libraries we used in the project, which were vulnerable. It also helped us identify the license agreements from the vendor side.

Software conversion analysis is a mandatory thing that should be implemented in every organization. Most libraries or any third-party libraries are not considered under VAPT. We should also look after the composition of the libraries we use in the project. We should look after these libraries for vulnerabilities, and VAPT should be mandatory in every organization.

I rate Snyk a nine out of ten for the user-friendliness of its user interface.

Currently, my team is looking into whether version numbers are vulnerable. We are also considering the improvisations or research and development we need to do if we need the same library. There are some loopholes that even Snyk has not identified or that it might be working on. Since we have implemented it, we are looking after it.

If a developer requires a particular library with vulnerabilities, we check whether we are using the functions mentioned in the libraries in the project. If we are using it, we are trying to identify exactly which snippet is causing the error. If it is causing a vulnerability, we are considering how to improve it.

We need to think about the decisions we need to make after SCA. It would be a big relief for our organization if Snyk could provide a solution to identify the library snippet that is causing a future vulnerability. We are currently using a team of 30 people to identify this issue.

Overall, I rate Snyk an eight out of ten.

Our customers use Snyk for infrastructure scanning, SaaS testing, and continuous vulnerability scans. 

Our customers find container scans most valuable. They are always talking about it.

Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release.

I have known about Snyk for about two years.

Snyk is a stable solution. I don't think we faced any issues with it.

Snyk is a scalable product. 

We used to work with SonarQube, which is fast. We also used CoreOS Clare and explored Prisma. The open-source and self-hosted solutions are better suited for smaller startups. They only have to spend on setting it up as running is entirely free.

The initial setup is straightforward because it's a SaaS solution. I didn't have any problems implementing this solution. I think installing and deploying this solution took me about 15 minutes.

I implemented this solution. 

The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers.  Something like $99 per user is reasonable when the stakes are high.

On a scale from one to ten, I would give Snyk an eight.

We use the product mainly for software composition analysis. It is used to identify vulnerabilities in the application plug-ins. If we use Python 3.8, it’ll tell us that the version is outdated and that it has several vulnerabilities. It also helps in threat identification. It also provides infrastructure as code.

Static code analysis is one of the best features of the solution.

The product is very expensive.

I have been using the solution for three years.

The product is stable.

We have around 2000 users. Every developer in the organization has access to it.

The support has improved a lot.

Neutral

We use the SaaS version. The initial setup is easy. We just have to click the buttons.

I do not think that the tool is worth the money. A lot of free tools are available online.

The solution costs half a million dollars per year. It depends on the number of users. If the number of users increases, the cost will increase further.

People who want to use the product must utilize the code analysis on IDE. It would really help a lot of the developers. It performs the shift left concept very well. It is a very good tool, but the pricing is absurd. Overall, I rate the product an eight out of ten.

I used it for the security analysis and code vulnerability part. We were also interested in integrating with the pipeline scan and code scan.

The code scans on the source code itself were valuable.

It's very easy to use. It's very fast. 

It was good, but we had a few limitations with it. We were mostly using containerized applications. We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good.

I used it two months ago for a period of two weeks.

Its stability was good during that two-week period.

We didn't do extensive tests on it.

We contacted them for support. They were responsive, and they responded quickly.

We were using Veracode, but with Veracode, we found some limitations. It was not able to scan the source code the way Snyk does. That's a limitation, and Veracode is not that capable even for container applications. From the capability perspective, it was not as good as Snyk.

It's very easy to use. It's very quick. I'd rate it a nine out of ten in terms of the ease of the setup.

Cost-wise, it's similar to Veracode, but I don't know the exact cost. 

I'd recommend the code quality scan, which is helpful for the upfront feedback for developers. It's a very good feature. The container scans are also good, but only for Microsoft images, there are some limitations. If I were to start looking for a vulnerability solution, I'd definitely go with Snyk. It's quick and easy to use.

Overall, I'd rate Snyk a nine out of ten.

Snyk is a security software offering. It helps us identify vulnerabilities or potential weaknesses in the third-party software that we use at our company. 

The solution is meant to give you visibility into open source licensing issues, which you may not necessarily be aware off, such as the way you ingest libraries into your application code for third-party dependencies. There is visibility into anything that could be potentially exploited. 

It provides good reporting and monitoring tools which enable me to keep track of the vulnerabilities found now and/or discovered in the future. It is pretty proactive about telling me what/when something might need mitigation.

Their strength is really about empowering a very heterogeneous software environment, which is very developer-focused and where developers can easily get feedback. If you integrate their offering into the software development life cycle (SDLC), you can get pretty good coverage from a consumer perspective into the libraries that you're using.

It's a good suite of tools tailored and focused towards developers. It ensures their code is safe in regards to their usage of third-party libraries, e.g., libraries not owned or controlled, then incorporated into the product from open sources.

It is meant to be a less intrusive type of solution. It is easy to integrate and doesn't require a lot of effort. It's more a part of the CI/CD pipelines, which doesn't necessarily interfere with developers other than if there are actions/remediations to be taken. From a development impact, it's very lightweight and minimal. 

It is not noticeable for most engineers since it's part of the pipeline. If no new findings are reported, then it goes through without any signals or noise. If there were findings, these are usually legitimate findings and can be configured in such a way that they can be blocked/stopped in your pipelines or be more informational. The user has all the knobs and screws to turn and tweak it towards their use case because there may be areas where security is more critical than in other parts of the company, like development projects. 

We exclusively use their SDE tools. Our CI/CD environments are powered by source code control systems like GitLab and GitHub. BitPocket has also been integrated to some extent. There are CI/CD pipelines where we pull in Snyk as part of the pipeline, jobs, Jenkins environment, etc.

It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.

It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well. 

Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.

There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support. 

There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and automitigation tool. They don't always work based on the language used.

I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.

The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.

Scanning on their site, to some extent, is less reliable than running a quick CLI.

We have been engaging with Snyk for close to a year.

I have not encountered any instabilities at this point. 

We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading. 

As a SaaS offering, it's been fairly stable.

We have an on-prem type of broker setup, which seems to be a fairly stable. I'm not aware of any particular outages with it. 

We have no concerns regarding scalability. We operate at scale. Their approach is pretty lightweight for integrating tools locally.

We are not fully rolled out across the company; parts of the company are using it more than others. There are some best practices that we still have to establish across our development teams so it feels consistent across our scalable processes. 

I would gauge the technical support as pretty good from our interactions. We are in a licensed partnership, so the response and support that we're getting is part of our license. For quick resolutions, we have standing channels, like Slack, where we can easily get a hold of somebody who can jump in and provide some feedback. The ticketing support system is for medium to long-term requests. It's been pretty good in terms of responsiveness and their ability to support in a very reasonable time frame. Responding in less than a few hours is common in regards surfacing issues and obtaining proactive support with someone who can chime in and provide potential resolution strategies.

The product is tailored towards developers. It has a good implementation and support team who provide quick resolution on support issues. Their support listens to feedback. We engage with them, and they listen to developers' needs. They have also been pretty good in terms of turning things around. Even though we hadn't done a major request with them, they're very supportive, open, and transparent in terms of what makes sense and is reasonable, like shared priorities and roadmaps.

We have been struggling a bit with the GitLab setup, but that's more of a custom solution problem.

Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us.

It addresses a lot of needs, especially in growing organizations. The more developers, the more heterogeneous your environment will look, as well as needing more tools to help you scale security practices. In this regard, it seems to be a very promising, scalable solution.

We have been utilizing the solution’s container security feature. It is not at full scale, though. We are engaging Snyk on container integrations.

I would rate it an eight (out of 10).

Snyk acts as an SCA and also as a SAST. It's like a mix and match.

Our deployment is more of a hybrid deployment. It is 70% cloud and 30% on-prem. The majority of Snyk is a cloud-based solution, but we do have instances where we have it on-prem for various reasons.

The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area. In the development phase, there are lots of dependencies from one module to another, and if it has to be a manual fix, it takes forever for developers to fix it. We do utilize both functionalities. Sometimes, I get the developers to look at the issues and get them manually fixed, and sometimes, based on the criticality and severity of the finding, I just approve the PR, and Snyk automatically fixes it. I don't need to worry about the dependencies.

All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities.

I have been using this solution for about two years. 

It is easily scalable, and it is pretty easy to integrate and manage. However, the tuning is what requires a lot of attention. Snyk, Veracode, Netsparker, or any other similar solution definitely needs somebody to tune it to work properly. Tuning is a little bit tricky, but that's the nature of such solutions.

I had to work with them initially during the integration phase. Their support was okay. It was not that good, but it was also not that bad. There is room for improvement because the support works based on the categories of requests. Along with the categories, if they have an option for the sensitivity or the urgency of issues, it would be really helpful for users.

It was pretty easy. 

It is pretty expensive. It is not a cheap product.

I would rate it a seven out of ten.