We performed a comparison between Checkmarx Software Composition Analysis and Snyk based on real PeerSpot user reviews.
Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The integration part is easy...It's a stable solution right now."
"The customer service and support were good."
"What's most valuable in Checkmarx Software Composition Analysis is its ability to identify vulnerabilities in open-source components, especially if some critical issues exist."
"One of the strong points of this solution is that it allows you to incorporate it into a CICB pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the Delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good. It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely."
"What's most valuable in Checkmarx Software Composition Analysis is that it provides security from the start. In the traditional approach, an enterprise or company validates the solution before launching to a production environment, but in the modern approach, security must be checked and provided from the beginning and from the design, and this is where Checkmarx Software Composition Analysis comes in. The solution helps you make sure that every open-source application that you use is secure, and that there's no vulnerability inside that open-source application."
"The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability."
"The most valuable feature of Checkmarx Software Composition Analysis is the comprehensive security scan."
"It is very easy and user friendly. It never requires any kind of technical support. You can do everything on your own."
"I find SCA to be valuable. It can read your libraries, your license and bring the best way to resolve your problem in the best scenario."
"The code scans on the source code itself were valuable."
"It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
"Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet."
"The solution's Open Source feature gives us notifications and suggestions regarding how to address vulnerabilities."
"We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful."
"Provides clear information and is easy to follow with good feedback regarding code practices."
"The most valuable feature is that they add a lot of their own information to the vulnerabilities. They describe vulnerabilities and suggest their own mitigations or version upgrades. The information was the winning factor when we compared Snyk to others. This is what gave it more impact."
"It can have better licensing models."
"Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities."
"The quality of technical support has decreased over time, and it is not as good as it used to be."
"Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive. It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx."
"In terms of areas for improvement, what could be improved in Checkmarx Software Composition Analysis is pricing because customers always compare the pricing among secure DevOps solutions in the market. Checkmarx Software Composition Analysis has a lot of competitors yet its features aren't much different. Pricing is the first thing customers consider, and from a partner perspective, if you can offer affordable pricing to your customers, it's more likely you'll have a winning deal. The performance of Checkmarx Software Composition Analysis also needs improvement because sometimes, it's slow, and in particular, scanning could take several hours."
"Checkmarx Software Composition Analysis should improve dynamic analysis."
"Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. As a suggestion, I request on considering to add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun."
"API security is an area with shortcomings that needs improvement."
"Could include other types of security scanning and statistical analysis"
"For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet."
"We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."
"I would like to give further ability to grouping code repositories, in such a way that you could group them by the teams that own them, then produce alerting to those teams. The way that we are seeing it right now, the alerting only goes to a couple of places. I wish we could configure the code to go to different places."
"Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release."
"We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading."
"Generating reports and visibility through reports are definitely things they can do better."
"The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production."
More Checkmarx Software Composition Analysis Pricing and Cost Advice →
Checkmarx Software Composition Analysis is ranked 8th in Software Composition Analysis (SCA) with 12 reviews while Snyk is ranked 2nd in Software Composition Analysis (SCA) with 41 reviews. Checkmarx Software Composition Analysis is rated 9.2, while Snyk is rated 8.2. The top reviewer of Checkmarx Software Composition Analysis writes "Comprehensive security scan, helpful support, and high availability". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Checkmarx Software Composition Analysis is most compared with Black Duck, JFrog Xray, Semgrep Supply Chain, Fortify Static Code Analyzer and Mend.io, whereas Snyk is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, Veracode and GitHub Advanced Security. See our Checkmarx Software Composition Analysis vs. Snyk report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.