We performed a comparison between Sync and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Sync comes out on top in this comparison. It is secure and reliable. In addition, it has excellent support and a significant ROI.
"The most valuable feature of Snyk is the SBOM."
"Snyk is a good and scalable tool."
"The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities."
"Snyk categorizes the level of vulnerability into high, medium, and low, which helps organizations prioritize which issues to tackle first."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
"It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10."
"It has an accurate database of vulnerabilities with a low amount of false positives."
"We use Snyk to check vulnerabilities and rectify potential leaks in GitHub."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"The product itself has a friendly UI."
"The most valuable feature of this solution is that it is free."
"It is very good at identifying technical debt."
"I like that it covers most programming languages for source code review."
"Strong code evaluation for budget-minded clients."
"The solution is stable."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The tool's initial use is complex."
"Scalability has some issues because we have a lot of code and its use is mandatory. Therefore, it can be slow at times, especially because there are a lot of projects and reporting. Some UI improvements could help with this."
"They need to improve the Snyk plugins and make it easier to make your optimizations based on your own needs or features."
"Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release."
"The log export function could be easier when shipping logs to other platforms such as Splunk."
"There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."
"We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."
"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"A better design of the interface and add some new rules."
"The security in SonarQube could be better."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"Monitoring is a feature that can be improved in the next version."
"Lacks sufficient visibility and documentation."
"I find it is light on the security side."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
Snyk is ranked 4th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Snyk is rated 8.2, while SonarQube is rated 8.0. The top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Snyk is most compared with Black Duck, Fortify Static Code Analyzer, Veracode, GitHub Advanced Security and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Sonatype Lifecycle. See our Snyk vs. SonarQube report.
See our list of best Application Security Tools vendors and best Software Development Analytics vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
@Tej Muchhala : Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.
1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.
2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.
3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.
Regards,
Vishal.
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.