Cancel
You must select at least 2 products to compare!
Mend.io Logo
12,340 views|7,835 comparisons
Snyk Logo
Read 17 Snyk reviews
21,214 views|15,119 comparisons
Sonar Logo
61,610 views|48,882 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on Apr 10, 2022

We performed a comparison between Sync and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Reviewers agree that the installation of both solutions is a straightforward process.
  • Features: Users of both products are happy with their user-interface, stability, and scalability. Sync users say it integrates well and significantly reduces vulnerabilities. A couple of Sync users mentioned that they would like improved reporting visibility.

    SonarQube users say it is user-friendly, has good code analysis abilities, and supports multiple programming languages. Several users note that SonarQube should provide better exporting and sharing options.
  • Pricing: Most reviewers of both solutions say they are fairly priced.

  • ROI: Reviewers of both products report seeing an ROI.
  • Service and Support: Sync users report being very satisfied with the level of support they receive. Some SonarQube are satisfied with the support they receive while others write that their support’s response time is slow.

Comparison Results: Sync comes out on top in this comparison. It is secure and reliable. In addition, it has excellent support and a significant ROI.

To learn more, read our detailed Snyk vs. SonarQube Report (Updated: November 2023).
744,865 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.""We set the solution up and enabled it and we had everything running pretty quickly.""I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.""The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.""We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.""The dashboard view and the management view are most valuable.""The vulnerability analysis is the best aspect of the solution.""The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."

More Mend.io Pros →

"Provides clear information and is easy to follow with good feedback regarding code practices.""The solution has great features and is quite stable.""The most valuable features of Snyk are vulnerability scanning and automation. The automation the solution brings around vulnerability scanning is useful.""I find SCA to be valuable. It can read your libraries, your license and bring the best way to resolve your problem in the best scenario.""Our customers find container scans most valuable. They are always talking about it.""A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.""Snyk helps me pinpoint security errors in my code.""The product's most valuable features are an open-source platform, remote functionality, and good pricing."

More Snyk Pros →

"We've configured it to run on each commit, providing feedback on our software quality. ]""We consider it a handy tool that helps to resolve our issues immediately.""The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation.""SonarQube is one of the more popular solutions because it supports 29 languages.""This solution has helped with the integration and building of our CICD pipeline.""This solution has the capability to analyze source code in almost all the languages in the market.""Can tweak rules and feed them into our build pipelines.""There are many options and examples available in the tool that help us fix the issues it shows us."

More SonarQube Pros →

Cons
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't.""I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.""I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.""The turnaround time for upgrading databases for this tool as well as the accuracy could be improved.""It should support multiple SBOM formats to be able to integrate with old industry standards.""Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary.""They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application.""At times, the latency of getting items out of the findings after they're remediated is higher than it should be."

More Mend.io Cons →

"For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet.""They need to improve the Snyk plugins and make it easier to make your optimizations based on your own needs or features.""I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks.""DAST has shortcomings, and Snyk needs to improve and overcome such shortcomings.""The log export function could be easier when shipping logs to other platforms such as Splunk.""The solution could improve the reports. They have been working on improving the reports but more work could be done.""We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult.""We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good."

More Snyk Cons →

"New plug-ins should be integrated into SonarCloud to give more flexibility to the product.""During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.""SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.""Currently requires multiple tools, lacking one overall tool.""The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.""This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.""SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.""For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."

More SonarQube Cons →

Pricing and Cost Advice
  • "This is an expensive solution."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • "Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
  • "We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
  • "Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
  • "Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
  • "Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively."
  • "It is fairly priced."
  • More Mend.io Pricing and Cost Advice →

  • "It is pretty expensive. It is not a cheap product."
  • "The license model is based on the number of contributing developers. Snyk is expensive, for a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SLA tools."
  • "I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market."
  • "We are using the open-source version for the scans."
  • "Cost-wise, it's similar to Veracode, but I don't know the exact cost."
  • "The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers. Something like $99 per user is reasonable when the stakes are high."
  • "The price of the solution is expensive compared to other solutions."
  • "Presently, my company uses an open-source version of the solution. The solution's pricing can be considered quite reasonable owing to the features they offer."
  • More Snyk Pricing and Cost Advice →

  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
  • "SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."
  • "The free version of SonarQube does everything that we need it to."
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "We are using the Developer Edition and the cost is based on the amount of code that is being processed."
  • "As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
  • "We are using the Community edition of SonarQube."
  • More SonarQube Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    744,865 professionals have used our research since 2012.
    Answers from the Community
    Tej Muchhala
    Vishal-Goyal - PeerSpot reviewerVishal-Goyal
    Real User

    @Tej Muchhala ​: Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.

    1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.

    2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.

    3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.

    Regards,
    Vishal.

    Lev Lesokhin - PeerSpot reviewerLev Lesokhin
    Real User

    Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase. 

    Ayub  Shaik - PeerSpot reviewerAyub Shaik
    Real User

    Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level. 

    Questions from the Community
    Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This… more »
    Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is… more »
    Top Answer:The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe… more »
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    Top Answer:The product's most valuable features are an open-source platform, remote functionality, and good pricing.
    Top Answer:Snyk's API and UI features could work better in terms of speed. Additionally, they could optimize and provide better… more »
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    Comparisons
    Also Known As
    WhiteSource, Mend SCA
    Sonar
    Learn More
    Overview

    Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

    Mend.io Features

    Mend.io has many valuable key features. Some of the most useful ones include:

    • Vulnerability analysis
    • Automated remediation
    • Seamless integration
    • Business prioritization
    • Limitless scalability
    • Intuitive interface
    • Language support
    • Integration
    • Continuous monitoring
    • Remediation suggestions
    • Customization

    Mend.io Benefits

    There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

    • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
    • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
    • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
    • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
    • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
    • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
    • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

    Reviews from Real Users

    Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

    Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

    PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

    An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

    Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

    Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.

    Benefits of Snyk

    Some of the benefits of using Snyk include:

    • Conserves resources: Snyk easily integrates with other security solutions and uses their security features to ensure that the work that users are doing is completely secure. These integrations allow them to protect themselves without pulling resources from their continued integration or continued delivery workflows. Resources can be conserved for areas of the greatest need.
    • Highly flexible: Snyk enables users to customize the system’s security automation features to meet their needs. Users can guarantee that the automation performs the functions that are most essential for their current project. Additionally, users are able to maintain platform governance consistency across their system.
    • Keeps users ahead of emerging threats. Snyk employs a database of threats that help it detect and keep track of potential issues. This database is constantly being updated to reflect the changes that take place in the realm of cybersecurity. It also uses machine learning. Users are prepared to deal with new issues as they arise.
    • Automatically scans projects for threats. Snyk’s command-line interface enables users to schedule the solution to run automatic scans of their projects. Time and manpower can be conserved for the areas of greatest need without sacrificing security.

    Reviews from Real Users

    Snyk is a security platform for developers that stands out among its competitors for a number of reasons. Two major ones are its ability to integrate with other security solutions and important insights that it can enable users to discover. Snyk enables users to combine its already existing security features with those of other solutions to create far more robust and flexible layers of security than what it can supply on its own. It gives users the ability to dig into the security issues that they may experience. Users are given a clear view of the root causes of these problems. This equips them to address the problem and prevent similar issues in the future.

    Cameron G., a security software engineer at a tech company, writes, “The most valuable features are their GitLab and JIRA integrations.The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using. Snyk is something of a bridge that we use; we get our projects into it and then get the information out of it. Those two integrations are crucial for us to be able to do that pretty simply.”

    Sean M., the chief information security officer of a technology vendor, writes, "From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."

    SonarQube, a core component of the Sonar solution, is an open source, self managed tool that systematically helps developers and organizations deliver Clean Code. SonarQube integrates into the developers' CI/CD pipeline and DevOps platform to detect and help fix issues in the code while performing continuous inspections of projects. Learn more:https://www.sonarsource.com/

    Supported by Sonar Clean as You Code methodology, only code that meets the defined quality standard can be released to production. SonarQube analyzes the most popular programming languages, frameworks, and infrastructure technologies and supports over 5,000 Clean Code rules. 

    Trusted by 7 million developers and 400,000 organizations globally to clean more than half a trillion lines of code, Sonar has become integral to delivering better software.


    Offer
    Learn more about Mend.io
    Learn more about Snyk
    Learn more about SonarQube
    Sample Customers
    Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
    StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm11%
    Media Company6%
    Wholesaler/Distributor6%
    VISITORS READING REVIEWS
    Computer Software Company17%
    Financial Services Firm16%
    Manufacturing Company9%
    Insurance Company5%
    REVIEWERS
    Computer Software Company31%
    Financial Services Firm23%
    Individual & Family Service8%
    Comms Service Provider8%
    VISITORS READING REVIEWS
    Computer Software Company16%
    Financial Services Firm14%
    Manufacturing Company7%
    Insurance Company6%
    REVIEWERS
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider8%
    Insurance Company6%
    VISITORS READING REVIEWS
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company10%
    Government6%
    Company Size
    REVIEWERS
    Small Business36%
    Midsize Enterprise7%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business20%
    Midsize Enterprise14%
    Large Enterprise66%
    REVIEWERS
    Small Business47%
    Midsize Enterprise25%
    Large Enterprise28%
    VISITORS READING REVIEWS
    Small Business22%
    Midsize Enterprise14%
    Large Enterprise64%
    REVIEWERS
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    Buyer's Guide
    Snyk vs. SonarQube
    November 2023
    Find out what your peers are saying about Snyk vs. SonarQube and other solutions. Updated: November 2023.
    744,865 professionals have used our research since 2012.

    Snyk is ranked 4th in Application Security Tools with 17 reviews while SonarQube is ranked 1st in Application Security Tools with 27 reviews. Snyk is rated 7.8, while SonarQube is rated 8.2. The top reviewer of Snyk writes "A cost-effective solution that makes scanning your repositories a cinch". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Snyk is most compared with Black Duck, Fortify Static Code Analyzer, Veracode, Checkmarx and Aqua Cloud Security Platform, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and OWASP Zap. See our Snyk vs. SonarQube report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.