Snyk Overview

Snyk is the #1 ranked solution in top DevSecOps tools, #2 ranked solution in Container Security Solutions, #2 ranked solution in top Software Composition Analysis (SCA) tools, and #8 ranked solution in application security solutions. PeerSpot users give Snyk an average rating of 8.0 out of 10. Snyk is most commonly compared to SonarQube: Snyk vs SonarQube. Snyk is popular among the large enterprise segment, accounting for 64% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 19% of all views.
Snyk Buyer's Guide

Download the Snyk Buyer's Guide including reviews and more. Updated: February 2023

What is Snyk?

Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.

Benefits of Snyk

Some of the benefits of using Snyk include:

  • Conserves resources: Snyk integrates easily with other security solutions and uses their security features to ensure that the work users are doing is secure. These integrations let teams protect themselves without pulling resources from their continuous integration or continuous delivery (CI/CD) workflows. Resources can be conserved for the areas of greatest need.
  • Highly flexible: Snyk enables users to customize the system’s security automation features to meet their needs. Users can guarantee that the automation performs the functions that are most essential for their current project. Additionally, users are able to maintain platform governance consistency across their system.
  • Keeps users ahead of emerging threats: Snyk employs a vulnerability database that helps it detect and keep track of potential issues. This database is constantly updated to reflect changes in the cybersecurity landscape, and it also uses machine learning, so users are prepared to deal with new issues as they arise.
  • Automatically scans projects for threats: Snyk's command-line interface enables users to schedule the solution to run automatic scans of their projects. Time and manpower can be conserved for the areas of greatest need without sacrificing security.

Reviews from Real Users

Snyk is a security platform for developers that stands out among its competitors for a number of reasons. Two major ones are its ability to integrate with other security solutions and the insights it surfaces for users. Snyk enables users to combine its own security features with those of other solutions to create far more robust and flexible layers of security than it can supply on its own. It also gives users the ability to dig into the security issues they encounter: users are given a clear view of the root causes of these problems, which equips them to address the problem and prevent similar issues in the future.

Cameron G., a security software engineer at a tech company, writes, "The most valuable features are their GitLab and JIRA integrations. The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using. Snyk is something of a bridge that we use; we get our projects into it and then get the information out of it. Those two integrations are crucial for us to be able to do that pretty simply."

Sean M., the chief information security officer of a technology vendor, writes, "From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, 'Yes, we have a problem. Here is where it ultimately comes from.' It may not be with what we're incorporating, but something much deeper than that."

Snyk Customers

StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief

Snyk Pricing Advice

What users are saying about Snyk pricing:
  • "We are using the open-source version for the scans."
  • "Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them."
  • "I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market."
  • "It is pretty expensive. It is not a cheap product."
  • "The license model is based on the number of contributing developers. Snyk is expensive, so a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SLA tools."
  • "Cost-wise, it's similar to Veracode, but I don't know the exact cost."
  • "The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers. Something like $99 per user is reasonable when the stakes are high."
Snyk Reviews

    Nixon Bagalkoti - PeerSpot reviewer
    Cyber Security Lead at a media company with 201-500 employees
    Real User
    Top 5 Leaderboard
    Does a good analysis from the licensing and open-source perspective, but the UI, reporting, and scanning should be better
    Pros and Cons
    • "A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
    • "It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front."

    What is our primary use case?

    It is for SCA, and we have just been doing the PoC. We are currently using the open-source version for some of the development teams. 

    What is most valuable?

    The main functionality that we found useful is scanning. A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.

    What needs improvement?

    I had a list of what they can improve, and I did share that with them. They are coming up with a beta version. 

    It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front. When we started the PoC five months ago, we encountered all these things. So, I asked them to improve on them. They have come up with a lot of new features, but they are still lacking on the UI front and the reporting side of things.

    If you go to the UI front of Snyk, you won't find it so friendly. Another one is that you can't see the projects clearly. It gets all the sources from the repository. It pulls all the projects from the repository and creates a new project altogether for every new addition. So, you can't group them clearly. For example, if I have one product with different repositories, it creates a number of projects underneath in the Snyk UI. 

    When it comes to reporting, if I run a scan on a particular project, I want the report only for that particular project in a PDF format that I can share with others. Currently, you get the notification over an email with all the projects but not in detail. You have to go to Snyk to find the details of a particular project. You only get a generic view, and you don't get a detailed view of a project. You need to go to the tool, export it as a CSV, and then find it, which is ridiculous. With other tools, once the scan is complete, we can just share the report with the development team that is working on that project, but Snyk doesn't let us do that. They still need to work a lot on the reporting structure.

    It also needs to be improved in terms of interdependencies. When you run a code scan, the code can have interdependencies. If you have found a vulnerable line somewhere, it might lead to other interdependencies. Currently, Snyk doesn't provide you with interdependencies. For example, it doesn't provide you with the best location to do the fix. Checkmarx does that, and after you fix a particular line of code, all the other dependencies are automatically fixed. Snyk doesn't offer that. So, you have to do the fix one by one, which is a tedious task for the development team. It takes a lot of effort. I shared this feedback with them, and they might be working on it. They told me that they'll consider that.

    For how long have I used the solution?

    We have been using Snyk for the past five months.

    How are customer service and support?

    They are very proactive, sometimes more than what we want them to be. They reach out to us very often, and they are very good with technical support. They reach out to us and just ask us if there are any challenges where they can improve. They're quite open on that front. They don't have any local support as of now, but they are planning for 24/7 support. Currently, they are based only in the US, but they are still very active. Whenever we send out an email, they respond immediately. I would rate them a four out of five.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have worked with other solutions. From the open-source composition and the licensing perspective, they are doing well as compared to competitors such as Black Duck, Veracode, and others. They do well on that front.

    Checkmarx is the top one. They need to work very hard to match Checkmarx. Checkmarx is really good as compared to Snyk, but Checkmarx is too expensive. That's the reason we went with Snyk. Checkmarx has a very good scanning engine and technical support. It is also user-friendly. It is quite friendly for developers who are beginners. Anyone can use and learn Checkmarx easily, whereas with Snyk, you need some knowledge before you begin with it.

    I had an on-prem Checkmarx. They still do on-prem, and now, they're also coming up with the cloud version. Even if you use the on-prem version, it is quite easy to access the database. You can customize everything based on your needs. From the scanning perspective, if I want to change any policies or rules, it is quite easy with Checkmarx. You just need to change the query inside the database, and you can easily set the rules.

    How was the initial setup?

    We have only done a PoC. We are yet to finalize the pricing and then deploy the product as a whole. When it comes to PoC, it was quite simple. It was not complex at all. The integrations with GenCAN, or even with GitHub, were quite easy for us. There was no complex structure there. It was straightforward. Once we set up the environment, it took us a few hours to do all the integrations with different repositories or CI/CD. I would rate it a four out of five in terms of ease of the setup.

    Currently, we have done it on CI/CD. It is kind of automated. Whenever there is a new build, it automatically triggers the scan.

    There are about 30 developers who have been working with it for the PoC. They have been using it on a daily basis for the past four months. Last month, we stopped using it because we have finalized it. Going forward, we will be having 500 developers to begin with. 

    What about the implementation team?

    We did the integration using their documentation. Their documentation was very simple. It was very easy to use.

    What's my experience with pricing, setup cost, and licensing?

    We are using the open-source version for the scans. We will be going with the full source, license-based version as soon as possible.

    What other advice do I have?

    I would rate it a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Senior DevSecOps/Cloud Engineer at Valeyo
    Real User
    Top 20
    Provides information about the issue as well as resolution, easy to integrate, and never fails
    Pros and Cons
    • "It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
    • "Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
    • "It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
    • "We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."

    What is our primary use case?

    We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

    With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

    We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

    What is most valuable?

    It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control. 

    It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones. 

    Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.

    It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.

    It never failed, and it is very easy, reliable, and smooth. 

    What needs improvement?

    It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.

    We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.

    For how long have I used the solution?

    It has been more than one and a half years. 

    What do I think about the stability of the solution?

    It is stable. I haven't had any problems with its stability.

    What do I think about the scalability of the solution?

    It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.

    Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.

    How are customer service and technical support?

    I've never used their technical support.

    How was the initial setup?

    It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.

    What's my experience with pricing, setup cost, and licensing?

    Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.

    What other advice do I have?

    I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.

    It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.

    Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    UmarQureshi - PeerSpot reviewer
    Security Lead at a retailer with 10,001+ employees
    Real User
    Top 5
    Developer-friendly with many useful features in the works, but lacks in language and framework coverage
    Pros and Cons
    • "I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
    • "For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet."

    What is our primary use case?

    I have used Snyk in my present and past workplace, along with Veracode, Checkmarx, and GitHub Advanced Security. The main product that really brought Snyk to market was software component scanning for third-party components, however I like the new things that they're doing as well.

    They've got container scanning, which they're just now starting to do, and they're also bringing in new use cases such as static analysis (i.e. SAST) and secrets scanning, although I don't know exactly what's happening on that side of things.

    In my previous workplace, we had about 100 users as it was still being scaled up and it was a relatively new product at the time. As for the version number, we use the latest version of Snyk since it is a cloud-based SaaS offering which is always kept up to date.

    What is most valuable?

    I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST.

    The most prominent reason why everybody goes with Snyk as a starting point is because they have an open source offering. As such, it's a developer-friendly solution and our developers really like it for that. In my opinion, that's their very first 'in' from all the avenues within the Software Development Life Cycle, because they deliberately make it developer-friendly from the start, and allow for lots of integration which fits with other tools.

    What needs improvement?

    For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet.

    That's something I believe will be expanding over time, but I'm not 100% sure when they're going to get to it. Thus, my main concerns for improvement would definitely be greater language and framework coverage, and on a lesser note I would also like to see a reduced number of false positives on their scans.

    Then there's the issue of their support. It's not very good, to be honest, and it hasn't been the best experience to deal with them. I think they need to develop proper customer success managers when it comes to Service Level Agreements and how they engage with their customers. On the other hand, their technical support is okay as all the technical aspects are essentially all written down and you just have to follow them. 

    For how long have I used the solution?

    I've been using Snyk for three years up until now.

    What do I think about the stability of the solution?

    We've had no issues with stability. You can run it with the CLI or the GUI and the stability is very good on both.

    What do I think about the scalability of the solution?

    We have successfully scaled it up to 100 users before, so I would say it is scalable. 

    How are customer service and support?

    Our experience with their customer support wasn't the best. My opinion is that they need to develop their customer support channels better, by providing customer success managers to better engage with their customers, for example.

    Otherwise, the technical support is adequate. Most of the issues we've encountered were able to be worked out by our own developers since the technical documentation is all written out and simply needs to be followed. 

    How was the initial setup?

    When it comes to installation, Snyk is very good. It's probably one of the easiest, most developer-friendly solutions to install.

    What's my experience with pricing, setup cost, and licensing?

    I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market.

    What other advice do I have?

    Overall, Snyk is a satisfactory solution that I believe could be improved by reducing the number of false positives and extending coverage for more languages and frameworks.

    I would rate Snyk a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Consultant
    Real User
    Top 5
    Automatically creates PRs and fixes the issues, but the knowledge base can be more extensive
    Pros and Cons
    • "The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
    • "All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."

    What is our primary use case?

    Snyk acts as an SCA and also as a SAST. It's like a mix and match.

    Our deployment is more of a hybrid deployment. It is 70% cloud and 30% on-prem. The majority of Snyk is a cloud-based solution, but we do have instances where we have it on-prem for various reasons.

    What is most valuable?

    The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area. In the development phase, there are lots of dependencies from one module to another, and if it has to be a manual fix, it takes forever for developers to fix it. We do utilize both functionalities. Sometimes, I get the developers to look at the issues and get them manually fixed, and sometimes, based on the criticality and severity of the finding, I just approve the PR, and Snyk automatically fixes it. I don't need to worry about the dependencies.

    What needs improvement?

    All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities.

    For how long have I used the solution?

    I have been using this solution for about two years. 

    What do I think about the scalability of the solution?

    It is easily scalable, and it is pretty easy to integrate and manage. However, the tuning is what requires a lot of attention. Snyk, Veracode, Netsparker, or any other similar solution definitely needs somebody to tune it to work properly. Tuning is a little bit tricky, but that's the nature of such solutions.

    How are customer service and support?

    I had to work with them initially during the integration phase. Their support was okay. It was not that good, but it was also not that bad. There is room for improvement because the support works based on the categories of requests. Along with the categories, if they have an option for the sensitivity or the urgency of issues, it would be really helpful for users.

    How was the initial setup?

    It was pretty easy. 

    What's my experience with pricing, setup cost, and licensing?

    It is pretty expensive. It is not a cheap product.

    What other advice do I have?

    I would rate it a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Cloud Security Engineer at a manufacturing company with 10,001+ employees
    Real User
    Top 20
    Easily integrated for scanning and analysis
    Pros and Cons
    • "There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
    • "Basically the licensing costs are a little bit expensive."

    What is our primary use case?

    Snyk is a code analysis tool. It is a vulnerability finding tool. We use it for those purposes. We use this tool to detect issues particular to users.

    Snyk is configured on our local ID environment. So our team and many other teams use it to do a scan before they deploy anything in the production.

    What is most valuable?

    There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best.

    What needs improvement?

    Feature wise, I like it so far. Maybe a little bit early to call, but feature wise, I'm okay with it. It may be a little bit expensive, but otherwise, it is a good tool.

    I don't have any complaints. Thankfully, I had help in the decision-making and the initial integration. After that, the actual development and ops teams are using it. So if they are facing issues or they have any concerns, I'm not sure about that.

    Basically the licensing costs are a little bit expensive.

    For how long have I used the solution?

    I have been using Snyk for a year.

    What do I think about the stability of the solution?

    It is a stable solution.

    What do I think about the scalability of the solution?

    In our organization I would say more than 50 and less than a hundred are regularly using Snyk.

    How are customer service and support?

    Tech support is good. They are reliable and available. Some of the teams are using Snyk and they are not complaining about support. The support is better and they are available whenever we need. We can reach out to them for help.

    How was the initial setup?

    The initial setup was neither complex nor easy, I would say it was okay.

    It took a few weeks.

    What about the implementation team?

    A few people helped us with the initial setup.

    Our experience with them was that they're really good.

    Which other solutions did I evaluate?

    Snyk is a security analysis tool. We have other tools, some dynamic security analytics tools, and other tools set up, and we wanted to compare which one we should use. We have Contrast, Coverity, and Snyk, and now we are planning to keep one. That was the main reason I had downloaded the code from your site and from many other sites. In the end we are planning to keep Snyk.

    What other advice do I have?

    Snyk is good. I like to use it. I like to use Snyk over Contrast.

    On a scale of one to ten, I would give Snyk an eight.

    There is no complaint here. 

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    ZvikaRonen - PeerSpot reviewer
    Chief Technology Officer at FOSSAware
    Real User
    Top 5
    Useful software composition analysis, highly scalable, and good support
    Pros and Cons
    • "The most valuable feature of Snyk is the software composition analysis."
    • "The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improved."

    What is our primary use case?

    Snyk is used to manage open-source risks in security and licenses.

    What is most valuable?

    The most valuable feature of Snyk is the software composition analysis.

    What needs improvement?

    The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improved.

    Having bolting scans into a single solution can be useful, maybe snippet capabilities of reading the actual scan rather than reading the manifest can be very useful.

    For how long have I used the solution?

    I have been using Snyk for several years.

    What do I think about the stability of the solution?

    The stability of Snyk is good.

    What do I think about the scalability of the solution?

    Snyk is highly scalable. The only thing running on the customer side is a command-line interface (CLI). The entire results are being presented on a software-as-a-service-based platform. It doesn't matter if I'm running 10 or 10,000 systems. It's scalable because Snyk has a supportive system, which is not the customer's system, it's Snyk's system.

    How are customer service and support?

    I have not used the support from Snyk. However, customers are sharing their experiences, and they have said the support is good.

    How was the initial setup?

    The initial setup of Snyk needs their assistance and support. It's not a Windows application that you click next, but it's not rocket science. The implementation typically takes a few days to complete.

    What about the implementation team?

    The company that purchases Snyk typically does the implementation. There are only a few people needed for the deployment of the solution.

    What was our ROI?

    Snyk allows developers and development managers to identify open-source vulnerabilities in every stage. As a result, the fix is much cheaper than identifying something on production. It's up to 100 times less expensive. If you fix a few bugs at an early stage, you cover all the license fees for the annual subscription of Snyk. There is a high return on investment potential.

    What's my experience with pricing, setup cost, and licensing?

    The license model is based on the number of contributing developers. Snyk is expensive; a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SCA tools.

    What other advice do I have?

    I rate Snyk an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    PavanKumar17 - PeerSpot reviewer
    Senior Testing Engineer at a computer software company with 201-500 employees
    Real User
    Top 10
    A fast and easy-to-use solution for improving code security and quality
    Pros and Cons
    • "The code scans on the source code itself were valuable."
    • "We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good."

    What is our primary use case?

    I used it for the security analysis and code vulnerability part. We were also interested in integrating with the pipeline scan and code scan.

    What is most valuable?

    The code scans on the source code itself were valuable.

    It's very easy to use. It's very fast. 

    What needs improvement?

    It was good, but we had a few limitations with it. We were mostly using containerized applications. We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good.

    For how long have I used the solution?

    I used it two months ago for a period of two weeks.

    What do I think about the stability of the solution?

    Its stability was good during that two-week period.

    What do I think about the scalability of the solution?

    We didn't do extensive tests on it.

    How are customer service and support?

    We contacted them for support. They were responsive, and they responded quickly.

    Which solution did I use previously and why did I switch?

    We were using Veracode, but with Veracode, we found some limitations. It was not able to scan the source code the way Snyk does. That's a limitation, and Veracode is not that capable even for container applications. From the capability perspective, it was not as good as Snyk.

    How was the initial setup?

    It's very easy to use. It's very quick. I'd rate it a nine out of ten in terms of the ease of the setup.

    What's my experience with pricing, setup cost, and licensing?

    Cost-wise, it's similar to Veracode, but I don't know the exact cost. 

    What other advice do I have?

    I'd recommend the code quality scan, which is helpful for the upfront feedback for developers. It's a very good feature. The container scans are also good, but only for Microsoft images, there are some limitations. If I were to start looking for a vulnerability solution, I'd definitely go with Snyk. It's quick and easy to use.

    Overall, I'd rate Snyk a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Product Manager at Ozone.one
    Real User
    A developer security platform with a valuable container scan feature
    Pros and Cons
    • "Our customers find container scans most valuable. They are always talking about it."
    • "Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release."

    What is our primary use case?

    Our customers use Snyk for infrastructure scanning, SaaS testing, and continuous vulnerability scans. 

    What is most valuable?

    Our customers find container scans most valuable. They are always talking about it.

    What needs improvement?

    Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release.

    For how long have I used the solution?

    I have known about Snyk for about two years.

    What do I think about the stability of the solution?

    Snyk is a stable solution. I don't think we faced any issues with it.

    What do I think about the scalability of the solution?

    Snyk is a scalable product. 

    Which solution did I use previously and why did I switch?

    We used to work with SonarQube, which is fast. We also used CoreOS Clair and explored Prisma. The open-source and self-hosted solutions are better suited for smaller startups. They only have to spend on setting it up, as running is entirely free.

    How was the initial setup?

    The initial setup is straightforward because it's a SaaS solution. I didn't have any problems implementing this solution. I think installing and deploying this solution took me about 15 minutes.

    What about the implementation team?

    I implemented this solution. 

    What's my experience with pricing, setup cost, and licensing?

    The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers. Something like $99 per user is reasonable when the stakes are high.

    What other advice do I have?

    On a scale from one to ten, I would give Snyk an eight.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Buyer's Guide
    Download our free Snyk Report and get advice and tips from experienced pros sharing their opinions.
    Updated: February 2023