The use cases for Snyk are quite progressive. I'm pretty much happy with the solution's performance with SaaS products.
Senior Consultant at Hexaware Technologies Limited
Performs software composition analysis (SCA) similar to other expensive tools
Pros and Cons
- "Snyk performs software composition analysis (SCA) similar to other expensive tools."
- "The solution's reporting and storage could be improved."
What is our primary use case?
What is most valuable?
Snyk performs software composition analysis (SCA) similar to other expensive tools.
What needs improvement?
Snyk can be improved on the reporting aspect regarding the traceability of SCA. It also doesn't have storage. For instance, if you are scanning version 'X' and then you're scanning on another version 'X+1', it doesn't store your information. It doesn't compare particular vulnerabilities between 'X' and 'X+1'. Snyk is helpful and quite handy for people on the development team. The solution's reporting and storage could be improved.
The next release of Snyk should have more training features for developers. The tool offers software composition analysis, and though it says what needs to be fixed, it's in a reactive space. Since DevSecOps has become a culture nowadays, and the industry is going more towards proactive measures, the developers need to be trained.
For how long have I used the solution?
I have been using Snyk for around a year now.
Buyer's Guide
Snyk
May 2025

Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.
What do I think about the stability of the solution?
During our POC, I found no stability issues like application downtime or lags. I rate Snyk a nine out of ten for stability.
What do I think about the scalability of the solution?
I rate Snyk a nine out of ten for scalability. Our clients are enterprise businesses. In the POC state, we don't have an exact number of users because we have one license, but otherwise, five users use Snyk.
How are customer service and support?
A technician was allotted to us, and he responded promptly to our queries and gave timely information. I rate Snyk a nine out of ten for its customer support.
How would you rate customer service and support?
Positive
How was the initial setup?
The support extended during the POC period was excellent, and we had people supporting us because we needed to add another pipeline channel. Snyk's support feature was really good. Leaving aside certain areas of reporting, I rate the initial setup an eight out of ten.
Once you get the license, it's completely the developer or DevOps team's work to deploy it. The complete process takes two days, but the Snyk site does the deployment in a matter of hours. You purchase the SNC license, which is deployed on the cloud, and then you can call those APIs in your CI pipeline. You can always have it integrated. Once your license is enabled, you have to give access to that particular user.
What's my experience with pricing, setup cost, and licensing?
Despite Snyk's coverage, scalability, reliability, and stability, it is available at a very competitive price. According to the Snyk website, the regular licensing cost is around $39 and around $74 per user for CI/CD, with a minimum commitment of five users.
I have not seen any additional costs to the standard licensing fees in our agreement. I need to wait till our agreement renewal to answer this question more effectively.
What other advice do I have?
Snyk is a cloud product. AWS is the cloud provider for Snyk.
People should consider using the scalable model of Snyk for SCA before considering other tools. If you are in the initial security phase or newly setting it up for practice in your organization, I recommend starting with Snyk. Anyone starting into the market and not wanting to invest a large amount should consider Snyk as an alternative. Snyk is a good tool that provides equivalent security standards compared to other expensive tools.
I've seen the evolution of Snyk in the last four to five years. They started with software composition analysis and have now integrated static application security testing. They have partnerships with various dynamic security testing companies like StackHawk, Rapid7, and InsightAppSec. Snyk is progressive, and they have a good R&D team. I work for a service-based organization, where my job is to understand the customer's pain points and provide consultation. Most customers' pain points are the trade-off between cost and security compliance. Most customers come with financial constraints, and at least a few are opting for Snyk as an option because they were able to get the desired results. And Snyk is doing a pretty good job concerning the standard these customers need to extend to their partners.
Overall, I rate Snyk an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller

Cyber Security Lead at a printing company with 201-500 employees
Does a good analysis from the licensing and open-source perspective, but the UI, reporting, and scanning should be better
Pros and Cons
- "A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
- "It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front."
What is our primary use case?
It is for SCA, and we have just been doing the PoC. We are currently using the open-source version for some of the development teams.
What is most valuable?
The main functionality that we found useful is scanning. A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.
What needs improvement?
I had a list of what they can improve, and I did share that with them. They are coming up with a beta version.
It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front. When we started the PoC five months ago, we encountered all these things. So, I asked them to improve on them. They have come up with a lot of new features, but they are still lacking on the UI front and the reporting side of things.
If you go to the UI front of Snyk, you won't find it so friendly. Another one is that you can't see the projects clearly. It gets all the sources from the repository. It pulls all the projects from the repository and creates a new project altogether for every new addition. So, you can't group them clearly. For example, if I have one product with different repositories, it creates a number of projects underneath in the Snyk UI.
When it comes to reporting, if I run a scan on a particular project, I want the report only for that particular project in a PDF format that I can share with others. Currently, you get the notification over an email with all the projects but not in detail. You have to go to Snyk to find the details of a particular project. You only get a generic view, and you don't get a detailed view of a project. You need to go to the tool, export it as a CSV, and then find it, which is ridiculous. With other tools, once the scan is complete, we can just share the report with the development team that is working on that project, but Snyk doesn't let us do that. They still need to work a lot on the reporting structure.
It also needs to be improved in terms of interdependencies. When you run a code scan, the code can have interdependencies. If you have found a vulnerable line somewhere, it might lead to other interdependencies. Currently, Snyk doesn't provide you with interdependencies. For example, it doesn't provide you with the best location to do the fix. Checkmarx does that, and after you fix a particular line of code, all the other dependencies are automatically fixed. Snyk doesn't offer that. So, you have to do the fix one by one, which is a tedious task for the development team. It takes a lot of effort. I shared this feedback with them, and they might be working on it. They told me that they'll consider that.
For how long have I used the solution?
We have been using Snyk for the past five months.
How are customer service and support?
They are very proactive, sometimes more than what we want them to be. They reach out to us very often, and they are very good with technical support. They reach out to us and just ask us if there are any challenges where they can improve. They're quite open on that front. They don't have any local support as of now, but they are planning for 24/7 support. Currently, they are based only in the US, but they are still very active. Whenever we send out an email, they respond immediately. I would rate them a four out of five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have worked with other solutions. From the open-source composition and the licensing perspective, they are doing well as compared to competitors such as Black Duck, Veracode, and others. They do well on that front.
Checkmarx is the top one. They need to work very hard to match Checkmarx. Checkmarx is really good as compared to Snyk, but Checkmarx is too expensive. That's the reason we went with Snyk. Checkmarx has a very good scanning engine and technical support. It is also user-friendly. It is quite friendly for developers who are beginners. Anyone can use and learn Checkmarx easily, whereas with Snyk, you need some knowledge before you begin with it.
I had an on-prem Checkmarx. They still do on-prem, and now, they're also coming up with the cloud version. Even if you use the on-prem version, it is quite easy to access the database. You can customize everything based on your needs. From the scanning perspective, if I want to change any policies or rules, it is quite easy with Checkmarx. You just need to change the query inside the database, and you can easily set the rules.
How was the initial setup?
We have only done a PoC. We are yet to finalize the pricing and then deploy the product as a whole. When it comes to PoC, it was quite simple. It was not complex at all. The integrations with GenCAN, or even with GitHub, were quite easy for us. There was no complex structure there. It was straightforward. Once we set up the environment, it took us a few hours to do all the integrations with different repositories or CI/CD. I would rate it a four out of five in terms of ease of the setup.
Currently, we have done it on CI/CD. It is kind of automated. Whenever there is a new build, it automatically triggers the scan.
There are about 30 developers who have been working with it for the PoC. They have been using it on a daily basis for the past four months. Last month, we stopped using it because we have finalized it. Going forward, we will be having 500 developers to begin with.
What about the implementation team?
We did the integration using their documentation. Their documentation was very simple. It was very easy to use.
What's my experience with pricing, setup cost, and licensing?
We are using the open-source version for the scans. We will be going with the full source, license-based version as soon as possible.
What other advice do I have?
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Lead at a retailer with 10,001+ employees
Developer-friendly with many useful features in the works, but lacks in language and framework coverage
Pros and Cons
- "I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
- "For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet."
What is our primary use case?
I have used Snyk in my present and past workplace, along with Veracode, Checkmarx, and GitHub Advanced Security. The main product that really brought Snyk to market was software component scanning for third-party components; however, I like the new things that they're doing as well.
They've got container scanning, which they're just now starting to do, and they're also bringing in new use cases such as static analysis (i.e. SAST) and secrets scanning, although I don't know exactly what's happening on that side of things.
In my previous workplace, we had about 100 users as it was still being scaled up and it was a relatively new product at the time. As for the version number, we use the latest version of Snyk since it is a cloud-based SaaS offering which is always kept up to date.
What is most valuable?
I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST.
The most prominent reason why everybody goes with Snyk as a starting point is because they have an open source offering. As such, it's a developer-friendly solution and our developers really like it for that. In my opinion, that's their very first 'in' from all the avenues within the Software Development Life Cycle, because they deliberately make it developer-friendly from the start, and allow for lots of integration which fits with other tools.
What needs improvement?
For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet.
That's something I believe will be expanding over time, but I'm not 100% sure when they're going to get to it. Thus, my main concerns for improvement would definitely be greater language and framework coverage, and on a lesser note I would also like to see a reduced number of false positives on their scans.
Then there's the issue of their support. It's not very good, to be honest, and it hasn't been the best experience to deal with them. I think they need to develop proper customer success managers when it comes to Service Level Agreements and how they engage with their customers. On the other hand, their technical support is okay as all the technical aspects are essentially all written down and you just have to follow them.
For how long have I used the solution?
I've been using Snyk for three years up until now.
What do I think about the stability of the solution?
We've had no issues with stability. You can run it with the CLI or the GUI and the stability is very good on both.
What do I think about the scalability of the solution?
We have successfully scaled it up to 100 users before, so I would say it is scalable.
How are customer service and support?
Our experience with their customer support wasn't the best. My opinion is that they need to develop their customer support channels better, by providing customer success managers to better engage with their customers, for example.
Otherwise, the technical support is adequate. Most of the issues we've encountered were able to be worked out by our own developers since the technical documentation is all written out and simply needs to be followed.
How was the initial setup?
When it comes to installation, Snyk is very good. It's probably one of the easiest, most developer-friendly solutions to install.
What's my experience with pricing, setup cost, and licensing?
I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market.
What other advice do I have?
Overall, Snyk is a satisfactory solution that I believe could be improved by reducing the number of false positives and extending coverage for more languages and frameworks.
I would rate Snyk a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer-DevSecOps at a computer software company with 51-200 employees
A stable solution that provides excellent features and enables users to identify vulnerabilities in the application plug-ins
Pros and Cons
- "Static code analysis is one of the best features of the solution."
- "The product is very expensive."
What is our primary use case?
We use the product mainly for software composition analysis. It is used to identify vulnerabilities in the application plug-ins. If we use Python 3.8, it’ll tell us that the version is outdated and that it has several vulnerabilities. It also helps in threat identification. It also provides infrastructure as code.
What is most valuable?
Static code analysis is one of the best features of the solution.
What needs improvement?
The product is very expensive.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
We have around 2000 users. Every developer in the organization has access to it.
How are customer service and support?
The support has improved a lot.
How would you rate customer service and support?
Neutral
How was the initial setup?
We use the SaaS version. The initial setup is easy. We just have to click the buttons.
What was our ROI?
I do not think that the tool is worth the money. A lot of free tools are available online.
What's my experience with pricing, setup cost, and licensing?
The solution costs half a million dollars per year. It depends on the number of users. If the number of users increases, the cost will increase further.
What other advice do I have?
People who want to use the product must utilize the code analysis on IDE. It would really help a lot of the developers. It performs the shift left concept very well. It is a very good tool, but the pricing is absurd. Overall, I rate the product an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Open Source License Compliance Service Owner at Visma
Helps to detect security vulnerabilities with good accuracy
Pros and Cons
- "I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy to detect security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to what they're currently using."
- "The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization that I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product."
What is our primary use case?
The product helps me with security vulnerability detection.
What is most valuable?
I am impressed with the product's security vulnerability detection. My peers in security are praising the tool for its accuracy in detecting security vulnerabilities. The product is very easy to onboard. It doesn't require a lot of preparation or prerequisites. It's a bit of a plug-and-play as long as you're using a package manager or, for example, you are using a GitHub repository. And that is an advantage for this tool because developers don't want to add more tools to their current use.
What needs improvement?
The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product.
What do I think about the stability of the solution?
We haven't had big issues in terms of the product's stability.
What do I think about the scalability of the solution?
The product is scalable. In our company, we have a lot of tools that are used for product and software development. We have been able to onboard them and scale up. However, I have to say that when it comes to displaying a dashboard at the organizational level to see all the vulnerabilities, it takes a bit of time to load, which is annoying.
How are customer service and support?
The product has a fantastic tech support team. We actually have a Slack channel with them, and the customer success managers are a click away from providing us with the latest functionalities and updates if there are any interruptions to the service. So there has always been a transparent dialogue between us; we see them as partners in this journey.
How would you rate customer service and support?
Positive
How was the initial setup?
I wasn't involved in the tool's setup, but from my experience or the experience of my colleagues, the process was positive. I didn't hear them have any horror stories from the days when they set it up.
What's my experience with pricing, setup cost, and licensing?
The solution is less expensive than Black Duck.
What other advice do I have?
I would rate the product a seven out of ten. Snyk is a fantastic tool for security vulnerability detection in third-party open-source software. You can use this product if your focus is on security vulnerability. On the other hand, if you don't want your developers to invest too much time in documentation and reading white papers on configuring the tool to work for them, you need to use this product.
I would give them extra points for the transparent communication with the customer and their openness towards improving their product. And I think they have a lot of potential to improve and become a great SCA tool.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Supports multiple programming languages for security practices
Pros and Cons
- "Snyk's focus on security is a valuable feature. Also, Snyk supports multiple programming languages, which has positively affected my security practices. I use only two or three languages, and when I change the language in a file, it detects it in the same suite. I find the AI-powered scanning overall beneficial. Using Snyk's AI-powered scanning, I can detect around ten or twenty errors in my project with about twenty thousand lines of code, so it helps improve my project by identifying a lot of potential vulnerabilities."
- "I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial. I don't need additional features; just improving the existing ones would be enough."
What is our primary use case?
Snyk protects vulnerabilities in the code as usual, detects abnormal data flow inside the field, and similar tasks.
How has it helped my organization?
The specific feature of Snyk that has significantly improved my vulnerability management is its ability to identify vulnerabilities and suggest solutions to fix them. Snyk's automation capabilities streamline my security tasks by scanning code every time I commit.
What is most valuable?
Snyk's focus on security is a valuable feature. Also, Snyk supports multiple programming languages, which has positively affected my security practices. I use only two or three languages, and when I change the language in a file, it detects it in the same suite.
I find the AI-powered scanning beneficial. Using Snyk's AI-powered scanning, I can detect around ten or twenty errors in my project with about twenty thousand lines of code, so it helps improve my project by identifying a lot of potential vulnerabilities.
What needs improvement?
I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial.
I don't need additional features; just improving the existing ones would be enough.
What do I think about the stability of the solution?
It scans the entire code really fast, and the auto-scan process is done repeatedly.
I would rate the stability of Snyk an eight out of ten.
What do I think about the scalability of the solution?
It detects issues really fast, but it still has a lot of false positives, and sometimes the suggestions aren't quite on point. This can sometimes lead to other vulnerabilities.
I would rate the scalability of Snyk a seven out of ten.
How was the initial setup?
I would rate the initial setup of Snyk a nine out of ten because it's straightforward. The web version is also easy to use. I'm working with both the web version and the IDE at the same time.
For deployment, I just link it to GitHub, upload the repository there and it automatically scans for any errors. It took around a minute to deploy Snyk.
What's my experience with pricing, setup cost, and licensing?
I'm currently using the free version, which the company offers before buying the full version. So, the price is affordable, especially for an enterprise.
Which other solutions did I evaluate?
I did evaluate other options before choosing Snyk. I only considered Sonar before Snyk, but I ended up with Snyk because it's faster and more focused on security.
What other advice do I have?
My advice for others considering using Snyk is to rely on it for security issues but still manually review your overall code. It's great for detecting syntax errors but might miss some broader issues, so it's important to do a thorough check yourself.
Based on my experience, I'd rate Snyk an eight overall. Its performance is indeed good.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior DevSecOps/Cloud Engineer at Valeyo
Provides information about the issue as well as resolution, easy to integrate, and never fails
Pros and Cons
- "It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
- "Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
- "It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
- "We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."
What is our primary use case?
We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.
With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.
We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.
What is most valuable?
It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control.
It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones.
Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.
It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.
It never failed, and it is very easy, reliable, and smooth.
What needs improvement?
It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.
We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.
For how long have I used the solution?
It has been more than one and a half years.
What do I think about the stability of the solution?
It is stable. I haven't had any problems with its stability.
What do I think about the scalability of the solution?
It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.
Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.
How are customer service and technical support?
I've never used their technical support.
How was the initial setup?
It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.
What's my experience with pricing, setup cost, and licensing?
Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.
What other advice do I have?
I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.
It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.
Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Product Manager at Ozone.one
A developer security platform with a valuable container scan feature
Pros and Cons
- "Our customers find container scans most valuable. They are always talking about it."
- "Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release."
What is our primary use case?
Our customers use Snyk for infrastructure scanning, SaaS testing, and continuous vulnerability scans.
What is most valuable?
Our customers find container scans most valuable. They are always talking about it.
What needs improvement?
Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release.
For how long have I used the solution?
I have known about Snyk for about two years.
What do I think about the stability of the solution?
Snyk is a stable solution. I don't think we faced any issues with it.
What do I think about the scalability of the solution?
Snyk is a scalable product.
Which solution did I use previously and why did I switch?
We used to work with SonarQube, which is fast. We also used CoreOS Clair and explored Prisma. The open-source and self-hosted solutions are better suited for smaller startups. They only have to spend on setting it up as running is entirely free.
How was the initial setup?
The initial setup is straightforward because it's a SaaS solution. I didn't have any problems implementing this solution. I think installing and deploying this solution took me about 15 minutes.
What about the implementation team?
I implemented this solution.
What's my experience with pricing, setup cost, and licensing?
The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers. Something like $99 per user is reasonable when the stakes are high.
What other advice do I have?
On a scale from one to ten, I would give Snyk an eight.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
