Snyk Reviews

I have used Snyk in my present and past workplace, along with Veracode, Checkmarx, and GitHub Advanced Security. The main product that really brought Snyk to market was software component scanning for third-party components, however I like the new things that they're doing as well.

They've got container scanning, which they're just now starting to do, and they're also bringing in new use cases such as static analysis (i.e. SAST) and secrets scanning, although I don't know exactly what's happening on that side of things.

In my previous workplace, we had about 100 users as it was still being scaled up and it was a relatively new product at the time. As for the version number, we use the latest version of Snyk since it is a cloud-based SaaS offering which is always kept up to date.

I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST.

The most prominent reason why everybody goes with Snyk as a starting point is because they have an open source offering. As such, it's a developer-friendly solution and our developers really like it for that. In my opinion, that's their very first 'in' from all the avenues within the Software Development Life Cycle, because they deliberately make it developer-friendly from the start, and allow for lots of integration which fits with other tools.

For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet.

That's something I believe will be expanding over time, but I'm not 100% sure when they're going to get to it. Thus, my main concerns for improvement would definitely be greater language and framework coverage, and on a lesser note I would also like to see a reduced number of false positives on their scans.

Then there's the issue of their support. It's not very good, to be honest, and it hasn't been the best experience to deal with them. I think they need to develop proper customer success managers when it comes to Service Level Agreements and how they engage with their customers. On the other hand, their technical support is okay as all the technical aspects are essentially all written down and you just have to follow them. 

I've been using Snyk for three years up until now.

We've had no issues with stability. You can run it with the CLI or the GUI and the stability is very good on both.

We have successfully scaled it up to 100 users before, so I would say it is scalable. 

Our experience with their customer support wasn't the best. My opinion is that they need to develop their customer support channels better, by providing customer success managers to better engage with their customers, for example.

Otherwise, the technical support is adequate. Most of the issues we've encountered were able to be worked out by our own developers since the technical documentation is all written out and simply needs to be followed. 

When it comes to installation, Snyk is very good. It's probably one of the easiest, most developer-friendly solutions to install.

I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market.

Overall, Snyk is a satisfactory solution that I believe could be improved by reducing the number of false positives and extending coverage for more languages and frameworks.

I would rate Snyk a seven out of ten.

At a high level, Fugue extends and augments compliant reporting capabilities provided by major cloud suppliers. It enhances the visibility, again, from a compliance standpoint, into cloud-based or multi-cloud-based environments.

The solution offers good flexibility in customization. From a compliance and visibility reporting perspective, the fact that it can be applicable for multi-cloud environments is very helpful. It's not a single cloud supplier. It's most of them. The fact that it provides visibility, compliance-related visibility, that is not readily available by cloud suppliers themselves, is its most valuable aspect. It's the additional set of compliance reporting and compliance visibility features that Fugue provides that is what makes it so very useful.

The initial setup is simple and straightforward. 

I can't comment if there are missing features at this time. For the last six to eight months I didn't work with Fugue. I don't have an up-to-date product roadmap to comment on what is or is not available, what they do or do not provide. I would need to review their current roadmap to be able to accurately comment on what is or is not available.

Fugue capabilities are not well understood on the market. If there was one thing they could improve, it would be to basically explain in simple terms to market what it is they do. Right now, understanding what they do requires substantial experience and expertise. It wasn't a challenge for me to identify this area, however, I'm the exception. Generally speaking, there is not sufficient understanding in the broad market of what Fugue does. This is the area they need to focus on.

The general input I have is that there is an opportunity for them to better align with other similar tools and better align with similar capabilities that cloud suppliers deliver natively. What happens is they extend and augment capabilities that cloud suppliers offer. There is additional integrational and operational benefits that can be realized in how they extend and how they position themselves as compared to what cloud suppliers deliver.

I've used the solution for some time. It's likely been more than a year. There were a couple of specific projects which were two months long in terms of duration. I'd work with it on and off for those.

There was no issue with scaling at the time I was deploying it. I did not have a chance to work with it at a really industrial scale, such as an enterprise scale. It was a fairly limited deployment, a fairly limited project. I did not see any issues with the scalability of the architecture or the environment itself.

I worked with their professional services organization. I did not have a chance to go to support, so I cannot comment on the efficiency or effectiveness of the support organization. I didn't interact with them.

The setup was actually fairly simple and they can start delivering value in a very short time. That said, t business value is a subjective thing. The business value itself is something that they need to explain. It's not self-evident.

There were no issues related to the setup. It's a cloud-native solution. It's available nearly instantaneously. Being able to interpret the results and being able to consume the value that they provide and understand the value that they provide, however, needs to be better explained to the market.

The Fugue solution can be handled by a relatively small team - so long as they understand it.

In general, for maintenance, the team is relatively small, however, the level of understanding that the team needs to possess, to have, in order to effectively use it, is quite high.

I don't have direct visibility and the pricing, from what I understand, is negotiable. It's not an effective area for me to comment on.

Considering that they deliver a unique set of capabilities, the money that they charge is likely worth it. That said, one needs to understand the value to fully appreciate it.

We are consultants. We don't have any alliance or partnership relationship. It's similar to the relationship with other technology suppliers that we have in the same space.

I'd advise others to definitely try it out. 

I would rate the solution at an eight out of ten. 

Our customers use Snyk for infrastructure scanning, SaaS testing, and continuous vulnerability scans. 

Our customers find container scans most valuable. They are always talking about it.

Offering API access in the lower or free open-source tiers would be better. That would help our customers. If you don't have an enterprise plan, it becomes challenging to integrate with the rest of the systems. Our customers would like to have some open-source integrations in the next release.

I have known about Snyk for about two years.

Snyk is a stable solution. I don't think we faced any issues with it.

Snyk is a scalable product. 

We used to work with SonarQube, which is fast. We also used CoreOS Clare and explored Prisma. The open-source and self-hosted solutions are better suited for smaller startups. They only have to spend on setting it up as running is entirely free.

The initial setup is straightforward because it's a SaaS solution. I didn't have any problems implementing this solution. I think installing and deploying this solution took me about 15 minutes.

I implemented this solution. 

The pricing is acceptable, especially for enterprises. I don't think it's too much of a concern for our customers.  Something like $99 per user is reasonable when the stakes are high.

On a scale from one to ten, I would give Snyk an eight.

I used it for the security analysis and code vulnerability part. We were also interested in integrating with the pipeline scan and code scan.

The code scans on the source code itself were valuable.

It's very easy to use. It's very fast. 

It was good, but we had a few limitations with it. We were mostly using containerized applications. We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good.

I used it two months ago for a period of two weeks.

Its stability was good during that two-week period.

We didn't do extensive tests on it.

We contacted them for support. They were responsive, and they responded quickly.

We were using Veracode, but with Veracode, we found some limitations. It was not able to scan the source code the way Snyk does. That's a limitation, and Veracode is not that capable even for container applications. From the capability perspective, it was not as good as Snyk.

It's very easy to use. It's very quick. I'd rate it a nine out of ten in terms of the ease of the setup.

Cost-wise, it's similar to Veracode, but I don't know the exact cost. 

I'd recommend the code quality scan, which is helpful for the upfront feedback for developers. It's a very good feature. The container scans are also good, but only for Microsoft images, there are some limitations. If I were to start looking for a vulnerability solution, I'd definitely go with Snyk. It's quick and easy to use.

Overall, I'd rate Snyk a nine out of ten.

We use Snyk to check vulnerabilities and rectify potential leaks in GitHub.

The tool's initial use is complex. 

I have been working with the product for three to four months. 

I rate the product an eight out of ten. 

I use Snyk to review my code. 

Snyk helps me pinpoint security errors in my code. 

Sometimes we have problems upgrading a library because it's too old. The only thing we can do is use another library. 

It is easy to scale Snyk once you install it, but it depends on your cloud service provider. Everything will scale smoothly if you have the correct cloud server settings. 

I rate Snyk support eight out of 10. 

Positive

Setting up Snyk is relatively complex if you're working with multiple developers who use different IDEs. It can be complicated if, for example, one developer uses Visual Studio and another developer uses a different editor. 

Snyk is cloud-based. We use Bamboo for CI/CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult.

I rate Snyk three out of 10 for affordability. The price is relatively high, but it's worth it. 

I rate Snyk seven out of 10. 

Snyk's major use case is to check our code for vulnerabilities that may exist in the dependencies or the security of the code. This allows developers to identify and address potential security issues that can be resolved.

Snyk offers two key advantages for organizations. Firstly, it allows all issues to be fixed in one centralized location, streamlining the process of addressing vulnerabilities. Secondly, Snyk categorizes the level of vulnerability into high, medium, and low, which helps organizations prioritize which issues to tackle first. This feature ensures that low-priority vulnerabilities are not addressed before high-priority ones.

One area where Snyk could improve is in providing developers with the line where the error occurs.

As of now, I have been using Snyk for two weeks. Also, I am using the latest version of the solution. So, my company is an end-user and customer of the solution.

I haven't faced any stability issues at all while using the solution. Stability-wise, it is a fine product. I rate its stability a nine out of ten.

Only three users are using the solution in my company. Even though there are around fifteen developers in my company, since the solution is still in the integration stage, many developers can't use it yet. So, once the seniors get accustomed to Snyk, then the juniors will follow.

From a scalability standpoint, I haven't explored the solution yet.

I haven't faced any issues that I can take to them. So, all the documents Snyk provides have solutions to the potential issues one could face. I did not need to use the internet to check for the resolutions to my issues with the solution.

I have used SonarQube previously. We still use SonarQube and might migrate to Snyk completely in the future. Also, we may even consider using both parallelly.

SonarQube notifies us of the error. It also mentions the line where that error is and gives the exact line of code along with the line number. While it doesn't give any solution, it does give an alternate solution. So, it will just show what can be removed, where the vulnerabilities are, and what needs to be changed.

In Snyk, it notifies its user what an old version is and how to take it to another stable version. It also notifies its users about the vulnerabilities in a version before suggesting a new version that doesn't have such vulnerabilities.

Integration in Snyk was easier since, during SonarQube's integration process in our company, we always faced technical issues during its setup or while trying to operate it. Snyk is a very user-friendly tool, giving it a huge plus point.

SonarQube detects in a code if any line is commented or any variable is defined but not used. Snyk, on the other hand, doesn't detect such details but detects vulnerabilities on a higher level.

The deployment model for the solution is a cloud-based one.

Regarding Snyk's deployment, we have integrated everything with Jenkins so that the deployment happens automatically. Also, in Jenkins itself, we have integrated Snyk. The deployment process for Snyk took less than an hour. Once a person goes through the documents provided by Snyk, the deployment process becomes easy. The deployment process in my company was carried out without needing any help from external sources.

Presently, my company uses an open-source version of the solution. The solution's pricing can be considered quite reasonable owing to the features they offer. There are no extra costs attached to the solution because there is no need for extra hardware or other software since it has been integrated with the Jenkins CICD automation pipeline, and the dashboard gives everything in one place.

Upon reviewing Snyk's operations, I found it helpful, although not entirely comprehensive. Specifically, it provides valuable information regarding the status of vulnerabilities and the details of dependencies used in our projects. The solution also can identify issues that could be resolved manually or through alternative means. Snyk gives all the required information, while SonarQube doesn't. In SonarQube, data is presented in a different format that is required to be reviewed by us on a line-by-line basis. One of Snyk's strengths was its ability to consolidate all identified issues into a single location.

Currently, our company has not utilized any expensive solutions. So, we opted for SonarQube's open-source version. In the future, if the need arises, we may consider purchasing a solution. However, as this is for a proof-of-concept (POC), I am currently exploring trial or open-source versions, which are free of cost. If a solution is successfully integrated into our projects and our developers become familiar, we may consider purchasing a particular solution. For now, we are focusing on finding a solution that meets our needs for the POC without incurring any unnecessary expenses.

I would definitely recommend the solution to those planning to use it. Overall, I rate the solution a seven and a half out of ten. To be more specific, I would rate it an eight out of ten.

Snyk is used to manage open-source risks in security and licenses.

The most valuable feature of Snyk is the software composition analysis.

The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improved.

Having bolting scans into a single solution can be useful, maybe snippet capabilities of reading the actual scan rather than reading the manifest can be very useful.

I have been using Snyk for several years.

The stability of Snyk is good.

Snyk is highly scalable. The only thing running on the customer side is a command-line interface(CLI). The entire results are been presented on a software as a service-based platform. It doesn't matter if I'm running 10 or 10,000 systems. It's scalable because Snyk has a supportive system, which is not the customer's system, it's Snyk's system.

I have not used the support from Snyk. However,  customers are sharing their experiences, and they have said the support is good.

The initial setup of Snyk needs their assistance and support. It's not a Windows application that you click next, but it's not rocket science. The implementation typically takes a few days to complete.

The company that purchases Snyk typically does the implementation. There are only a few people needed for the deployment of the solution.

Snyk allows developers and development managers to identify open-source vulnerabilities in every stage. As a result, the fix is much cheaper than identifying something on production. It's up to 100 times less expensive. If you fix a few bugs at an early stage, you cover all the license fees for the annual subscription of Snyk. There is a high return on investment potential.

The license model is based on the number of contributing developers. Snyk is expensive, for a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SLA tools.

I rate Snyk an eight out of ten.