Snyk Reviews

We enable Snyk on all of our repos to do continuous scanning for open-source dependency, vulnerabilities, and for license compliance. We also do some infrastructure and code scanning for Kubernetes and our Docker containers.

Snyk integrates with GitHub which lets us monitor all private and public repositories in our organization and it enables developers to easily find and fix up source dependency vulnerabilities, container-image vulnerabilities, and ensures licenses are compliant with our company policies.

It's given us more insight in terms of what our risk is to open-source dependencies and helps us reduce the quantity of open-source dependency vulnerabilities that we have within our code base.

Snyk has absolutely reduced the amount of time it takes to find problems, with its automated PR. The challenge, initially, was that there were a lot of false positives with the previous product that we had. We had to eliminate the noise ratio. Snyk is accurately detecting the vulnerabilities and pinpointing the sources of where they exist. In terms of discovery and accuracy, it has reduced the time involved by 50 percent.

It's also giving our developers informed insights to take action on where vulnerabilities are introduced into the code. Depending on how you define "productivity" you could say it's reducing their productivity because it's showing that they have issues with their code and that they have to go back and fix it. It might not necessarily be increasing productivity, but in the sense of not incurring tech or security debt, it's improving those aspects. Overall, that should lead to an improvement in productivity.

The most valuable features include 

• detection 
• the reporting aspect where we can get an overall glance at vulnerabilities across all of our organizational repos 
• the enriched information around the vulnerabilities for better triaging, in terms of the vulnerability layer origin and vulnerability tree.

Its actionable advice about container vulnerabilities is good. The container security feature definitely allows developers to own security for the applications and the containers they run in the cloud. They have the ability to go in and review the vulnerabilities and to remediate as needed. Currently, it's only scanning. We're not doing any type of blocking. We're putting more of the onus on the developers and owners to go and fix the vulnerabilities. They're bound to internal SLAs.

The solution’s vulnerability database is very comprehensive and accurate. One thing we were looking at is the Exploit Maturity, which is a relatively new feature. We haven't really gotten back to tune that, but it is something we were looking at so we can know the exploit maturity, based on these vulnerabilities. That is super-valuable in understanding what our true risk is, based on the severity. If something is out in the wild and actively being exploited, that definitely bumps the priority in terms of what we're trying to remediate. So it helps with risk-prioritization based on the Exploit Maturity.

There is room for improvement in the licensing-compliance aspect. There have been some improvements with it, but we create severities based on the license type and, in some cases, there might be an exception. For example, if we actually own the license for something, we'd want to be able to allow based on that. That specific license type might exist in different repos, but it could be that in a specific repo we might own the license for it, in which case we wouldn't be able to say this one is accepted. That would be an area of improvement for legal, specifically.

We've also had technical issues with blocking newly introduced vulnerabilities in PRs and that was creating a lot of extra work for developers in trying to close and reopen the PR to get rid of some areas. We ended up having to disable that feature altogether because it wasn't really working for us and it was actually slowing down developer velocity. To be honest, that's where it's at today. We haven't been using it much in that way, to block anything. We work in a non-blocking fashion and we give the ownership to the developers. And then we monitor and alert based on what we have and what we've discovered.

We have been using Snyk for about a year.

I haven't noticed any stability issues.

There have definitely some been some software flaws, bugs, of course, but that just comes with the nature of software in general. But the customer support team has been very responsive when we actually need something. They've been reaching out to us, they've gotten engineers on the calls to talk through our problems. It's been good enough in that way.

It's scalable.

We previously used a solution called Black Duck and the reason we switched was because there were a lot of false positives. There was a lot of noise and it wasn't useful to developers.

As my organization's security program continued to mature, our team was looking for ways to effectively build a more secure product. One area of risk we wanted to address was the use of open-source software. Although open-source software has many benefits, it includes vulnerabilities that, if not managed properly, could expose us to potential breaches. To address this risk, we purchased Snyk.

Snyk's extensive vulnerability database helps us stay on top of those occurrences as they surface. In addition, we use Snyk to help ensure compliance with open-source security policies. We replaced Black Duck with Snyk as a more developer-friendly solution to help us govern our security and license compliance as well as to reduce false positive findings.

The initial setup was pretty straightforward. You just sign up for an account and then you work with the sales engineers, the technical engineers, to enable it across your organization. Then you just import all the repos you want to start scanning on and that's pretty much it. Out-of-the-box it works.

The deployment took a day or two days. It wasn't very intensive. The main thing was the internal process of getting buy-in from leadership and getting things put into place.

In terms of our deployment strategy, we ran it against the master branch of select repositories. We picked a handful of repos that we wanted to start scanning against. We disabled tests on pull requests temporarily and we enabled SSO so people could log in via Okta to start reviewing reports. Everybody had access to it in R&D. Everybody then had the ability to start opening Snyk pull requests for vulnerabilities that were discovered. Then we established how we would treat the information coming from Snyk, including SLAs tied to the severity, etc.

We told people to expect that Snyk would be enabled on the master branches of all our repositories and that it continuously scans the dependency files such as the package.json, requirements.txt, Gemfile.lock, etc., on a scheduled basis. If new vulnerabilities are discovered, we told them findings would be generated and could be viewed on a new dashboard and developers could customize their notification settings in Snyk's console. For each pull request we test for new vulnerabilities.

The rollout plan was working with two squads per month to begin the implementation. The security team would embed with them to understand how they were using the tool and learn about their process — if things weren't working, or were working and they liked it. We would gradually roll it out to the next squad and the next squad. We have 600 engineers here, so we didn't want to just flip the switch and turn it on all at once. We worked with teams individually to understand their workflows, and to see if they disliked it or liked it.

We were also tuning the SLAs for remediation for vulnerabilities. We didn't want to be too aggressive in what we were asking from the developers around the SLA for remediation. And because we were putting the SLAs in place, we were blocking other product-feature work that was coming down the pipeline. We're also an Agile development shop. Customer security usually comes after, so we were dealing with those trade-offs.

We had a few bumps along the way with enabling newly introduced vulnerabilities on an open PR. We pulled back on the entire project and just left it running. The security team really hasn't had a chance to go back and tune it.

Developer adoption of the solution has been low in our company. Management isn't really enforcing the use of the tool yet. There have been more pressing issues. So the low adoption is more more the result of an internal process than it is because of actual value from the product. They do find a lot of value with it when they start using it properly. Overall, we've had positive feedback from developers.

The time-to-value of Snyk is still still a work-in-progress in our company.

I would advise that there be communication within the organization about how the tool is going to be used, what it's going to be used for, and for establishing and communicating a rollout plan. The steps that I listed previously about our rollout plan were well received and followed. With larger organizations, that's probably the best path forward: limiting the number of people using the tool, up front, to work out workflows, and then gradually rolling it out to the wider audience until you get full coverage.

We understood that the full implementation of Snyk into the development and operations lifecycle introduced a change. We also understood that fixing all the existing vulnerabilities immediately would not be a viable strategy. So we started with a partial implementation to gain insight from developers on the preferred ways of working, which would help us manage business priorities and roadmap initiatives. From there, we established a policy on how we retreat information coming from Snyk, including SLAs tied to the severity of findings. 

After that, depending on the size of your organization, the suggestion would be to work with select teams. For us, it was two teams per month, focusing on the process of remediating existing vulnerabilities until we worked with all teams across the organization. 

In addition, Snyk offered free onsite training if requested, so take advantage of that.

Everything that the product promises it will do, it's been doing that for us. It's good. It's serving its purpose. We have definitely had some technical issues with it. We really haven't had a lot of time to spend with it and to focus on tuning it since we procured the solution, and to actively get it into our development pipeline. But from what it promises, I would rate it at eight out of ten.

We are using Snyk to find the vulnerabilities inside dependencies. It is one of the best tool in the market for this. 

It is pretty easy and straightforward to use because integration won't take more than 15 minutes to be honest. After that, developers don't have to do anything. Snyk automatically monitors their projects. All they need to do is wait and see if any vulnerabilities have been reported, and if yes, how to fix those vulnerability. 

So far, Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet.

Whenever Snyk reports to us about a vulnerability, it always reports to us the whole issue in detail:

• What is the issue.
• What is the fix.
• What version we should use.

E.g., if upgrading to a new version may break an application, developers can easily understand the references and details that we receive from Snyk regarding what could break if we upgrade the version.

The solution allows our developers to spend less time securing applications, increasing their productivity. As soon as there is a fix available, developers don't have to look into what was affected. They can easily upgrade their dependencies using Snyk's recommendation. After that, all they need is to test their application to determine if the new upgrade is breaking their application. Therefore, they are completely relaxed on the security side. 

Snyk is playing a big role in our security tooling. There were a couple of breaches in the past, which used vulnerability dependencies. If they had been using Snyk and had visibility into what vulnerabilities they had in their dependencies, they could have easily patched it and saved themselves from their breaches.

So far, we have really good feedback from our developers. They enjoy using it. When they receive a notification that they have a vulnerability in their project, they find that they like using Snyk as they have a very easy way to fix an issue. They don't have to spend time on the issue and can also fix it. This is the first time I have seen in my career that developers like a security tool.

I'm the only person who is currently maintaining everything for Snyk. We don't need more resources to maintain Snyk or work full-time on it. The solution has Slack integration, which is a good feature. We have a public channel where we are reporting all our vulnerabilities. This provides visibility for our developers. They can see vulnerabilities in their projects and fix them on their own without the help of security.

Snyk integrations and notifications with Slack are the most valuable feature because they are really handy. By monitoring dependencies, if there is a vulnerability reported, Snyk will fire off a Slack message to us. With that Slack message, we can create a request just from the notifications which we receive on Slack. It's like having visibility in a general channel and also flexibility to fix that issue with a few clicks.

The solution’s vulnerability database is always accurate since the chances of getting a false positive is very rare. It only reports the vulnerabilities which have already been reported publicly.

The solution’s Container security feature allows developers to own security for the applications and the containers they run in in the cloud. Without using Snyk, developers might be not aware if they are creating a vulnerability in their Docker images. While using Snyk, they have at least a layer of protection where they can be notified by a Snyk if there is a vulnerability in the Docker images or communities.

If the Snyk had a SAST or DAST solution, then we could have easily gone with just one vendor rather than buying more tools from other vendors. It would save us time, not having to maintain relationships with other vendors. We would just need to manage with one vendor. From a profitability standpoint, we will always choose the vendor who gives us multiple services. Though, we went ahead with Snyk because it was a strong tool.

Snyk needs to support more languages. It's not supporting all our languages, e.g., Sift packages for our iOS applications. They don't support that but are working to build it for us. They are also missing some plugins for IDEs, which is the application that we are using for developers to code.

There are a couple of feature request that I have asked from Snyk. For example, I would like Snyk to create a Jira ticket from Slack notifications. We already have Snyk creating a pull request from Slack notifications, so I asked if we could create a Jira ticket as well so we can track the vulnerability.

I started working with at my company eight months ago and Snyk was already in place. As for my own experience, I was using this solution before I joined the company, so I was familiar with the tool and how it works.

They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer.

So far, we have onboarded all our developers to Snyk, and it's still running fine. However, they could improve it. For example, if I create a bulk request for more than 15 or 20 vulnerabilities, then it takes a bit longer than it should in terms of time.

Including security, the total developers that we have on Snyk is almost 50 at this time. We are pushing more to the developers and would like to have 200 developers in the coming month or two.

The people with whom I'm connected are really good. If I have issues, they will quickly jump on a call and I will start troubleshooting with them over the call. The people with whom I'm talking are very technical.

Before using Snyk, we didn't have visibility into how many dependencies we were using or importing into our projects. Snyk gives us how many third-party libraries we are using and what version they are running on. Also, it let us know if there are any vulnerabilities in those libraries when we are writing our code. Because of the potential impact, we have to ensure that there aren't any vulnerabilities in these libraries (since we have no visibility) when we are importing. 

The initial setup was straightforward. Onboarding projects didn't take me too long. It was pretty straightforward and easy to integrate with event/packet cloud and import all our projects from there. Then, it was easy to generate the organizational ID and API key, then add it to the Snyk plug-in that we are using in our build pipeline.

Snyk was already onboard when I joined. Deployment of my 23 projects took me an hour. 

The solution has reduced the amount of time it takes to find problems by three or four hours per day. 

The solution has reduced the amount of time by at least two to three hours a day to fix problems because the documentation which we receive is very helpful. This also depends on a couple of factors, such as, how big a project or library is.

Developer productivity has increased a lot. Considering all the projects about security vulnerabilities, we are saving at least six to seven hours a day.

It saves a lot of my time and the developers' time. Also, because everything is super simple and straightforward in one place, it is really convenient for the security team to keep an eye on vulnerabilities in their projects.

Having this type of tool for a security team is really helpful. In my previous role, we didn't have this type of tool for our team. We struggled a lot with how we could enhance our visibility or see our projects: what dependencies they were using and if we could monitor those dependencies for any vulnerabilities. Without the tool, we could be attacked by some random vulnerability which we were not even aware of. Thus, I strongly recommend having this type of tool for a security team.

This is integrated with our CI/CD.

For Containers, we are still not fully rolled out and working around it. 

I would rate this solution as a seven (out of 10).

It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.

This is a SaaS solution.

It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now.

We were aware of problems that were there, but we weren't looking for them until we had Snyk. It is definitely showing us things that we should have been concerned about, and we have found a lot of value in resolving those things since we've discovered them.

It's reduced the amount of active vulnerabilities in our applications, providing both a more stable and secure environment for us in the libraries that we develop. It has highlighted a number of things we weren't aware of in our applications and the reduction of those is definitely a benefit and value-add to our applications.

The general source composition analysis is the key to the piece. That is the feature to check our open source libraries for vulnerabilities and the primary feature that we use the tool for.

It is extremely easy to use and very simple to catch on for every team that we train on it. We generally have our development teams leverage the tool themselves. It's extremely easy to teach them how to use it and get them to onboard it.

From a speed perspective, we use Git repository. It was very easy to integrate into that platform.

The solution’s ability to help developers find and fix vulnerabilities quickly is very good and convenient. It provides the ability to easily work the platform into our existing repositories and leverage our repository. It also pulls notifications as a means for notifying developers of vulnerabilities within the projects that are developing.

The solution’s vulnerability database is very comprehensive and accurate.

There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform.

We have been using Snyk for about a year.

It is very stable.

We use existing staff to maintain and operationalize it.

It is extremely easy to scale and hooks into all of our application repositories without any issues. We use the product extensively in the projects that we are currently running. We are using the product at close to 100 percent.

Developer-adoption of the solution has been good. It is one of the better tools in our application security library from an adoption perspective and needs of use. It has the most positive feedback out of all our solutions.

There are probably 50 users who are security/developers and development-focused security professionals.

The only technical support that we have received has been through our account team, and it's been fantastic. I haven't actually had to open any tickets or anything using the tool. The only time we've ever needed assistance was to open up a ticket for single sign-on configuration. It was extremely quick. They had a very easy, fast response for how to deliver it.

We previously used Black Duck. We switched to Snyk because of its better false positive ratings along with its ease of use, integration, and deployment.

The initial setup was straightforward. It was just extremely easy to integrate into our repositories, get the code scanning working, and add our projects into the application.

The deployment was quick. We had our first application in it within minutes.

Implementation strategy: We hooked up our applications and integrated them into the tool. Then, we started to address vulnerabilities as we saw fit from a risk perspective.

We have seen ROI with Snyk. It has showed us a lot of things that we were not privy to before. This has opened our eyes to a lot of very important things, e.g., vulnerabilities.

The solution has reduced the amount of time it takes to fix problems. It has done a great job explaining what the problem is and how to resolve it with remediation. It gives you a lot of details about versioning and such for the library. It is definitely helpful there.

The time-to-value of the solution in our company was almost immediate.

It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website.

We focused our evaluation specifically on Black Duck and Snyk, plus Veracode as a larger product offering.

The Snyk platform does everything we've expected it to do. It works much better than some of the competitors we looked at during our assessment.

If you're looking for a source composition analysis tool or a tool to monitor your open source security, then it's a fantastic solution.

SAST and DAST are very important functions. We have alternative options for those though. I wouldn't say the solution’s lack of SAST and DAST hurts or affects us. It would be nice if these were a platform or offering that they did have.

We don't use the solution’s Container security feature at the moment, but we are planning on using it.

I would rate this solution as an eight or nine (out of 10).

The product's most valuable features are an open-source platform, remote functionality, and good pricing.

Snyk's API and UI features could work better in terms of speed. Additionally, they could optimize and provide better reports, including reports for security, technical, and developer level.

We have been using Snyk for two and a half years.

I rate the platform's stability an eight or nine out of ten. Sometimes, we encounter downtime issues, but it has quick recovery. It impacts our system and needs improvement for better outcomes during the development phase.

We have 20 to 50 Snyk users in the development team of our organization. It is a scalable product.

The technical support services are available quickly for developers. However, they should improve their speed of response for customers.

Neutral

I have used Checkmarx and some other open-source software.

The initial setup is neither difficult nor easy. However, it works slowly. It takes some weeks or months to complete the process.

The product has good pricing. 

I recommend Snyk to others and rate it a seven out of ten.

I am using Snyk for DevOps and security.

The most valuable features of Snyk are vulnerability scanning and automation. The automation the solution brings around vulnerability scanning is useful.

The solution could improve the reports. They have been working on improving the reports but more work could be done.

I have been using Snyk for a few months.

The stability of Snyk is good.

We have not had any challenges with the scalability of Snyk.

There are good resources to answer questions when we have issues.

I have not used a testing solution prior to Snyk.

The initial setup of Snyk was easy.

The price of the solution is expensive compared to other solutions.

I would recommend people use the free tier first before they purchase.

I rate Snyk a ten out of ten.

The solution is set up in a test lab for proof of concept on the ACIA component. Our client is proposing the solution in an RFP response that will include 3,000 users when awarded. 

The solution has great features and is quite stable. 

The log export function could be easier when shipping logs to other platforms such as Splunk. 

I have been using the solution for months.

The stability is quite good. 

The solution is scalable with no issues. 

I have not needed technical support. 

The initial setup is quite straightforward and took fifteen minutes. 

We implemented the solution in-house. 

In our lab environment, the deployment strategy is to install and run with no complex operations. 

I rate the solution a nine out of ten. 

We use this product for security analysis. It enables us to analyze the development code and find the security vulnerabilities and best practices. We have around 20 developers testing this solution. I'm the senior DevOps and we are users of Snyk.

The solution is very easy to install. It provides clear information and is easy to follow. We get good feedback regarding code practices and how to fix security issues. Another benefit is that it has worked with containers for a long time and has a partnership with Docker. They have a lot of experience and good expertise in security.

I think they could improve the feature for automatic fixing of security breaches. If they had a Kubernetes coverage of vulnerabilities that would be helpful.

I've been using this solution for two months. 

The solution is stable. 

The solution is scalable. 

The technical support is good. They are very helpful and also offered us a demo.  

The initial setup is not complicated, it's just configuring the connection, and connecting to the server.

We're using the open source version for now.

I think it's worthwhile to try this product and I rate it nine out of 10. 

I am a reseller. We provide solutions for our customers.

It's a good product. I haven't seen any weakness.

Snyk is a developer-friendly product.

Compatibility with other products would be great.

I have not contacted technical support.

Previously, I was working with Micro Focus Fortify.

The initial setup is easy.

We have also evaluated Prisma Cloud by Palo Alto.

We tried to partner up with Snyk, but we were not successful in gaining a partnership. We are not authorized Snyk resellers.

I would rate Snyk an eight out of ten.