Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are using so you don’t have to scan projects all the time. This solution fixed vulnerabilities quickly - even ones we didn’t know were there.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
Snyk has some scalability issues, especially if you are using a lot of code. This may potentially slow things down, affecting productivity. The notifications regarding vulnerabilities seem too broad to me. I think it would be better if there was a filtering process to more precisely report varied vulnerabilities. Snyk is also lacking slightly on the documentation end; we can’t always figure out how to fix an issue because proper documentation is not there, so it takes us longer to find the fix.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution
Conclusion
These tools provide many of the same valuable problem-solving traits and resolutions. They are both very good. We liked Snyk better for its ease of use and great integration with other tools. We also found that the information Snyk provided with regard to issues and resolutions were what our team liked best.
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis. If yes, for SAST, did you upload source code to synk platform for getting results. As per documentation, they need source code to be uploaded for 24 hrs after which they remove it.
SonarQube and Snyk compete in the software quality and security space with a focus on code quality and vulnerability detection. SonarQube has the upper hand in affordability and flexibility, while Snyk excels in vulnerability management and actionable insights.Features: SonarQube offers features such as support for over 20 programming languages, pre-commit checks, custom coding rules, unit tests, and code duplication checks. It provides users the ability to create quality profiles and gates,...
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are using so you don’t have to scan projects all the time. This solution fixed vulnerabilities quickly - even ones we didn’t know were there.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
Snyk has some scalability issues, especially if you are using a lot of code. This may potentially slow things down, affecting productivity. The notifications regarding vulnerabilities seem too broad to me. I think it would be better if there was a filtering process to more precisely report varied vulnerabilities. Snyk is also lacking slightly on the documentation end; we can’t always figure out how to fix an issue because proper documentation is not there, so it takes us longer to find the fix.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution
Conclusion
These tools provide many of the same valuable problem-solving traits and resolutions. They are both very good. We liked Snyk better for its ease of use and great integration with other tools. We also found that the information Snyk provided with regard to issues and resolutions were what our team liked best.
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis. If yes, for SAST, did you upload source code to synk platform for getting results. As per documentation, they need source code to be uploaded for 24 hrs after which they remove it.