Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are using so you don’t have to scan projects all the time. This solution fixed vulnerabilities quickly - even ones we didn’t know were there.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
Snyk has some scalability issues, especially if you are using a lot of code. This may potentially slow things down, affecting productivity. The notifications regarding vulnerabilities seem too broad to me. I think it would be better if there was a filtering process to more precisely report varied vulnerabilities. Snyk is also lacking slightly on the documentation end; we can’t always figure out how to fix an issue because proper documentation is not there, so it takes us longer to find the fix.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution
Conclusion
These tools provide many of the same valuable problem-solving traits and resolutions. They are both very good. We liked Snyk better for its ease of use and great integration with other tools. We also found that the information Snyk provided with regard to issues and resolutions were what our team liked best.
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis. If yes, for SAST, did you upload source code to synk platform for getting results. As per documentation, they need source code to be uploaded for 24 hrs after which they remove it.
SonarQube Server and Snyk are key competitors in the code quality and security domain. SonarQube Server leads in static code analysis and organizational improvement features, while Snyk excels in comprehensive vulnerability scanning and remediation.Features: SonarQube Server provides static code analysis, customizable rule sets, and metrics visualization, helping organizations with code quality management. Snyk focuses heavily on vulnerability detection, integrating smoothly with developer...
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are using so you don’t have to scan projects all the time. This solution fixed vulnerabilities quickly - even ones we didn’t know were there.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
Snyk has some scalability issues, especially if you are using a lot of code. This may potentially slow things down, affecting productivity. The notifications regarding vulnerabilities seem too broad to me. I think it would be better if there was a filtering process to more precisely report varied vulnerabilities. Snyk is also lacking slightly on the documentation end; we can’t always figure out how to fix an issue because proper documentation is not there, so it takes us longer to find the fix.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution
Conclusion
These tools provide many of the same valuable problem-solving traits and resolutions. They are both very good. We liked Snyk better for its ease of use and great integration with other tools. We also found that the information Snyk provided with regard to issues and resolutions were what our team liked best.
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis. If yes, for SAST, did you upload source code to synk platform for getting results. As per documentation, they need source code to be uploaded for 24 hrs after which they remove it.