Snyk Runtime Sensor

We are a customer of Snyk , which is a SaaS solution. We are one of the tenants using Snyk  services but are not doing any enhancement development. We are purely a customer availing Snyk services.

We are also using a separate DAST tool, though I am not aware of the tool name as it is managed by a different team.

We utilize two main capabilities: application vulnerability detection and SCA  capabilities. The primary reason we use Snyk is for SAST , as we want to scan our applications for any security vulnerabilities and address them.

Snyk is finding all the issues we have. It suggests solutions for every vulnerability, and we are getting patches frequently. As someone from an enterprise, I want to share feedback that might help others. There are multiple teams involved in our organization. We have a separate cyber team that works with Snyk and keeps on updating, though I am not fully aware of all the details in that area.

I have not explored from that perspective. Being from an application perspective, I cannot say anything that needs real improvement. I have not explored from that angle. Till now, we did not face any scaling issues and I did not hear of any. I would rate this at 9 because I always keep one number in reserve, as there is always scope for improvement for any tool.

We have been using Snyk for more than a year.

Till now, we did not face any scaling issues and I did not hear of any. I would rate this at 9 because I always keep one number in reserve, as there is always scope for improvement for any tool.

We do not raise issues directly with Snyk. We have a common team that liaises with Snyk. Whenever we have issues, we raise them with the cybersecurity team within our company who supports Snyk, and they in turn interact with Snyk.

Earlier, I used Checkmarx, which is another SAST  tool. By default, any company and any SAST tool like Checkmarx or Snyk provides a plugin.

Snyk is integrated. I have not used it directly, though I may have used it indirectly.

I am from an enterprise and want to share feedback that might help others. There are multiple teams involved in our organization. I am from the application team, so I know the vulnerabilities and how to fix them. However, there is a platform team that takes care of giving permission for Snyk and access levels, which I am not fully aware of. At a high level, we have a Snyk admin team in our company that gives permissions, though I do not know all the details of what they do. I cannot share feedback on the admin area, but I can share that vulnerability-wise, I am happy with what Snyk provides and the solutions it gives.

When Snyk identifies issues, our pull request process will not allow us to merge them in the first place. Snyk helps us by blocking critical issues and vulnerabilities. If someone bypassed the pull request check, we have another check in place before production release where we validate everything and block the code if it violates our standards. Based on Snyk categorization, we block issues from our end while raising a pull request and also before releasing to production.

We need Snyk because we are in the banking industry with thousands of applications. Every day, we deploy code to production, releasing almost every day except weekends, though we sometimes release on weekends for very large deployments. Anything that goes to production should not have any security vulnerabilities. Being in the banking industry and having applications used by end customers, we are dealing with end customer data. No one should steal data in any format, and with authentication, one user cannot see another user's data. Snyk is paramount and extremely important for us. Every application that goes into production must pass Snyk vulnerability scanning before it can be deployed. If you ask whether it is important, it is absolutely critical. I would rate it 10 out of 10.

Internally, whenever a Snyk scan runs, we have created GitHub Actions . Our target state is GitHub Actions  everywhere. When we run the GitHub Actions, it will connect to the latest Snyk scanning through API and automatically gets all open issues, then creates a GitHub  issue. First, our internal tool pulls out all Snyk security issues through the API and creates GitHub  issues. We manually open a GitHub issue and give a command prompt to our AI agent. That prompt internally might work with Snyk autofix capability and gets the fixes correctly and creates a pull request. We review and check in the pull request, which is reviewed by experienced team members. This is the process we follow: create an issue based on a Snyk scan and for every issue, run a prompt so that it creates a pull request automatically with the fixes.

We do use Snyk documentation. We internally do not have many resources because we do not want to duplicate. Snyk guide is purely open and not logged in, so we use it.

Snyk documentation is extremely useful. Vulnerability-wise, I do not go to Snyk documentation frequently because in the current world, with my 25 plus years of experience, I used to fix many things manually before these tools existed. I need to know the intricacies of how to fix code. If you take 10 years back, there were tools and libraries which you could integrate with one or two lines, which solved the problem. With the current AI world, I do not even need that. If I get some issues, I do not even need to go to the Snyk website and read how to fix. I have an AI tool that can fix it if I ask it to. From an engineer's perspective, I still read the documentation. As a person who came from the manual world 25 years back, I still read the fix documentation. The documentation is very good, and being a general one, I understand the SAST world, so I did not find much problem with the documentation.

We are using Snyk, which is a SAST tool. There is a team in our organization who developed some AI agent on top of Snyk capabilities. I do not know exactly how they integrated Snyk, but our organization provides an AI agent which, if we run, automatically fixes issues and raises a pull request. In that case, we are indirectly using Snyk.

My overall rating for Snyk is 10 out of 10.

I typically use Snyk  for checking the security and vulnerabilities in my repositories.

Recently, I have used Snyk  in one of my repositories for security and vulnerability checks, providing comprehensive knowledge about the repository, including what it does and where the security vulnerabilities are located.

I am using Snyk for the first time and did not use any vulnerability scanning solution before this. I was previously doing Red Hat vulnerability scanning locally for dependency checks, which was not what I wanted.

Snyk's main features include open-source vulnerability scanning, code security, container security, infrastructure as code security, risk-based prioritization, development-first integration, continuous monitoring and alerting, automation, and remediation. The best features I appreciate are the vulnerability checking, vulnerability scanning, and code security capabilities, as Snyk scans all open-source dependencies for known vulnerabilities and helps with license compliance for open-source components.

Snyk integrates into IDEs, allowing issues to be caught as they appear in the code dynamically and prioritizes risk while providing remediation advice.

Snyk provides actionable remediation advice on where vulnerabilities can exist and where code security is compromised, automatically scanning everything and providing timely alerts.

Snyk has positively impacted my organization by improving the security posture across all software repositories, resulting in fewer critical vulnerabilities, more confidence in overall product security, and faster security compliance for project clients.

Snyk has helped reduce vulnerabilities significantly. Initially, the repository had 17 to 31 critical and high vulnerabilities, but Snyk has helped manage them down to just five vulnerabilities, which are now lower and not high or critical.

Although Snyk is strong, sometimes it flags vulnerabilities that are not reachable, not exploitable, and not relevant to a project. Better reachability analysis and context-aware scanning could improve this.

Snyk could benefit from a more optimized scanning engine and incremental scan caching.

I have been using Snyk for the previous one year.

I have no issues with Snyk's reliability; it is stable.

Snyk is very scalable and can handle my organization's growth and changing needs, allowing us to scale up to many stages and reduce developer costs, especially when we have fewer developers.

I never reached out to customer support because I never encountered any issues.

I considered SonarQube  in detail before choosing Snyk.

My experience with pricing, setup cost, and licensing is good, as the overall setup experience is smooth with easy onboarding for connection with GitHub  and GitLab . I primarily use it with GitHub , requiring just a few clicks to set up Snyk.

I can see that Snyk saves the costs of hiring security developers for vulnerability scanning and security checks, as that responsibility is now managed by Snyk.

Pricing is good for small teams, with a free tier or low-usage pricing available, and the licensing experience is straightforward but not very flexible.

My advice for others looking into using Snyk is that if you are starting a repository that is free from vulnerabilities and security checks, Snyk is a good option. It automatically provides advice on how to improve for reducing vulnerabilities and security issues, allowing for easy removal of vulnerabilities. You can use it for a free trial, and if it impacts your organization positively, you can consider further usage.

Snyk is a very good product for vulnerability code scanning and can be used effectively. I would rate this product a nine point five out of ten.