The most recent client had experience with other products that did not have some features Snyk provides, such as Fortify in the old version before OpenText acquisition. They gave feedback about the precision in discovering vulnerabilities. They found that Snyk can provide more insights about vulnerabilities than older applications in SAST and SCA.

We have integration with GitHub Actions to analyze the code and we use a double check in the pipeline. Our strategy is about shift left. The developers connect with Snyk, Git, and use this with the pipeline.

They evolved their maturity because they could find the vulnerabilities before the pipeline runs. They can find and correct these vulnerabilities in a step before the pushes and PRs to GitHub. They think it is a very positive feature.

I appreciate the UI. It is simple, fast, and I value the precision in the tests. The responses are positive.

Regarding the vulnerability database and AI, we have good experience with that. I cannot compare with other providers or vendors such as Veracode, Checkmarx, and others. All the tests are positive in my analysis.

Technically, we have better vulnerabilities detection in Checkmarx and Veracode. Both of them are more precise about vulnerabilities detection. Snyk is slightly less effective, but this is something they can improve on in the future.

We have been using the solution for one and a half years. Not much time.

We did not need support during the proof of concept.

The documentation is good. It is one of the reasons we did not need support. We could understand the implementation of the product and other features without the need for human interaction.

Positive

I made a proof of concept for a client with Checkmarx for about one month. I provided them a review about my experience. Now they are analyzing my results and considerations about other products too. I do not know if they already have a response about which product they will buy.

Snyk is less expensive.

It is simpler than other vendors. We have some difficulties with other license models. They are more complex and involve an acquisition of more products such as Synopsys and Checkmarx used a complex license model. Snyk has a license model simpler than most of the other vendors.

It was one of my three recommendations for my client. I am satisfied with the product. I rate Snyk 8.5 out of 10.

The best feature of Snyk is the integration with our ticketing system, which is Jira. That integration was one we were specifically looking for. The deep integration with our IDE and repository is another valuable feature. In terms of deploying these features, it's seamless.

Snyk should improve the scanning capabilities for other languages. For example, Veracode is strong with different languages such as Java, C#, and others. However, Snyk performs better at mobile source code scanning compared to Veracode. If both capabilities were combined, that would be exceptional.

As we are moving toward GenAI, we expect Snyk to leverage AI features to improve code scanning findings. One key feature we are currently examining with Veracode is AIVSS (Artificial Intelligence VSS), which is an extension of CVSS to cover use cases or top 10 LLM findings during code scanning. Since this is relatively new, we expect upcoming features to cover AI scoring. We have AI projects currently deploying in our organization, and we want to cover not only normal CVSS but also receive an AI assessment score. Both Veracode and Snyk should implement this new scoring system for CVSS and AIVSS.

We are a customer of Snyk, not a partner.

We have contacted Snyk's technical support regarding several issues, and they have resolved them successfully.

Snyk's technical support deserves a rating of seven or eight out of ten. Their response time aligns with their SLA commitments.

Positive

My previous company continues to use Snyk.

The initial setup of Snyk was straightforward.

We discussed pricing with their account manager and secured a favorable deal. Initially, we planned to subscribe through AWS Marketplace at standard rates. After negotiations, we received a special package with a good price point. We signed a two-year contract, and they provided special links for subscription. The payment structure operates on a monthly prepaid basis.

While Snyk may not be the absolute best option in the market, it offers the most seamless experience currently available. Based on their price point and features, it's both affordable and fair considering the license package offered.

During our implementation, we conducted a pilot test with Snyk for approximately two weeks during our UAT session. We spent an additional two to three weeks obtaining management approvals for production repository access. The testing was performed on development repositories before moving to production. While the actual implementation took about a week, the complete process duration was extended due to internal organizational approval processes.

I rate Snyk 8 out of 10.

I lead a code security practice for our organization. We integrated Snyk into our GitHub, using CLI to automatically scan codebases and identify issues. We are a large organization with three independent entities, consolidating Snyk across all entities. 

We also provide access through numerous CI/CD tools. Our default implementation mechanism is CLI, but we also use the Web UI for a comprehensive view and recommendations.

For large organizations like ours, cost is a major factor. Snyk is the most cost-effective solution compared to others like Checkmarx. 

We consolidated Snyk across three entities that used different tools. As a result, our organization became one of the largest in implementing Snyk.

The most important feature of Snyk is its cost-effectiveness compared to other solutions such as Checkmarx. It is easy to consolidate Snyk across multiple entities within a large organization. 

Additionally, our integration of Snyk into GitHub allows us to automatically scan codebases and identify issues, which has improved efficiency.

Snyk has several limitations, including issues with Gradle, NPM, and Xcode, and trouble with AutoPR. It lacks the ability to select branches on its Web UI, forcing users to rely on CLI or CI/CD for that functionality. These limitations were documented in a book that I wrote.

We implemented Snyk starting last year, and it has been in use for around two and a half years.

Snyk allows for scaling across large organizations, accommodating tens of thousands of applications and over 60,000 repositories, making it suitable for wide-scale deployment.

Our organization maintains a good relationship with Snyk's customer support team. Despite potential variations in service quality for smaller organizations, our long-standing association has ensured smooth communication, resulting in favorable support experiences and satisfactory issue resolution.

Positive

Previously, we used Synopsys Coverity and later migrated to Checkmarx and Mend before Snyk. Synopsys Coverity was costly, prompting a switch. Snyk's affordability and consolidating capabilities across the entities led to its adoption.

The initial setup of Snyk is simple and straightforward compared to Synopsys Coverity, which is complex. Checkmarx falls in between, not too complicated or easy, but a reliable option. Snyk's ease of implementation makes it user-friendly.

We have different teams managing aspects like licensing and engagement with the support team. They facilitate setup and maintenance, optimally integrating Snyk into our GitHub and CI/CD processes.

Snyk is recognized as the cheapest option we have evaluated. In comparison to eight or nine other solutions, it ranks among the most affordable, providing cost-effective scalability across organizational units.

In my comparative evaluations, I considered tools like AppScan, Veracode, Checkmarx, Synopsys Coverity, and six to eight other alternatives.

Snyk is optimal for organizations starting or looking for an affordable, effective tool. Despite false positives, it combines SAST, SCA, containers, and IaS in one Web UI. On a scale of one to ten, I rate Snyk at six.

The main tool today is used to check for security issues in our products. We use it to analyze all the projects, and our security efforts are based partly on this tool.

There are major impacts related to increasing security awareness and managing risks. Snyk has been an essential tool in that aspect.

The valuable aspect is its security capabilities. The tool finds any major issue, and the code is blocked from being promoted to production until the issue is corrected.

I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline, however, they were resolved.

We have used Snyk for approximately one year.

There are no complaints from the security team. There seem to be no major issues of concern.

The security team is responsible for this tool. I don't have more details, however, there are no complaints, so I believe that's okay.

I don't know about the support or customer service details. It's another team's responsibility.

Positive

I don't have experience with other products similar to Snyk.

I wouldn't be able to say what the company's ROI is.

The pricing and setup are not my responsibilities, so I don't know any details.

I have not evaluated any other solutions.

Based on our experience and what I have heard internally, I would recommend Snyk.

I'd rate the solution nine out fo ten.

Snyk protects vulnerabilities in the code as usual, detects abnormal data flow inside the field, and similar tasks.

The specific feature of Snyk that has significantly improved my vulnerability management is its ability to identify vulnerabilities and suggest solutions to fix them. Snyk's automation capabilities streamline my security tasks by scanning code every time I commit.

Snyk's focus on security is a valuable feature. Also, Snyk supports multiple programming languages, which has positively affected my security practices. I use only two or three languages, and when I change the language in a file, it detects it in the same suite.

I find the AI-powered scanning beneficial. Using Snyk's AI-powered scanning, I can detect around ten or twenty errors in my project with about twenty thousand lines of code, so it helps improve my project by identifying a lot of potential vulnerabilities.

I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial.

I don't need additional features; just improving the existing ones would be enough. 

It scans the entire code really fast, and the auto-scan process is done repeatedly.

I would rate the stability of Snyk an eight out of ten.

It detects issues really fast, but it still has a lot of false positives, and sometimes the suggestions aren't quite on point. This can sometimes lead to other vulnerabilities.

I would rate the scalability of Snyk a seven out of ten.

I would rate the initial setup of Snyk a nine out of ten because it's straightforward. The web version is also easy to use. I'm working with both the web version and the IDE at the same time.

For deployment, I just link it to GitHub, upload the repository there and it automatically scans for any errors. It took around a minute to deploy Snyk. 

I'm currently using the free version, which the company offers before buying the full version. So, the price is affordable, especially for an enterprise.

I did evaluate other options before choosing Snyk. I only considered Sonar before Snyk, but I ended up with Snyk because it's faster and more focused on security.

My advice for others considering using Snyk is to rely on it for security issues but still manually review your overall code. It's great for detecting syntax errors but might miss some broader issues, so it's important to do a thorough check yourself.

Based on my experience, I'd rate Snyk an eight overall. Its performance is indeed good.

I use the tool in my company to scan open-source projects.

I don't use Snyk anymore. The tool is just used in our company, but not by me anymore.

It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.

I have been using Snyk for three years. I am a user of the tool.

The solution's technical support is okay. I rate the technical support an eight out of ten.

Positive

The product's price is okay. My company isn't actively looking for replacement tools.

The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.

The integration features of the product are okay.

I recommend the product to those who want to buy it.

In a general sense, Snyk is a good product that can be used for governance. If you use a lot of open-source software, Snyk is an application testing tool you can buy.

I rate the tool a seven to eight out of ten.

We are using an enterprise version of Snyk for image scanning. We use Snyk to identify and address vulnerabilities in our open-source dependencies and to scan the Docker images.

The solution's Open Source feature gives us notifications and suggestions regarding how to address vulnerabilities.

The solution's integration with JFrog Artifactory could be improved.

We have been using Snyk for two years.

I rate the solution an eight out of ten for stability.

We use Snyk for microservices, and more than 100 users use it in our organization twice a week.

I rate the solution a seven out of ten for scalability.

The solution’s technical support team was involved during the architecture integration. We got their support, but I think we could probably get a faster response from them.

Neutral

Snyk's initial setup is not very difficult.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup a seven out of ten.

The solution's initial setup took a few weeks. The solution's deployment was done by our app system, and four people were highly engaged in this activity.

Before choosing Snyk, we were exploring different solutions like JFrog Xray and Aqua scan for image scanning. We chose Snyk because we could do both image scanning and SCA with it.

We are comparing Snyk with GitHub Advanced Security, which has a better vulnerability database. They have more vulnerabilities enlisted in their database.

The solution has improved or streamlined our process a lot for securing container images. We wanted to make sure we are deploying the secure Docker images. Snyk allowed us to check whether it is following our standard of docker images or not.

We use Azure DevOps as our platform, and Snyk's integration with Azure DevOps was okay. However, Snyk's integration with JFrog Artifactory didn't go well. We use JFrog Artifactory to store the artifacts we download. We wanted to integrate Snyk with JFrog Artifactory to scan the binary artifacts we downloaded, but that broke our JFrog Artifactory for some reason. Instead of using it there, we are calling it directly from the pipeline.

Snyk's automation features significantly reduced remediation times a couple of times. Sometimes, our developers scan the code from the environment and find some Java vulnerabilities. We fixed those vulnerabilities in the lower environment itself. The solution does not require any maintenance.

The accuracy of Snyk's vulnerability detection is pretty good compared to other tools. I rate the solution's vulnerability detection feature an eight out of ten. I would recommend Snyk to other users because it is easy to implement and integrate with Azure DevOps and GitHub.

Overall, I rate the solution a seven out of ten.

We use Snyk for the generation of SBOM for Docker. We use it to check the standards of the CSI benchmark that we have implemented in the containers and the applications by Java Spring Boot.

The most valuable feature of Snyk is the SBOM.

It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.

I have been using Snyk for two years.

Snyk is a stable solution.

Snyk is a scalable solution. As we are an R&D organization, I am the only person managing the solution. However, there are almost 500 employees who are taking advantage of the report we have generated from the Snyk app.

The solution is easy to use and implement.

The deployment steps were easy. The solution's documentation is also easy to use. It took hardly one and a half hours to implement the solution. We implemented Snyk in our virtual private server (VPS).

For deployment, we followed the instructions and created a server for Snyk. Then, we integrated the server with the plug-in using Jenkins. We created a server for Snyk, then used the GitHub repository that mentioned the document and implemented the same. Later, we used the plug-in to connect the server to the Jenkins server.

When the pipeline was built, the process started, as we had mentioned the stage in the Jenkins file, to generate SBOMs and check whether the Docker images were compliant with CSI Benchmarks.

Snyk is an expensive solution.

Before choosing Snyk, we evaluated a different tool named Dependency-Track. We chose Snyk because Dependency-Track only helped us identify the vulnerabilities in the libraries, and it couldn't solve the issues mentioned in the CIS benchmark.

Snyk helped us identify the composition or the libraries we used in the project, which were vulnerable. It also helped us identify the license agreements from the vendor side.

Software conversion analysis is a mandatory thing that should be implemented in every organization. Most libraries or any third-party libraries are not considered under VAPT. We should also look after the composition of the libraries we use in the project. We should look after these libraries for vulnerabilities, and VAPT should be mandatory in every organization.

I rate Snyk a nine out of ten for the user-friendliness of its user interface.

Currently, my team is looking into whether version numbers are vulnerable. We are also considering the improvisations or research and development we need to do if we need the same library. There are some loopholes that even Snyk has not identified or that it might be working on. Since we have implemented it, we are looking after it.

If a developer requires a particular library with vulnerabilities, we check whether we are using the functions mentioned in the libraries in the project. If we are using it, we are trying to identify exactly which snippet is causing the error. If it is causing a vulnerability, we are considering how to improve it.

We need to think about the decisions we need to make after SCA. It would be a big relief for our organization if Snyk could provide a solution to identify the library snippet that is causing a future vulnerability. We are currently using a team of 30 people to identify this issue.

Overall, I rate Snyk an eight out of ten.

We use the product mainly for software composition analysis. It is used to identify vulnerabilities in the application plug-ins. If we use Python 3.8, it’ll tell us that the version is outdated and that it has several vulnerabilities. It also helps in threat identification. It also provides infrastructure as code.

Static code analysis is one of the best features of the solution.

The product is very expensive.

I have been using the solution for three years.

The product is stable.

We have around 2000 users. Every developer in the organization has access to it.

The support has improved a lot.

Neutral

We use the SaaS version. The initial setup is easy. We just have to click the buttons.

I do not think that the tool is worth the money. A lot of free tools are available online.

The solution costs half a million dollars per year. It depends on the number of users. If the number of users increases, the cost will increase further.

People who want to use the product must utilize the code analysis on IDE. It would really help a lot of the developers. It performs the shift left concept very well. It is a very good tool, but the pricing is absurd. Overall, I rate the product an eight out of ten.