
Reviews from AWS customer

4 AWS reviews

External reviews

140 reviews

External reviews are not included in the AWS star rating for the product.


    SHUBHAM BHINGARDE

An easy-to-use solution that can be used for the generation of SBOM

  • February 08, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use Snyk for the generation of SBOM for Docker. We use it to check the standards of the CIS benchmark that we have implemented in the containers and the applications by Java Spring Boot.

What is most valuable?

The most valuable feature of Snyk is the SBOM.

What needs improvement?

It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.

For how long have I used the solution?

I have been using Snyk for two years.

What do I think about the stability of the solution?

Snyk is a stable solution.

What do I think about the scalability of the solution?

Snyk is a scalable solution. As we are an R&D organization, I am the only person managing the solution. However, there are almost 500 employees who are taking advantage of the report we have generated from the Snyk app.

How was the initial setup?

The solution is easy to use and implement.

What about the implementation team?

The deployment steps were easy. The solution's documentation is also easy to use. It took hardly one and a half hours to implement the solution. We implemented Snyk in our virtual private server (VPS).

For deployment, we followed the instructions and created a server for Snyk. Then, we integrated the server with the plug-in using Jenkins. We created a server for Snyk, then used the GitHub repository that mentioned the document and implemented the same. Later, we used the plug-in to connect the server to the Jenkins server.

When the pipeline was built, the process started, as we had mentioned the stage in the Jenkins file, to generate SBOMs and check whether the Docker images were compliant with CIS Benchmarks.

What's my experience with pricing, setup cost, and licensing?

Snyk is an expensive solution.

Which other solutions did I evaluate?

Before choosing Snyk, we evaluated a different tool named Dependency-Track. We chose Snyk because Dependency-Track only helped us identify the vulnerabilities in the libraries, and it couldn't solve the issues mentioned in the CIS benchmark.

What other advice do I have?

Snyk helped us identify the composition or the libraries we used in the project, which were vulnerable. It also helped us identify the license agreements from the vendor side.

Software conversion analysis is a mandatory thing that should be implemented in every organization. Most libraries or any third-party libraries are not considered under VAPT. We should also look after the composition of the libraries we use in the project. We should look after these libraries for vulnerabilities, and VAPT should be mandatory in every organization.

I rate Snyk a nine out of ten for the user-friendliness of its user interface.

Currently, my team is looking into whether version numbers are vulnerable. We are also considering the improvisations or research and development we need to do if we need the same library. There are some loopholes that even Snyk has not identified or that it might be working on. Since we have implemented it, we are looking after it.

If a developer requires a particular library with vulnerabilities, we check whether we are using the functions mentioned in the libraries in the project. If we are using it, we are trying to identify exactly which snippet is causing the error. If it is causing a vulnerability, we are considering how to improve it.

We need to think about the decisions we need to make after SCA. It would be a big relief for our organization if Snyk could provide a solution to identify the library snippet that is causing a future vulnerability. We are currently using a team of 30 people to identify this issue.

Overall, I rate Snyk an eight out of ten.


    Import and Export

Great vulnerability scanning tool

  • February 03, 2024
  • Review provided by G2

What do you like best about the product?
- Easy integration available for GitHub
- Vulnerabilities false positive rate is slightly better than other tools
- Can be easily integrated within CI/CD pipeline.
- Automatic code scanning and report generation available
- Works with almost all languages
- Very straightforward to use
What do you dislike about the product?
- Sometimes the vulnerabilities reported are false positives, and it also rarely misses some of the genuine vulnerabilities.
What problems is the product solving and how is that benefiting you?
Snyk is a part of the CI/CD pipeline and performs static code scanning and a basic sanity check of the code as a first level of testing. Snyk also provides remediation, which is very useful. It has built-in support for GitHub, so we leverage Snyk to perform regular scans on our codebase.


    Shashank N

A stable solution that provides excellent features and enables users to identify vulnerabilities in the application plug-ins

  • January 05, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use the product mainly for software composition analysis. It is used to identify vulnerabilities in the application plug-ins. If we use Python 3.8, it’ll tell us that the version is outdated and that it has several vulnerabilities. It also helps in threat identification. It also provides infrastructure as code.

What is most valuable?

Static code analysis is one of the best features of the solution.

What needs improvement?

The product is very expensive.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We have around 2000 users. Every developer in the organization has access to it.

How are customer service and support?

The support has improved a lot.

How was the initial setup?

We use the SaaS version. The initial setup is easy. We just have to click the buttons.

What was our ROI?

I do not think that the tool is worth the money. A lot of free tools are available online.

What's my experience with pricing, setup cost, and licensing?

The solution costs half a million dollars per year. It depends on the number of users. If the number of users increases, the cost will increase further.

What other advice do I have?

People who want to use the product must utilize the code analysis on IDE. It would really help a lot of the developers. It performs the shift left concept very well. It is a very good tool, but the pricing is absurd. Overall, I rate the product an eight out of ten.


    Karthik Daunntless

Check vulnerabilities and rectify potential leaks in GitHub

  • December 15, 2023
  • Review provided by PeerSpot

What is our primary use case?

We use Snyk to check vulnerabilities and rectify potential leaks in GitHub.

What needs improvement?

The tool's initial use is complex.

For how long have I used the solution?

I have been working with the product for three to four months.

What other advice do I have?

I rate the product an eight out of ten.


    ManishSaxena

A scalable tool that needs to add more vulnerability protection features

  • November 14, 2023
  • Review provided by PeerSpot

What is our primary use case?

The major problem my company found in relation to our customers was in the area of Zip Slip security as they don't have any security tools in place. My company's customers don't have any security tools integrated into the CI/CD pipelines they use in their company. With Snyk, SCA checks code and third-party dependencies upfront.

What is most valuable?

When it comes to Snyk, it is not about its features since it is a developer-focused tool, making it possible for developers to easily integrate the tool with other solutions. The automation part and reporting feature of the solution are good. Nowadays, people opt for Cloud Native Pod system architecture, under which good tools are offered to users to use for their applications.

What needs improvement?

I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks. Snyk needs to focus on the area related to dependencies.

For how long have I used the solution?

I have been using Snyk for ten years.

What do I think about the scalability of the solution?

Snyk is a good and scalable tool. Some of our customers who get to use the scalability options go ahead and compare Snyk with other options like Veracode, which is a highly expensive tool that is also complex. Snyk is a simpler tool compared to Veracode.

My company deals with mostly medium-sized clients who use Snyk.

How are customer service and support?

In our company, the team I deal with, the delivery team, has never raised concerns regarding the support offered by Snyk. I hope the support offered by Snyk is fine.

Which solution did I use previously and why did I switch?

My company has dealt with SonarQube a lot in the past. It is not that my company switches over from one tool to another tool. The tools we use in my company depend on our customers. Some of my company's customers prefer SonarQube, while others prefer Snyk.

How was the initial setup?

The product's initial setup phase was easy.

The solution's deployment model varies from customer to customer. My company deals with a mix of clients, some of whom deploy the tool on the cloud while others deploy it on an on-premises model.

What's my experience with pricing, setup cost, and licensing?

Compared to Veracode, Snyk is definitely a cheaper tool. SonarQube's community version or enterprise version is mostly used, but price-wise, it is okay. The price depends on how many lines of code a customer uses in SonarQube.

What other advice do I have?

The major reason why customers prefer Snyk is that, nowadays, people are moving towards cloud-native tools. People also want a tool that offers safety and security, especially during the integration process and during the coding part. Snyk offers a set of much better features when compared to other tools like SonarQube or Veracode. Smaller companies can choose the team plan or enterprise version offered by Snyk. The major reason why people prefer Snyk is because of the security it offers.

I rate the overall tool a six or seven out of ten.


    Chris G.

Centralised vulnerability management for product security

  • September 25, 2023
  • Review provided by G2

What do you like best about the product?
Centralised vulnerability visibility and reduction for our products that we develop. The UI also provides good reporting on KPI data to provide to the relevant stakeholders for full risk reduction visibility. The integration is easy to set up with GitHub and out of the box.
What do you dislike about the product?
One aspect to consider is if you would like all features available of the platform, there could be a high cost involved; however, the Snyk platform is worth the investment in the long run.
What problems is the product solving and how is that benefiting you?
Snyk is helping our organisation to prevent vulnerabilities being coded into our products by using a shifting left approach in our DevSecOps pipeline.


    KienNguyen1

Provides good scalability, but its reporting feature needs improvement

  • September 13, 2023
  • Review provided by PeerSpot

What is most valuable?

The product's most valuable features are an open-source platform, remote functionality, and good pricing.

What needs improvement?

Snyk's API and UI features could work better in terms of speed. Additionally, they could optimize and provide better reports, including reports for security, technical, and developer level.

For how long have I used the solution?

We have been using Snyk for two and a half years.

What do I think about the stability of the solution?

I rate the platform's stability an eight or nine out of ten. Sometimes, we encounter downtime issues, but it has quick recovery. It impacts our system and needs improvement for better outcomes during the development phase.

What do I think about the scalability of the solution?

We have 20 to 50 Snyk users in the development team of our organization. It is a scalable product.

How are customer service and support?

The technical support services are available quickly for developers. However, they should improve their speed of response for customers.

Which solution did I use previously and why did I switch?

I have used Checkmarx and some other open-source software.

How was the initial setup?

The initial setup is neither difficult nor easy. However, it works slowly. It takes some weeks or months to complete the process.

What's my experience with pricing, setup cost, and licensing?

The product has good pricing.

What other advice do I have?

I recommend Snyk to others and rate it a seven out of ten.


    Computer Software

Tool for managing your open source vulnerabilities

  • September 08, 2023
  • Review provided by G2

What do you like best about the product?
Snyk gives you good coverage for your open source vulnerabilities, license problems and basic static code analysis.
What do you dislike about the product?
The integration part can be misleading: for real detection you need to integrate it into the CI/CD, and the simple detection of requirements files is not working for all use cases.

Dashboards and reporting can be improved and better organized.
What problems is the product solving and how is that benefiting you?
Detection and prioritization of vulnerabilities


    Ashish K.

Snyk

  • July 30, 2023
  • Review provided by G2

What do you like best about the product?
While you are coding and face an error in your code, sometimes you will not be able to find the error easily, so this software will help to find the error and also solve that error.
What do you dislike about the product?
When you have many errors and the code is very big, this software does not work properly. It does not find the error all the time; sometimes you have to find the error by yourself.
What problems is the product solving and how is that benefiting you?
It will solve bugs in the code, so your time will be reduced and you can work very fast and very efficiently, so for programmers this software is very beneficial.


    Computer & Network Security

Snyk is amazing

  • July 28, 2023
  • Review provided by G2

What do you like best about the product?
Snyk identifies the library vulnerabilities and gives a CVSS score right next to them to understand the impact, and the filters are amazing and easy to use.
What do you dislike about the product?
Snyk doesn't have inbuilt support for marking false positives for test suite software directories like Cypress.
What problems is the product solving and how is that benefiting you?
It gives me all insights and leads to check for manual pentesting.