
Reviews from AWS customer

4 AWS reviews

External reviews

144 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Prateek J.

Seamless Dev-First Security with Fast Scans and Actionable Fixes

  • April 23, 2026
  • Review provided by G2

What do you like best about the product?
What I like best about Snyk is how it integrates security into the developer workflow without disrupting it. The VS Code and JetBrains plugins give real-time vulnerability feedback as I write code, cutting remediation time significantly. Instead of just flagging a CVE, Snyk tells you exactly which version to upgrade to and often opens a fix PR automatically, saving hours of manual cross-referencing. The dependency graph makes transitive vulnerabilities easy to understand, and the reachability analysis means we focus on what's genuinely exploitable rather than drowning in false positives.
Performance-wise, scans run fast even on large monorepos, and the dashboard stays responsive without lag; it never feels like a bottleneck in the CI pipeline.
On pricing and ROI, the value becomes clear quickly. Catching vulnerabilities pre-deployment rather than post-production saves significant incident response costs, and the free tier is generous enough for smaller teams to see real value before committing. Onboarding was smooth too; connecting GitHub repos took minutes and gave us an immediate risk picture. It feels like a security tool built for developers, which makes adoption across engineering teams much easier.
What do you dislike about the product?
A few friction points stand out. The noise from low-severity vulnerabilities can be overwhelming, especially on larger projects; while prioritization helps, tuning the filters to fit your specific risk tolerance takes time and trial and error. The licensing issue detection, though useful, sometimes flags things that aren't actually a concern in your use case, adding to that noise.
Pricing can become a pain point as teams scale. The jump between tiers feels steep, and some features that feel essential, like deeper reporting or SSO, are locked behind higher plans, which can be frustrating for mid-sized teams trying to justify the upgrade.
Occasionally the fix suggestions aren't actionable because the recommended version introduces breaking changes, so you still end up doing manual research. It would be more helpful if Snyk flagged compatibility risks alongside the fix recommendation. The Snyk Code (SAST) results can also feel less mature compared to the SCA side, more false positives and less context around why something is flagged.
Overall these are manageable drawbacks, but they do add friction for teams trying to run lean.
What problems is the product solving and how is that benefiting you?
Snyk solves the core problem of security being an afterthought in the development lifecycle. Before using it, vulnerabilities were typically caught late, during dedicated security audits or worse, post-deployment, making fixes costly and disruptive. Snyk shifts that detection to where the code is actually written, which changes the economics of security entirely.
The biggest benefit has been reducing the gap between vulnerability discovery and remediation. Developers get context-rich alerts in their IDE and PRs rather than a spreadsheet from a security team weeks later, which means fixes happen faster and with less back-and-forth.
It also solves the visibility problem across open source dependencies. With complex dependency trees, it was previously difficult to know what you were actually running in production and whether it was safe. Snyk gives a clear, continuously updated picture of that risk without requiring manual audits.
From a team dynamic standpoint, it bridges the gap between developers and security teams by speaking the developer's language, showing fixes, not just findings. This has made security a shared responsibility rather than a blocker, which speeds up release cycles without compromising on risk management.
The ROI shows up in avoided incidents, faster PR cycles, and less time spent in reactive fire-fighting mode, all of which compound over time.


    Mainak S.

Seamless DevSecOps with Smart PR Patching and Actionable Vulnerability Insights

  • April 22, 2026
  • Review provided by G2

What do you like best about the product?
Snyk integrates seamlessly with GitHub, AWS, ECR, and Artifactory to provide a seamless DevSecOps experience for developers and release engineers. One of the best things that I like about Snyk is its ability to push vulnerability patches via PR on its own (if enabled). Other features include reachability and exploitability intelligence that provides us with surgical data to act upon, reducing vulnerability overload and cutting noise. The newer analytics and reports section allows us to determine SLA and breach timelines for each vulnerability.
What do you dislike about the product?
We have seen that Snyk UI and Snyk CLI have misleading results in some cases. While this is not true for most of the cases, we have seen ~2-3% of cases where such anomalies have caused confusion amongst developers.
What problems is the product solving and how is that benefiting you?
Provides accurate visibility on security vulnerabilities by reachability and exploitability attributes, enables us to manage SLAs by releases, and allows us to measure security across all development touchpoints.


    Gunther C.

Easy Setup and Trusted Vulnerability Scanning

  • April 07, 2026
  • Review provided by G2

What do you like best about the product?
Snyk is easy to set up and start using. Setting it up to run as a GitHub Action allows it to integrate seamlessly alongside other existing CI processes. Along with this, I like that its vulnerability scanning is pretty much universally trusted amongst engineers; this trust allows for peace of mind.
What do you dislike about the product?
This might have changed since the last time I worked with this product, but at the time Snyk was a bit expensive compared to similar products.
What problems is the product solving and how is that benefiting you?
Snyk makes it easy to stay informed about possible vulnerabilities in software and its dependencies. Snyk's dependency vulnerability scanning is particularly valuable since in most cases downstream dependencies are numerous and more difficult to audit than an application's main code. Warnings and alerts produced by Snyk are prompt and trustworthy.


    Manseerat K.

Effortless Vulnerability Detection, But Licensing Needs Attention

  • March 18, 2026
  • Review provided by G2

What do you like best about the product?
I like that Snyk easily runs scans and even provides the versions in which vulnerabilities are fixed. This feature is valuable because it helps me identify security risks or bad implementations in my code changes without having to test and update my code and dependencies manually. I also appreciate the easy setup process; the extension for Snyk is available in Visual Studio Code, and after downloading it, I just needed to sign up and authenticate my project.
What do you dislike about the product?
I've seen that Snyk does not do that well with the vulnerabilities that are related to licensing.
What problems is the product solving and how is that benefiting you?
I use Snyk to find open source vulnerabilities, ensuring my code is secure. It helps identify vulnerabilities in third-party projects like Spring Boot and Tomcat. I like how easily it runs scans and shows fixed versions, saving testing time and improving my product's standard.


    Computer & Network Security

Extensive Vulnerability Detection and Seamless CI/CD Integration

  • December 18, 2025
  • Review provided by G2

What do you like best about the product?
Snyk has an extensive and up-to-date vulnerability database which helps early detection of vulnerabilities in applications. It is very developer friendly with easy integration set-up and descriptive remediation advice for detected vulnerabilities. I use it daily running in CI/CD pipelines.
What do you dislike about the product?
Sometimes it flags false positives. Scans can take a few minutes for a medium-sized repository, which can slow down the pipeline.
What problems is the product solving and how is that benefiting you?
Snyk scans repositories for security vulnerabilities in code and also its dependencies. Catches the vulnerabilities early before deploying to codebase.


    Media Production

Intuitive, Customizable, and Seamless Integration with Snyk

  • December 16, 2025
  • Review provided by G2

What do you like best about the product?
Snyk's product features a highly intuitive GUI, making it straightforward to identify and address vulnerabilities. The platform allows you to organize developers into Orgs, which is helpful for ensuring that only specific development teams can view the vulnerabilities related to their own products. This structure also enhances the reporting capabilities. Integration with GitHub Cloud is relatively simple; you can use a GitHub app to onboard individual repositories to team orgs. Implementation is also quite manageable, provided you know which teams are responsible for which repositories and the products or services they support. Customer support is accessible online through the portal, making it easy to submit a ticket or arrange a call when needed. Snyk is fairly customisable per org too, allowing you to decide which settings you want to enable on a per team / product basis, so you can get quite granular in terms of what PRs get raised for which activities. Feedback is also provided in GitHub itself, which is useful for the developers.
What do you dislike about the product?
Its DAST product is in a separate interface and not integrated into the Snyk product itself; I believe this was due to it being an acquisition. Equally, their secret detection capability is not very good and they don't focus on code quality, so you will need a different product for that.
What problems is the product solving and how is that benefiting you?
It's supporting us with integrating security into the development lifecycle, and moving towards shifting left, to try to enable developers to fix security issues before they release issues into their products / services.


    Information Technology and Services

Accurate, Beginner-Friendly SAST Tool with CI/CD Integration

  • November 25, 2025
  • Review provided by G2

What do you like best about the product?
What I appreciate most about Snyk is its "Reachability" feature. This means that if a vulnerable or exploitable library or package is imported in the code but not actually called or used, it is identified as a false positive and does not require remediation. However, this feature is only available in the paid subscription, not in the free version. It significantly reduces the time the VAPT team spends validating issues, and also helps the DevOps team address problems more efficiently.

Another aspect I value is how quickly Snyk adapts to new CVEs. If a zero-day exploit appears, Snyk updates its CVE database within a maximum of 24 hours, helping to keep the code secure.
What do you dislike about the product?
After some months of a project being imported, scanned, and tested, Snyk starts providing false-positive issues as well.
What problems is the product solving and how is that benefiting you?
Snyk scans the code for the latest bugs and issues, offers remediation steps, and keeps its CVE database up to date. The entire process is automated and does not require any human intervention. Scans are scheduled daily, and Snyk sends notifications, generates alerts via email, provides remediation guidance, and can even create Jira tickets for clients. By establishing its own ecosystem, Snyk is helping to reduce the workload of the VAPT team when it comes to SAST tasks. This has been a direct benefit for me and my team, allowing us to focus more on DAST operations.


    Abhishek-Goyal

Improves security posture by actively reducing critical vulnerabilities and guiding remediation

  • November 15, 2025
  • Review provided by PeerSpot

What is our primary use case?

I typically use Snyk for checking the security and vulnerabilities in my repositories.

Recently, I have used Snyk in one of my repositories for security and vulnerability checks, providing comprehensive knowledge about the repository, including what it does and where the security vulnerabilities are located.

I am using Snyk for the first time and did not use any vulnerability scanning solution before this. I was previously doing Red Hat vulnerability scanning locally for dependency checks, which was not what I wanted.

What is most valuable?

Snyk's main features include open-source vulnerability scanning, code security, container security, infrastructure as code security, risk-based prioritization, development-first integration, continuous monitoring and alerting, automation, and remediation. The best features I appreciate are the vulnerability checking, vulnerability scanning, and code security capabilities, as Snyk scans all open-source dependencies for known vulnerabilities and helps with license compliance for open-source components.

Snyk integrates into IDEs, allowing issues to be caught as they appear in the code dynamically and prioritizes risk while providing remediation advice.

Snyk provides actionable remediation advice on where vulnerabilities can exist and where code security is compromised, automatically scanning everything and providing timely alerts.

Snyk has positively impacted my organization by improving the security posture across all software repositories, resulting in fewer critical vulnerabilities, more confidence in overall product security, and faster security compliance for project clients.

Snyk has helped reduce vulnerabilities significantly. Initially, the repository had 17 to 31 critical and high vulnerabilities, but Snyk has helped manage them down to just five vulnerabilities, which are now lower and not high or critical.

What needs improvement?

Although Snyk is strong, sometimes it flags vulnerabilities that are not reachable, not exploitable, and not relevant to a project. Better reachability analysis and context-aware scanning could improve this.

Snyk could benefit from a more optimized scanning engine and incremental scan caching.

For how long have I used the solution?

I have been using Snyk for the past year.

What do I think about the stability of the solution?

I have no issues with Snyk's reliability; it is stable.

What do I think about the scalability of the solution?

Snyk is very scalable and can handle my organization's growth and changing needs, allowing us to scale up to many stages and reduce developer costs, especially when we have fewer developers.

How are customer service and support?

I never reached out to customer support because I never encountered any issues.

Which solution did I use previously and why did I switch?

I considered SonarQube in detail before choosing Snyk.

How was the initial setup?

My experience with pricing, setup cost, and licensing is good, as the overall setup experience is smooth with easy onboarding for connection with GitHub and GitLab. I primarily use it with GitHub, requiring just a few clicks to set up Snyk.

What was our ROI?

I can see that Snyk saves the costs of hiring security developers for vulnerability scanning and security checks, as that responsibility is now managed by Snyk.

What's my experience with pricing, setup cost, and licensing?

Pricing is good for small teams, with a free tier or low-usage pricing available, and the licensing experience is straightforward but not very flexible.

What other advice do I have?

My advice for others looking into using Snyk is that if you are starting a repository that is free from vulnerabilities and security checks, Snyk is a good option. It automatically provides advice on how to improve for reducing vulnerabilities and security issues, allowing for easy removal of vulnerabilities. You can use it for a free trial, and if it impacts your organization positively, you can consider further usage.

Snyk is a very good product for vulnerability code scanning and can be used effectively. I would rate this product a nine point five out of ten.


    ANDRESANTOS

Has improved development workflows through early vulnerability detection and accurate insights

  • September 23, 2025
  • Review from a verified AWS customer

What is our primary use case?

The most recent client had experience with other products that did not have some features Snyk provides, such as Fortify in the old version before OpenText acquisition. They gave feedback about the precision in discovering vulnerabilities. They found that Snyk can provide more insights about vulnerabilities than older applications in SAST and SCA.

We have integration with GitHub Actions to analyze the code and we use a double check in the pipeline. Our strategy is about shift left. The developers connect with Snyk, Git, and use this with the pipeline.

How has it helped my organization?

They evolved their maturity because they could find the vulnerabilities before the pipeline runs. They can find and correct these vulnerabilities in a step before the pushes and PRs to GitHub. They think it is a very positive feature.

What is most valuable?

I appreciate the UI. It is simple, fast, and I value the precision in the tests. The responses are positive.

Regarding the vulnerability database and AI, we have good experience with that. I cannot compare with other providers or vendors such as Veracode, Checkmarx, and others. All the tests are positive in my analysis.

What needs improvement?

Technically, we have better vulnerability detection in Checkmarx and Veracode. Both of them are more precise about vulnerability detection. Snyk is slightly less effective, but this is something they can improve on in the future.

For how long have I used the solution?

We have been using the solution for one and a half years. Not much time.

What do I think about the stability of the solution?

We did not need support during the proof of concept.

How are customer service and support?

The documentation is good. It is one of the reasons we did not need support. We could understand the implementation of the product and other features without the need for human interaction.

Which solution did I use previously and why did I switch?

I made a proof of concept for a client with Checkmarx for about one month. I provided them a review about my experience. Now they are analyzing my results and considerations about other products too. I do not know if they already have a response about which product they will buy.

What's my experience with pricing, setup cost, and licensing?

Snyk is less expensive.

Which other solutions did I evaluate?

It is simpler than other vendors. We have some difficulties with other license models. They are more complex and involve an acquisition of more products such as Synopsys and Checkmarx used a complex license model. Snyk has a license model simpler than most of the other vendors.

What other advice do I have?

It was one of my three recommendations for my client. I am satisfied with the product. I rate Snyk 8.5 out of 10.


    reviewer2731785

Seamless integration and affordable pricing ensure efficient deployment while AI enhancements can further elevate feature set

  • June 30, 2025
  • Review from a verified AWS customer

What is most valuable?

The best feature of Snyk is the integration with our ticketing system, which is Jira. That integration was one we were specifically looking for. The deep integration with our IDE and repository is another valuable feature. In terms of deploying these features, it's seamless.

What needs improvement?

Snyk should improve the scanning capabilities for other languages. For example, Veracode is strong with different languages such as Java, C#, and others. However, Snyk performs better at mobile source code scanning compared to Veracode. If both capabilities were combined, that would be exceptional.

As we are moving toward GenAI, we expect Snyk to leverage AI features to improve code scanning findings. One key feature we are currently examining with Veracode is AIVSS (Artificial Intelligence VSS), which is an extension of CVSS to cover use cases or top 10 LLM findings during code scanning. Since this is relatively new, we expect upcoming features to cover AI scoring. We have AI projects currently deploying in our organization, and we want to cover not only normal CVSS but also receive an AI assessment score. Both Veracode and Snyk should implement this new scoring system for CVSS and AIVSS.

For how long have I used the solution?

We are a customer of Snyk, not a partner.

How are customer service and support?

We have contacted Snyk's technical support regarding several issues, and they have resolved them successfully.

Snyk's technical support deserves a rating of seven or eight out of ten. Their response time aligns with their SLA commitments.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

My previous company continues to use Snyk.

How was the initial setup?

The initial setup of Snyk was straightforward.

What's my experience with pricing, setup cost, and licensing?

We discussed pricing with their account manager and secured a favorable deal. Initially, we planned to subscribe through AWS Marketplace at standard rates. After negotiations, we received a special package with a good price point. We signed a two-year contract, and they provided special links for subscription. The payment structure operates on a monthly prepaid basis.

What other advice do I have?

While Snyk may not be the absolute best option in the market, it offers the most seamless experience currently available. Based on their price point and features, it's both affordable and fair considering the license package offered.

During our implementation, we conducted a pilot test with Snyk for approximately two weeks during our UAT session. We spent an additional two to three weeks obtaining management approvals for production repository access. The testing was performed on development repositories before moving to production. While the actual implementation took about a week, the complete process duration was extended due to internal organizational approval processes.

I rate Snyk 8 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?