We compared Checkmarx and Snyk across five categories, based on our users' reviews. Our conclusion, drawn from all of the collected reviews, follows; the quoted pros and cons for each product appear after it.
Comparison Results: Snyk has an edge in this comparison. According to its reviewers, it is a less expensive product than Checkmarx.
"It has all the features we need."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"The UI is user-friendly."
"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: obtain a particular CVSS score for a vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
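The pipeline gate the reviewer above describes, consuming the CLI's JSON report and failing the build on a CVSS threshold, as an added example (this is illustrative code written for this page, not Snyk's own tooling). It assumes the `snyk test --json` report has a top-level `vulnerabilities` list whose entries carry `id`, `severity`, `cvssScore`, `packageName`, `version` and `isUpgradable`; the sample report embedded in the script is constructed, not real Snyk output. It also adds two things a practitioner wants in a hard gate: accepted-risk ignores that expire, and a conservative rule for findings that have no published score yet.

```python
"""Hard CVSS gate for a CI pipeline, driven by `snyk test --json` output.

Added example, not Snyk's own code. It assumes the JSON report has a
top-level "vulnerabilities" list whose entries carry "id", "severity",
"cvssScore", "packageName", "version" and "isUpgradable"; check that shape
against the output of your own CLI version before relying on it.
"""
import json
import sys

# Constructed sample in the shape of a `snyk test --json` report; these are
# not real Snyk findings. The third entry deliberately has no score yet.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution",
         "severity": "high", "cvssScore": 7.5,
         "packageName": "example-lib", "version": "1.2.3",
         "isUpgradable": True},
        {"id": "SNYK-EXAMPLE-2", "title": "Regular Expression Denial of Service",
         "severity": "medium", "cvssScore": 5.3,
         "packageName": "example-regex", "version": "0.9.0",
         "isUpgradable": False},
        {"id": "SNYK-EXAMPLE-3", "title": "Information Exposure",
         "severity": "high", "cvssScore": None,
         "packageName": "example-util", "version": "2.0.0",
         "isUpgradable": False},
    ],
})


def load_report(text):
    """Parse the CLI's JSON report. `snyk test` exits non-zero whenever it
    finds issues, so the gate reads the report instead of trusting that
    exit code alone."""
    return json.loads(text)


def active_ignores(ignores, today):
    """Accepted-risk exceptions, each mapped to an expiry date. ISO 8601 date
    strings compare correctly as text, so no date parsing is needed. An
    expired exception stops suppressing its finding, which keeps a
    temporary ignore from silently becoming permanent."""
    return {vid for vid, until in ignores.items() if until >= today}


def blocking_findings(report, threshold=7.0, ignore_ids=frozenset()):
    """Return the findings that should fail the build.

    A finding blocks when its CVSS score is at or above `threshold`. The
    same vulnerability is reported once per dependency path, so findings
    are de-duplicated on (id, package, version) to keep the counts honest.
    """
    blocking, seen = [], set()
    for v in report.get("vulnerabilities", []):
        key = (v.get("id"), v.get("packageName"), v.get("version"))
        if key in seen or v.get("id") in ignore_ids:
            continue
        seen.add(key)
        score = v.get("cvssScore")
        if score is None:
            # No published score: an unscored finding is not evidence of low
            # risk, so block on Snyk's own high/critical label instead of
            # letting it pass the gate by default.
            if v.get("severity") in ("high", "critical"):
                blocking.append(v)
        elif float(score) >= threshold:
            blocking.append(v)
    return blocking


def main(argv):
    threshold = float(argv[1]) if len(argv) > 1 else 7.0
    # Read a report from stdin; fall back to the constructed sample when run
    # interactively so the script can be tried without a Snyk account.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    blocked = blocking_findings(load_report(text), threshold)
    for v in blocked:
        print(f"BLOCK {v['id']} cvss={v.get('cvssScore')} severity={v.get('severity')} "
              f"{v.get('packageName')}@{v.get('version')} upgradable={v.get('isUpgradable')}")
    print(f"{len(blocked)} finding(s) at or above CVSS {threshold}")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage in a pipeline step: write the report to a file first (`snyk test --json > report.json || true`) and then run `python snyk_gate.py 7.0 < report.json`, so that Snyk's own non-zero exit on findings does not abort the stage before the gate has made its decision. The CLI's built-in `--severity-threshold` option gates on Snyk's severity buckets; the script gates on the numeric CVSS score, which is the distinction the reviewer is drawing.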
"The most valuable features of Snyk are vulnerability scanning and automation. The automation the solution brings around vulnerability scanning is useful."
"Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there."
"The solution's Open Source feature gives us notifications and suggestions regarding how to address vulnerabilities."
"The most valuable feature of Snyk is the software composition analysis."
"The solution has great features and is quite stable."
"It has an accurate database of vulnerabilities with a low amount of false positives."
"Checkmarx could be improved with more integration with third-party software."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"Checkmarx is not good because it has too many false positive issues."
"I would like to see the rate of false positives reduced."
"The pricing can get a bit expensive, depending on the company's size."
"Checkmarx could improve the REST APIs by including automation."
"The plugins for the development environment have room for improvements, such as for Android Studio and Xcode."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."
"The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improved."
"The product is very expensive."
"All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."
"The log export function could be easier when shipping logs to other platforms such as Splunk."
"A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."
"The solution could improve the reports. They have been working on improving the reports but more work could be done."
"Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Snyk is ranked 4th in Application Security Tools with 41 reviews. Checkmarx One is rated 7.6, while Snyk is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Coverity and Mend.io, whereas Snyk is most compared with SonarQube, Black Duck, GitHub Advanced Security, Fortify Static Code Analyzer and Prisma Cloud by Palo Alto Networks. See our Checkmarx One vs. Snyk report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.