We performed a comparison between Sync and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Sync comes out on top in this comparison. It is secure and reliable. In addition, it has excellent support and a significant ROI.
"The solution has great features and is quite stable."
"Static code analysis is one of the best features of the solution."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"Snyk performs software composition analysis (SCA) similar to other expensive tools."
"Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there."
"The solution's vulnerability database, in terms of comprehensiveness and accuracy, is very high-level. As far as I know, it's the best among their competitors."
"The product's most valuable features are an open-source platform, remote functionality, and good pricing."
"The product is simple."
"It is a very good tool for analysis and security vulnerability checking."
"It easily ties into our continuous integration pipeline."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The reporting and the results are quick. It gets integrated within the pipeline well."
"The solution's reporting and storage could be improved."
"Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help."
"A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."
"They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer."
"We were using Microsoft Docker images. It was reporting some vulnerabilities, but we were not able to figure out the fix for them. It was reporting some vulnerabilities in the Docker images given by Microsoft, which were out of our control. That was the only limitation. Otherwise, it was good."
"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."
"All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."
"We tried to integrate it into our software development environment but it went really badly. It took a lot of time and prevented the developers from using the IDE. Eventually, we didn't use it in the development area... I would like to see better integrations to help the developers get along better with the tool. And the plugin for the IDE is not so good. This is something we would like to have..."
"The product must improve security analysis."
"Ease of use/interface."
"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"We could use some team support, but since we are using the community version, it's not available."
"Monitoring is a feature that can be improved in the next version."
"SonarQube could improve its static application security testing as per the industry standard."
"When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."
Snyk is ranked 4th in Application Security Tools with 41 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Snyk is rated 8.2, while SonarQube is rated 8.0. The top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Snyk is most compared with Black Duck, GitHub Advanced Security, Fortify Static Code Analyzer, Veracode and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitHub Advanced Security. See our Snyk vs. SonarQube report.
See our list of best Application Security Tools vendors and best Software Development Analytics vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
@Tej Muchhala : Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.
1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.
2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.
3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.
Regards,
Vishal.
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.