Software Engineer at a computer software company with 11-50 employees
Real User
Top 10
Nov 15, 2025
Although Snyk is strong, sometimes it flags vulnerabilities that are not reachable, not exploitable, and not relevant to a project. Better reachability analysis and context-aware scanning could improve this. Snyk could benefit from a more optimized scanning engine and incremental scan caching.
Technically, we have better vulnerability detection in Checkmarx and Veracode. Both of them are more precise about vulnerability detection. Snyk is slightly less effective, but this is something they can improve on in the future.
Information Security Strategy at an insurance company with 10,001+ employees
Real User
Top 5
Jun 30, 2025
Snyk should improve the scanning capabilities for other languages. For example, Veracode is strong with different languages such as Java, C#, and others. However, Snyk performs better at mobile source code scanning compared to Veracode. If both capabilities were combined, that would be exceptional. As we are moving toward GenAI, we expect Snyk to leverage AI features to improve code scanning findings. One key feature we are currently examining with Veracode is AIVSS (Artificial Intelligence VSS), which is an extension of CVSS to cover use cases or top 10 LLM findings during code scanning. Since this is relatively new, we expect upcoming features to cover AI scoring. We have AI projects currently deploying in our organization, and we want to cover not only normal CVSS but also receive an AI assessment score. Both Veracode and Snyk should implement this new scoring system for CVSS and AIVSS.
There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false positives would be beneficial. So far, I've not seen any AI features to enhance vulnerability detection or to address the issues I mentioned.
Snyk has several limitations, including issues with Gradle, NPM, and Xcode, and trouble with AutoPR. It lacks the ability to select branches on its Web UI, forcing users to rely on CLI or CI/CD for that functionality. These limitations were documented in a book that I wrote.
I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline; however, they were resolved.
I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial. I don't need additional features; just improving the existing ones would be enough.
VP Enterprise Architecture and Solutioning at a financial services firm with 10,001+ employees
Real User
Top 5
Mar 19, 2024
I don't use Snyk anymore. The tool is just used in our company, but not by me anymore. It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.
It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.
Devops & Cloud Architect at Hexaware Technologies Limited
Reseller
Nov 14, 2023
I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks. Snyk needs to focus on the area related to dependencies.
Snyk's API and UI features could work better in terms of speed. Additionally, they could optimize and provide better reports, including reports for security, technical, and developer level.
They need to improve the Snyk plugins and make it easier to make your optimizations based on your own needs or features. It's very basic right now. For example, you need to make many workarounds to get reports from API REST. Improving how the plugin works is the best way to get any partnership with most tools. This way, Snyk could, for example, integrate with the Atlassian Bitbucket pipeline. If the plugins could be improved, I could integrate plugins in a few seconds instead of making many workarounds using API REST.
I can't comment if there are missing features at this time. For the last six to eight months I didn't work with Fugue. I don't have an up-to-date product roadmap to comment on what is or is not available, what they do or do not provide. I would need to review their current roadmap to be able to accurately comment on what is or is not available. Fugue capabilities are not well understood on the market. If there was one thing they could improve, it would be to basically explain in simple terms to market what it is they do. Right now, understanding what they do requires substantial experience and expertise. It wasn't a challenge for me to identify this area; however, I'm the exception. Generally speaking, there is not sufficient understanding in the broad market of what Fugue does. This is the area they need to focus on. The general input I have is that there is an opportunity for them to better align with other similar tools and better align with similar capabilities that cloud suppliers deliver natively. What happens is they extend and augment capabilities that cloud suppliers offer. There are additional integration and operational benefits that can be realized in how they extend and how they position themselves as compared to what cloud suppliers deliver.
It would be ideal if there was customization with a focus on specific cybersecurity areas or capabilities. Fugue is cybersecurity, an operational monitoring solution, which has a broad set of capabilities. However, one needs to have substantial know-how in the cybersecurity domain to be able to identify and zero in on specific Fugue capabilities that may be relevant to a particular project or workstream pursuit. Being a system integrator, for us, it isn't an issue. For a client that is new to Fugue or relatively new to cybersecurity, it would be quite challenging to zero in on a specific sweet spot or capability.
The solution's integration with JFrog Artifactory could be improved.
The product is very expensive.
The tool's initial use is complex.
DAST has shortcomings, and Snyk needs to improve and overcome such shortcomings.