Need advice about which tool to choose?Ask the StackShare community!

Dependabot

102
101
+ 1
1
Snyk

353
344
+ 1
18
Add tool

Dependabot vs Snyk: What are the differences?

What is Dependabot? Automated dependency updates for Ruby, JavaScript, Python, Elixir, Java, PHP and Rust. Dependabot helps you keep your dependencies up to date. Every day, it checks your dependency files for outdated requirements and opens individual PRs for any it finds. You review, merge, and get to work on the latest, most secure releases.

What is Snyk? Fix vulnerabilities in Node & npm dependencies with a click. Fix vulnerabilities in Node & npm dependencies with a click.

Dependabot and Snyk belong to "Dependency Monitoring" category of the tech stack.

Advice on Dependabot and Snyk
Bryan Dady
SRE Manager at Subsplash · | 5 upvotes · 377.4K views

I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.

See more
Replies (1)
Moises Figueroa
DevOps Engineer at Ingenium Code · | 2 upvotes · 12.6K views
Recommends

I'd recommend Snyk since it provides an IDE extension for Developers, SAST, auto PR security fixes, container, IaC and includes open source scanning as well. I like their scoring method as well for better prioritization. I was able to remove most of the containers and cli tools I had in my pipelines since Snyk covers secrets, vulns, security and some code cleaning. SAST has false positives but the scoring helps. Also had to spend time putting some training docs but their engineers helped out with content.

See more
Get Advice from developers at your company using StackShare Enterprise. Sign up for StackShare Enterprise.
Learn More
Pros of Dependabot
Pros of Snyk
  • 1
    Free for github projects
  • 9
    Github Integration
  • 4
    Finds lots of real vulnerabilities
  • 4
    Free for open source projects
  • 1
    Easy to deployed

Sign up to add or upvote prosMake informed product decisions

Cons of Dependabot
Cons of Snyk
    Be the first to leave a con
    • 1
      Does not integrated with SonarQube

    Sign up to add or upvote consMake informed product decisions

    What is Dependabot?

    Dependabot helps you keep your dependencies up to date. Every day, it checks your dependency files for outdated requirements and opens individual PRs for any it finds. You review, merge, and get to work on the latest, most secure releases.

    What is Snyk?

    Automatically find & fix vulnerabilities in your code, containers, Kubernetes, and Terraform

    Need advice about which tool to choose?Ask the StackShare community!

    What companies use Dependabot?
    What companies use Snyk?
    See which teams inside your own company are using Dependabot or Snyk.
    Sign up for StackShare EnterpriseLearn More

    Sign up to get full access to all the companiesMake informed product decisions

    What tools integrate with Dependabot?
    What tools integrate with Snyk?

    Sign up to get full access to all the tool integrationsMake informed product decisions

    Blog Posts

    What are some alternatives to Dependabot and Snyk?
    GreenKeeper
    Real-time monitoring for npm dependencies. Let a bot send you informative and actionable issues so you can easily keep your software up to date and in working condition.
    AutoFac
    It is an addictive Inversion of Control container for .NET Core, ASP.NET Core, .NET 4.5.1+, Universal Windows apps, and more. It provides activation events to let you know when components are being activated or released, allowing for a lot of customization with little code.
    FOSSA
    Continuously scan and comply with open source licenses across your deep dependencies.
    WhiteSource
    The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.
    Tidelift
    Automatic compliance testing for all of the dependencies in your application.
    See all alternatives