Need advice about which tool to choose?Ask the StackShare community!
Gemnasium vs Snyk: What are the differences?
Gemnasium and Snyk are both software development tools that help to identify and manage vulnerabilities in a project's dependencies. They offer some similar features but also have some distinct differences that set them apart from each other.
Dependency Management: Gemnasium primarily focuses on dependency management by monitoring and analyzing the dependencies declared in a project's Gemfile or package.json file. It provides notifications about any updates or vulnerabilities related to these dependencies. On the other hand, Snyk goes beyond dependency management and also offers vulnerability testing and remediation for a wide range of programming languages and package managers.
Continuous Integration: Snyk offers seamless integration with continuous integration (CI) systems, allowing developers to easily incorporate security checks into their CI pipelines. This enables automatic scans of code repositories and provides detailed reports on any vulnerabilities found. Gemnasium, however, does not have built-in CI integration, requiring manual triggering of scans or regular monitoring.
Remediation Guidance: Snyk provides detailed remediation guidance to help developers fix vulnerabilities in their projects. It offers actionable recommendations with information about available patches, alternate package versions, or code changes to resolve the vulnerabilities. Gemnasium, on the other hand, focuses more on providing vulnerability alerts without providing specific guidance on how to resolve them.
Integration Options: While both tools offer integrations with popular code repository platforms like GitHub and GitLab, Snyk provides integrations with a wider range of development and security tools. These integrations allow developers to incorporate vulnerability testing and monitoring into their existing workflows, providing a more comprehensive approach to security.
License Compliance: Gemnasium includes features for tracking and monitoring software licenses, allowing developers to ensure compliance with licensing requirements. Snyk, however, does not have built-in capabilities for license compliance tracking.
Supported Languages: Snyk supports a wider range of programming languages and package managers compared to Gemnasium. Snyk can identify and test for vulnerabilities in projects built with languages such as JavaScript, Python, Java, Ruby, .NET, and more. Gemnasium, on the other hand, focuses primarily on Ruby and JavaScript projects.
In summary, while both Gemnasium and Snyk offer vulnerability scanning and monitoring, Snyk provides a more comprehensive solution with broader language support, better integration options, and additional features like CI integration, remediation guidance, and license compliance tracking.
I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.
I'd recommend Snyk since it provides an IDE extension for Developers, SAST, auto PR security fixes, container, IaC and includes open source scanning as well. I like their scoring method as well for better prioritization. I was able to remove most of the containers and cli tools I had in my pipelines since Snyk covers secrets, vulns, security and some code cleaning. SAST has false positives but the scoring helps. Also had to spend time putting some training docs but their engineers helped out with content.
Pros of Gemnasium
Pros of Snyk
- Github Integration10
- Free for open source projects5
- Finds lots of real vulnerabilities4
- Easy to deployed1
Sign up to add or upvote prosMake informed product decisions
Cons of Gemnasium
Cons of Snyk
- Does not integrated with SonarQube2
- No malware detection1
- No surface monitoring1
- Complex UI1
- False positives1