Need advice about which tool to choose?Ask the StackShare community!
Add tool
PMD vs Snyk: What are the differences?
# Introduction
PMD and Snyk are both tools used in the field of software development for different purposes.
1. **Code Analysis Focus**:
PMD primarily focuses on performing static code analysis to identify common programming flaws and maintainability issues in code, whereas Snyk specializes in identifying and fixing security vulnerabilities in open source dependencies.
2. **Language Support**:
PMD supports a wide range of programming languages including Java, JavaScript, XML, and more, while Snyk is mainly focused on supporting JavaScript, Node.js, Python, and Ruby.
3. **Security Emphasis**:
Snyk places a strong emphasis on security by continuously monitoring dependencies for known vulnerabilities and providing actionable insights to developers, whereas PMD's primary focus is on code quality and maintainability.
4. **Integration with CI/CD Pipelines**:
Snyk can easily be integrated into Continuous Integration/Continuous Deployment pipelines to automate security checks, while PMD can also be integrated but is more commonly used as a standalone code analysis tool.
5. **Remediation Recommendations**:
Snyk not only identifies vulnerabilities but also provides specific remediation advice and patches to fix security issues, whereas PMD mainly points out coding issues and leaves the resolution up to developers.
6. **Pricing Model**:
Snyk offers a freemium pricing model where basic functionalities are available for free with premium features requiring a subscription, whereas PMD is an open-source tool available for free without any premium features.
In Summary, PMD and Snyk serve different purposes in software development with PMD focusing on code analysis and maintainability, while Snyk specializes in identifying and fixing security vulnerabilities in open source dependencies.
Advice on PMD and Snyk
Bryan Dady
SRE Manager at Subsplash · | 5 upvotes · 432.5K views
I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.
Replies (1)
Moises Figueroa
DevOps Engineer at Ingenium Code · | 2 upvotes · 29.2K views
Recommends
I'd recommend Snyk since it provides an IDE extension for Developers, SAST, auto PR security fixes, container, IaC and includes open source scanning as well. I like their scoring method as well for better prioritization. I was able to remove most of the containers and cli tools I had in my pipelines since Snyk covers secrets, vulns, security and some code cleaning. SAST has false positives but the scoring helps. Also had to spend time putting some training docs but their engineers helped out with content.
Get Advice from developers at your company using StackShare Enterprise. Sign up for StackShare Enterprise.
Learn MorePros of PMD
Pros of Snyk
Pros of PMD
Be the first to leave a pro
Pros of Snyk
- Github Integration10
- Free for open source projects5
- Finds lots of real vulnerabilities4
- Easy to deployed1
Sign up to add or upvote prosMake informed product decisions
Cons of PMD
Cons of Snyk
Cons of PMD
Be the first to leave a con
Cons of Snyk
- Does not integrated with SonarQube2
- No malware detection1
- No surface monitoring1
- Complex UI1
- False positives1
Sign up to add or upvote consMake informed product decisions
- No public GitHub repository available -
What is PMD?
It is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It includes CPD, the copy-paste-detector.
What is Snyk?
Automatically find & fix vulnerabilities in your code, containers, Kubernetes, and Terraform
Need advice about which tool to choose?Ask the StackShare community!
What companies use PMD?
What companies use Snyk?
What companies use PMD?
What companies use Snyk?
See which teams inside your own company are using PMD or Snyk.
Sign up for StackShare EnterpriseLearn MoreSign up to get full access to all the companiesMake informed product decisions
What tools integrate with PMD?
What tools integrate with Snyk?
What tools integrate with Snyk?
Sign up to get full access to all the tool integrationsMake informed product decisions
Blog Posts
+7 3
1130
What are some alternatives to PMD and Snyk?
SonarQube
SonarQube provides an overview of the overall health of your source code and even more importantly, it highlights issues found on new code. With a Quality Gate set on your project, you will simply fix the Leak and start mechanically improving.
FindBugs
It detects possible bugs in Java programs. Potential errors are classified in four ranks: scariest, scary, troubling and of concern. This is a hint to the developer about their possible impact or severity.
Checkstyle
It is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard.
JavaScript
JavaScript is most known as the scripting language for Web pages, but used in many non-browser environments as well such as node.js or Apache CouchDB. It is a prototype-based, multi-paradigm scripting language that is dynamic,and supports object-oriented, imperative, and functional programming styles.
Git
Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.