Home
DevOps
Build, Test, Deploy
Dependency Monitoring

FOSSA vs Snyk

Need advice about which tool to choose?Ask the StackShare community!

FOSSA
29
36
+ 1
4
Snyk
457
369
+ 1
20
Add tool

FOSSA vs Snyk: What are the differences?

Introduction

FOSSA and Snyk are both software development tools that focus on managing and ensuring the security of open source components used in projects. However, there are key differences between the two:

  1. Integration with CI/CD pipelines: FOSSA provides extensive support for integration with a wide range of CI/CD pipelines, including popular options like Jenkins, GitLab, and Travis CI. This allows developers to seamlessly incorporate FOSSA's capabilities into their existing development workflows. On the other hand, Snyk offers similar integration options but with a more limited selection of CI/CD pipelines.

  2. License compliance management: While both FOSSA and Snyk offer features for identifying open source dependencies and their associated licenses, FOSSA goes a step further by providing comprehensive license compliance management. FOSSA's platform allows users to track the licenses used in their projects, assess license compatibility, and enforce compliance policies. Snyk, on the other hand, primarily focuses on vulnerability detection and mitigation.

  3. Enterprise-grade security: FOSSA positions itself as an enterprise-grade solution, with advanced security features tailored for large organizations. FOSSA offers features such as fine-grained access control, audit logs, and security reports that provide deep insights into the security posture of projects at scale. While Snyk also targets enterprise users, FOSSA's security capabilities are specifically designed to address the needs of larger organizations.

  4. Dependency management: Both FOSSA and Snyk provide dependency management capabilities, allowing developers to track and manage their project's open source dependencies. However, Snyk places a stronger emphasis on this aspect and offers additional features such as automated dependency updates and support for different package managers. FOSSA, on the other hand, focuses more on comprehensive security and compliance management.

  5. Customizable policies: FOSSA provides users with the ability to customize policies and create specific rules for vulnerability and license compliance. This allows organizations to enforce their own security and compliance standards. Snyk, while offering some degree of customization, has more limited options when it comes to policy configuration and enforcement.

  6. Developer-centric approach: Snyk takes a more developer-centric approach with its user interface and experience. The tool emphasizes simplicity and ease of use, making it more accessible to developers of all skill levels. FOSSA, on the other hand, provides a more comprehensive and feature-rich platform, which may be better suited for organizations with more complex requirements.

In summary, FOSSA and Snyk differ in their integration capabilities with CI/CD pipelines, the extent of license compliance management features, focus on enterprise-grade security, approach to dependency management, level of customizable policies, and user experience. Ultimately, the choice between FOSSA and Snyk depends on the specific needs and priorities of the organization or development team.

Advice on FOSSA and Snyk
Bryan Dady
SRE Manager at Subsplash · | 5 upvotes · 431.9K views
Needs advice
on
SnykSnykSonatype NexusSonatype Nexus
and
WhiteSourceWhiteSource

I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.

See more
Replies (1)
Moises Figueroa
DevOps Engineer at Ingenium Code · | 2 upvotes · 28.9K views
Recommends

I'd recommend Snyk since it provides an IDE extension for Developers, SAST, auto PR security fixes, container, IaC and includes open source scanning as well. I like their scoring method as well for better prioritization. I was able to remove most of the containers and cli tools I had in my pipelines since Snyk covers secrets, vulns, security and some code cleaning. SAST has false positives but the scoring helps. Also had to spend time putting some training docs but their engineers helped out with content.

See more
Get Advice from developers at your company using StackShare Enterprise. Sign up for StackShare Enterprise.
Learn More
Pros of FOSSA
Pros of Snyk
  • 1
    Easy to integrate
  • 1
    Fewer false positives
  • 1
    Native to CI
  • 1
    Supports full text license scanning
  • 10
    Github Integration
  • 5
    Free for open source projects
  • 4
    Finds lots of real vulnerabilities
  • 1
    Easy to deployed

Sign up to add or upvote prosMake informed product decisions

Cons of FOSSA
Cons of Snyk
    Be the first to leave a con
    • 2
      Does not integrated with SonarQube
    • 1
      No malware detection
    • 1
      No surface monitoring
    • 1
      Complex UI
    • 1
      False positives

    Sign up to add or upvote consMake informed product decisions

    - No public GitHub repository available -

    What is FOSSA?

    Continuously scan and comply with open source licenses across your deep dependencies.

    What is Snyk?

    Automatically find & fix vulnerabilities in your code, containers, Kubernetes, and Terraform

    Need advice about which tool to choose?Ask the StackShare community!

    What companies use FOSSA?
    What companies use Snyk?
    See which teams inside your own company are using FOSSA or Snyk.
    Sign up for StackShare EnterpriseLearn More

    Sign up to get full access to all the companiesMake informed product decisions

    What tools integrate with FOSSA?
    What tools integrate with Snyk?

    Sign up to get full access to all the tool integrationsMake informed product decisions

    Blog Posts

    Why Doesn’t Your CI Pipeline Have Security Bug Testing?
    Jun 9 2020 at 5:54PM

    StackHawk

    SlackJiraGraphQL+7
    3
    1129
    What are some alternatives to FOSSA and Snyk?
    Mongoose
    Let's face it, writing MongoDB validation, casting and business logic boilerplate is a drag. That's why we wrote Mongoose. Mongoose provides a straight-forward, schema-based solution to modeling your application data and includes built-in type casting, validation, query building, business logic hooks and more, out of the box.
    Black Duck
    It is a solution that helps development teams manage risks that come with the use of open source. It gives you complete visibility into open source management, combining sophisticated, multi-factor open source detection capabilities with the Black Duck KnowledgeBase.
    AutoFac
    It is an addictive Inversion of Control container for .NET Core, ASP.NET Core, .NET 4.5.1+, Universal Windows apps, and more. It provides activation events to let you know when components are being activated or released, allowing for a lot of customization with little code.
    Dependabot
    Dependabot helps you keep your dependencies up to date. Every day, it checks your dependency files for outdated requirements and opens individual PRs for any it finds. You review, merge, and get to work on the latest, most secure releases.
    GreenKeeper
    Real-time monitoring for npm dependencies. Let a bot send you informative and actionable issues so you can easily keep your software up to date and in working condition.
    See all alternatives

    Related Comparisons

    Doppins vs SnykDoppins vs FOSSADependabot vs SnykGemnasium vs SnykSnyk vs Tidelift

    Trending Comparisons

    Django vs Laravel vs Node.jsBootstrap vs Foundation vs Material-UINode.js vs Spring BootFlyway vs LiquibaseAWS CodeCommit vs Bitbucket vs GitHub

    Top Comparisons

    Bootstrap vs MaterializeHipChat vs Mattermost vs SlackBitbucket vs GitHub vs GitLabPostman vs Swagger UI