Subjective comparison of Security Testing products. Sonatype vs JFrog vs Snyk
For many years now, it has been impossible to imagine building solutions without relying on open source. In fact, every project I’ve worked on has benefited, to a greater or lesser degree, from community development. This trend doesn’t apply only to product companies and start-ups. Large financial institutions and other critical sectors are also reaping the benefits of open source. The State of Open Source report by OpenLogic & Open Source Initiative, among others, confirms this.
Such extensive use of open source can lead to some problems. Anyone who has worked with npm or maven based applications knows this. Developers, including myself, are often tempted to rely on external libraries and tools. As a result, the list of dependencies grows and grows, and it isn't easy to keep track of it. This raises the issue of trust in these dependencies. At some point, our project/product will need to generate reports on the vulnerabilities and licenses of its dependencies.
As software engineers, we should care about the quality and security of our solutions. For this reason, we should address this topic as early as possible in the software development lifecycle (SDLC).
I have recently been researching and evaluating the most popular commercial products for open source security scanning — Sonatype, JFrog, Snyk. I have decided to bring all my findings together in this article. The comparison is subjective and refers to the aspects that were crucial in my use case.
The technology stack of my project — a key aspect for further comparison:
- Java/Kotlin microservices
- Docker images as artifacts
- GitHub as code repositories & CI/CD
- Kubernetes
- IaC with Terraform
Under this Miro link, you will find the table below in better quality.
Summary
It is easy to see in the colored table that Snyk won my sympathy. IMHO, Snyk fits modern projects based on microservices, Docker, and CI/CD à la GitHub Actions. Sonatype turned out to be the least suitable for my project. However, I wouldn’t completely reject this tool. I think it has its advantages, which you will see in projects that use Jenkins or private package repositories.
In the end, however, we didn’t choose it. Instead, we decided to build our own security scanning pipeline based on open source solutions such as Trivy or Syft.
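The core step of such a home-grown pipeline is a gate that reads the scanner's report and fails the build when blocking findings remain. The following is an added example, not code from the article or from the Trivy project: it assumes the field names of Trivy's JSON image report (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) and uses a constructed sample report with placeholder CVE identifiers.

```python
import json

# Constructed sample in the shape of a `trivy image --format json` report.
# Field names are an assumption about Trivy's output; CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.local/orders-service:1.4.2",
    "Results": [
        {"Target": "registry.example.local/orders-service:1.4.2 (alpine 3.16.2)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1q-r0", "FixedVersion": "1.1.1s-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.35.0-r17", "FixedVersion": "",
              "Severity": "MEDIUM"}]},
        {"Target": "app/orders-service.jar", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.13.2", "FixedVersion": "2.13.4",
              "Severity": "CRITICAL"}]},
    ],
})

# Trivy severity labels, lowest to highest; unknown labels rank lowest.
RANK = {s: i for i, s in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}

def findings(report_json, threshold="HIGH", fixed_only=True):
    """Return findings at or above `threshold` as (id, target, pkg, installed,
    fixed, severity). With fixed_only, skip vulnerabilities that have no fixed
    version yet, since a dependency bump cannot remove them."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be null in Trivy
            if RANK.get(v.get("Severity", "UNKNOWN"), 0) < RANK[threshold]:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue
            hits.append((v["VulnerabilityID"], result["Target"], v["PkgName"],
                         v["InstalledVersion"], v.get("FixedVersion", ""),
                         v["Severity"]))
    return hits

def gate(report_json, threshold="HIGH", fixed_only=True):
    """CI gate: print blocking findings and return the process exit code."""
    hits = findings(report_json, threshold, fixed_only)
    for vid, target, pkg, installed, fixed, sev in hits:
        print(f"{sev:8} {vid:14} {pkg} {installed} -> {fixed or 'no fix'}  [{target}]")
    print(f"blocking findings at >= {threshold}: {len(hits)}")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run it after `trivy image --format json --output report.json <image>` by feeding the file contents to `gate`; the threshold and the fixed-only rule are the two knobs a team usually argues about.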
As I mentioned earlier, the above comparison is my personal assessment. My conclusions are very subjective, as I did this research to find the right tool for my project. For a different tech stack, the conclusions could well be different. I made the tool comparison in August 2022, so if you are reading this much later, know that some things may be out of date.