GitLab
vs
Snyk
vs
Decision Kit
Decision Kit
Summary
Snyk offers security scanning of open source components, container scanning, and license compliance.
GitLab Ultimate offers not only these capabilities but also Static and Dynamic Application Security Testing. GitLab Ultimate automatically includes broad security scanning with every code commit including Static and Dynamic Application Security Testing, along with dependency scanning, container scanning, and license management.
Comparison to GitLab
Although Snyk is a good fit for customers who need to identify vulnerabile packages in open source components, it does not provide a broad range of scanning types. Customers are likely to choose GitLab if they want an all-in-one product that can do SAST, DAST, and Fuzzing in addition to SCA. They are also likely to choose GitLab if they value having their scanning tightly integrated with the development workflow.
Strengths and Weaknesses
| GitLab | Snyk | |
|---|---|---|
| Strengths | • Provides a full range of code scanning types (SAST, DAST, etc) within a single solution • Integrated security as part of DevOps workflow for all developers • Security leadership by being a CVE Numbering Authority |
• Extremely easy to use, provides a clean UX and design • Strong capabilities to customize, prioritize, and remediate vulnerabilities • Security leadership through conferences and acquisition of DevSecCon |
| Weaknesses | • Requires users to use GitLab for CI if they are not doing so already | • Does not provide a full suite of code scanning to adequately detect all vulnerabilities - no SAST or DAST • The entire workflow and UI is separate from the developer’s typical day-to-day work |
High-level Comparison of Scanning Capabilities
| GitLab | Snyk | |
|---|---|---|
| SAST | ✅ | |
| DAST | ✅ | |
| Vulnerability scanning | ✅ | ✅ |
| License compliance | ✅ | ✅ |
| Fuzzing | ✅ |
Detailed Comparison of SCA Features
| GitLab | Snyk | |
|---|---|---|
| Dependency scanning | ✅ | ✅ |
| Package scanning | ✅ | ✅ |
| License compliance | ✅ | ✅ |
| Support for scanning containerized applications | ✅ | ✅ |
| Ability to scan running containers in production | roadmap | |
| Basic prioritization (low, med, high, etc) | ✅ | ✅ |
| Advanced prioritization (code reachability and ability to weaponize) | ✅ | |
| Custom prioritization rules | ✅ | |
| Basic auto-suggested fixes (upgrade package) | ✅ | ✅ |
| Advanced fixes (patch vulnerability w/o upgrade) | ✅ | |
| Scan when an MR is opened or pipeline is run | ✅ | ✅ |
| Scan on a schedule | ✅ | |
| Gating - prevent deployment to enforce license compliance or vulnerability standards | ✅ | ✅ |
| Alerts and notifications (Slack, Jira, etc) | roadmap | ✅ |
| Basic report dashboard (count of H, M, L) | ✅ | ✅ |
| Extensive report dashboard (track vulnerabilities and exposure over time) | ✅ | |
| On demand ability to run scans from a cli | ✅ |
Feature Comparison
| FEATURES |
|
|
|---|---|---|
|
Static Application Security Testing
GitLab allows easily running Static Application Security Testing (SAST) in CI/CD pipelines; checking for vulnerable source code or well known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Secret Detection
GitLab allows you to perform Secret Detection in CI/CD pipelines; checking for unintentionally committed secrets and credentials. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Dependency Scanning
GitLab automatically detects well known security bugs in the libraries that are included by the application, protecting your application from vulnerabilities that affect dependencies that are used dynamically. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Dynamic Application Security Testing
Once your application is online, GitLab allows running Dynamic Application Security Testing (DAST) in CI/CD pipelines; your application will be scanned to ensure threats like XSS or broken authentication flaws are not affecting it. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Interactive Application Security Testing
IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature. |
|
|
|
Cloud Native Network Firewall
Cloud native network firewall provides container-level network micro segmentation which isolates container network communications to limit the “blast radius” of compromise to a specific container or microservice. A container-aware virtual firewall identifies valid traffic flows between app components in your cluster and limits damage by preventing attackers from moving through your environment when they have already compromised one part of it. |
|
|
|
Container Scanning
When building a Docker image for your application, GitLab can run a security scan to ensure it does not have any known vulnerability in the environment where your code is shipped. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
License Compliance
Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view. |
|
|
|
On-demand Dynamic Application Security Testing
There’s no reason to wait for the next CI pipeline run to find out if your site if vulnerable or to reproduce a previously found vulnerability. GitLab offers scanning your running application with On-demand Dynamic Application Security Testing (DAST), independent of code changes or merge requests. |
|
|
|
Site and Scanner profiles for On-demand DAST scans
Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API. |
|
|
|
DAST Configuration UI
Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed |
|
|
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license
