Snyk offers security scanning of open source components, container scanning, and license compliance.

GitLab Ultimate offers not only these capabilities but also Static and Dynamic Application Security Testing. GitLab Ultimate automatically includes broad security scanning with every code commit including Static and Dynamic Application Security Testing, along with dependency scanning, container scanning, and license management.

Comparison to GitLab

Although Snyk is a good fit for customers who need to identify vulnerabile packages in open source components, it does not provide a broad range of scanning types. Customers are likely to choose GitLab if they want an all-in-one product that can do SAST, DAST, and Fuzzing in addition to SCA. They are also likely to choose GitLab if they value having their scanning tightly integrated with the development workflow.

Strengths and Weaknesses

  GitLab Snyk
Strengths   •     Provides a full range of code scanning types (SAST, DAST, etc) within a single solution
  •     Integrated security as part of DevOps workflow for all developers
  •     Security leadership by being a CVE Numbering Authority
  •     Extremely easy to use, provides a clean UX and design
  •     Strong capabilities to customize, prioritize, and remediate vulnerabilities
  •     Security leadership through conferences and acquisition of DevSecCon
Weaknesses   •     Requires users to use GitLab for CI if they are not doing so already   •     Does not provide a full suite of code scanning to adequately detect all vulnerabilities - no SAST or DAST
  •     The entire workflow and UI is separate from the developer’s typical day-to-day work

High-level Comparison of Scanning Capabilities

  GitLab Snyk
Vulnerability scanning
License compliance

Detailed Comparison of SCA Features

  GitLab Snyk
Dependency scanning
Package scanning
License compliance
Support for scanning containerized applications
Ability to scan running containers in production roadmap  
Basic prioritization (low, med, high, etc)
Advanced prioritization (code reachability and ability to weaponize)  
Custom prioritization rules  
Basic auto-suggested fixes (upgrade package)
Advanced fixes (patch vulnerability w/o upgrade)  
Scan when an MR is opened or pipeline is run
Scan on a schedule  
Gating - prevent deployment to enforce license compliance or vulnerability standards
Alerts and notifications (Slack, Jira, etc) roadmap
Basic report dashboard (count of H, M, L)
Extensive report dashboard (track vulnerabilities and exposure over time)  
On demand ability to run scans from a cli  
Feature Comparison

Static Application Security Testing

GitLab allows easily running Static Application Security Testing (SAST) in CI/CD pipelines; checking for vulnerable source code or well known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default.

Learn more about Static Application Security Testing

Infrastructure as Code (IaC) Security Scanning

With Gitlab 14.5 we’re introducing security scanning for Infrastructure as Code (IaC) configuration files.

Learn more about IaC security scanning

Secret Detection

GitLab allows you to perform Secret Detection in CI/CD pipelines; checking for unintentionally committed secrets and credentials. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default.

Learn more about Secret Detection

Dependency Scanning

Protect your application from vulnerabilities that affect dynamic dependencies by automatically detecting well-known security bugs in your included libraries.

Learn more about Dependency Scanning

Dynamic Application Security Testing

Ensure you are not exposed to web application vulnerabilities like broken authentication, cross-site scripting, or SQL injection by dynamically investigating your running test applications in CI/CD pipelines.

Learn more about application security for containers

Interactive Application Security Testing

IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature.

Cloud Native Network Firewall

Prevent attackers from moving through your environment by restricting container network communications to only allow valid traffic flows between application components.

Learn more about Container Network Security

Container Scanning

Run a security scan to ensure the Docker images for your application do not have any known vulnerabilities in the environment where your code is shipped.

Learn more about container scanning

License Compliance

Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view.

Learn more about License Compliance

On-demand DAST

Identify vulnerabilities in your running application, independent of code changes or merge requests.

Learn more about On-demand DAST

Site and Scanner profiles for On-demand DAST scans

Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API.

Learn more about application security for containers

DAST Configuration UI

Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed DAST.gitlab-ci.yml template.

Learn more about the DAST Configuration UI

Scheduling On-demand DAST scans

Set on-demand DAST scans to run on ad hoc or recurring schedules.

Learn more about scheduling on-demand scans