Safeguard
Security

Snyk Open Source: What It Does, Pricing, and How to Use It

A practical look at Snyk Open Source: how its SCA scanning and fix PRs work, the current pricing tiers, and where its free plan limits bite.

Marcus Chen
DevSecOps Engineer
5 min read

Snyk Open Source is Snyk's software composition analysis product: it scans your project's open-source dependencies, matches them against a vulnerability database, and can open pull requests that upgrade vulnerable packages to fixed versions. It is the SCA piece of Snyk's broader suite, which also includes Snyk Code (SAST), Snyk Container, and Snyk IaC. This post covers what the tool does, how to run it, and — because it is the most common question — what it actually costs.

What Snyk Open Source scans

The product operates on your dependency manifests and lockfiles across a range of ecosystems: npm and Yarn for JavaScript, Maven and Gradle for Java, pip and Poetry for Python, Go modules, RubyGems, NuGet, and more. It resolves the full dependency tree, including transitive dependencies, and flags packages with known vulnerabilities from Snyk's own curated database.

A useful detail is that Snyk maintains its vulnerability data as a proprietary database rather than relying solely on public feeds, and often publishes advisories ahead of their appearance in some public sources. Whether that edge matters depends on your ecosystem, but it is a genuine differentiator worth knowing.

Running a scan

The fastest path is the CLI. Install it and authenticate:

npm install -g snyk
snyk auth

Then test a project from its root:

snyk test

You get a list of vulnerabilities, each with a severity, the dependency path that introduced it, and — importantly — whether an upgrade or patch is available:

✗ High severity vulnerability found in lodash
  Introduced through: myapp@1.0.0 > some-lib@2.3.0 > lodash@4.17.11
  Fixed in: 4.17.12

To watch a project over time and get fix PRs, connect your repository and run snyk monitor, which uploads a snapshot so Snyk can alert you when new vulnerabilities are disclosed against dependencies you already have.

The fix workflow

Snyk's remediation opens pull requests that bump vulnerable dependencies to a fixed version, similar in spirit to other automated-remediation tools. For direct dependencies this is usually clean. For transitive ones it is harder — the fix may require an upgrade to the intermediate package that pulls in the vulnerable one, which Snyk will suggest when a path exists. As always, an auto-generated upgrade PR needs a test suite and a human review before merge; a patch version bump is usually safe, a major bump rarely is.

Pricing: the part everyone asks about

Based on Snyk's published plans, the structure has a few tiers:

  • Free: $0 per contributing developer, with monthly test limits per product (on the order of a couple hundred SCA tests per month). Public and open-source repositories get unlimited tests with no time limit, which makes the free tier genuinely usable for OSS maintainers.
  • Team: around $25 per contributing developer per month, billed annually. It requires a minimum number of developers and caps the number of licenses per organization, so it targets small-to-mid teams. It includes unlimited scans and bundles Snyk Open Source with Snyk Code.
  • Enterprise: custom pricing via sales, adding SSO, role-based access control, advanced reporting, and priority support across the full product line.

The gotcha to plan for is the test limit on the free tier. For a private repository with active development, a few hundred tests a month disappears quickly once scans run on every pull request, and you hit the ceiling faster than you expect. Model your PR volume against the limit before you commit a private project to the free plan.

Where it fits, honestly

Snyk Open Source is a strong, mature SCA product with good ecosystem coverage, a well-regarded vulnerability database, and a slick developer experience. The main friction points teams raise are cost at scale — the per-developer model adds up — and, as with any SCA tool, noise from vulnerabilities in code paths you never execute.

That reachability question is where the SCA market is competing hardest. Tools differ in whether they simply report a vulnerable package is present or reason about whether the vulnerable function is actually called. An SCA tool such as Safeguard weighs on that axis; if you are comparing options directly, our Snyk comparison lays out the trade-offs, and the SCA product page explains what reachability analysis buys you. Pick based on your ecosystem, your team size, and how much the per-seat pricing matters to your budget.

FAQ

Is Snyk Open Source free?

There is a free tier at $0 per developer, but it caps the number of tests per month for private projects. Public and open-source repositories get unlimited tests with no time limit. For a private repo with active pull-request scanning, you will likely hit the monthly test limit and need the paid Team plan.

What is the difference between Snyk Open Source and Snyk Code?

Snyk Open Source is software composition analysis — it scans your third-party open-source dependencies for known vulnerabilities. Snyk Code is static application security testing (SAST) — it analyzes your own first-party source code for security defects. They cover different risk surfaces and are often used together.

Does Snyk Open Source scan transitive dependencies?

Yes. It resolves the full dependency tree and flags vulnerabilities in transitive (indirect) dependencies, showing the dependency path that introduced each one. Fixing a transitive vulnerability sometimes requires upgrading the intermediate package, which Snyk suggests when a viable path exists.

How much does the Snyk Team plan cost?

Snyk's published pricing lists the Team plan at roughly $25 per contributing developer per month, billed annually, with a minimum developer count and a cap on licenses per organization. Enterprise pricing is custom and negotiated through sales. Always confirm current figures on Snyk's own plans page.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.