GitHub and GitLab Threaten Snyk
The real risk is distribution, not just feature overlap. GitHub and GitLab already own the repo, the pull request, and often the CI pipeline, so they can turn on code scanning, dependency checks, and autofix inside the same screen where developers write and merge code. That makes security feel like a built-in setting instead of a separate product, which puts steady price and retention pressure on Snyk even when Snyk has deeper security capability.
GitHub has made this especially concrete. Its GitHub Code Security product includes code scanning, Dependabot features, and Copilot Autofix, and is priced at $30 per active committer per month. Because billing is tied to developers already working in GitHub, adding security can happen inside an existing enterprise contract instead of a new vendor purchase.
GitLab is following the same path from the DevSecOps side. Advanced SAST in GitLab Ultimate adds cross-file and cross-function taint analysis, lower noise, and merge-request-based workflows, so a team already running source control and CI in GitLab can buy security as one more tier upgrade rather than adopt a separate scanner.
Recent performance shows why this matters. Snyk reached an estimated $326M ARR by February 2026, but growth slowed to 7% YoY as the category got more crowded with platform bundles like GitHub and broader security suites like Wiz. At the same time, Snyk Code grew by riding AI coding adoption, which suggests its best defense is to stay ahead on accuracy and remediation for modern code, not to compete on bundle economics alone.
From here, application security keeps moving toward the system where code is already created, reviewed, and shipped. That favors GitHub and GitLab for default adoption, while leaving Snyk the path of becoming the premium layer for enterprises that need better signal, broader coverage across environments, and stronger remediation than the repo platforms can provide out of the box.