# Best Software Bill of Materials (SBOM) Software

*By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*


Software bill of materials (SBOM) solutions generate, ingest, manage, and monitor a machine-readable inventory of the components within software supply chains. The components covered include libraries, packages, modules, associated licenses, and more. Companies and developers use SBOM software to deliver and annotate comprehensive SBOMs for their software’s third party and open source components .

These solutions allow users to comply with government mandates that require the provision of a minimum SBOM. Maintaining and monitoring SBOMs also helps companies perform continuous risk assessments, though vulnerability remediation is not the primary focus of such tools. [software composition analysis (SCA) tools](https://www.g2.com/categories/software-composition-analysis) scan software supply chains’ components and dependencies at the code level to identify and remediate security vulnerabilities, whereas SBOM software automates the standardized presentation of those elements for transparency, observability, and compliance.

To qualify for inclusion in the Software Bill of Materials (SBOM) category, a product must:

- Automatically ingest and generate SBOMs in standard formats like CycloneDX and SPDX
- Continuously monitor and update SBOMs based on component versions, associated licenses, dependencies, and more
- Alert users of non-compliant elements in their software supply chain
- Allow users to annotate SBOMs
- Facilitate compliance with government regulations







## How Many Software Bill of Materials (SBOM) Software Products Does G2 Track?
**Total Products under this Category:** 33

### Category Stats (Jul 2026)
- **Average Rating**: 4.48/5 (↓0.03 vs Jun 2026) The average rating of products in this category, based on all submitted ratings
- **Top Trending Product**: Arnica (+0.87%) - Among all products in this category, Arnica recorded the largest rating increase compared to last month
*Last updated: July 14, 2026*


## How Does G2 Rank Software Bill of Materials (SBOM) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 900+ Authentic Reviews
- 33+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Which Software Bill of Materials (SBOM) Software Is Best for Your Use Case?

- **Easiest to Use:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Best Free Software:** [OX Security](https://www.g2.com/products/ox-security/reviews)


---

**Sponsored**

### OX Security

OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI’s speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers: Autonomous, embedded security that runs as fast as developers. Dynamic risk context that shrinks security backlogs before they spiral. Continuous alignment across code, cloud, APIs, and runtime. With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure. OX Security -Vendor desc (request to update): OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.



[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=ppc&amp;secure%5Bad_slot%5D=category_product_list&amp;secure%5Bcategory_id%5D=1008169&amp;secure%5Bchosen_at%5D=2026-07-14T19%3A31%3A44Z&amp;secure%5Bdisplayable_resource_id%5D=1008169&amp;secure%5Bdisplayable_resource_type%5D=Category&amp;secure%5Bmedium%5D=sponsored&amp;secure%5Bplacement_reason%5D=page_category&amp;secure%5Bplacement_resource_ids%5D%5B%5D=1008169&amp;secure%5Bprioritized%5D=false&amp;secure%5Bproduct_id%5D=1312693&amp;secure%5Bresource_id%5D=1008169&amp;secure%5Bresource_type%5D=Category&amp;secure%5Bsource_type%5D=category_page&amp;secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fsoftware-bill-of-materials-sbom&amp;secure%5Btoken%5D=80e57b3d912a74d52ffec6bf09eedd5afa0be203b067a04ad5be0a36d2bbcff4&amp;secure%5Burl%5D=https%3A%2F%2Fwww.ox.security%2Fbook-a-demo%2F&amp;secure%5Burl_type%5D=custom_url)

---

## What Are the Top-Rated Software Bill of Materials (SBOM) Software Products in 2026?
### 1. [OX Security](https://www.g2.com/products/ox-security/reviews)
OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI’s speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers: Autonomous, embedded security that runs as fast as developers. Dynamic risk context that shrinks security backlogs before they spiral. Continuous alignment across code, cloud, APIs, and runtime. With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure. OX Security -Vendor desc (request to update): OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.


**Average Rating:** 4.8/5.0
**Total Reviews:** 51

**Who Is the Company Behind OX Security?**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (199 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Security Engineer
- **Top Industries:** Financial Services, Information Technology and Services
- **Company Size:** 63% Mid-Market, 25% Enterprise


#### What Are OX Security's Pros and Cons?

**Pros:**

- Features (8 reviews)
- Collaboration (6 reviews)
- Customer Support (6 reviews)
- Easy Integrations (6 reviews)
- Speed (6 reviews)

**Cons:**

- Complexity (5 reviews)
- Overwhelming Interface (4 reviews)
- Complex Setup (3 reviews)
- Dashboard Issues (3 reviews)
- Difficult Learning (3 reviews)


### What Do G2 Reviewers Say About OX Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **intuitive dashboard** and seamless integration capabilities of OX Security for effective issue management.
- Users value the **effective collaboration** facilitated by OX Security, enhancing team efforts and streamlining workflows.
- Users praise the **responsive customer support** of OX Security, which enhances their overall experience and integration success.
- Users highlight the **seamless integrations** of OX Security, enhancing workflows and boosting development confidence without bottlenecks.
- Users value the **speed and efficiency** of OX Security, enabling faster triage and remediation of security issues.

**Cons:**

- Users find OX Security&#39;s **complexity overwhelming** , facing a steep learning curve and inadequate documentation for guidance.
- Users find the **interface overwhelming** , struggling with the extensive options and lacking clear documentation for navigation.
- Users find the **complex setup** of OX Security challenging, especially due to unclear documentation and overwhelming UI.
- Users find the **dashboard issues** can be overwhelming and lack effective reporting for management on security progress.
- Users find the **difficult learning** curve challenging due to OX Security&#39;s complex interface and insufficient documentation.

#### What Are Recent G2 Reviews of OX Security?

**"[A powerful and comprehensive tool that meets most best practices for web app security testing](https://www.g2.com/survey_responses/ox-security-review-10961361)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Gambling &amp; Casinos*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10961361)

---

**"[A Transformative Game-Changer in Application Security Posture Management](https://www.g2.com/survey_responses/ox-security-review-10618682)"**

**Rating:** 5.0/5.0 stars
*— Dudi E.*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10618682)

---



### 2. [Cybeats](https://www.g2.com/products/cybeats/reviews)
Cybeats is at the forefront of cybersecurity innovation and is focused explicitly on automating Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) management. Our platform has built-in support for HBOM and AIBOM. Our mission is to empower organizations to rapidly identify and address vulnerabilities, significantly reducing costs while enhancing the security posture of their products. With our focus on the vision of &quot;Building trust in every layer of your technology,&quot; Cybeats provides a robust platform that ensures transparency and security throughout the technological stack. Core Offerings - SBOM Management &amp; Continuous Monitoring Cybeats offers a scalable solution for managing and monitoring SBOMs. Our platform stores enriches and distributes SBOMs efficiently across the organization and the organization&#39;s customers. This continuous monitoring helps proactively identify and mitigate software component risks. - SBOM Inventory &amp; Management We provide a centralized system for SBOM inventory management that ensures all software components are accounted for, up-to-date, and secure. This systematic approach helps maintain a clear overview of all software elements, facilitating easier management and compliance. - Vulnerability Lifecycle Management (VLM) Our VLM capabilities integrate Vulnerability Exploitability Exchange (VEX) and Vulnerability Disclosure Program (VDP) processes. This integration helps identify, assess, manage, and mitigate vulnerabilities throughout their lifecycle, ensuring continuous protection against potential software supply chain threats. - Regulatory Compliance Cybeats aligns with global regulatory requirements, assisting organizations in staying compliant with evolving cybersecurity standards. Our solution simplifies compliance management, reducing the complexity and resources required to meet legal and industry standards. With the introduction of regulatory requirements of the FDA pre-market and post-market, the EU CRA, PCI-SSF, and others, companies that develop software-based products must align with the SBOM and Vulnerability management requirements. - OSS and Comercial Licensing Risk Assessment Understanding and managing licensing risks associated with software components is crucial. Cybeats provides tools to assess these risks, helping organizations avoid legal and financial repercussions related to software licensing. - SBOM Sharing and Exchange We facilitate secure sharing and exchange of SBOMs within and across organizations. This capability ensures that all parties in the software supply chain have access to accurate and timely information, enhancing collaborative efforts toward secure software development.


**Average Rating:** 4.4/5.0
**Total Reviews:** 15

**Who Is the Company Behind Cybeats?**

- **Seller:** [CYBEATS](https://www.g2.com/sellers/cybeats)
- **Year Founded:** 2017
- **HQ Location:** Toronto, Ontario
- **Twitter:** @cybeatstech (616 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cybeats/ (32 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 47% Small-Business, 33% Mid-Market



#### What Are Recent G2 Reviews of Cybeats?

**"[Great Computer Security Service Solutin](https://www.g2.com/survey_responses/cybeats-review-7160083)"**

**Rating:** 4.5/5.0 stars
*— Patrícia P.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7160083)

---

**"[A safe and secure enterprise supply chain management system is created and enabled by Cybeats](https://www.g2.com/survey_responses/cybeats-review-7468992)"**

**Rating:** 4.5/5.0 stars
*— Karan C.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7468992)

---



### 3. [Aqua Security](https://www.g2.com/products/aqua-security/reviews)
Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.


**Average Rating:** 4.2/5.0
**Total Reviews:** 57

**Who Is the Company Behind Aqua Security?**

- **Seller:** [Aqua Security Software Ltd](https://www.g2.com/sellers/aqua-security-software-ltd)
- **Year Founded:** 2015
- **HQ Location:** Burlington, US
- **Twitter:** @AquaSecTeam (7,673 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aquasecteam/ (466 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software, Financial Services
- **Company Size:** 56% Enterprise, 39% Mid-Market


#### What Are Aqua Security's Pros and Cons?

**Pros:**

- Security (18 reviews)
- Ease of Use (15 reviews)
- Detection (10 reviews)
- Features (10 reviews)
- Comprehensive Security (8 reviews)

**Cons:**

- Missing Features (7 reviews)
- Lack of Features (5 reviews)
- Improvement Needed (4 reviews)
- Limited Features (4 reviews)
- Complexity (3 reviews)


### What Do G2 Reviewers Say About Aqua Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **proactive security insights** of Aqua Security, enabling early detection of issues and robust protection.
- Users value the **ease of use** with Aqua Security, benefiting from intuitive UI and seamless implementation.
- Users value the **effective detection of security issues** in Aqua Security, enhancing code safety before problems escalate.
- Users value the **intuitive UI and extensive security insights** provided by Aqua Security, facilitating proactive vulnerability management.
- Users value the **comprehensive security** features of Aqua Security, simplifying container management and enhancing overall protection.

**Cons:**

- Users note the **missing features** in Aqua Security, hindering deeper insights and effective reporting capabilities.
- Users highlight the **lack of features** in Aqua Security, particularly in dashboards and integration capabilities.
- Users feel there is **improvement needed** with Aqua Security&#39;s analytics, integrations, and overall functionality for better usability.
- Users note the **limited features** of Aqua Security, lacking essential integrations and customizable options for deeper insights.
- Users find the **complexity of the interface** and setup challenging, requiring extensive documentation and technical knowledge.

#### What Are Recent G2 Reviews of Aqua Security?

**"[AquaSec have been very efficient and user friendly.](https://www.g2.com/survey_responses/aqua-security-review-7802942)"**

**Rating:** 5.0/5.0 stars
*— Adefolarin B.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-7802942)

---

**"[Allows us to monitor security of or platforms and scan images easily.](https://www.g2.com/survey_responses/aqua-security-review-10502217)"**

**Rating:** 5.0/5.0 stars
*— Mitchell M.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-10502217)

---



### 4. [Arnica](https://www.g2.com/products/arnica/reviews)
Arnica is a comprehensive application security posture management (ASPM) platform that protects developers, source code, and products throughout the software development lifecycle. The platform provides real-time application security scanning with 100% coverage across the software supply chain, addressing risks in Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), hardcoded secrets detection, and more. At its core, Arnica offers AI-native security governance that takes control of AI-generated code through advanced AI SAST scanning and agentic rules enforcement. The platform automatically injects centrally-controlled security requirements into AI coding agents like Copilot, Cursor, and Claude at the point of code generation, ensuring every line of AI-written code is secure by default before vulnerabilities reach production. This approach addresses 92% of risks before they ever reach production environments. Arnica&#39;s pipelineless architecture provides automatic coverage for every repository without requiring CI/CD pipeline integrations or IDE deployments. The platform scans every code change at the feature branch level, delivering developer-native workflows that keep teams focused on building features rather than chasing security issues. Risk prioritization is enhanced through OWASP Top 10, CVSS, EPSS, and KEV scoring, combined with organizational context to surface the most critical vulnerabilities. The platform excels in developer experience by delivering security findings directly within existing workflows through Slack, Microsoft Teams, pull request comments, and automated ticket management in Jira and Azure DevOps Boards. AI-powered mitigation suggestions provide context-aware, automated fixes that align with organizational coding standards, significantly reducing mean-time-to-remediation. Key security capabilities include real-time secrets detection with automatic validation and mitigation, comprehensive container scanning that maps vulnerabilities directly to source code, and intelligent dependency management with automated SCA upgrades. The platform maintains SOC 2 Type 2 compliance and ISO 27001 certification, ensuring enterprise-grade security standards. Arnica&#39;s unique value proposition lies in its ability to scale security across entire organizations while maintaining development velocity, providing complete visibility into code risks, and enabling proactive security measures that prevent vulnerabilities from reaching production environments.


**Average Rating:** 4.9/5.0
**Total Reviews:** 8

**Who Is the Company Behind Arnica?**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Company Website:** https://www.arnica.io
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (124 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (60 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 63% Enterprise, 25% Small-Business


#### What Are Arnica's Pros and Cons?

**Pros:**

- Accuracy of Findings (1 reviews)
- Actionable Recommendations (1 reviews)
- Ease of Use (1 reviews)
- Easy Setup (1 reviews)
- Remediation Solutions (1 reviews)

**Cons:**

- Paid Features (1 reviews)


### What Do G2 Reviewers Say About Arnica?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **accuracy of findings** from Arnica, which enhances security while ensuring proper privilege management.
- Users value the **actionable recommendations** from Arnica, enabling effective reduction of unused privileges and security risks.
- Users praise the **ease of setup** for Arnica, noting a quick and efficient administration process.
- Users love the **easy setup** of Arnica, allowing for quick administration and efficient implementation without hassle.
- Users value Arnica for its ability to **simplify remediation of over-provisioning** in source code repositories, enhancing security effortlessly.

**Cons:**

- Users express concerns about **paid features limited to GitHub Enterprise** , restricting access for smaller teams to essential protections.

#### What Are Recent G2 Reviews of Arnica?

**"[Intuitive Dashboards and AI That Finds Real Issues](https://www.g2.com/survey_responses/arnica-review-12972680)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12972680)

---

**"[Developer-friendly AppSec with a flexible policy engine](https://www.g2.com/survey_responses/arnica-review-12962349)"**

**Rating:** 5.0/5.0 stars
*— Thomas G.*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12962349)

---


#### What Are G2 Users Discussing About Arnica?

- [What is Arnica used for?](https://www.g2.com/discussions/what-is-arnica-used-for)

### 5. [Finite State](https://www.g2.com/products/finite-state/reviews)
Finite State empowers device OEMs to ship securely while enabling engineering teams to move at the speed of AI, immediately transforming product artifacts into audit-ready assurance through a single automated workflow. Leveraging deep binary analysis and AI-native execution, the platform unifies code, compiled components, and firmware in minutes—connecting security design with deployed software. By continuously generating SBOMs, VEX, and signed compliance packages, Finite State enables connected device companies across industries such as medical devices and automotive to meet evolving regulations, including the EU Cyber Resilience Act (CRA), and deliver continuous compliance at speed. Learn more at https://finitestate.io/


**Average Rating:** 4.3/5.0
**Total Reviews:** 12

**Who Is the Company Behind Finite State?**

- **Seller:** [Finite State](https://www.g2.com/sellers/finite-state)
- **Company Website:** https://finitestate.io
- **Year Founded:** 2017
- **HQ Location:** Columbus, Ohio, United States
- **Twitter:** @FiniteStateInc (670 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/finitestate (78 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Enterprise, 25% Mid-Market



#### What Are Recent G2 Reviews of Finite State?

**"[Deep Visibility Into Supply Chain Risks and CVEs—Boosting Product Security](https://www.g2.com/survey_responses/finite-state-review-12966722)"**

**Rating:** 5.0/5.0 stars
*— Suru S.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12966722)

---

**"[Finite State Review: Firmware Security Simplified](https://www.g2.com/survey_responses/finite-state-review-12997919)"**

**Rating:** 5.0/5.0 stars
*— Prasanth B.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12997919)

---



### 6. [Mend.io](https://www.g2.com/products/mend-io/reviews)
Modern risk doesn&#39;t live in one layer, it lives between them. Mend.io is built for every risk, across AI and AppSec, securing the code layer, the AI layer, and the interactions between them. From discovery and red teaming to guardrails and runtime protection, Mend.io delivers continuous protection across the entire AI application lifecycle. Mend.io solutions include: 1. Mend AI secures the layer where modern risk actually lives—the interaction between code and AI. It continuously discovers AI components (agents, prompts, models), tests real behavioral risk through automated red teaming, and enforces in-app runtime guardrails for one continuous control system for the AI lifecycle. 2. Mend AppSec secures the modern code layer by continuously discovering and prioritizing risk across code, libraries, containers, and dependencies, giving teams the clarity they need to reduce exposure and ship secure software faster. 3. Mend Renovate secures the foundation of every codebase by automatically updating dependencies, rating the likelihood each update will succeed without breaking changes, and grouping them by confidence level so teams can resolve them faster.


**Average Rating:** 4.3/5.0
**Total Reviews:** 108

**Who Is the Company Behind Mend.io?**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,256 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (257 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 37% Small-Business, 34% Mid-Market


#### What Are Mend.io's Pros and Cons?

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)


### What Do G2 Reviewers Say About Mend.io?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **scanning efficiency** of Mend.io, enabling quick and accurate scans across numerous repositories seamlessly.
- Users appreciate the **ease of use** of Mend.io, praising its seamless integration and simple navigation for vulnerability detection.
- Users value the **easy integrations** with CI/CD systems, enabling efficient scanning and streamlined workflows across repositories.
- Users value the **quick and accurate scanning** capabilities of Mend.io, enhancing their development workflow significantly.
- Users appreciate the **automated vulnerability detection** of Mend.io, enhancing early identification and resolution within their CI/CD pipelines.

**Cons:**

- Users find **integration issues** with Mend.io, particularly with on-premise tools like Jira, to be quite challenging.
- Users note the **limited features** of Mend.io, requiring custom tools and workarounds for efficient integration and functionality.
- Users find the **missing features** in Mend.io limit functionality, requiring workarounds for CI/CD integration and scanning.
- Users face **complex implementation** challenges, including many false positives and issues with integration and scanner updates.
- Users find the **interface confusing** , having to navigate between different portals for SAST and SCA products.

#### What Are Recent G2 Reviews of Mend.io?

**"[Great Tool for Managing 3rd party libraries](https://www.g2.com/survey_responses/mend-io-review-6728890)"**

**Rating:** 4.5/5.0 stars
*— Johannes B.*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-6728890)

---

**"[Effortless Integration with Budget-Friendly Scanning](https://www.g2.com/survey_responses/mend-io-review-4261734)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-4261734)

---


#### What Are G2 Users Discussing About Mend.io?

- [What is your experience regarding pricing and costs for Mend.io, and how does it compare to other open-source security solutions?](https://www.g2.com/discussions/what-is-your-experience-regarding-pricing-and-costs-for-mend-io-and-how-does-it-compare-to-other-open-source-security-solutions)
- [What is Mend (formerly WhiteSource) used for?](https://www.g2.com/discussions/what-is-mend-formerly-whitesource-used-for)
- [What is white Source bolt?](https://www.g2.com/discussions/what-is-white-source-bolt)
- [What are SCA tools?](https://www.g2.com/discussions/what-are-sca-tools)
- [What is software composition analysis SCA?](https://www.g2.com/discussions/what-is-software-composition-analysis-sca)

### 7. [Socket](https://www.g2.com/products/socket-socket/reviews)
Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure.


**Average Rating:** 4.7/5.0
**Total Reviews:** 10

**Who Is the Company Behind Socket?**

- **Seller:** [Socket](https://www.g2.com/sellers/socket)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @SocketSecurity (21,558 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (115 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 40% Mid-Market, 30% Enterprise


#### What Are Socket's Pros and Cons?

**Pros:**

- Security (3 reviews)
- Open Source (2 reviews)
- Accuracy of Findings (1 reviews)
- Alerts (1 reviews)
- Comprehensive Security (1 reviews)

**Cons:**

- Missing Features (1 reviews)
- System Slowness (1 reviews)


### What Do G2 Reviewers Say About Socket?
*AI-generated summary from verified user reviews*

**Pros:**

- Users commend Socket for its **high-signal malware detection** and proactive support, enhancing supply chain security significantly.
- Users commend Socket for its **thorough open source security analysis** , greatly enhancing package evaluation and simplifying workflows.
- Users commend Socket for its **highly accurate analysis** , enhancing efficiency in managing open source security challenges.
- Users value the **proactive alerts** for supply chain attacks, ensuring strong security and quick customer support responses.
- Users value the **comprehensive security** offered by Socket, enhancing decision-making in managing software supply-chain risks.

**Cons:**

- Users find the **missing features** of Socket limiting, wishing for more use case coverage to streamline their tools.
- Users report **system slowness** , particularly with UI loading times, which can hinder overall usability.

#### What Are Recent G2 Reviews of Socket?

**"[Unique Approach to Supply Chain Security Problem and Does It Really Well](https://www.g2.com/survey_responses/socket-review-12052484)"**

**Rating:** 5.0/5.0 stars
*— Sindhoor H.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12052484)

---

**"[Essential Tool for Application Security with Stellar MCP Feature](https://www.g2.com/survey_responses/socket-review-12686360)"**

**Rating:** 5.0/5.0 stars
*— Shreejal M.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12686360)

---



### 8. [SOOS](https://www.g2.com/products/soos/reviews)
SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS’s ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard. SCA - Deep tree vulnerability scanning, license compliance, governance DAST - Automated Web &amp; API vulnerability scanning Containers - Scan contents for vulnerabilities SAST - Analyze code for security vulnerabilities IaC - Cloud security coverage SBOMs - Create – monitor – manage


**Average Rating:** 4.6/5.0
**Total Reviews:** 42

**Who Is the Company Behind SOOS?**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (44 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (24 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Mid-Market, 43% Small-Business


#### What Are SOOS's Pros and Cons?

**Pros:**

- Ease of Use (9 reviews)
- Customer Support (5 reviews)
- Easy Integrations (5 reviews)
- Integrations (5 reviews)
- Easy Setup (4 reviews)

**Cons:**

- Lack of Guidance (3 reviews)
- Poor Reporting (3 reviews)
- Dashboard Issues (2 reviews)
- Inadequate Reporting (2 reviews)
- Lacking Features (2 reviews)


### What Do G2 Reviewers Say About SOOS?
*AI-generated summary from verified user reviews*

**Pros:**

- Users find the **ease of use** of SOOS exceptional, appreciating user-friendly configurations and supportive onboarding experiences.
- Users praise the **awesome customer support** from SooS, enhancing their experience and setup process significantly.
- Users appreciate the **easy integrations** of SOOS, facilitating smooth development workflows without disruptions.
- Users value the **smooth integrations** of SOOS, ensuring effortless maintenance and reliable vulnerability visibility in workflows.
- Users love the **easy setup** of SOOS, enabling quick integration and intuitive usage for seamless API scanning.

**Cons:**

- Users note a **lack of guidance** in documentation and actionable remediation context, making onboarding and fixes challenging.
- Users find the **reporting poor** , lacking necessary filtering and grouping options for effective analysis of vulnerabilities.
- Users find the **dashboard issues** challenging, especially regarding reporting capabilities and asynchronous scanning limitations.
- Users find the **inadequate reporting** options in SOOS limit effective analysis and stakeholder communication.
- Users feel SOOS has **lacking features** , particularly in reporting options and intuitive navigation for new users.

#### What Are Recent G2 Reviews of SOOS?

**"[Awesome tool for detecting vulnerabilities within project dependecies](https://www.g2.com/survey_responses/soos-review-7753830)"**

**Rating:** 4.5/5.0 stars
*— Nayan C.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7753830)

---

**"[Reliable continuous security assessment for our pipelines](https://www.g2.com/survey_responses/soos-review-7744758)"**

**Rating:** 4.0/5.0 stars
*— Brallan G.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7744758)

---



### 9. [CAST Highlight](https://www.g2.com/products/cast-highlight/reviews)
Portfolio-level insights for app modernization, AI readiness, tech debt, OSS risks CAST Highlight is a SaaS software intelligence technology that delivers rapid, fact-based insights across your entire application portfolio. By automatically analyzing the source code of hundreds or thousands of applications, CAST Highlight helps organizations assess cloud maturity, AI &amp; Agentic readiness, software health, open source risk, resiliency, technical debt, and sustainability from a single lightweight scan. CAST Highlight is designed for CIOs, CTOs, enterprise architects, cloud leaders, application owners, security teams, and modernization teams that need a fact-based way to prioritize modernization, cloud, and AI adoption decisions at scale. It helps teams identify which applications are ready to move quickly, which require remediation, and where hidden software risks may affect transformation cost, timelines, security, resilience, or business outcomes. Unlike traditional manual or survey-based assessments, CAST Highlight analyzes application source code directly to rapidly segment portfolios, prioritize modernization paths, and uncover risks before they impact transformation programs. Organizations use CAST Highlight to: - Accelerate cloud migration and modernization planning - Segment applications by cloud maturity and transformation path - Identify high-value AI adoption opportunities - Assess Agentic Readiness across application portfolios - Prioritize technical debt, resiliency, and maintainability improvements - Assess open source vulnerabilities and IP / license exposure - Evaluate software sustainability with Green Impact insights - Reduce complexity, cost, and risk across transformation programs Businesses move faster using CAST to understand, improve, and transform their software. Through semantic analysis of source code, CAST generates dashboards and 3D maps for executives, technologists, and AI to navigate inside individual applications and across entire portfolios. This intelligence enables companies to steer, speed, and report on initiatives such as technical debt, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.


**Average Rating:** 4.5/5.0
**Total Reviews:** 86

**Who Is the Company Behind CAST Highlight?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Company Website:** https://www.castsoftware.com
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 57% Enterprise, 24% Small-Business


#### What Are CAST Highlight's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Easy Setup (4 reviews)
- Cloud Services (3 reviews)
- Efficiency (3 reviews)
- Real-time Monitoring (3 reviews)

**Cons:**

- Complex Navigation (1 reviews)
- Dashboard Issues (1 reviews)
- Delayed Detection (1 reviews)
- Difficulty (1 reviews)
- Expensive (1 reviews)


### What Do G2 Reviewers Say About CAST Highlight?
*AI-generated summary from verified user reviews*

**Pros:**

- Users commend the **ease of use** of CAST Highlight, benefiting from quick setup and efficient application analysis.
- Users find the **setup process easy** , enabling quick, efficient analysis of applications with minimal configuration required.
- Users appreciate the **cloud compatibility assessments** offered by CAST Highlight, significantly aiding in application migration and risk evaluation.
- Users appreciate the **efficient analysis** capabilities of CAST Highlight, enabling fast and objective insights for modernization strategies.
- Users value the **real-time monitoring** of CAST Highlight, enabling swift assessments and immediate actionable insights with ease.

**Cons:**

- Users find the **complex navigation** in CAST Highlight challenging, hindering their overall experience and efficiency.
- Users find the **dashboard issues** with CAST Highlight hinder deep technical analysis and require extensive customization.
- Users find that CAST Highlight&#39;s **delayed detection** may hinder timely insights and complicate technical analysis and metrics interpretation.
- Users find the **difficulty of initial configuration and interpretation** can hinder effective use of CAST Highlight.
- Users find the **expensive pricing** of CAST Highlight limits its accessibility for larger organizations, despite its value.

#### What Are Recent G2 Reviews of CAST Highlight?

**"[Efficient Analysis &amp; Confident Modernization](https://www.g2.com/survey_responses/cast-highlight-review-12250186)"**

**Rating:** 4.5/5.0 stars
*— Neha C.*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12250186)

---

**"[Portfolio Insights in One Place with CAST Highlight](https://www.g2.com/survey_responses/cast-highlight-review-12977472)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Government Administration*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12977472)

---


#### What Are G2 Users Discussing About CAST Highlight?

- [What is cast imaging?](https://www.g2.com/discussions/what-is-cast-imaging) - 1 comment
- [How does a cast tool work?](https://www.g2.com/discussions/how-does-a-cast-tool-work)
- [What is CAST software tool?](https://www.g2.com/discussions/what-is-cast-software-tool) - 1 comment
- [What does cast highlight do?](https://www.g2.com/discussions/what-does-cast-highlight-do) - 1 comment

### 10. [Manifest](https://www.g2.com/products/manifest-cyber-manifest/reviews)
Manifest helps organizations understand and reduce the cybersecurity risk in the technology they produce and procure. The Manifest platform operationalizes software bills of materials (SBOMs), artificial intelligence bills of materials (AIBOMs), and Vulnerability Exploitability eXchange (VEX) documents so organizations can analyze and action the risk in internal or third-party tools. Manifest manages the entire SBOM lifecycle for customers in critical industries like enterprise technology, aerospace, defense contracting, healthcare, manufacturing &amp; logistics, financial services, and the federal government.


**Average Rating:** 5.0/5.0
**Total Reviews:** 3

**Who Is the Company Behind Manifest?**

- **Seller:** [Manifest Cyber](https://www.g2.com/sellers/manifest-cyber)
- **HQ Location:** Connecticut, USA
- **Twitter:** @manifestcyber (89 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/manifestcyber/ (14 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 67% Mid-Market, 33% Small-Business


#### What Are Manifest's Pros and Cons?

**Pros:**

- Ease of Use (3 reviews)
- Automation (2 reviews)
- Real-time Monitoring (2 reviews)
- Authentication Security (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Time Consumption (1 reviews)


### What Do G2 Reviewers Say About Manifest?
*AI-generated summary from verified user reviews*

**Pros:**

- Users find Manifest to be **exceptionally easy to use** , integrating seamlessly into workflows and enhancing overall efficiency.
- Users value the **automation capabilities** of Manifest, streamlining SBOM generation and enhancing supply chain security effortlessly.
- Users value the **real-time monitoring** capabilities of Manifest, enhancing security and transparency in their software supply chain.
- Users value the **authentication security** of Manifest, which enhances the protection of the software supply chain.
- Users rave about the **exceptional customer support** from Manifest, ensuring satisfaction and effective product implementation.

**Cons:**

- Users find that the **integration process consumes significant time** , making it challenging to streamline their workflow.

#### What Are Recent G2 Reviews of Manifest?

**"[Real “Continuous Compliance”](https://www.g2.com/survey_responses/manifest-review-9130056)"**

**Rating:** 5.0/5.0 stars
*— Peter Z.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9130056)

---

**"[Cutting-Edge Tool Enables Complete Lifecycle Management of your Software Bill of Materials](https://www.g2.com/survey_responses/manifest-review-9139664)"**

**Rating:** 5.0/5.0 stars
*— Shaun M.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9139664)

---



### 11. [Snyk](https://www.g2.com/products/snyk/reviews)
Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code &amp; open source to containers &amp; cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix &amp; merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find &amp; fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free!


**Average Rating:** 4.5/5.0
**Total Reviews:** 135

**Who Is the Company Behind Snyk?**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (21,057 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,370 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 44% Mid-Market, 35% Small-Business


#### What Are Snyk's Pros and Cons?

**Pros:**

- Easy Integrations (5 reviews)
- Vulnerability Detection (5 reviews)
- Ease of Use (4 reviews)
- User Interface (4 reviews)
- Vulnerability Identification (4 reviews)

**Cons:**

- Expensive (3 reviews)
- False Positives (3 reviews)
- Poor Interface Design (2 reviews)
- Pricing Issues (2 reviews)
- Scanning Issues (2 reviews)


### What Do G2 Reviewers Say About Snyk?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **easy integrations** of Snyk, facilitating seamless setup and management within their development workflows.
- Users value Snyk&#39;s **vulnerability detection** for its rapid updates and user-friendly integration, enhancing code security and efficiency.
- Users love Snyk for its **ease of use** , enjoying simple integration and intuitive navigation for vulnerability management.
- Users appreciate the **intuitive GUI and seamless integration** of Snyk, making vulnerability management straightforward and efficient.
- Users value Snyk&#39;s **efficient vulnerability identification** that enhances code security and streamlines development processes.

**Cons:**

- Users find Snyk to be **very expensive** , raising concerns about cost despite its long-term value.
- Users experience **false positive issues** with Snyk, leading to confusion and missed genuine vulnerabilities during scans.
- Users find the **interface design lacking** , especially with DAST being separate and overall usability concerns.
- Users express concerns about **pricing issues** , noting that comprehensive features may come at a high cost.
- Users often face **false positives in scanning** and delays in pipeline due to slow scans for medium repositories.

#### What Are Recent G2 Reviews of Snyk?

**"[Seamless Dev-First Security with Fast Scans and Actionable Fixes](https://www.g2.com/survey_responses/snyk-review-12676270)"**

**Rating:** 4.5/5.0 stars
*— Prateek J.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12676270)

---

**"[Developer-Friendly Security with Clear, Automated Fixes](https://www.g2.com/survey_responses/snyk-review-12974957)"**

**Rating:** 4.5/5.0 stars
*— Hemanth K.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12974957)

---


#### What Are G2 Users Discussing About Snyk?

- [What is Snyk scanning?](https://www.g2.com/discussions/what-is-snyk-scanning) - 2 comments, 2 upvotes
- [Is Snyk a SaaS?](https://www.g2.com/discussions/is-snyk-a-saas) - 2 comments
- [How good is Snyk?](https://www.g2.com/discussions/how-good-is-snyk) - 2 comments
- [What is Snyk used for?](https://www.g2.com/discussions/what-is-snyk-used-for)

### 12. [Anchore](https://www.g2.com/products/anchore/reviews)
Anchore, Inc., based in Santa Barbara, CA, was founded in 2016 by Saïd Ziouani and Daniel Nurmi to help organizations implement secure container-based workflows without compromising velocity. Anchore Enterprise is a complete container security workflow solution for professional teams. Integrating seamlessly with a wide variety of development tools and platforms, it allows teams to adhere to defined industry security standards. The Anchore Enterprise user interface provides visibility to security teams, allowing them to audit and verify compliance throughout the organization. It can be deployed in air-gapped and public cloud environments and is built for large scale. Anchore Enterprise is based on Anchore Engine, an open-source tool for deep image inspection and vulnerability scanning.


**Average Rating:** 4.4/5.0
**Total Reviews:** 4

**Who Is the Company Behind Anchore?**

- **Seller:** [Anchore](https://www.g2.com/sellers/anchore)
- **Year Founded:** 2016
- **HQ Location:** Santa Barbara, California, United States
- **Twitter:** @anchore (2,797 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/anchore/ (91 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise


#### What Are Anchore's Pros and Cons?

**Pros:**

- Cloud Integration (1 reviews)
- Ease of Use (1 reviews)
- Easy Integrations (1 reviews)
- Features (1 reviews)
- Onboarding (1 reviews)



### What Do G2 Reviewers Say About Anchore?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **cloud integration capabilities** of Anchore, enhancing workflow management with tools like DefectDojo and Jira.
- Users find Anchore&#39;s interface **clean and user-friendly** , streamlining workflows and enhancing security issue management.
- Users appreciate the **easy integrations** with tools like DefectDojo and Jira for streamlined security workflows.
- Users commend the **clean and easy-to-use interface** of Anchore, enhancing integration and workflow planning for security issues.
- Users appreciate the **clean and easy-to-use interface** of Anchore, enhancing their workflow integration and issue tracking.


#### What Are Recent G2 Reviews of Anchore?

**"[Love the intuitive interface and dashboard to assess security posture in a single place](https://www.g2.com/survey_responses/anchore-review-11048224)"**

**Rating:** 4.0/5.0 stars
*— Raja A.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-11048224)

---

**"[Anchore: Essential Tool for Container Security and Compliance](https://www.g2.com/survey_responses/anchore-review-10025756)"**

**Rating:** 4.0/5.0 stars
*— Dr habeeb M.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-10025756)

---


#### What Are G2 Users Discussing About Anchore?

- [What is Anchore used for?](https://www.g2.com/discussions/what-is-anchore-used-for)

### 13. [1Exiger Platform](https://www.g2.com/products/1exiger-platform/reviews)
Exiger’s award-winning, purpose-built technology platform, 1Exiger, is the only open-source, third-party and supply chain management software that helps companies and government agencies achieve cost savings, resilience, and compliance in real time. Created and launched in collaboration with our 550+ customers, the platform makes supply chain management simple, intuitive and accessible. The 1Exiger user experience is housed in an integrated suite that is scalable and secure. Using our powerful AI technology, you can uncover risks and reveal insights that enable confident decision-making.


**Average Rating:** 4.5/5.0
**Total Reviews:** 17

**Who Is the Company Behind 1Exiger Platform?**

- **Seller:** [Exiger](https://www.g2.com/sellers/exiger)
- **Company Website:** https://www.exiger.com/
- **HQ Location:** New York, NY
- **Twitter:** @exigerllc (1,851 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/exiger (800 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 53% Enterprise, 47% Mid-Market


#### What Are 1Exiger Platform's Pros and Cons?

**Pros:**

- Risk Management (6 reviews)
- Ease of Use (5 reviews)
- Automation Efficiency (3 reviews)
- Compliance Management (3 reviews)
- Comprehensive Coverage (3 reviews)

**Cons:**

- Limited Customization (4 reviews)
- Limited Functionality (4 reviews)
- Difficult Usability (3 reviews)
- Limited Features (3 reviews)
- Poor Navigation (3 reviews)


### What Do G2 Reviewers Say About 1Exiger Platform?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **strong risk visibility** of the 1Exiger Platform, enabling proactive management of compliance and regulatory risks.
- Users find 1Exiger Platform to be **easy to use** , enabling seamless implementation and efficient risk management for all suppliers.
- Users value the **automation efficiency** of the 1Exiger Platform, streamlining risk management and compliance workflows effectively.
- Users value the **centralized compliance management** of the 1Exiger Platform, streamlining risk assessment and reporting effectively.
- Users appreciate the **comprehensive coverage** of 1Exiger, finding it user-friendly and effective for risk management.

**Cons:**

- Users find the **limited customization** options of the 1Exiger Platform restrict their ability to meet specific business needs.
- Users note the **limited functionality** of the 1Exiger Platform, especially regarding customization and mobile accessibility.
- Users experience **difficult usability** with the 1Exiger Platform, citing a steep learning curve and complex navigation.
- Users find **customization options limited** on the 1Exiger Platform, especially for mobile access and specific modules.
- Users report that the **navigation can be confusing** and slow, particularly for new users handling complex tasks.

#### What Are Recent G2 Reviews of 1Exiger Platform?

**"[Easy-to-Use Platform That Centralizes Risk &amp; Compliance Data and Saves Time](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Package/Freight Delivery*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)

---

**"[Great Visibility Into HQ Practices for Remote Teams](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)"**

**Rating:** 4.0/5.0 stars
*— carl l.*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)

---


#### What Are G2 Users Discussing About 1Exiger Platform?

- [What is DDIQ used for?](https://www.g2.com/discussions/what-is-ddiq-used-for)

### 14. [FossID](https://www.g2.com/products/fossid-fossid/reviews)
FossID is a Software Composition Analysis (SCA) suite designed to give organizations clear, defensible insight into the software they build and ship. It helps teams understand exactly what third-party, open source, and commercial code exists in their products so they can manage license compliance, intellectual property risk, and security with confidence. Agentic SCA by FossID brings software supply chain integrity into the moment of code creation for continuous, real-time license and security compliance so you can move at AI-speed and eliminate reactive code rework. FossID is ideal for organizations that value accuracy, transparency, and control over their software supply chain. It is widely used by manufacturers of embedded systems and software-driven products in industries such as automotive, aerospace, medical devices, industrial automation, electronics, and telecom, where regulatory requirements and long product lifecycles demand a higher standard of software governance. FossID is also trusted by legal, compliance, and GRC teams that need reliable, auditable results, as well as by acquirers and investors conducting technical due diligence. FossID analyzes real source code rather than relying solely on declared dependencies. FossID identifies reused components and code snippets with high precision, detecting fragments as small as six lines of code. This approach delivers more accurate results in complex, mixed codebases, including legacy systems, embedded software, and environments influenced by AI-assisted development. Key differentiators include deep snippet-level detection that remains effective even when code has been modified or reformatted, a 200M+ component open source knowledge base covering more than 2,500 licenses, and strong identification of license and copyright obligations. FossID is deployed in a way that ensures that source code never leaves the organization, a critical requirement for security- and IP-sensitive teams. FossID supports software supply chain integrity across the entire development and release lifecycle. Engineers use it early to identify and resolve issues before code is merged. Legal and compliance teams rely on it to validate policy compliance, manage license obligations and produce accurate SBOMs. Governance, Risk, and Compliance leaders use FossID to demonstrate software supply chain transparency, reduce audit risk, and support regulatory compliance initiatives, including the EU Cyber Resilience Act. The primary value of FossID is confidence. Confidence in what is inside your software, confidence in your compliance posture, and confidence that your teams can move forward efficiently without introducing unnecessary risk.


**Average Rating:** 4.0/5.0
**Total Reviews:** 2

**Who Is the Company Behind FossID?**

- **Seller:** [FossID](https://www.g2.com/sellers/fossid-038ca491-2507-49c4-b6f1-2f965c09e84e)
- **Company Website:** https://www.fossid.com
- **Year Founded:** 2016
- **Twitter:** @FOSSID_AB (137 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossid-ab/ (1 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise



#### What Are Recent G2 Reviews of FossID?

**"[Detects Code-Snippets reliable and has good usabiilty](https://www.g2.com/survey_responses/fossid-review-11298102)"**

**Rating:** 4.0/5.0 stars
*— Nikolaus F.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-11298102)

---

**"[Powerful, Customizable Scanning with Accurate License Detection and Great Support](https://www.g2.com/survey_responses/fossid-review-12638783)"**

**Rating:** 4.0/5.0 stars
*— Jackie L.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-12638783)

---



### 15. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision to keep software continuously flowing, secure, and always up to date, the JFrog Platform serves as the definitive software supply chain system of record. It is uniquely engineered to power organizations as they build, manage, and distribute trusted software with unprecedented speed, security, and scale across hybrid and multi-cloud environments. As software engineering evolves in the AI era, JFrog’s newest offerings address the industry&#39;s most pressing trend: the rise of agentic software development and the hidden security risks of &quot;Shadow AI.&quot; In response to threat actors increasingly targeting developer workflows including a massive surge in malicious open-source AI models and infected packages; JFrog has expanded its platform capabilities to deliver absolute end-to-end visibility and automated compliance. Key new innovations include the JFrog AI Catalog, which enables organizations to centralize, govern, and control the lifecycle of AI models approved for enterprise use. To secure autonomous coding environments, JFrog introduced the Universal MCP Registry and the Agent Skills Registry (developed alongside NVIDIA). These new solutions establish the industry’s first enterprise-grade trust layer to safely manage and store AI agent skills, monitor connections, and instantly block unsafe developer tools or malicious coding extensions right where developers work. Furthermore, the integration of advanced DevGovOps and Runtime Security tools allows teams to replace slow, manual compliance audits with continuous, background policy enforcement. By shifting security left directly into the binary pipeline, JFrog ensures that the volume of AI-assisted code does not outpace an organization&#39;s ability to verify its safety. Today, millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on the universal JFrog Platform to eliminate point-solution fatigue, bridge the governance gap, and securely embrace digital transformation. Learn more at www.jfrog.com or follow us on X @JFrog.


**Average Rating:** 4.2/5.0
**Total Reviews:** 139

**Who Is the Company Behind JFrog?**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,186 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,364 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer, DevOps Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Enterprise, 30% Mid-Market


#### What Are JFrog's Pros and Cons?

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)


### What Do G2 Reviewers Say About JFrog?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **unified support for diverse package formats** in JFrog, enhancing their DevOps workflows significantly.
- Users value the **centralized management of artifacts** in JFrog, enhancing security and efficiency in DevOps workflows.
- Users value the **seamless deployment integration** of JFrog, streamlining CI/CD pipelines and enhancing security across projects.
- Users value the **seamless integrations** of JFrog with various tools, enhancing their CI/CD pipeline efficiency and security.
- Users love the **easy integrations** with various tools, enhancing their CI/CD workflow and artifact management.

**Cons:**

- Users find the **complexity** of the JFrog platform overwhelming, often requiring extensive training to navigate its functionalities.
- Users feel the **cost of JFrog** can be prohibitive for smaller teams, making adoption challenging and less accessible.
- Users face a **steep learning curve** and significant setup time, making initial adoption challenging for smaller teams.
- Users find the **difficult learning curve** of JFrog challenging, necessitating extensive training to harness its full capabilities.
- Users find the **learning difficulty** of JFrog challenging, as it requires substantial time and effort to master.

#### What Are Recent G2 Reviews of JFrog?

**"[JFrog Simplifies Artifact Management for Organized, Reliable Deployments](https://www.g2.com/survey_responses/jfrog-review-12870354)"**

**Rating:** 4.5/5.0 stars
*— Subhashree S.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12870354)

---

**"[Efficient, Scalable Artifact Management That Streamlines the Software Delivery Lifecycle](https://www.g2.com/survey_responses/jfrog-review-12788318)"**

**Rating:** 4.0/5.0 stars
*— Arkajit D.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12788318)

---


#### What Are G2 Users Discussing About JFrog?

- [What are the benefits and challenges of using JFrog for managing your software supply chain?](https://www.g2.com/discussions/what-are-the-benefits-and-challenges-of-using-jfrog-for-managing-your-software-supply-chain)
- [What does Jfrog Platform do?](https://www.g2.com/discussions/what-does-jfrog-platform-do)
- [What is difference between JFrog and Nexus?](https://www.g2.com/discussions/what-is-difference-between-jfrog-and-nexus)
- [What is Artifactory software used for?](https://www.g2.com/discussions/what-is-artifactory-software-used-for)

### 16. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


**Average Rating:** 4.4/5.0
**Total Reviews:** 151

**Who Is the Company Behind SonarQube?**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,913 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (973 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** DevOps Engineer, Software Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 43% Enterprise, 39% Mid-Market


#### What Are SonarQube's Pros and Cons?

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)


### What Do G2 Reviewers Say About SonarQube?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value SonarQube for its ability to **efficiently flag code quality and security issues** , ensuring a clean and reliable codebase.
- Users appreciate the **flexible issue filtering and prioritization** features of SonarQube, enhancing focus and communication.
- Users value the **issue identification** feature of SonarQube, enhancing focus on high-priority problems and improving development processes.
- Users appreciate the **ease of use** of SonarQube, benefiting from automated quality checks integrated into their development workflows.
- Users appreciate the **easy integrations** with CI/CD tools, enhancing their workflow and overall development process.

**Cons:**

- Users experience **software bugs** including false positives and high RAM usage, complicating usage and requiring advanced knowledge.
- Users find the **configuration process complex** , often requiring extensive knowledge and still resulting in numerous warnings.
- Users report frequent **false positives** that complicate the analysis process, affecting the overall usability of SonarQube.
- Users find SonarQube&#39;s **configuration complexity** and overwhelming warnings to be challenging, affecting their overall experience.
- Users find the **complex setup** of SonarQube challenging, especially for beginners, often leading to frustrating experiences.

#### What Are Recent G2 Reviews of SonarQube?

**"[SonarQube: Easy Integration, Simple UI, and Solid Free Code Quality Scanning](https://www.g2.com/survey_responses/sonarqube-review-12975264)"**

**Rating:** 4.5/5.0 stars
*— Divyarajsinh  C.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-12975264)

---

**"[Catches bugs early, saves us time](https://www.g2.com/survey_responses/sonarqube-review-13087609)"**

**Rating:** 5.0/5.0 stars
*— Srinidhi H.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-13087609)

---


#### What Are G2 Users Discussing About SonarQube?

- [What is SonarLint used for?](https://www.g2.com/discussions/what-is-sonarlint-used-for)
- [What is SonarQube and how does it work?](https://www.g2.com/discussions/what-is-sonarqube-and-how-does-it-work) - 1 upvote
- [What is the benefit of SonarQube?](https://www.g2.com/discussions/what-is-the-benefit-of-sonarqube)
- [What are the main components of SonarQube platform?](https://www.g2.com/discussions/what-are-the-main-components-of-sonarqube-platform)
- [What is SonarQube and its features?](https://www.g2.com/discussions/what-is-sonarqube-and-its-features)

### 17. [Xygeni](https://www.g2.com/products/xygeni/reviews)
Secure your Software Development and Delivery! Xygeni Security specializes in Application Security Posture Management (ASPM), using deep contextual insights to effectively prioritize and manage security risks while minimizing noise and overwhelming alerts. Our innovative technologies automatically detect malicious code in real-time upon new and updated components publication, immediately notifying customers and quarantining affected components to prevent potential breaches. With extensive coverage spanning the entire Software Supply Chain—including Open Source components, CI/CD processes and infrastructure, Anomaly detection, Secret leakage, Infrastructure as Code (IaC), and Container security—Xygeni ensures robust protection for your software applications. Trust Xygeni to protect your operations and empower your team to build and deliver with integrity and security.


**Average Rating:** 4.6/5.0
**Total Reviews:** 4

**Who Is the Company Behind Xygeni?**

- **Seller:** [Xygeni Security](https://www.g2.com/sellers/xygeni-security)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **Twitter:** @xygeni (178 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/xygeni/ (30 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 60% Small-Business, 40% Mid-Market


#### What Are Xygeni's Pros and Cons?

**Pros:**

- Comprehensive Security (2 reviews)
- Prioritization (2 reviews)
- Risk Management (2 reviews)
- Security (2 reviews)
- Cloud Integration (1 reviews)

**Cons:**

- Difficult Setup (1 reviews)
- Learning Curve (1 reviews)


### What Do G2 Reviewers Say About Xygeni?
*AI-generated summary from verified user reviews*

**Pros:**

- Users commend the **comprehensive security** of Xygeni, enhancing their development process with effective risk management and compliance.
- Users value Xygeni&#39;s **contextual risk prioritization** , empowering teams to focus on critical security issues effectively.
- Users highlight the **advanced risk management capabilities** of Xygeni, effectively identifying and prioritizing security vulnerabilities.
- Users value the **robust security features** of Xygeni, enabling proactive threat management and compliance automation in development.
- Users value the **seamless CI/CD integration** of Xygeni, enhancing security while maintaining efficient development processes.

**Cons:**

- Users experience **difficult setup** with Xygeni, as certain edge cases complicate the integration with CI/CD pipelines.
- Users note a **steep learning curve** for first-time users, requiring familiarity with AppSec best practices.

#### What Are Recent G2 Reviews of Xygeni?

**"[The essential tool for proactive security and confident development](https://www.g2.com/survey_responses/xygeni-review-11393516)"**

**Rating:** 4.5/5.0 stars
*— Marcos C.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11393516)

---

**"[Revolutionized Our Security Workflow with Unified, AI-Driven Efficiency](https://www.g2.com/survey_responses/xygeni-review-11998435)"**

**Rating:** 5.0/5.0 stars
*— Yerassyl K.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11998435)

---



### 18. [BINARLY](https://www.g2.com/products/binarly/reviews)
Binarly is an AI-powered platform dedicated to protecting devices from emerging firmware and hardware threats. Founded in 2021 and headquartered in Pasadena, California, Binarly leverages advanced machine learning and deep code inspection at the binary level to provide comprehensive visibility into hardware and firmware vulnerabilities. This approach enables security teams to detect and respond to sophisticated attacks below the operating system, ensuring robust protection for enterprise device infrastructures.



**Who Is the Company Behind BINARLY?**

- **Seller:** [BINARLY](https://www.g2.com/sellers/binarly)
- **Year Founded:** 2021
- **HQ Location:** Santa Monica, US
- **LinkedIn® Page:** https://www.linkedin.com/company/binarlyinc (48 employees on LinkedIn®)






### 19. [CAST SBOM Manager](https://www.g2.com/products/cast-sbom-manager/reviews)
CAST SBOM Manager enables users to automatically create, customize, and maintain Software Bill of Materials (SBOMs) with the ultimate level of control and flexibility. It detects open source dependencies and related risks (vulnerabilities and security advisories, licenses, obsolescence) directly from scanning source code, and allows you to create and maintain SBOM metadata over time (proprietary components, custom licenses, vulnerabilities) and much more.



**Who Is the Company Behind CAST SBOM Manager?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)
- **Ownership:** Bridgepoint






### 20. [CBOM Secure](https://www.g2.com/products/cbom-secure/reviews)
CBOM Secure is a machine-readable Cryptographic Bill of Materials (CBOM) platform that delivers continuous visibility and control over cryptography across source code, binaries, containers, and runtime environments. It automatically discovers and inventories algorithms, keys, certificates, protocols, and libraries, creating a centralized, normalized system of record. By mapping cryptographic assets to real execution paths, CBOM helps organizations distinguish dormant components from active usage, prioritize risk, and accelerate incident response. The platform supports compliance with standards such as NIST, FIPS 140-3, CMMC 2.0, and ISO 27001 while identifying legacy and quantum-vulnerable cryptography to enable structured post-quantum migration. Available on-premises, in the cloud, SaaS, or hybrid, CBOM transforms undocumented cryptography into a governed, audit-ready security control.



**Who Is the Company Behind CBOM Secure?**

- **Seller:** [Encryption Consulting](https://www.g2.com/sellers/encryption-consulting)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/No-Linkedin-Presence-Added-Intentionally-By-DataOps (1 employees on LinkedIn®)






### 21. [Enso Security](https://www.g2.com/products/enso-security/reviews)
Enso Application Security Posture is a platform for AppSec teams to manage their day-to-day work, implement their security strategy into an AppSec organizational program, enforce it and automate it. And all of that in a scalable rapidly changing environment. AppSec teams struggle with prioritization - they may have a vision and concept of how to handle AppSec, but they don’t know where to invest and what actions to take. To keep up with R&amp;D velocity and scale, Enso provides full visibility on the application inventory, focuses the AppSec teams on the most important tasks and insights, and takes a policy-based “call to action” approach so that the AppSec professionals won’t waste their time looking for application changes, prioritizing, or doing manual work.



**Who Is the Company Behind Enso Security?**

- **Seller:** [Enso Security](https://www.g2.com/sellers/enso-security)
- **HQ Location:** Boston, Massachusetts, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/enso-security/ (1,331 employees on LinkedIn®)






### 22. [Eracent SBOM-HQ](https://www.g2.com/products/eracent-sbom-hq/reviews)
SBOM-HQ™ - from Eracent SBOM-HQ™ provides a well-rounded set of data, reporting and analysis features that help organizations minimize risks and comply with cyber mandates and directives. While SBOM-HQ™ provides value to in-house and commercial application development teams, it is also unique in its approach to meeting the requirements of organizations that purchase or subscribe to software from numerous publishers. These “software consumers” will have to manage dozens, hundreds, or even thousands of SBOMs for products that they use, and this is impractical or impossible to do one SBOM at a time. SBOM-HQ™ is based around a centralized, single-source repository of libraries, components, and other related data from SBOMs. It dramatically reduces response time when a vulnerability is reported since it eliminates the need to review SBOMs individually. How does SBOM-HQ™ work? Customers upload their SBOM files via the user interface. During this straightforward process, users can assign related information that can be used to support reporting, filters, data access, and more. This information includes Publisher, Line of Business, Application Component, and more. SBOM-HQ™ “deconstructs” each uploaded SBOM and records the software product to which the SBOM belongs and all the SBOM’s content. This results in an index of components and libraries mapped to products. If a vulnerability is reported by NIST or another organization, customers get an immediate report of every product in use in their organization that includes the affected component or library. SBOM-HQ™ is continuously monitored and updated, and it leverages vulnerability data from NIST and other trusted global sources. It uses this data to display risk scores, levels of criticality, and more. SBOM-HQ™ also provides visibility into license types for each component and library, reducing the risk of unknowingly using a library that has excessive restrictions when less risky options are available. The system offers version tracking – the version in use, newer available versions, and version history – as well as lifecycle dates that support obsolescence management. The dedicated open source library within Eracent’s IT-Pedia® product data library provides a solid foundation for SBOM-HQ™’s analysis and reporting. Who can benefit from using SBOM-HQ? SBOM-HQ is designed to support all teams engaged in the use and operation of software. DevOps – SBOM-HQ integrates into CI/CD to generate and enrich SBOMs with real time risk data, ensuring secure and compliant releases. Procurement – SBOM-HQ equips procurement teams with SBOM-driven insights into software quality and licensing risks, enabling smarter vendor selection and safer software purchases. CyberSec teams – SBOM-HQ evaluates cyber security aspects of purchased software and monitors new vulnerabilities that appear. ITOps – SBOM-HQ exposes software weaknesses and helps mitigate the risks. Legal and Licensing teams – SBOM-HQ delivers clear visibility into open source licenses, flags conflicts early, and provides audit-ready compliance reports. Why SBOM-HQ? SBOM-HQ is designed to support software buyers and users, not just software publishers. While most SBOM solutions stop at the software development life cycle, SBOM-HQ goes further. It empowers software consumers to continuously monitor not only what they build, but also what they buy - from design and procurement, through integration, all the way to production in their own data centers. With SBOM-HQ, transparency extends beyond development, delivering visibility and control across the entire software supply chain. To learn more about SBOM-HQ™, register for a free trial at sbomhq.com or contact Eracent today!



**Who Is the Company Behind Eracent SBOM-HQ?**

- **Seller:** [Eracent](https://www.g2.com/sellers/eracent)
- **Year Founded:** 2000
- **HQ Location:** Riegelsville, Pennsylvania
- **Twitter:** @eracent (141 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/15155 (70 employees on LinkedIn®)






### 23. [FOSSA](https://www.g2.com/products/fossa/reviews)
Open source is a critical part of your software. In the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. FOSSA helps you manage your open source components. We plug into your development workflow to help your team automatically track, manage, and remediate issues with the open source you use to: - Stay compliant with software licenses and generate required attribution documents - Enforce usage and licensing policies throughout your CI/CD workflow - Monitor and remediate security vulnerabilities - Flag code quality issues and outdated components proactively By enabling open source, we help development teams increase development velocity and decrease risk.


**Average Rating:** 4.2/5.0
**Total Reviews:** 15

**Who Is the Company Behind FOSSA?**

- **Seller:** [FOSSA](https://www.g2.com/sellers/fossa)
- **Year Founded:** 2015
- **HQ Location:** San Francisco, California
- **Twitter:** @getfossa (774 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossa/ (59 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software
- **Company Size:** 47% Small-Business, 33% Mid-Market


#### What Are FOSSA's Pros and Cons?

**Pros:**

- Easy Integrations (1 reviews)
- Issue Resolution (1 reviews)
- Remediation Solutions (1 reviews)
- Risk Management (1 reviews)
- Security (1 reviews)



### What Do G2 Reviewers Say About FOSSA?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **easy integrations** of FOSSA with existing tools, streamlining security and dependency management in their applications.
- Users value FOSSA&#39;s **issue resolution capabilities** , as it effectively identifies and recommends fixes for vulnerabilities.
- Users benefit from **comprehensive vulnerability remediation** with Fossa&#39;s detailed insights and recommended fixes for dependencies.
- Users value FOSSA for its **effective risk management** , highlighting vulnerabilities and providing remediation recommendations.
- Users value FOSSA for its **robust security scanning** capabilities, effectively identifying library vulnerabilities and suggesting fixes.


#### What Are Recent G2 Reviews of FOSSA?

**"[Fossa for enterprise applications](https://www.g2.com/survey_responses/fossa-review-10931000)"**

**Rating:** 4.0/5.0 stars
*— Pavan Kumar G.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-10931000)

---

**"[&quot;The FOSSA Experience&quot;](https://www.g2.com/survey_responses/fossa-review-8576931)"**

**Rating:** 5.0/5.0 stars
*— Elvis M.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-8576931)

---



### 24. [Heeler](https://www.g2.com/products/heeler/reviews)
Heeler empowers application security teams to shift left with the context they need to reduce noise, accelerate remediation, and move beyond traditional vulnerability management. By combining ASPM, SCA with static and runtime context, and runtime threat modeling, Heeler transforms AppSec programs from reactive firefighting to proactive, scalable security. How Heeler Helps AppSec Teams • Reduce Noise: AppSec teams and developers are drowning in findings. Heeler delivers unified code, runtime, business and security context, reducing alert noise by up to 95%, so teams can focus on critical issues and fix what matters most. • Fix Remediation: Remediation is broken. Most effort is spent reaching a fix—not implementing it. Heeler automates the remediation lifecycle, cutting effort and time, enabling AppSec teams to scale alongside engineering. • Move Beyond Vulnerabilities: With Heeler, continuous runtime threat modeling becomes a reality. Decompose running applications, track changes, compare deployments, and stop risks in real time—all before they reach production. Why Heeler is Essential Modern applications are more complex and dynamic than ever, expanding attack surfaces and making end-to-end security modeling nearly impossible without the right tools. Heeler bridges this gap, addressing the root causes of unscalable AppSec programs: • Lack of Context: Disparate data silos make understanding application behavior and identifying risks challenging. • Labor-Intensive Processes: Without unified context, security efforts are manual, unscalable, and push risk identification too far right. • Firefighting Mode: Security and engineering teams are trapped addressing too many findings and often focus their time on the wrong threats, leaving no bandwidth for secure-by-design initiatives. Key Capabilities • ProductDNA (Unified Context): Automates a real-time service catalog, mapping changesets to deployments and modeling every service with integrated code, runtime, business, and security context. • Runtime Threat Modeling: Enables continuous threat modeling with tools to decompose applications, track changes, compare deployments, and uncover risks in real time. • ASPM: Heeler reduces alert noise by up to 95% and automates remediation workflows, scaling security seamlessly with engineering demands. • SCA with Static and Runtime Context: Combines static and runtime data with business and deployment context, delivering next-gen SCA that prioritizes what matters, strengthens security, and simplifies AppSec workflows. Heeler ensures AppSec teams and developers have the context they need to shift left and build secure-by-design applications—effortlessly.



**Who Is the Company Behind Heeler?**

- **Seller:** [Heeler Security](https://www.g2.com/sellers/heeler-security)
- **Year Founded:** 2023
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/heeler-security (20 employees on LinkedIn®)






### 25. [Hilt](https://www.g2.com/products/hilt/reviews)
Hilt monitors how data actually moves across your environment, not just whether policies are followed. Using proprietary eBPF kernel probes, Hilt captures every data movement event at the base level across cloud workloads, endpoints, and network boundaries. A three-tier behavioral detection engine (deterministic rules, behavioral ML, and model inference) identifies anomalous data movement in real time including transfers where permissions were valid and no policy was violated, but the behavior was wrong. Automated containment blocks exfiltration in under one second. Deployed in minutes with one command, no code changes, and no SDK. Built for latency-sensitive environments including financial services, hedge funds, and law firms.



**Who Is the Company Behind Hilt?**

- **Seller:** [Hilt AI](https://www.g2.com/sellers/hilt-ai)
- **HQ Location:** Milton Keynes, GB
- **LinkedIn® Page:** https://www.linkedin.com/company/hilt-ai/ (1 employees on LinkedIn®)







## What Is Software Bill of Materials (SBOM) Software?

[DevSecOps Software](https://www.g2.com/categories/devsecops)

## What Software Categories Are Similar to Software Bill of Materials (SBOM) Software?

- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)



