# Best Software Supply Chain Security Solutions

  *By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*

   Software supply chain security tools provide automated, continuous monitoring of the components and stages of the software development process: the source code, the open source and third-party dependencies it pulls in, and the build and deployment pipeline that turns it into a shippable artifact. This includes analyzing source code for security risks, scanning dependencies for known vulnerabilities and malicious code, and verifying the authenticity and integrity of third-party components, typically by checking each component's cryptographic digest or signature against a reference that was recorded when the component was first reviewed (a lockfile, an SBOM, or a signing policy).

Software supply chain security is the practice of securing the software development lifecycle end to end, from the developer's editor through build, packaging and distribution. The aim is that the artifact which reaches production is exactly what was reviewed and built, and that nothing along the way, such as a compromised dependency, build tool or CI step, has been able to alter it.

These tools can also detect attempts to tamper with the software during the development or deployment stages, for example a published package whose contents no longer match the version that was originally vetted, and they help ensure that only trusted and validated software components are included in the final product, which reduces the risk of introducing vulnerabilities or malware through the supply chain. Supply chain security solutions are often used alongside tools such as [static code analysis tools](https://www.g2.com/categories/static-code-analysis), which look for weaknesses in first-party code rather than in the chain of components and processes around it.

To qualify for inclusion in the Software Supply Chain Security category, a product must:

- Provide automated and continuous monitoring of various components of the development process
- Detect attempts to tamper with the software during the development or deployment stages
- Scan for malicious code and security risks
- Verify authenticity of third-party components
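As an added example, not code from any of the products listed on this page, the following Python script shows the core of the "verify authenticity of third-party components" and "detect tampering" requirements above: every fetched dependency is hashed and compared against the digest pinned when it was reviewed, and anything unpinned, missing or altered is reported. The package names, payloads and the lockfile itself are constructed for the demonstration; real tooling reads the same information from package-lock.json, go.sum, poetry.lock or an SBOM.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Finding:
    package: str
    reason: str


@dataclass
class Report:
    verified: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_dependencies(lockfile: dict, fetched: dict) -> Report:
    """Check every fetched artifact against the digest pinned at review time.

    lockfile: {"name@version": "<sha256 hex>"}  - the trusted reference
    fetched:  {"name@version": b"<artifact bytes as downloaded>"}
    """
    report = Report()
    for pkg, data in fetched.items():
        expected = lockfile.get(pkg)
        if expected is None:
            # Never pinned means never reviewed: a new transitive dependency
            # is exactly how a typosquat or dependency-confusion package lands.
            report.findings.append(Finding(pkg, "not pinned in lockfile"))
            continue
        actual = sha256_hex(data)
        # compare_digest is constant-time; cheap insurance wherever
        # integrity values or secrets are compared.
        if not hmac.compare_digest(actual, expected):
            report.findings.append(Finding(
                pkg, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."))
            continue
        report.verified.append(pkg)
    # A pinned dependency that never arrived usually means the resolver
    # substituted something else; flag it rather than assume it is fine.
    for pkg in lockfile:
        if pkg not in fetched:
            report.findings.append(Finding(pkg, "pinned but not fetched"))
    return report


# Constructed sample data (hypothetical package names and contents).
# VETTED is what a reviewer looked at; LOCKFILE records its digests.
VETTED = {
    "example-lib@1.2.3": b"def add(a, b):\n    return a + b\n",
    "example-util@0.9.0": b"def slug(s):\n    return s.lower().replace(' ', '-')\n",
}
LOCKFILE = {pkg: sha256_hex(data) for pkg, data in VETTED.items()}

# What a later install actually downloaded: example-lib was re-published
# with extra code, example-util is unchanged, and an unpinned package
# arrived as a new transitive dependency.
DOWNLOADED = {
    "example-lib@1.2.3": VETTED["example-lib@1.2.3"] + b"import os  # added after review\n",
    "example-util@0.9.0": VETTED["example-util@0.9.0"],
    "example-telemetry@0.0.1": b"print('hello')\n",
}


def demo() -> Report:
    return verify_dependencies(LOCKFILE, DOWNLOADED)


if __name__ == "__main__":
    result = demo()
    for pkg in result.verified:
        print("ok    ", pkg)
    for f in result.findings:
        print("FAIL  ", f.package, "-", f.reason)
    raise SystemExit(0 if result.ok else 1)
```

Run directly, it reports one verified package, one digest mismatch and one unpinned package, and exits non-zero so a CI step fails closed. The check is only as strong as its reference: the pinned digests must come from a reviewed, committed lockfile, never from the same download that is being verified, and a digest proves integrity only; a signature check against the publisher's key or a Sigstore transparency log entry is what adds authenticity on top.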





## Best Software Supply Chain Security Solutions At A Glance

- **Leader:** [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
- **Highest Performer:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Easiest to Use:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Top Trending:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Best Free Software:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)


## Top-Rated Products (Ranked by G2 Score)
  ### 1. [Snyk](https://www.g2.com/products/snyk/reviews)
  Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk's developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code & open source to containers & cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix & merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as you write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: integrate natively with your CI/CD tool, configure your rules, find & fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk's vulnerability scanning and automated fixes - Try for Free!


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 129


**Seller Details:**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (20,919 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,207 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 44% Mid-Market, 35% Small-Business


#### Pros & Cons

**Pros:**

- Vulnerability Detection (3 reviews)
- Vulnerability Identification (3 reviews)
- Easy Integrations (2 reviews)
- Features (2 reviews)
- Integrations (2 reviews)

**Cons:**

- False Positives (2 reviews)
- Poor Interface Design (2 reviews)
- Scanning Issues (2 reviews)
- Software Bugs (2 reviews)
- Code Management (1 review)

  ### 2. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
  JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 111


**Seller Details:**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,134 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,292 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, DevOps Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 52% Enterprise, 32% Mid-Market


#### Pros & Cons

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)

  ### 3. [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
  Aikido Security is the developer-first security platform that unifies code, cloud, protection, and attack testing in one suite of best-in-class products. Built by developers for developers, Aikido helps teams of any size ship secure software faster, automate protection, and simulate real-world attacks with AI-driven precision. The platform’s proprietary AI cuts noise by 95%, delivers one-click fixes, and saves developers 10+ hours per week. Aikido Intel proactively uncovers vulnerabilities in open source packages before disclosure, helping secure more than 50,000 organizations worldwide, including Revolut, Niantic, Visma, Montblanc, and GoCardless.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 139


**Seller Details:**

- **Seller:** [Aikido Security](https://www.g2.com/sellers/aikido-security)
- **Company Website:** https://aikido.dev
- **Year Founded:** 2022
- **HQ Location:** Ghent, Belgium
- **Twitter:** @AikidoSecurity (6,187 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aikido-security/ (175 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Founder
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 71% Small-Business, 17% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (78 reviews)
- Security (55 reviews)
- Features (52 reviews)
- Easy Integrations (47 reviews)
- Easy Setup (47 reviews)

**Cons:**

- Missing Features (19 reviews)
- Expensive (17 reviews)
- Limited Features (16 reviews)
- Pricing Issues (15 reviews)
- Lacking Features (14 reviews)

  ### 4. [OX Security](https://www.g2.com/products/ox-security/reviews)
  OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec, the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI's speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers:

- Autonomous, embedded security that runs as fast as developers.
- Dynamic risk context that shrinks security backlogs before they spiral.
- Continuous alignment across code, cloud, APIs, and runtime.

With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure.

OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 51


**Seller Details:**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (184 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Security Engineer
  - **Top Industries:** Financial Services, Information Technology and Services
  - **Company Size:** 63% Mid-Market, 25% Enterprise


#### Pros & Cons

**Pros:**

- Features (27 reviews)
- Ease of Use (23 reviews)
- Customer Support (22 reviews)
- Integration Support (22 reviews)
- Security (22 reviews)

**Cons:**

- Integration Issues (8 reviews)
- Missing Features (8 reviews)
- Complexity (5 reviews)
- Inadequate Reporting (5 reviews)
- Limited Cloud Integration (5 reviews)

  ### 5. [Jit](https://www.g2.com/products/jit/reviews)
  Jit is redefining application security by introducing the first Agentic AppSec Platform, seamlessly blending human expertise with AI-driven automation. Designed for modern development teams, Jit empowers organizations to proactively manage security risks across the entire software development lifecycle.

- **AI-Powered Agents:** Jit's AI Agents, such as SERA (Security Evaluation and Remediation Agent) and COTA (Communication, Ops, and Ticketing Agent), collaborate with your teams to automate vulnerability triage, risk assessment, and remediation processes, significantly reducing manual workloads.
- **Comprehensive Security Scanning:** Achieve full-stack security coverage with integrated scanners for SAST, DAST, SCA, IaC, CSPM, and more. Jit's platform ensures continuous monitoring and immediate feedback on code changes, facilitating rapid identification and resolution of security issues.
- **Developer-Centric Experience:** With integrations into popular IDEs and CI/CD pipelines, Jit provides developers with contextual security insights directly within their workflows, promoting a shift-left approach without disrupting productivity.
- **Risk-Based Prioritization (Agentic AI for AppSec Teams):** Utilizing the Model Context Protocol (MCP), Jit evaluates vulnerabilities in the context of runtime environments, business impact, and compliance requirements, enabling teams to focus on the most critical risks.
- **Seamless Integrations:** Jit integrates with a wide array of tools, including GitHub, GitLab, AWS, Azure, GCP, Jira, Slack, and more, ensuring that security processes are embedded within your existing technology stack.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 43


**Seller Details:**

- **Seller:** [jit](https://www.g2.com/sellers/jit)
- **Year Founded:** 2021
- **HQ Location:** Boston, MA
- **Twitter:** @jit_io (521 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jit/ (151 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Financial Services
  - **Company Size:** 44% Mid-Market, 42% Small-Business


#### Pros & Cons

**Pros:**

- Security (10 reviews)
- Easy Integrations (8 reviews)
- Ease of Use (7 reviews)
- Efficiency (7 reviews)
- Integration Support (7 reviews)

**Cons:**

- Integration Issues (4 reviews)
- Limited Features (4 reviews)
- Limited Integration (4 reviews)
- Poor Documentation (4 reviews)
- Complexity (3 reviews)

  ### 6. [SOOS](https://www.g2.com/products/soos/reviews)
  SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS's ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard.

- **SCA:** Deep tree vulnerability scanning, license compliance, governance
- **DAST:** Automated web & API vulnerability scanning
- **Containers:** Scan contents for vulnerabilities
- **SAST:** Analyze code for security vulnerabilities
- **IaC:** Cloud security coverage
- **SBOMs:** Create, monitor, manage


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 42


**Seller Details:**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Company Website:** https://soos.io
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (45 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (26 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 50% Mid-Market, 43% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (8 reviews)
- Easy Integrations (6 reviews)
- Integrations (6 reviews)
- Customer Support (5 reviews)
- Vulnerability Detection (5 reviews)

**Cons:**

- Inadequate Reporting (4 reviews)
- Poor Reporting (4 reviews)
- Lacking Features (3 reviews)
- Lack of Guidance (3 reviews)
- Dashboard Issues (2 reviews)

  ### 7. [Mend.io](https://www.g2.com/products/mend-io/reviews)
  Mend.io is the leading application security solution, helping organizations reduce application risk efficiently. Built for modern, AI-driven, and traditional development environments alike, Mend.io prioritizes what matters most, so teams fix less, reduce risk faster, and deliver software with confidence.


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 105


**Seller Details:**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,291 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (263 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 38% Small-Business, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)

  ### 8. [Cybeats](https://www.g2.com/products/cybeats/reviews)
  Cybeats is at the forefront of cybersecurity innovation and is focused explicitly on automating Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) management. Our platform has built-in support for HBOM and AIBOM. Our mission is to empower organizations to rapidly identify and address vulnerabilities, significantly reducing costs while enhancing the security posture of their products. With our focus on the vision of "Building trust in every layer of your technology," Cybeats provides a robust platform that ensures transparency and security throughout the technology stack.

Core offerings:

- **SBOM Management & Continuous Monitoring:** Cybeats offers a scalable solution for managing and monitoring SBOMs. Our platform stores, enriches and distributes SBOMs efficiently across the organization and the organization's customers. This continuous monitoring helps proactively identify and mitigate software component risks.
- **SBOM Inventory & Management:** We provide a centralized system for SBOM inventory management that ensures all software components are accounted for, up-to-date, and secure. This systematic approach helps maintain a clear overview of all software elements, facilitating easier management and compliance.
- **Vulnerability Lifecycle Management (VLM):** Our VLM capabilities integrate Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Program (VDP) processes. This integration helps identify, assess, manage, and mitigate vulnerabilities throughout their lifecycle, ensuring continuous protection against potential software supply chain threats.
- **Regulatory Compliance:** Cybeats aligns with global regulatory requirements, assisting organizations in staying compliant with evolving cybersecurity standards. Our solution simplifies compliance management, reducing the complexity and resources required to meet legal and industry standards. With the introduction of regulatory requirements such as FDA pre-market and post-market guidance, the EU CRA, PCI-SSF, and others, companies that develop software-based products must align with SBOM and vulnerability management requirements.
- **OSS and Commercial Licensing Risk Assessment:** Understanding and managing licensing risks associated with software components is crucial. Cybeats provides tools to assess these risks, helping organizations avoid legal and financial repercussions related to software licensing.
- **SBOM Sharing and Exchange:** We facilitate secure sharing and exchange of SBOMs within and across organizations. This capability ensures that all parties in the software supply chain have access to accurate and timely information, enhancing collaborative efforts toward secure software development.
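As an added example, not Cybeats's code or data, the following Python reconciles an SBOM with a VEX document the way the SBOM-plus-VEX workflow described above implies: an advisory that names a component stays open unless a VEX statement for that exact component closes it, an advisory with no statement at all is treated as untriaged rather than silently accepted, and a VEX statement that refers to a component the SBOM does not contain is surfaced as stale. The SBOM and VEX are constructed in CycloneDX's JSON shape, and the advisory identifiers and package names are invented for the demonstration.

```python
import json

# Analysis states defined by CycloneDX that close a finding for a component.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}

# Constructed CycloneDX-shaped SBOM (subset of fields). The purl is reused as
# bom-ref, which is common practice and what VEX statements point at.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"bom-ref": "pkg:pypi/example-http@2.1.0",   "name": "example-http",   "version": "2.1.0", "purl": "pkg:pypi/example-http@2.1.0"},
  {"bom-ref": "pkg:pypi/example-yaml@5.0.0",   "name": "example-yaml",   "version": "5.0.0", "purl": "pkg:pypi/example-yaml@5.0.0"},
  {"bom-ref": "pkg:pypi/example-crypto@1.0.0", "name": "example-crypto", "version": "1.0.0", "purl": "pkg:pypi/example-crypto@1.0.0"}
]}
"""

# Constructed advisory feed: which advisories name which component.
# The identifiers are invented; a real feed carries CVE or GHSA ids.
ADVISORIES = {
    "pkg:pypi/example-http@2.1.0": ["EX-2024-0001", "EX-2024-0002"],
    "pkg:pypi/example-yaml@5.0.0": ["EX-2023-0100"],
    "pkg:pypi/example-crypto@1.0.0": [],
}

# Constructed VEX in the CycloneDX "vulnerabilities" shape. The supplier says
# EX-2024-0001 is unreachable, EX-2023-0100 is still being triaged, and one
# statement refers to a component that is not in this SBOM at all.
VEX_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "EX-2024-0001", "affects": [{"ref": "pkg:pypi/example-http@2.1.0"}],
   "analysis": {"state": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}},
  {"id": "EX-2023-0100", "affects": [{"ref": "pkg:pypi/example-yaml@5.0.0"}],
   "analysis": {"state": "in_triage"}},
  {"id": "EX-2022-0009", "affects": [{"ref": "pkg:pypi/example-old@0.1.0"}],
   "analysis": {"state": "resolved"}}
]}
"""


def index_vex(vex: dict) -> dict:
    """Map (bom-ref, advisory id) -> analysis state."""
    states = {}
    for v in vex.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        for affected in v.get("affects", []):
            states[(affected["ref"], v["id"])] = state
    return states


def reconcile(sbom: dict, advisories: dict, vex: dict) -> dict:
    """Return {"open": {bom-ref: [(advisory, state), ...]}, "dangling": [(ref, advisory), ...]}."""
    refs = {c["bom-ref"] for c in sbom["components"]}
    states = index_vex(vex)
    open_by_component = {}
    for c in sbom["components"]:
        ref = c["bom-ref"]
        still_open = []
        for adv in advisories.get(c.get("purl", ref), []):
            # No statement means nobody has assessed it: keep it open.
            state = states.get((ref, adv), "in_triage")
            if state not in CLOSED_STATES:
                still_open.append((adv, state))
        if still_open:
            open_by_component[ref] = still_open
    # A statement about a component the SBOM does not contain is stale or
    # mis-targeted; surface it instead of letting it vanish.
    dangling = sorted((ref, adv) for (ref, adv) in states if ref not in refs)
    return {"open": open_by_component, "dangling": dangling}


def demo() -> dict:
    return reconcile(json.loads(SBOM_JSON), ADVISORIES, json.loads(VEX_JSON))


if __name__ == "__main__":
    result = demo()
    for ref, items in result["open"].items():
        for adv, state in items:
            print(f"OPEN      {ref}  {adv}  ({state})")
    for ref, adv in result["dangling"]:
        print(f"DANGLING  {ref}  {adv}")
```

The states used (in_triage, exploitable, not_affected, resolved, resolved_with_pedigree, false_positive) are the ones CycloneDX defines for the analysis field. Matching is deliberately exact on bom-ref, so a statement written for version 2.1.0 does not close the same advisory for 2.2.0, and a not_affected statement is worth rejecting in a real pipeline when it carries no justification, because the justification is the part an auditor will ask to see.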


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 15


**Seller Details:**

- **Seller:** [CYBEATS](https://www.g2.com/sellers/cybeats)
- **Year Founded:** 2017
- **HQ Location:** Toronto, Ontario
- **Twitter:** @cybeatstech (615 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cybeats/ (33 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 47% Small-Business, 33% Mid-Market


  ### 9. [Endor Labs](https://www.g2.com/products/endor-labs/reviews)
  Endor Labs helps you build and ship secure software fast, whether it's written by humans or AI. While conventional code scanning tools drown teams in false positives, Endor Labs zeroes in on real risks, empowering developers without slowing them down. Trusted by OpenAI, Snowflake, Peloton, Robinhood, Dropbox, Rubrik, and more, Endor Labs is transforming AppSec.

- **92% fewer alerts:** Unify code scanning (SAST, SCA, container, secrets, malware, AI models) and automate security code reviews with AI. Pinpoint real vulnerabilities with function-level reachability, filtering out unreachable risks and letting developers fix what matters as they code.
- **6X faster fixes:** Skip the guesswork. Endor Labs guides developers towards safe OSS upgrades, and backports fixes for hard-to-update libraries.
- **Guardrails for AI coding assistants:** Endor Labs natively integrates into AI coding assistants to help them produce code securely by default. Additionally, Endor Labs has built multiple agents to review AI- and human-generated code for architecture and business-logic issues.
- **Compliance, streamlined:** FedRAMP, PCI, NIST, and SLSA compliance is simplified with artifact signing, SBOM, VEX, and more, accelerating your path to secure, compliant code.

Learn more at: www.endorlabs.com/demo-request


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 9


**Seller Details:**

- **Seller:** [Endor Labs](https://www.g2.com/sellers/endor-labs)
- **Company Website:** https://www.endorlabs.com/
- **Year Founded:** 2021
- **HQ Location:** Palo Alto, California, United States
- **Twitter:** @EndorLabs (541 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/endorlabs (200 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 78% Mid-Market, 22% Enterprise


#### Pros & Cons

**Pros:**

- Features (5 reviews)
- Ease of Use (4 reviews)
- Accuracy of Findings (3 reviews)
- Customer Support (3 reviews)
- Integration Support (3 reviews)

**Cons:**

- UX Improvement (3 reviews)
- API Limitations (1 review)
- Difficult Setup (1 review)
- Integration Issues (1 review)
- Missing Features (1 review)

  ### 10. [Socket](https://www.g2.com/products/socket-socket/reviews)
  Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 9


**Seller Details:**

- **Seller:** [Socket](https://www.g2.com/sellers/socket)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @SocketSecurity (8,734 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (67 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 44% Mid-Market, 33% Enterprise


#### Pros & Cons

**Pros:**

- Security (3 reviews)
- Open Source (2 reviews)
- Accuracy of Findings (1 review)
- Alerts (1 review)
- Comprehensive Security (1 review)

**Cons:**

- Missing Features (1 review)
- System Slowness (1 review)

  ### 11. [Jscrambler](https://www.g2.com/products/jscrambler/reviews)
  Jscrambler is the leader in Client-Side Security for the modern, composable web. As organizations increasingly build digital experiences through third-party software supply chains and AI-powered agents, sensitive data is now created directly in the browser — the point of creation for digital interactions — making it one of the enterprise’s most privileged yet least governed attack surfaces. Jscrambler’s Client-Side Security Platform is powered by a Behavioral Enforcement Core that governs how application code, third-party scripts, and sensitive data behave at runtime. By enforcing software integrity and data governance directly in the browser, the platform ensures sensitive data and AI inputs are controlled according to enterprise policy at the point of creation — before they leave the client environment. Trusted by leading global retailers, airlines, financial services providers, and healthcare organizations, Jscrambler provides the visibility and enforcement organizations need to stop client-side attacks, prevent data leakage, and maintain compliance with regulations including PCI DSS, GDPR, HIPAA, CCPA, and the EU AI Act.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 30


**Seller Details:**

- **Seller:** [Jscrambler](https://www.g2.com/sellers/jscrambler)
- **Company Website:** https://jscrambler.com
- **Year Founded:** 2014
- **HQ Location:** San Francisco, California
- **Twitter:** @Jscrambler (1,166 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1005462/ (92 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 37% Mid-Market, 30% Small-Business


#### Pros & Cons

**Pros:**

- Security (3 reviews)
- Ease of Use (2 reviews)
- User Interface (2 reviews)
- Automation (1 review)
- Comprehensive Overview (1 review)

**Cons:**

- Difficult Initiation (2 reviews)
- Slow Performance (2 reviews)
- Dashboard Issues (1 review)
- Error Handling (1 review)
- Lack of Guidance (1 review)

  ### 12. [Arnica](https://www.g2.com/products/arnica/reviews)
  Arnica simplifies and effectively automates source code security, while maintaining or improving development velocity. Arnica uses rich tooling integration, deep learning, and behavioral analytics to empower organizations with the tools to be proactive in building a secure software supply chain.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 5


**Seller Details:**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (125 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (54 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 60% Enterprise, 20% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Findings (1 review)
- Actionable Recommendations (1 review)
- Ease of Use (1 review)
- Easy Setup (1 review)
- Remediation Solutions (1 review)

**Cons:**

- Paid Features (1 review)

  ### 13. [Traceable AI](https://www.g2.com/products/traceable-ai/reviews)
  Traceable is the industry's leading API Security company that helps organizations protect their digital systems and assets in a cloud-first world where everything is interconnected. Traceable is the only intelligent and context-aware platform that powers complete API security.

- **Security Posture Management:** Traceable helps organizations dramatically improve their security posture with a real-time, risk-ranked catalog of all APIs in their ecosystem, conformance analysis, identification of shadow and orphaned APIs, and visibility of sensitive data flows.
- **Runtime Threat Protection:** Traceable observes user-level transactions and applies mature machine learning algorithms to discover anomalous transactions, alert the security team, and block attacks at the user level.
- **Threat Management and Analytics:** Traceable helps organizations analyze attacks and incidents with its API data lake, which provides rich historical data of nominal and malicious traffic.
- **API Security Testing throughout the SDLC:** Traceable connects the security lifecycle with the DevOps lifecycle, providing automated API security tests that run within the CI pipeline.
- **Digital Fraud Prevention:** Traceable brings together its broad and deep data collection over time and cutting-edge machine learning to identify fraud across all API transactions.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 23


**Seller Details:**

- **Seller:** [Harness](https://www.g2.com/sellers/harness-25016f40-e80f-4417-bea8-39412055d17a)
- **Company Website:** https://harness.io/
- **Year Founded:** 2018
- **HQ Location:** San Francisco
- **Twitter:** @HarnessWealth (1,402 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/harnessinc/ (1,611 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Financial Services
  - **Company Size:** 70% Enterprise, 17% Mid-Market


#### Pros & Cons

**Pros:**

- Customer Support (11 reviews)
- Security (8 reviews)
- Setup Ease (4 reviews)
- API Management (3 reviews)
- Customization (2 reviews)

**Cons:**

- Limited Features (3 reviews)
- False Positives (2 reviews)
- Inefficiency (2 reviews)
- Poor Documentation (2 reviews)
- Poor Reporting (2 reviews)

  ### 14. [DryRun Security](https://www.g2.com/products/dryrun-security/reviews)
  Security leaders face a paradox: ship faster and enable agentic development while staying secure and keeping developers productive. DryRun Security resolves this by securing every pull request and repo with a high-precision, automated security engineer review right where developers and their agents build.

DryRun Security is the industry's most accurate agentic code security intelligence platform. Powered by its proprietary Contextual Security Analysis (CSA) engine, DryRun Security delivers the AI moment for security teams in an AI-native developer world. Traditional static application security testing (SAST) floods teams with alerts, misses higher-order risk, and burns time in triage. DryRun Security goes beyond SAST with contextual analysis that prioritizes what is exploitable and impactful in your codebase, then helps engineers remediate fast. Instead of "find everything and hope someone sorts it out," DryRun Security delivers code security intelligence that is ready to act on.

DryRun Security puts a security engineer directly into developer workflows. In pull requests, the Code Review Agent reviews changes in context, explains risk in plain language, and guides fixes where developers already work. In repos, the DeepScan Agent produces focused, human-grade findings for the issues that actually matter, without weeks of manual review before major milestones. The Custom Policy Agent enforces guardrails with Natural Language Code Policies, so you can standardize security and compliance requirements across teams without brittle rule sets. Codebase Insights allows leaders to ask questions of their entire codebase like "Are we exposed to this new vulnerability?" and have confidence in minutes. DryRun Security also integrates with AI coding workflows, so remediation happens with the precision of a security engineer working at machine speed. Teams connect DryRun Security insights and guidance into Claude, Cursor, OpenAI Codex, and Windsurf, helping developers and their agents fix issues with contextual, security-engineered direction tied to the PR and codebase.

What DryRun Security delivers (beyond SAST):

- Automated secure code review in every pull request with high-signal findings and low noise
- Contextual Security Analysis that catches common vulnerabilities and deeper multi-dependency and logic risks
- Automated remediation guidance that helps engineers fix faster, with explanations and next steps
- Secrets analysis that identifies genuine hardcoded secrets and suppresses the usual false alarms
- Policy enforcement in PRs using Natural Language Code Policies for consistent guardrails across repos
- Codebase intelligence and reporting for AppSec visibility, prioritization, and audit-ready evidence

DryRun Security supports most code environments, languages, and frameworks, including:

- GitHub, GitLab
- C#, Golang, Elixir, JavaScript, TypeScript, Python, Ruby, Java, Kotlin, PHP, Swift, HTML
- Infrastructure as Code (Terraform, YAML)
- And more


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 19


**Seller Details:**

- **Seller:** [DryRun Security](https://www.g2.com/sellers/dryrun-security)
- **Year Founded:** 2023
- **HQ Location:** Austin, US
- **LinkedIn® Page:** https://www.linkedin.com/company/dryrun-security/ (19 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer & Network Security
  - **Company Size:** 42% Small-Business, 26% Mid-Market


#### Pros & Cons

**Pros:**

- Security (13 reviews)
- Vulnerability Detection (9 reviews)
- Features (8 reviews)
- Accuracy (7 reviews)
- Easy Setup (7 reviews)

**Cons:**

- Slow Performance (2 reviews)
- Slow Speed (2 reviews)
- UX Improvement (2 reviews)
- Limited Customization (1 review)
- Workflow Issues (1 review)

  ### 15. [Xygeni](https://www.g2.com/products/xygeni/reviews)
  Secure your Software Development and Delivery! Xygeni Security specializes in Application Security Posture Management (ASPM), using deep contextual insights to effectively prioritize and manage security risks while minimizing noise and overwhelming alerts. Our innovative technologies automatically detect malicious code in real-time upon new and updated components publication, immediately notifying customers and quarantining affected components to prevent potential breaches. With extensive coverage spanning the entire Software Supply Chain—including Open Source components, CI/CD processes and infrastructure, Anomaly detection, Secret leakage, Infrastructure as Code (IaC), and Container security—Xygeni ensures robust protection for your software applications. Trust Xygeni to protect your operations and empower your team to build and deliver with integrity and security.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 4


**Seller Details:**

- **Seller:** [Xygeni Security](https://www.g2.com/sellers/xygeni-security)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **Twitter:** @xygeni (182 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/xygeni/ (30 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 60% Small-Business, 40% Mid-Market


#### Pros & Cons

**Pros:**

- Comprehensive Security (2 reviews)
- Prioritization (2 reviews)
- Risk Management (2 reviews)
- Security (2 reviews)
- Cloud Integration (1 review)

**Cons:**

- Difficult Setup (1 review)
- Learning Curve (1 review)

  ### 16. [Arnica EmailServer](https://www.g2.com/products/arnica-emailserver/reviews)
  Arnica EmailServer is an enterprise-strength tool for automating both mass-emailing and single email processing tasks.


  **Average Rating:** 4.0/5.0
  **Total Reviews:** 1


**Seller Details:**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (125 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (54 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 100% Small-Business


  ### 17. [Cycode](https://www.g2.com/products/cycode/reviews)
  Cycode’s AI-Native Application Security Platform unites security and development teams with actionable context from code to runtime to identify, prioritize, and fix the software risks that matter. Powered by proprietary scanners, third-party integrations, and the Context Intelligence Graph (CIG), Cycode delivers unified, correlated insight across the Software Factory. Its unique ability to sense, reason, and act with context in the AI-Era comes from its foundational convergence of AST, ASPM, and Software Supply Chain Security—purpose-built to secure both AI- and human-generated code.


  **Average Rating:** 4.0/5.0
  **Total Reviews:** 2


**Seller Details:**

- **Seller:** [Cycode](https://www.g2.com/sellers/cycode)
- **Year Founded:** 2019
- **HQ Location:** New York, New York, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/cycode (159 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 67% Mid-Market, 33% Enterprise


  ### 18. [ReversingLabs](https://www.g2.com/products/reversinglabs/reviews)
  ReversingLabs is the trusted name in file and software security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, RL Spectra Core powers the software supply chain and file security insights, tracking over 422 billion searchable files with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 10


**Seller Details:**

- **Seller:** [ReversingLabs](https://www.g2.com/sellers/reversinglabs)
- **Year Founded:** 2009
- **HQ Location:** Cambridge, US
- **Twitter:** @ReversingLabs (6,968 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/reversinglabs/ (330 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 80% Small-Business, 10% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Information (2 reviews)
- Customer Support (2 reviews)
- Efficiency (2 reviews)
- Prioritization (2 reviews)
- Reliability (2 reviews)

**Cons:**

- Complex Querying (1 review)
- Confusing Interface (1 review)
- Navigation Issues (1 review)
- UX Improvement (1 review)

  ### 19. [Sonatype Repository Firewall](https://www.g2.com/products/sonatype-repository-firewall/reviews)
  Sonatype Repository Firewall helps protect your software supply chain by blocking open source malware and other high-risk components before they enter your artifact repositories and development workflows. Repository Firewall evaluates components at the point of download using automated analysis plus policy enforcement, so risky packages can be prevented (or quarantined) before they spread across builds, teams, and environments.

Key capabilities:

- Detect and block known and suspicious open source malware before it reaches developers
- Enforce security, license, and quality policies early, at the repository perimeter
- Identify risky or malicious components already present in repositories to support cleanup and response
- Provide clear, auditable policy decisions and guidance so teams understand why a component was blocked and what to use instead
- Integrate with common repository managers (including Nexus Repository and JFrog Artifactory) to add protection without slowing delivery

Repository Firewall is ideal for organizations that depend heavily on public registries and want a preventative control to reduce supply chain attacks, lower rework, and keep development moving with trusted components.


  **Average Rating:** 5.0/5.0
  **Total Reviews:** 1


**Seller Details:**

- **Seller:** [Sonatype](https://www.g2.com/sellers/sonatype)
- **Year Founded:** 2008
- **HQ Location:** Fulton, US
- **Twitter:** @sonatype (10,611 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/210324/ (532 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 100% Mid-Market


#### Pros & Cons

**Pros:**

- Control (1 review)
- Network Security (1 review)
- Protection (1 review)

**Cons:**

- Expertise Required (1 review)
- Inadequate Learning Resources (1 review)
- Poor Customer Support (1 review)

  ### 20. [ZeroPath](https://www.g2.com/products/zeropath/reviews)
  ZeroPath (YC S24) is the first AI-native application security platform that fundamentally reimagines how organizations find and fix vulnerabilities. Unlike deterministic SAST tools that bolt AI onto legacy rule engines, ZeroPath was built from the ground up to combine large language models with advanced program analysis (AST, data flow, taint tracking) by ex-Tesla Red Team and Google Security engineers.

ZeroPath's core differentiation is detecting critical vulnerabilities that pattern-matching SAST fundamentally cannot find. It catches IDORs, authorization bypasses, race conditions, and authentication bugs by reasoning about application behavior and developer intent. This capability achieved a 92% alert reduction when triaging findings from legacy tools.

ZeroPath is best suited for enterprises and startups that want a complete appsec experience with: AI-powered SAST across 16+ languages, SCA with exploitability analysis (90% noise reduction by determining if dependency CVEs are actually reachable in your code), secrets detection with validation, IaC scanning for Terraform/CloudFormation/Kubernetes, and natural language security policies. Context-aware autopatch generation fixes 70% of vulnerabilities automatically with framework-specific patches that match your coding standards.

To keep the developer experience seamless, ZeroPath integrates into existing workflows with zero configuration. It provides sub-60-second PR scans on GitHub, GitLab, Bitbucket, and Azure DevOps to provide instant security feedback without blocking development. Developers receive clear explanations, one-click fixes, and can refine patches using natural language commands directly in PR comments. The platform automatically attributes vulnerabilities to responsible developers and syncs bidirectionally with Jira, Linear, and more. Overall, less noise, along with the breadth of integrations, has already made security teams faster in triaging and finding real vulnerabilities.

Having been security engineers ourselves, we also understand how important visibility is for the evaluations. ZeroPath users get executive dashboards with real-time MTTR tracking, automated compliance reporting for SOC2 and ISO27001, and risk-based prioritization using CVSS 4.0 scoring. The platform provides complete visibility across organizational repositories, including security models, authentication patterns, and filtering logic, without manual configuration. Our research team dogfoods our own technology and has discovered CVE-2025-61928 (critical account takeover in better-auth with 300k+ weekly downloads), identified 170+ verified bugs in curl, found 7 vulnerabilities in django-allauth enabling account impersonation, and discovered 0-days in production systems at Netflix, Hulu, and Salesforce. Currently trusted by 750+ companies running 200k+ scans monthly, ZeroPath delivers what security-conscious engineering teams need: more real vulnerabilities, dramatically less noise, and automated fixes that actually work.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 11


**Seller Details:**

- **Seller:** [ZeroPath](https://www.g2.com/sellers/zeropath)
- **Company Website:** https://zeropath.com
- **Year Founded:** 2024
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** https://www.linkedin.com/company/zeropathai/ (9 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 36% Small-Business, 27% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy (6 reviews)
- Accuracy of Findings (6 reviews)
- Security (6 reviews)
- Vulnerability Detection (5 reviews)
- Vulnerability Identification (4 reviews)

**Cons:**

- Bug Issues (2 reviews)
- Bugs (2 reviews)
- Software Bugs (2 reviews)
- Cost Issues (1 review)
- Dashboard Issues (1 review)

  ### 21. [Apiiro](https://www.g2.com/products/apiiro/reviews)
  Apiiro is the leader in application security posture management (ASPM), unifying risk visibility, prioritization, and remediation with deep code analysis and runtime context.

**Get complete application and risk visibility:** Apiiro takes a deep, code-based approach to ASPM. Its Cloud Application Security Platform analyzes source code and pulls in runtime context to build a continuous, graph-based inventory of application and software supply chain components.

**Prioritize with code-to-runtime context:** With its proprietary Risk Graph™, Apiiro contextualizes security alerts from third-party tools and native security solutions based on the likelihood and impact of risk to uniquely minimize alert backlogs and triage time by 95%.

**Fix faster and prevent risks that matter:** By tying risks to code owners, providing LLM-enriched remediation guidance, and embedding risk-based guardrails directly into developer tools and workflows, Apiiro improves remediation times (MTTR) by up to 85%.

Apiiro's native security solutions include API security testing in code, secrets detection and validation, software bill of materials (SBOM) generation, sensitive data exposure prevention, software composition analysis (SCA), and CI/CD and SCM security.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 2


**Seller Details:**

- **Seller:** [Apiiro](https://www.g2.com/sellers/apiiro)
- **Year Founded:** 2019
- **HQ Location:** New York, New York, United States
- **Twitter:** @apiiroSecurity (7,415 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/apiiro (120 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 100% Mid-Market


  ### 22. [Appsec360](https://www.g2.com/products/appsec360/reviews)
  AppSec360 is a platform that helps AI-driven software development become Secure-by-Design.




**Seller Details:**

- **Seller:** [Appsec360](https://www.g2.com/sellers/appsec360)
- **Year Founded:** 2020
- **HQ Location:** Melbourne, AU
- **LinkedIn® Page:** https://www.linkedin.com/company/myappsec360 (3 employees on LinkedIn®)



  ### 23. [Conviso](https://www.g2.com/products/conviso/reviews)
  The Conviso Platform is a complete Application Security Posture Management (ASPM) solution that centralizes visibility, correlation, and prioritization of vulnerabilities across the software development lifecycle. It integrates with your existing SAST, DAST, SCA, IaC, and CI/CD tools, automates triage, and provides a unified view of risk — helping security and development teams work together to reduce complexity and strengthen AppSec maturity.




**Seller Details:**

- **Seller:** [Conviso Application Security](https://www.g2.com/sellers/conviso-application-security)
- **Year Founded:** 2008
- **HQ Location:** Curitiba, BR
- **LinkedIn® Page:** https://www.linkedin.com/company/convisoappsec (81 employees on LinkedIn®)



  ### 24. [Gauntlet](https://www.g2.com/products/gauntlet/reviews)
  Gauntlet mitigates risks like security breaches, data theft, and compliance violations with Generative AI (GenAI), enhancing efficiency by accelerating time-to-fix by 60%. Its core pillars include Cloud Security Posture Management (CSPM) for proactive vulnerability remediation, Software Supply Chain Security (SBOM) for component transparency, Secrets Scanning to safeguard sensitive credentials, and AI Security Posture Management (AISPM) to secure cloud-based AI services. Gauntlet ensures seamless compliance with over 20 global standards, including HIPAA, FDA, and GDPR, making regulatory adherence effortless for organizations. This powerful platform reduces human error and optimizes operational security at every level. Visit https://www.gauntlet.security for more information.


  **Average Rating:** 5.0/5.0
  **Total Reviews:** 1


**Seller Details:**

- **Seller:** [Gauntlet Technologies](https://www.g2.com/sellers/gauntlet-technologies)
- **HQ Location:** N/A

**Reviewer Demographics:**
  - **Company Size:** 100% Small-Business


#### Pros & Cons

**Pros:**

- Customer Success (1 review)
- Remediation Guidance (1 review)
- Reporting (1 review)

**Cons:**

- Inefficient Alert System (1 review)

  ### 25. [Guardian](https://www.g2.com/products/palo-alto-networks-guardian/reviews)
  Enable enterprise-level enforcement and management of model security to block unsafe models from entering your environment.




**Seller Details:**

- **Seller:** [Palo Alto Networks](https://www.g2.com/sellers/palo-alto-networks)
- **Year Founded:** 2005
- **HQ Location:** Santa Clara, CA
- **Twitter:** @PaloAltoNtwks (128,510 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/30086/ (21,355 employees on LinkedIn®)
- **Ownership:** NYSE: PANW





## Parent Category

[Development Software](https://www.g2.com/categories/development)



## Related Categories

- [Vulnerability Scanner Software](https://www.g2.com/categories/vulnerability-scanner)
- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Secure Code Review Software](https://www.g2.com/categories/secure-code-review)
- [Software Bill of Materials (SBOM) Software](https://www.g2.com/categories/software-bill-of-materials-sbom)
