---
title: Arnica Reviews
meta_title: 'Arnica Reviews 2026: Details, Pricing, & Features | G2'
meta_description: Filter reviews by the users' company size, role or industry to find
  out how Arnica works for a business like yours.
aggregate_rating:
  rating_value: 4.9
  review_count: 8
  scale: '5'
date_modified: '2026-06-24'
parent_category:
  name: Development
  url: https://www.g2.com/categories/development
---

# Arnica Reviews
**Vendor:** Arnica  
**Category:** [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)  
**Average Rating:** 4.9/5.0  
**Total Reviews:** 8
## About Arnica
Arnica is a comprehensive application security posture management (ASPM) platform that protects developers, source code, and products throughout the software development lifecycle. The platform provides real-time application security scanning with 100% coverage across the software supply chain, addressing risks in Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), hardcoded secrets detection, and more. At its core, Arnica offers AI-native security governance that takes control of AI-generated code through advanced AI SAST scanning and agentic rules enforcement. The platform automatically injects centrally-controlled security requirements into AI coding agents like Copilot, Cursor, and Claude at the point of code generation, ensuring every line of AI-written code is secure by default before vulnerabilities reach production. This approach addresses 92% of risks before they ever reach production environments.

Arnica's pipelineless architecture provides automatic coverage for every repository without requiring CI/CD pipeline integrations or IDE deployments. The platform scans every code change at the feature branch level, delivering developer-native workflows that keep teams focused on building features rather than chasing security issues. Risk prioritization is enhanced through OWASP Top 10, CVSS, EPSS, and KEV scoring, combined with organizational context to surface the most critical vulnerabilities. The platform excels in developer experience by delivering security findings directly within existing workflows through Slack, Microsoft Teams, pull request comments, and automated ticket management in Jira and Azure DevOps Boards. AI-powered mitigation suggestions provide context-aware, automated fixes that align with organizational coding standards, significantly reducing mean-time-to-remediation.

Key security capabilities include real-time secrets detection with automatic validation and mitigation, comprehensive container scanning that maps vulnerabilities directly to source code, and intelligent dependency management with automated SCA upgrades. The platform maintains SOC 2 Type 2 compliance and ISO 27001 certification, ensuring enterprise-grade security standards. Arnica's unique value proposition lies in its ability to scale security across entire organizations while maintaining development velocity, providing complete visibility into code risks, and enabling proactive security measures that prevent vulnerabilities from reaching production environments.

## Arnica Pros & Cons
**What users like:**

- Users value the **accuracy of findings** in Arnica, ensuring precise insights into privilege management and security. (1 review)
- Users value the **actionable recommendations** from Arnica, simplifying the management of elevated privileges and enhancing security. (1 review)
- Users value the **ease of setup and administration** of Arnica, which saves time and enhances convenience. (1 review)
- Users love the **easy setup** of Arnica, allowing quick administration and efficient use of the product. (1 review)
- Users appreciate the **effective remediation of over-provisioning** with Arnica, enhancing security while simplifying privilege management. (1 review)
- Risk Management (1 review)
- Security (1 review)
- Users find **Vulnerability Detection** in Arnica invaluable for efficiently identifying and managing security risks in repositories. (1 review)

**What users dislike:**

- Users feel the **limited availability of features** in Arnica for smaller teams restricts their access to essential protections. (1 review)

## Arnica Reviews
### 1. Developer-friendly AppSec with a flexible policy engine

**Rating:** 5.0/5.0 stars

**Reviewed by:** Thomas G. | Senior DevSecOps Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** June 15, 2026

**What do you like best about Arnica?**

I deployed Arnica to replace Checkmarx at a previous company, and I have brought it with me to several startups I support since then. I still use it in my current role, in a somewhat different capacity than the full enterprise program I originally ran.

The policy engine was the primary reason we selected it after evaluating multiple products, since none of the other vendors we tested could offer comparable granularity at the time. It deployed fast across GitHub and Azure DevOps through SCM integration, with no CI rework to start getting value, and our first blocking policy was live within 90 days.

We were able to create granular PR policies on severity, EPSS, finding type, direct versus transitive and prod versus dev dependencies, and package reputation, which let us stage enforcement from annotations into blocking and turn rollout into measurable maturity milestones.

It also strengthened our Security Champions program, since we could empower champions to review dismissals for their own teams. Developer experience improved because people handled findings in code they were already changing instead of years of historical debt.

Customer success has been a genuine strength, responsive and willing to help with rollout, and several requests we raised shipped faster than I expected.

The SBOM explorer experience is also something I personally appreciate; I use it regularly to check exposure across the organizations I support whenever another large supply chain attack hits the news.

My use of the AI review features is still early, more proof of concept than a rollout. I feel positive about the direction, since reviewing AI-generated code is a real challenge and having policy enforcement meet it at the source is the right place to solve it.

On cost, it was priced competitively against the other vendors we evaluated and the per-identity model scaled sensibly as the team grew.

**What do you dislike about Arnica?**

Dashboard and reporting could be smoother, especially for executive or audit reporting, though I did not find it better in Checkmarx, Snyk, or GitHub Advanced Security. The API was accessible and well-documented enough that our vulnerability management aggregation platform built an integration to it, and we separately pulled findings into our own reporting. 

We had some early challenges with SAST rule quality for older, non-web languages, C++ in particular, where SAST quality tends to be inconsistent industry-wide. We worked with Arnica on custom rules and coverage has improved since. 

No DAST, which was a lower priority given our focus on pre-production risk, but runtime-heavy teams should weigh that. 

The per-identity pricing model also made direct comparison against other vendors trickier, since most of them price differently, and it took some work to walk our finance stakeholders through it before a deal could move forward, though we concluded the pricing was fair once we normalized the comparison.

**What problems is Arnica solving and how is that benefiting you?**

The goal was to get more traction from existing application security coverage across SCA, SAST, secrets detection, and SBOM, without slowing engineering down on GitHub and Azure DevOps. In a previous deployment we selected it because we were not seeing consistent, organization-wide reduction in findings, largely because of how findings were delivered, and we wanted a tool that would let us run a focused, prioritized reduction process. 

Delivering findings at the SCM layer meant developers mostly dealt with issues in the code they were actively changing rather than a backlog of historical debt they had no context for, which is what finally moved the needle on reduction. 

The policy engine flexibility gave us a concrete way to prioritize in a common way across our other product security programs, since we could place emphasis on issues with demonstrated impact that came through bug bounty and red team work, and further tie that back to how Security Champions reviewed and drove remediation on their teams. That pulled four programs into a shared product security effort with a common incentive.

The other ongoing benefit is supply-chain visibility: when a major dependency compromise hits the news, I can check exposure across the organizations I support quickly.

**Official Response from Anna Daugherty:**

> Thank you so much for your feedback, Thomas. We appreciate the detailed review, and are always looking to improve our features and capabilities. We can't wait to share exciting new updates at Arnica with you! 

### 2. Intuitive Dashboards and AI That Finds Real Issues

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Computer Software | Enterprise (> 1000 emp.)

**Reviewed Date:** June 17, 2026

**What do you like best about Arnica?**

Works well within existing pipelines. The dashboards are intuitive to use. It is simple for developers to find their findings to address their code issues. The SLAs per branch are useful when you have many different development teams. The newer AI capabilities work well to find real issues instead of FUD.

**What do you dislike about Arnica?**

While the dashboard is intuitive, management reporting would be useful. The lack of DAST compared to competitors is a small issue.

**What problems is Arnica solving and how is that benefiting you?**

We can find and resolve coding issues earlier in the SDLC, reducing the cost to fix problems which speaks to the ROI of the product.

### 3. Great Security Coverage at a Reasonable Price

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Small-Business (50 or fewer emp.)

**Reviewed Date:** June 03, 2026

**What do you like best about Arnica?**

You quickly understand the security posture of your codebase and can maintain continuous oversight while delegating day-to-day security responsibilities to contributing developers.

**What do you dislike about Arnica?**

The user interface can be confusing. For example, I couldn't easily find the option to remove a monitored repository.

**What problems is Arnica solving and how is that benefiting you?**

Nowadays, as hybrid code developed by both humans and AI agents is rapidly created and deployed, security risks are increasing exponentially. I needed a budget-sensitive tool that could help me mitigate those risks.

**Official Response from Anna Daugherty:**

> Thank you for your feedback. We appreciate it! 

### 4. Intuitive and flexible

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Financial Services | Enterprise (> 1000 emp.)

**Reviewed Date:** August 26, 2024

**What do you like best about Arnica?**

Easy setup and administration was my favorite part. It had what we needed, but took a fraction of the time to set up.

**What do you dislike about Arnica?**

It can be tedious logging in multiple times throughout the day, but short login sessions are generally more secure.

**What problems is Arnica solving and how is that benefiting you?**

Arnica assists us with vulnerability detection (SAST and SCA), and its prioritization to make meaningful strides in remediation.

### 5. Security Professionals operate on the concepts of Need to Know & Least Privileged Access

**Rating:** 4.5/5.0 stars

**Reviewed by:** Robert V. | Mid-Market (51-1000 emp.)

**Reviewed Date:** March 15, 2023

**What do you like best about Arnica?**

Development and Security are often at odds when granting elevated privileges to source code repositories. A security team asking developers to prove they need elevated privileges causes the "Trust Me" conversation, where developers argue that they should be trusted to have complete control of the source code.

Adopting Zero Trust strategies is helping to remediate over-provisioning in many systems, but source code repositories remain a source of contention. Arnica allows Security teams to discover elevated privileges that have been granted but rarely, if ever, used.

With Arnica, Need to Know & Least-Privileged Access metrics are always available without input from developers.

Removing unused, elevated privileges effectively reduces the attack surface and associated risk to intellectual property.

Remediation of discovered overprovisioning is simple and easily documented for change control.

**What do you dislike about Arnica?**

The complete feature set in Arnica is only available to GitHub Enterprise organizations. Smaller teams not ready to move to GitHub Enterprise will not have the full set of protections.

However, discovering and mitigating risk in source code repositories at any level improves overall risk in any software firm.

**What problems is Arnica solving and how is that benefiting you?**

Securing source code in Agile software firms requires visibility into the privileges granted to the Organization. Repositories are often misclassified as public or "open source" when the proprietary nature of the project is not fully understood. Individuals with unnecessary elevated privileges can expose intellectual property by facilitating collaboration inappropriately.

Arnica gives firms visibility, analysis, reporting and remediation capabilities on GitHub, securing the organization without removing privileges that are necessary for the appropriate individuals.

### 6. Easy to use tool for managing risks on GitHub

**Rating:** 5.0/5.0 stars

**Reviewed by:** Lucas F. | Director of Engineering, Small-Business (50 or fewer emp.)

**Reviewed Date:** December 06, 2022

**What do you like best about Arnica?**

Could not be easier to use. Quickly connect to your GitHub and get a robust delineation of all potential vulnerabilities in your repository. Can't wait for more features to come out and to use this tool more regularly as our team scales.

**What do you dislike about Arnica?**

Very limited areas of confusing UI and ideally would love to see more integrations across my stack to detect vulnerabilities and excessive perms.

**What problems is Arnica solving and how is that benefiting you?**

Peace of mind knowing that our repo is safe and tightly controlled with a revolving door of contractors coming in and out of our operation.

### 7. Arnica provides both the visibility and the ability to take action with regards to Git permissions

**Rating:** 5.0/5.0 stars

**Reviewed by:** Guy G. | Security Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** October 14, 2022

**What do you like best about Arnica?**

Arnica's detections are data-driven, which means it is most likely a true positive when something is detected.
Taking action with Arnica against its detection helps ease the mitigation process.
Arnica's team is always looking to expand its discoveries with new types of detections and improve existing ones.

**What do you dislike about Arnica?**

We look forward to expanding our use of Arnica in our environment.

**What problems is Arnica solving and how is that benefiting you?**

Arnica solves the Git access management problems that are always left behind because it is time-consuming and hard to manage.
The fact that it is done automatically with intelligence helps us implement the solution and take action confidently.

### 8. Arnica made it way easier to manage repo security, saved money too!

**Rating:** 5.0/5.0 stars

**Reviewed by:** Joe W. | Sr. VP of Technology, Enterprise (> 1000 emp.)

**Reviewed Date:** May 25, 2022

**What do you like best about Arnica?**

With Arnica, we are streamlining the review process through data-driven analytics and automation to guard against the accumulation of excessive permissions. Arnica has already paid for itself through process optimization and developer tool cost savings by right-sizing commercial licenses.

**What do you dislike about Arnica?**

We are happy with the product capabilities. We are eager to see how the feature set grows.

**What problems is Arnica solving and how is that benefiting you?**

We are securing the DevOps supply chain. We are also managing entitlements and permissions for our 3000 developers. The tool is also being used to manage down waste in licensing unused tools.


## Arnica Discussions
- [What is Arnica used for?](https://www.g2.com/discussions/what-is-arnica-used-for)

## Arnica Integrations
- [Azure Pipelines](https://www.g2.com/products/azure-pipelines/reviews)
- [Bitbucket](https://www.g2.com/products/bitbucket/reviews)
- [Claude](https://www.g2.com/products/anthropic-claude/reviews)
- [Claude](https://www.g2.com/products/claude-2025-12-11/reviews)
- [Claude](https://www.g2.com/products/claude/reviews)
- [Claude](https://www.g2.com/products/claude-claude/reviews)
- [Cursor](https://www.g2.com/products/cursor/reviews)
- [Gemini](https://www.g2.com/products/ignite-enterprise-software-solutions-inc-gemini/reviews)
- [Gemini](https://www.g2.com/products/zen-healthcare-it-gemini/reviews)
- [Gemini](https://www.g2.com/products/gemini-storybook-gemini/reviews)
- [Gemini](https://www.g2.com/products/gemini-trust-company-llc-gemini/reviews)
- [Gemini](https://www.g2.com/products/google-gemini/reviews)
- [Gemini](https://www.g2.com/products/gemini-2021-11-09/reviews)
- [Gemini](https://www.g2.com/products/blue-rocket-incorporated-gemini/reviews)
- [Gemini](https://www.g2.com/products/gemini-advanced-marketing-solutions-gemini/reviews)
- [GitHub](https://www.g2.com/products/github/reviews)
- [GitHub Copilot](https://www.g2.com/products/github-copilot/reviews)
- [GitHub Copilot](https://www.g2.com/products/github-github-copilot/reviews)
- [GitLab](https://www.g2.com/products/gitlab/reviews)
- [Jira](https://www.g2.com/products/jira/reviews)
- [Kubernetes](https://www.g2.com/products/kubernetes/reviews)
- [Kubernetes](https://www.g2.com/products/american-cloud-kubernetes/reviews)
- [Microsoft Teams](https://www.g2.com/products/microsoft-teams/reviews)
- [Microsoft Teams](https://www.g2.com/products/epc-group-microsoft-partner-microsoft-teams/reviews)
- [Openai](https://www.g2.com/products/openai/reviews)
- [seemplicity](https://www.g2.com/products/seemplicity/reviews)
- [Slack](https://www.g2.com/products/slack/reviews)

## Arnica Features
**Administration**
- API / Integrations
- Extensibility

**Functionality - Software Composition Analysis**
- Language Support
- Integration
- Transparency

**Security**
- Tampering
- Malicious Code
- Verification
- Security Risks

**Risk management - Application Security Posture Management (ASPM)**
- Vulnerability Management
- Risk Assessment and Prioritization
- Compliance Management
- Policy Enforcement

**Functionality - Software Bill of Materials (SBOM)**
- Format Support
- Annotations
- Attestation

**Cloud Visibility**
- Data Discovery
- Cloud Registry
- Cloud Gap Analytics

**Analysis**
- Reporting and Analytics
- Issue Tracking
- Static Code Analysis
- Code Analysis

**Effectiveness - Software Composition Analysis**
- Remediation Suggestions
- Continuous Monitoring
- Thorough Detection

**Tracking**
- Bill of Materials
- Audit Trails
- Monitoring

**Integration and efficiency - Application Security Posture Management (ASPM)**
- Integration with Development Tools
- Automation and Efficiency

**Management - Software Bill of Materials (SBOM)**
- Monitoring
- Dashboards
- User Provisioning

**Security**
- Data Security
- Data loss Prevention
- Security Auditing

**Testing**
- Command-Line Tools
- Manual Testing
- Test Automation
- Compliance Testing
- Black-Box Scanning
- Detection Rate
- False Positives

**Reporting and Analytics - Application Security Posture Management (ASPM)**
- Trend Analysis
- Risk Scoring
- Customizable Dashboards

**Identity**
- SSO
- Governance
- User Analytics

**Agentic AI - Static Application Security Testing (SAST)**
- Autonomous Task Execution

**Agentic AI - Application Security Posture Management (ASPM)**
- Autonomous Task Execution
- Multi-step Planning

## Top Arnica Alternatives
- [GitHub](https://www.g2.com/products/github/reviews) - 4.7/5.0 (2,301 reviews)
- [GitLab](https://www.g2.com/products/gitlab/reviews) - 4.5/5.0 (880 reviews)
- [Wiz](https://www.g2.com/products/wiz-wiz/reviews) - 4.7/5.0 (809 reviews)

