
SOLVED

AEM Users: Which Third-Party Tool Do You Prefer - Veracode, Snyk, or Others?

Level 2

Hi AEM Community,

I’m reaching out to gather insights on the third-party tools you use for Adobe Experience Manager (AEM) that will allow us to increase the security on our codebase/projects. Specifically, I’m interested in understanding your experiences with tools like Veracode and Snyk, but I’m also open to hearing about any other tools you find valuable.

Here are a few questions to guide your responses:

  1. Which third-party tool do you use with AEM (e.g., Veracode, Snyk, or another tool)?
  2. What are the key benefits you’ve experienced with this tool?
  3. Are there any challenges or limitations you’ve encountered?
  4. How has this tool impacted your workflow or project outcomes?
  5. Would you recommend this tool to other AEM users? Why or why not?

Your feedback will be incredibly helpful for anyone looking to enhance security on AEM with reliable third-party tools.

Thank you in advance for sharing your experiences!

1 Accepted Solution

Correct answer by
Level 8

Hi @JM-JosePerez,

on my current project, we are using:

  • GitHub Actions for CI/CD like AEM Git Sync, RDE Deployments, UI Testing, Performance Testing
    • Pros: Simple to use but still powerful, many plugins available that make integration with other tools simple, Dependabot raises automatic PRs for dependency updates, branch protection rules ensure quality gates pass
    • Cons: Haven't found one yet, it was a great experience to migrate from Jenkins to Actions
    • Recommendation: 5/5
  • SonarQube with Custom AEM Rules for static code checks on every PR
    • Pros: Catches a lot of issues in the code, ensures good code coverage, ability to develop and install custom rules, easy to automate with GitHub Actions
    • Cons: Some rules are opinionated, not so simple to write custom rules, the cloud version doesn't allow custom plugins/rules
    • Recommendation: 4/5
  • Snyk for license and vulnerability checks on every PR
    • Pros: Super simple to set up, PR decorations work on the Cloud version with just one click, simple interface with guidance on how to fix vulnerabilities and the ability to automatically open PRs for new vulnerabilities found
    • Cons: I haven't used it for a long time, but for now it does exactly what we need it to do
    • Recommendation: 5/5
  • Sentry for real-user monitoring, core web vitals, and frontend errors
    • Pros: Important not to forget about frontend errors and performance as every project has them, quite simple to set up, a powerful interface enables easy team collaboration, and can automatically track releases and link issues to commits
    • Cons: Requires someone to review, manage and prioritize issues
    • Recommendation: 5/5

Hope this helps,

Daniel

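As an added example (not part of Daniel's reply and not any project's real configuration), here is how the pieces he lists can be wired together for an AEM Maven project: a GitHub Actions workflow that builds on every pull request, runs a Snyk vulnerability and license test that fails the check at high severity or above, and runs a SonarQube scan against a self-hosted server (the edition that accepts custom AEM rules), plus the Dependabot config that raises the automatic dependency-update PRs. The file names, the Java version and the secret names `SNYK_TOKEN`, `SONAR_HOST_URL` and `SONAR_TOKEN` are assumptions; the two files are shown as one YAML stream separated by `---`.

```yaml
# file: .github/workflows/pr-checks.yml  (assumed file name)
name: PR quality gates

on:
  pull_request:
    branches: [main]

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # full history so Sonar can attribute new-code coverage to the PR
          fetch-depth: 0

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'   # assumed; match the Java level of your AEM SDK
          cache: maven

      # Build, run unit tests and produce the JaCoCo report that Sonar reads
      - name: Build and test
        run: mvn -B clean verify

      # Snyk open-source test: vulnerabilities and license issues in the
      # dependency tree; the step fails (and blocks the PR) at high+ severity
      - name: Snyk dependency scan
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed secret name
        with:
          args: --severity-threshold=high

      # SonarQube static analysis on a self-hosted server (custom rules allowed)
      - name: SonarQube scan
        run: >
          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }}
          -Dsonar.token=${{ secrets.SONAR_TOKEN }}
---
# file: .github/dependabot.yml  (assumed file name)
# Dependabot opens a PR per outdated Maven dependency; each PR then goes
# through the workflow above, so an update that introduces a known
# vulnerability is caught before merge.
version: 2
updates:
  - package-ecosystem: maven
    directory: /
    schedule:
      interval: weekly
```

The gate only bites once a branch protection rule on `main` lists the `build-and-scan` check as required; without that, a failed scan is visible but still mergeable. On SonarQube servers older than 10.x the scanner expects `-Dsonar.login` instead of `-Dsonar.token`, and the Snyk threshold should be chosen deliberately: `high` keeps the check quiet on low-risk findings but means medium-severity issues only show up in the Snyk dashboard, not as a blocked PR.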
4 Replies

Community Advisor

@JM-JosePerez When you say you want to enhance the AEM setup, where exactly? Is it in content creation, pipeline setup for deployment or DevOps, security scanning for vulnerabilities, or anything else?
It looks like the products you mentioned are code scans for security? Currently we use Nexus IQ scans for code vulnerabilities; they even look for vulnerabilities in dependency jars, and we address the issues.

Your questions are very broad to discuss.

Level 2

Thank you for the pointers. I have edited the questions to make it clearer for the community. My company and I will look at Nexus IQ but would love to know any other recommendations too!

Thank you!

Level 2

Thank you so much for your comprehensive and insightful reply! Your breakdown of the tools and their pros and cons is incredibly helpful.