Fintech Pomelo resolves 9,500 vulnerabilities across 900 repositories in under a month with Snyk
Argentine fintech Pomelo replaced a fragile custom-built security orb with Snyk's application security platform, onboarding ~900 repositories and ~200 developers in under a month and resolving 9,500 vulnerabilities — including 200 critical issues with 100 containing mature exploits.
Background
Pomelo's rapid growth from a small team to a 200-developer organization with ~900 repositories overwhelmed its custom-built security tooling. Multiple tools in multiple languages generated incompatible output formats, high false-positive rates, and no unified view — making regulatory audit reporting extremely difficult in a heavily regulated fintech environment.
What Was Implemented
- Replaced custom CircleCI orb security tooling with Snyk's unified application security platform
- Deployed Snyk Open Source (SCA) and Snyk Code (SAST) across all ~900 repositories within one month
- Onboarded ~200 developers with security training for managers and engineers
- Integrated Snyk with existing tools: GitHub, CircleCI, Jira, and Slack (Snyk-Slack integration for real-time issue alerts)
- Purchased Snyk via AWS Marketplace to leverage existing AWS billing and streamline procurement
Results
Pomelo resolved 9,500 vulnerabilities since implementing Snyk, comprising 2,150 high-severity and 200 critical-severity issues, including 100 with mature exploits . The team achieved 100% repository coverage (~900 repos) and developer access for ~200 engineers in under one month — faster than typical enterprise security rollouts. Unified reporting eliminated the multi-format fragmentation that had made audit compliance reporting impractical.
Lessons
- In fast-growing fintechs, custom-built security tooling becomes a liability rather than an asset as repository counts scale into the hundreds.
- Developer adoption of security tools is a prerequisite for effectiveness; tools that are visible in existing workflows (GitHub, Slack, CircleCI) achieve higher adoption than portal-based alternatives.
- Consolidated security data from a single platform dramatically simplifies regulatory compliance reporting — a meaningful differentiator in financial services.
- AWS Marketplace procurement integration reduces time-to-value in organizations already running on AWS.
- A unified platform that supports multiple languages from a single scan (Go, Python, etc.) eliminates the context-switching that fragmented toolchains impose.