Product Updates

Severity Condition in Group-Level Policies (GA)

General availability

We are pleased to announce the General Availability (GA) of the Severity Condition in Group-Level Policies.

This new capability empowers you to create more granular policies for taking action (such as ignoring or changing severity) on findings based on their severity. The condition is available for both Code and OS Security group-level policies within the UI.

To learn more about setting up group-level policies, visit our Snyk User Documentation.

Itay Maor | Senior Manager, Product

New Featured Zero Day Report for SHA1-Hulud npm Supply Chain Attack

New

On November 24th, 2025, we detected a new supply chain attack, SHA1-Hulud, impacting the npm ecosystem. We suspect this to be a second wave of the Shai-Hulud attack which took place in September 2025.

As communicated on our Trust Center, Snyk will continue to monitor this active incident through resolution. As of now, we believe over 700 packages have been compromised.

To help you better understand whether or not you have been impacted, we have released a new Featured Zero Day Report named SHA1-Hulud npm Supply Chain Attack - Nov 2025.

As new advisories are added and projects are re-tested, this Report will be populated with issues if Snyk detects the usage of any compromised packages.

Ryan Searle | Product Director

Announcing support for .NET 10 for Open Source

General availability

We're excited to announce support for .NET 10 for Open Source, which was released on November 11. This update ensures you can securely build and scan your newest .NET applications. We’ve added this support for scans using both our command line interface (CLI) and integrations with source code management (SCM) systems. This feature is now generally available (GA) and supported within our "Improved .NET scanning" capability.

The .NET ecosystem is a top priority for many developers and for us. We are committed to providing quick support for all new major releases, and this update continues that commitment. This allows you to adopt new technology without sacrificing security visibility.

All developers using .NET 10 can immediately begin scanning their projects using the Snyk CLI or their integrated SCM tools—no manual configuration or action is required to enable this feature. Please be aware that simply changing your .NET target framework does not automatically update the associated project dependencies.

Note that the `RestoreEnablePackagePruning` flag introduced in .NET 10 prunes unused system packages from the project. Those dependencies can be included again by setting the `RestoreEnablePackagePruning` property to false in your project file or Directory.Build.props file.

To learn more, visit our Snyk User Documentation. For more information about updating the projects, see this help article.

Johann Sutherland

Announcing new versions of Snyk IDE plugins

New

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

This release is focused on enhancing stability and reliability, with key updates including:

  • Automated Org Selection (Early Access): When enabled, Snyk will automatically select the most appropriate organization for your project using context found in your repository and your authentication. If an organization is configured manually, this feature will be overridden. If an appropriate organization cannot be identified automatically, the preferred organization defined in your web account settings will be used as a fallback.

Note: For Visual Studio Code, new Settings will only appear after the application has been restarted.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

Reachability for Snyk CLI and CI/CD integrations, now in Early Access 🎉

Early access

We’re pleased to announce that Reachability for Snyk CLI and CI/CD integrations is now available in Early Access for all Snyk Open Source customers.

As a refresher, Snyk’s Reachability analysis works by scanning your source code and determining whether the code that makes a vulnerability exploitable is reachable, either directly or transitively.

Starting today, you can now use Reachability with the latest Snyk CLI and CI/CD integrations to prevent these contextually relevant and higher risk issues from reaching production.

For more information on how to get started, please take a look at our User Docs.

Ryan Searle | Product Director

Announcing Snyk CLI v1.1301.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1301.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Snyk Container: Container scanning now supports both Ubuntu Chisel images and zstd-compressed layers, as well as usr/lib JAR files via the `--include-system-jars` parameter.

  • Snyk Open Source: Initial support for Maven 4 is available for Open Source's test, monitor and SBOM commands.

  • Snyk Open Source: Reachability for Snyk CLI and CI/CD integrations is now available in Early Access for all Snyk Open Source customers.

  • Snyk SBOM: A new experimental flag, `--include-provenance`, for Maven projects that includes verification checksums in SBOMs.

  • Snyk Studio: Snyk Studio now supports writing scan output into a file, as well as Service Accounts.

  • Stability, security, and performance: This release also includes numerous bug fixes and enhancements to improve the overall stability, security, and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

Jeff Andersen | Director, Product Management

Snyk Code Update

Improved

We've improved Snyk Code analysis for the .NET, PHP, Python, Go, and Scala ecosystems. These updates increase coverage and analysis quality, providing broader and more accurate static application security testing (SAST) support.

We're expanding our support to include C# 13 and the .NET 9 SDK, additional PHP file extensions (.inc, .module, .install, .theme, and .profile), better Python import support for class instances, support for lib/pq in Go, and support for the Tapir web framework in Scala.

These improvements roll out on November 17, 2025, as part of our General Availability (GA) support for these languages in Snyk Code.

Because analysis quality is enhanced, you may notice a change in your scan results, including new true positives and the removal of previous false positives. No action is required; the updates apply automatically.

To learn more, visit our Snyk User Documentation.

Improved Package Experience on security.snyk.io 🎉

Improved

We’ve enhanced the package experience on security.snyk.io to make it easier to explore package health and security information in one place.

Package pages now include Snyk Advisor insights, bringing together Popularity, Maintenance, Security, and Community data alongside vulnerability details. This delivers a more complete and consistent experience.

What’s new

  • Package intelligence data now appears directly on the package page for supported ecosystems.

  • Advisor metrics (Popularity, Maintenance, Security, Community) can now be explored without leaving security.snyk.io.

These improvements bring greater context and transparency to open source package information while maintaining the same trusted data sources from Snyk Advisor.

To explore the updated experience, visit any package page on security.snyk.io. For more details about how the package health score and its underlying parameters are calculated, see Snyk Docs.


Noa Yaffe-Ermoza | Product Manager

Test your Maven 4 projects now with RC4 support

General availability

Maven 4 is the long-awaited next major upgrade for Maven. We are happy to announce General Availability (GA) support for Maven 4 Release Candidate 4 (RC4). This new capability is available for both our command-line interface (CLI) and source code management (SCM) integrations, giving you the opportunity to test your repositories with this new version of Maven before its official release.

While the official Maven 4 GA release date is not set, we want to provide an opportunity to test your projects in advance. By supporting the final planned Release Candidate, you can get ahead of the official upgrade and help us by giving feedback before the final release.

This update is for early adopters who want to test their repositories against Maven 4 before it becomes official. You can now use Snyk to scan your Maven 4 RC4 projects through the CLI and your SCM integrations. Please be aware that this is support for a Release Candidate, and the following features are not supported:

  • CI-friendly variables

  • Conditional Profile Activation

  • Alternative Project Object Model (POM) syntaxes

Snyk Support for Java and Kotlin

Exploit Maturity - CVSS v4.0 is now in Reporting and Project Page 🎉

Improved

We’re excited to announce the next step in Snyk’s ongoing rollout of CVSS version 4.0 - expanding Exploit Maturity visibility into the Reporting and Project page (Issues Card) experiences.

With this release, you can now view Exploit Maturity (CVSS v4.0) values directly in both Reporting and the Project page, alongside other vulnerability details. This enhancement brings consistency across Snyk’s interfaces, aligning our API and CLI experiences, so teams can more accurately assess exploitability and prioritize remediation.

What’s new

Exploit Maturity (CVSS v4.0) is now available in:

  • Reporting - New Column and Filter Option.

  • Project page (Issues Card) - Visible in issue details and Filter Option.

This enhancement builds on earlier phases of our CVSS 4.0 rollout, extending exploit maturity visibility from the REST Issues API and CLI into the product UI.

For more information about CVSS v4.0, please refer to the blog post: What’s new in CVSS 4.0, or visit our User Docs.

Noa Yaffe-Ermoza | Product Manager