Product Updates

Snyk API & Web MCP Server brings even more security to your IDE

You can use the Snyk API & Web MCP server to bring Snyk security capabilities directly into your AI-native development environment. By using the Model Context Protocol (MCP), you can use natural language to onboard targets, configure DAST authentication, scan targets, and triage vulnerabilities without leaving your IDE.

Security workflows often require manual effort and constant context switching. We built the Snyk API & Web MCP server to eliminate this friction. Previously, setting up and onboarding new targets required significant manual work. This integration simplifies these processes and removes the need for security plumbing between tools.

This release benefits Appsec and Dev Teams using MCP-enabled tools like Claude Desktop, Cursor, or Windsurf.

• From UI-heavy to chat-native: Instead of navigating menus to set up a scan, you can tell your assistant to automatically onboard and configure a new Snyk API & Web target

• Automated authentication: Use AI to help generate and implement the authentication scripts required for deep web scans.

Learn more about these capabilities in the Snyk API & Web MCP Server documentation.

We have released a new CLI hotfix (v1.1303.2) to address the following:

• Security Fixes

  • We have implemented a fix for a vulnerability identified in our underlying gRPC library

• Snyk Open Source

  • Optimized Privilege Evaluation: Resolved a bug where the CLI repeatedly checked user feature flags when scanning multiple Go projects, resulting in smoother performance.

  • Enhanced PackageURL Handling: Fixed an issue where Go projects using a replace directive with relative paths would encounter formatting errors.

• Snyk Container

  • Go Standard Library: This update introduces expanded support for the Go Standard Library within Snyk Container scans.

• Snyk Evo (Agent Red Teaming)

  • Attack Profiles: Users can now leverage the --profile flag to choose from pre-configured attack goals, including fast, security, and safety profiles.

  • Improved Terminology: We have updated our internal naming conventions for goals, strategies, and attacks to provide a more intuitive user experience.

  • Improved Onboarding: Interactive wizard to guide users through Agent Red Teaming configuration and setup.

Release notes can be found here.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

We’re adding an analytics overview widget that tracks the total number of Snyk projects being monitored. This key performance indicator (KPI) is available in the Widget selector, allowing you to add it to your saved dashboards. This update helps you visualize the total count of projects being continuously monitored for open-source vulnerabilities and license issues, after you use the snyk monitor command.

We want to provide better visibility into the scale of your security program. By adding a dedicated KPI for monitored projects, we make it easier for you to track the coverage of your continuous monitoring.

After you log in, navigate to your analytics dashboard and open the Widget selector. Select the new Projects Monitored KPI to add it to a Saved dashboard. This provides an immediate view of how many projects are being continuously monitored for vulnerabilities and license issues.

To learn more, visit Analytics or Snyk CLI commands in our user documentation.

Starting March 30, 2026, we’ve updated Snyk Code to provide more accurate results and reduce developer friction. These improvements help you focus on exploitable production code by reducing false positives and automatically deprioritizing issues found in test environments.

By refining our detection logic across several languages, we've lowered noise and increased the catch rate for critical vulnerabilities.

Improvements to scanning precision

We've focused on three key areas to improve your triage experience:

• Reduced noise: We've significantly lowered the number of false positives for .NET CSRF and JVM-based certificate validation.

• Risk-based triage: JavaScript vulnerabilities located in test classes now appear as Low severity. This change allows you to spend more time on production code rather than test mocks.

• Higher confidence: We've increased the true positive catch rate for hardcoded passwords in PHP and CSRF vulnerabilities in Kotlin.

Language-specific updates

You can see these improvements reflected in the following areas:

• .NET (C#): Enhanced CSRF detection with an 18% reduction in false positives.

• JavaScript: Automated detection of test classes to reclassify issues as Low severity.

• Kotlin: Improved support for detecting disabled CSRF protection in Spring Apps and refined SQLi precision.

• JVM (Java, Groovy, Kotlin, Scala): Improved logic for CWE-295 (Improper Certificate Validation).

• PHP: Expanded patterns for hardcoded password detection.

Important details to note

All percentage improvements are based on Snyk’s curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for JavaScript as issues move to Low based on their file location. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Snyk Code updates for Ruby include Sinatra support and RSpec noise reduction

Starting March 23, 2026, we've updated Snyk Code to provide broader coverage and more precise results for Ruby developers. These improvements expand support to the Sinatra framework and general Ruby applications while helping you manage alert noise in test files.

Expanding Ruby support beyond Rails

You can now use Snyk Code to secure applications built with Sinatra or vanilla Ruby. We've added new sources, sinks, and sanitizers to our knowledge base to ensure your microservices and monoliths receive accurate security analysis regardless of the framework you choose.

Reducing noise in RSpec test suites

To prevent non-production vulnerabilities from cluttering your results, Snyk Code now automatically identifies RSpec files. The engine regrades security issues found in these files to Low Severity. This change acknowledges the lower risk profile of test code and helps ensure your PR Checks remain focused on production-ready code.

Higher precision for object-oriented code

We've enhanced how Snyk Code tracks data flow through Ruby classes. The engine now better understands custom getters, setters, and direct field accesses. This improvement leads to more accurate detection and reduces both false positives and false negatives in complex codebases. Organizations making extensive use of custom fields can expect more reliable results that reflect how their data actually moves through the application.

To learn more, visit our Snyk User Documentation.

To learn more, visit Snyk Code language and framework support.

We’ve added a new Custom Headers module to the Scanner tab within Postman target settings. Much like our existing functionality for Web and OpenAPI targets, you can now configure specific headers and determine whether they should be included in the test surface or not. By default, we treat these headers as static prerequisites — such as authentication tokens — that are sent with every request to satisfy API requirements without being actively tested. If you select the checkbox to test a header, the scanner treats that header value as a testable attack surface and runs full security checks against it.

We’re introducing this update to give you more flexibility and precision when scanning Postman targets. Many APIs require specific headers to function, but not all of those headers need to be subjected to security testing. By allowing you to define which headers are static prerequisites and which should be actively tested, we’re ensuring your scans are both compatible with your API requirements and focused on the right attack surfaces.

You can now manage your Postman targets’ scan configurations more effectively by adding custom headers directly in the UI. When you view your results, the Scan results page for Postman targets now includes a Custom Headers entry in the USED SETTINGS module. This clearly indicates whether custom headers were Enabled or Disabled for that specific scan, providing better auditability for your security testing.

To learn more, visit Understanding Custom Headers in Snyk API & Web in our user documentation.

We have released a new version of our Visual Studio Code IDE plugin. This update addresses minor bug fixes and improvements, including:

• Addresses an issue where the CLI installation warning was incorrectly displayed despite the CLI being installed and the plugin functioning correctly.

If you have any questions, feel free to reach out to the Snyk support team.

Starting on March 6, 2026, we’re introducing Credentials Manager to help you store and manage sensitive authentication data separately from your target configurations. This update simplifies secrets management and allows teams to share authentication setups without exposing actual credentials.

The Credentials Manager replaces the Secret Obfuscation feature, which is now discontinued.

Running dynamic application security testing (DAST) scans requires sensitive information like logins, passwords, and tokens. Previously, these were stored directly within each Target. This made it difficult to manage authentication across multiple targets and made regular password rotation time-consuming. We built this to provide a centralized way to manage these secrets more efficiently.

The Credentials Manager introduces several changes to how you handle sensitive data:

• Centralized storage: You store credentials in a dedicated place, keeping them separate from your Target configuration.

• Write-only secrets: Some credentials are write-only. You can use these in authentication settings, but the values remain hidden after you save them.

• Flexible configuration: You can still create credentials for a single Target if you do not want to save them to the central Credentials Manager.

To learn more, visit How to manage target authentication credentials in Snyk API & Web.

We have released a new CLI hotfix (v1.1303.1) to address the following:

• IDE plugins: Fixes an issue where customers using our most recent IDE plugins release may encounter scans not triggering when Snyk Code is enabled in their IDE settings

• UI: Fixes an issue where JSON output was rendered twice to disk and to standard output

• MCP: Fixes an issue where Snyk rules were not written locally

Release notes can be found here.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

We are pleased to announce the release of new stable versions for our IDE plugins.
The new versions are:

• Visual Studio Code v2.29.0

• JetBrains v2.20.0

• Eclipse v3.8.0

• Visual Studio v2.8.0

This release is focused on enhancing stability and reliability, with key updates including:

• Better error messages when the CLI binary is corrupt

• Bug fix for JetBrains plugins to prevent crashes on startup

• Improvements for “New” issues view when using non-standard git configurations

• Improved org selection when an empty org is specified

Along with additional bug fixes, security updates, and improvements.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.