Skip to main content

Product Updates

Engine
Surface
AI Workflows
Area
Release Status

Showing 1 - 10 of 449 updates

Support for Bruno Collections in API Targets

New

Snyk API & Web now provides native support for Bruno collections. You can import your collections directly into the platform to create API Targets without converting files to Postman collections or OpenAPI schemas first.

For teams using Bruno, this update simplifies API targets setup with several key capabilities:

  • Collection Imports: Upload Bruno collections directly using a ZIP file or folder.

  • Environment Variable Syncing: Snyk uploads collection environments automatically. The platform scans the import and warns you if any variables are missing required secret values.

  • Authentication Support: Use authentication types derived from the collection or custom authentication scripts.

For a step-by-step walkthrough on importing your first collection, refer to the article in our Help Center.

Headshot of Natalia Yurchenko

Natalia Yurchenko | Senior Product Manager

Tags:

Announcing Snyk CLI v1.1306.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1306.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Doctor

    • Adds a new snyk doctor command, giving you a quick way to diagnose common CLI problems by generating a diagnostic report for your system or analyzing debug log output.

  • Container

    • Container scans now detect the Java runtime version across a wider range of JVM base images, and can find vulnerabilities in .NET application dependencies.

  • Snyk Studio MCP

    • The breakability evaluation tool in the Snyk MCP Server is now enabled by default and no longer requires an experimental flag.

  • SCA Test

    • Improves dependency detection for Gradle projects.

  • Additional Reliability and Performance Improvements

    • Shows a warning when a request is automatically retried due to rate limiting, instead of retrying silently.

    • Skips the reachability upload when no supported files are present, instead of failing.

    • Fixes dependency resolution for Swift Package Manager projects that reference packages by registry identity, so they're correctly matched to their GitHub source for vulnerability scanning.

    • Fixes scanning of sbt projects with custom Scala configurations.

    • Fixes a bug where scanning Yarn workspaces could report vulnerabilities from a workspace member's dev dependencies as production dependencies, when that member was consumed by a sibling package.

    • Updates dependencies to fix vulnerabilities.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

Matt Dolan | Senior Product Manager

Snyk Code: July Release, C++ rules, Java library coverage, and JavaScript Insecure Transmission

Improved

The July release expands Snyk Code coverage for C++ with several new rules and broader native C++ detection, improves detection for several popular Java libraries, and adds a new Insecure Transmission rule for JavaScript and TypeScript. These changes arrive with the July release on 13 July 2026

What's changing

New rules

  • Log Forging, C++ (CWE-117, high): flags untrusted user input reaching a logging sink, which can let an attacker forge or corrupt log entries.

  • Improper Privilege Management, C++ (CWE-269, high): flags a privilege-dropping call whose result is not verified; a failed call can leave the process running with elevated privileges.

  • Missing Authorization, C++ (CWE-862, CWE-732): flags overly permissive file permissions (world-writable or world-executable), and calls that pass root (UID or GID 0) to privilege-escalation or file-ownership functions.

  • SSL/TLS Certificate Verification Bypass, C++ (CWE-295, medium): detects disabled certificate verification across seven TLS frameworks (OpenSSL, Qt, mbedTLS, libcurl, Boost.Asio, libpq, libpqxx), which exposes connections to man-in-the-middle attacks.

  • Insecure TLS Configuration, C++ (CWE-327, high): detects insecure TLS configuration, such as enabling outdated TLS versions.

  • Sensitive Cookie Without Secure Attribute, C++ (CWE-614, low): flags cookies that omit the Secure attribute, either by default or explicitly set to false, leaving them exposed to man-in-the-middle attacks.

  • Insecure Transmission, JavaScript (CWE-319): detects cleartext transmission over insecure transports beyond HTTP. Initial coverage targets Redis clients (@redis/client, ioredis, redis) connecting over a non-TLS redis:// URL. New rule-key, separate from HttpToHttps.

New C++ coverage

Detection now extended to native C++ for:

  • Code Injection (CWE-94): across six framework modules: dlopen, LoadLibrary, Lua, CPython, Duktape, QuickJS.

  • Insecure Storage (CWE-922, info): sqlite, realm, leveldb, rocksdb, lmdb, Qt.

  • Insecure Cipher (CWE-327): broader native C++ crypto coverage (OpenSSL, Botan, libsodium, libtomcrypt, libgcrypt, Crypto++, mbedTLS).

Expanded Java library coverage

Improved detection for code using these popular Java libraries:

  • Azure SDK for Java (com.azure:azure-core)

  • Logback (ch.qos.logback:logback-classic)

  • Reactor Netty HTTP (io.projectreactor.netty:reactor-netty-http)

  • Apache Kafka clients (org.apache.kafka:kafka-clients)

  • Jackson (com.fasterxml.jackson.core: jackson-databind and jackson-core)

Important details to note

  • C++ customers may see new findings after the July release, in particular from the new rules above.

  • TLS rule reclassification: the existing TLS rule (Inadequate Encryption Strength) is moving from CWE-326 to CWE-327 across C++, Groovy, Java, Kotlin, Python, Scala and Swift. Customers with policies or ignores tied to the TLS rule under CWE-326 should review them. The TLS detection has also been refactored, so customers may see a change in the volume of TLS-related findings.

  • The C++ Insecure Storage rule is info-level and may increase findings, including some false positives (early triage sampled 50 of 491 new findings: 47 true positives, 3 false positives).

  • The JavaScript Insecure Transmission rule ships as a new rule-key, separate from HttpToHttps, so ignore and policy scoping stays clean.

To learn more, visit our Snyk User Documentation.

Nina Kanti | Senior Product Manager

Tags:

Issue alert emails: updating the default

On July 27, 2026, Snyk updates the default setting for issue alert emails to ensure every notification you receive is relevant to your work. These emails alert you to newly detected vulnerabilities and license violations.

Summary of changes

If you have never manually configured your notification preferences, you stop receiving these emails after July 27, 2026. This update moves issue alert notifications to an opt-in model so they only reach you if they are useful to your workflow. If you have already chosen which emails you receive, your preferences do not change and remain preserved exactly as they are.

Manage your preferences

You can keep receiving these emails by saving your preferences before the July 27 deadline, or you can re-enable them at any time afterward. Wherever you can set issue alert notifications, a banner appears in the Snyk web UI. To opt in instantly, click Keep my current selections in the banner.

You can also manually manage your settings:

  • For personal preferences: Navigate to Account Settings, click Notifications, find the issue alert emails for the relevant Organizations, and save your preference.

  • For Organizations admins: Navigate to Organization Settings, click Notifications, and update the default for all members of your organization.

  • For Groups admins: Navigate to Group, click Notifications, and manage issue alert settings across every organization in the Groups from a single page.

To learn more, visit Manage notifications

Neha Shenoy | Senior Product Manager

Announcing Snyk CLI v1.1305.2

Fix

We are pleased to announce Snyk CLI release, v1.1305.2.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Bumped the Go runtime to version 1.26.4.

  • Improved MCP logging and addressed security issues in the Snyk MCP Server.

  • Fixed vulnerabilities:

    • CVE-2026-44705

    • CVE-2026-45570

    • CVE-2026-49982

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Tags:

Snyk Learn lesson roundup: what’s new in June

New

This month on Snyk Learn, we’ve added new AI security lessons covering the attacks that target agentic systems: getting agents to run code they shouldn't, poisoning their memory to bend their reasoning, and exploiting the gaps where agents talk to each other!

Security lessons

Expanded framework & language coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Use Snyk Learn to help your security engineers and developers stay ahead of the latest risks!

Bonus Content

Snyk is also publishing videos on AI coding and AI security on our YouTube channel! If you would like to see content like this on Snyk Learn, use the feedback button on Snyk Learn to let us know.

Snyk YouTube

Headshot of Alex Ley

Alex Ley | Senior Director, Snyk Learn

Automatically Close Obsolete Open Source Fix PRs with Help from Snyk, Now Generally Available!

General availability

A cluttered PR backlog slows everyone down.

Following a successful Early Access, automatic closing of Open Source Fix PRs is now generally available. What's more, this feature will be turned on by default across all of our customers so your team spends less time triaging stale pull requests and more time shipping.

Whether a developer manually applied a fix, removed the dependency, or a transitive update resolved the issue, Snyk catches it during your next recurring test and closes the outdated PR. We also drop a comment on the PR explaining exactly which issues were resolved, so your team always has the right context without the extra noise.

How it works:

  • Snyk checks your open Fix PRs during recurring tests.

  • If the targeted dependency was removed, updated transitively, or fixed manually, the PR is automatically closed.

  • Snyk leaves a comment detailing the resolved issues so your team knows exactly why it was closed.

  • A Fix PR is only closed if all issues are resolved—if some remain, Snyk leaves the PR open so nothing falls through the cracks.

What's new at GA: With the general availability rollout, this feature is now enabled by default for all organizations. Administrators who prefer to manage closures manually can opt out from the settings page. You can now also configure the maximum number of obsolete PRs Snyk will close per day. giving you control of your workflow, a top piece of feedback from Early Access.

We hope you enjoy cleaner, more actionable backlogs!

Headshot of  Ryan McMorrow

Ryan McMorrow | Product Lead, Remediation

Rescheduling Snyk Code June Update on June 15 to June 22

Improved

The upcoming improvements for our Snyk Code: June Update will be postponed from June 15 to June 22. We're running a final round of quality validation to make sure these updates deliver the most accurate results.

These updates, including broader TLS and cryptographic detection for .NET and expanded PHP SQL injection coverage, will now go live on June 22.

Nina Kanti | Senior Product Manager

Tags:

Assess secure-at-inception effectiveness with the Prevention report (Early Access)

Early access

We are thrilled to announce that the Prevention Report is now available in Early Access!

Measuring the true impact of "shifting left" has traditionally been a challenge. We designed the Prevention report to give you clear, actionable visibility into the effectiveness of security adoption directly within your development lifecycle.

This new report tracks the vulnerabilities developers proactively remediate at the point of creation in Snyk Code and Secrets—long before those issues ever reach a pull request or production environment. Data is seamlessly captured in the background as your team works across our developer surfaces, including Snyk Studio (MCP), IDE plugins and extensions, and the CLI.

The Prevention report enables you to:

  • Measure proactive security: Track the total number of raw fixes and monitor your fix rate over time using our new prevention key performance indicators (KPIs).

  • Analyze developer workflows: Break down fixes by surface area to understand exactly where your team prefers to resolve issues (MCP, IDE, or CLI).

  • Identify trends and champions: Leverage the Fix-by-Developer leaderboard and detailed vulnerability breakdowns to see which types of vulnerabilities developers squash immediately, and which ones are detected but left unfixed.

  • Enrich your Analytics Overview: Enable fix-by-surface KPIs and a new fix trends chart directly within your primary Analytics Overview dashboard for a comprehensive view of your security posture.

You can now directly measure the effectiveness of your IDE or MCP-based security efforts. By tracking vulnerabilities remediated early in the development lifecycle, you gain the data needed to prove the success of your security programs and validate your application security strategy.

To learn more, visit our Snyk User Documentation.

Headshot of Sara Meadzinger

Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1305.1

Fix

We are pleased to announce Snyk CLI release, v1.1305.1

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Improved rate-limit handling: the CLI now respects the X-RateLimit-Reset header when it is rate limited by the API, so retries wait the correct amount of time. This improves the reliability of scans in high-volume and CI/CD environments.

  • Fixed vulnerabilities:

    • CVE-2026-39827

    • CVE-2026-39831

    • CVE-2026-33186 (IaC extensions)

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Tags: