
Product Updates


Assess secure-at-inception effectiveness with the Prevention report (Early Access)

Early access

We are thrilled to announce that the Prevention Report is now available in Early Access!

Measuring the true impact of "shifting left" has traditionally been a challenge. We designed the Prevention report to give you clear, actionable visibility into the effectiveness of security adoption directly within your development lifecycle.

This new report tracks the vulnerabilities developers proactively remediate at the point of creation in Snyk Code and Secrets—long before those issues ever reach a pull request or production environment. Data is seamlessly captured in the background as your team works across our developer surfaces, including Snyk Studio (MCP), IDE plugins and extensions, and the CLI.

The Prevention report enables you to:

  • Measure proactive security: Track the total number of raw fixes and monitor your fix rate over time using our new prevention key performance indicators (KPIs).

  • Analyze developer workflows: Break down fixes by surface area to understand exactly where your team prefers to resolve issues (MCP, IDE, or CLI).

  • Identify trends and champions: Leverage the Fix-by-Developer leaderboard and detailed vulnerability breakdowns to see which types of vulnerabilities developers squash immediately, and which ones are detected but left unfixed.

  • Enrich your Analytics Overview: Enable fix-by-surface KPIs and a new fix trends chart directly within your primary Analytics Overview dashboard for a comprehensive view of your security posture.

You can now directly measure the effectiveness of your IDE or MCP-based security efforts. By tracking vulnerabilities remediated early in the development lifecycle, you gain the data needed to prove the success of your security programs and validate your application security strategy.

To learn more, visit our Snyk User Documentation.


Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1305.1

Fix

We are pleased to announce the Snyk CLI release v1.1305.1.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Improved rate-limit handling: when the API rate-limits the CLI, the CLI now respects the X-RateLimit-Reset header, so retries wait until the limit window resets instead of retrying too early. This improves the reliability of scans in high-volume and CI/CD environments.

  • Fixed vulnerabilities:

    • CVE-2026-39827

    • CVE-2026-39831

    • CVE-2026-33186 (IaC extensions)

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.
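As an added illustration of the retry behaviour the rate-limit bullet describes (example code written for this page, not the Snyk CLI's implementation), here is a retry helper for a script that calls a rate-limited HTTP API from CI. It assumes, as many APIs do, that X-RateLimit-Reset carries either a Unix timestamp or a number of seconds (the page does not say which form the Snyk API sends, so the helper decides by magnitude), falls back to Retry-After and then to jittered exponential backoff, and caps the wait so a CI job cannot stall indefinitely.

```python
import random
import time
from email.utils import parsedate_to_datetime

# Added example, not Snyk CLI code. Assumptions: X-RateLimit-Reset is either a
# Unix timestamp (seconds) or a delay in seconds; Retry-After follows RFC 9110
# (delay-seconds or an HTTP-date). Both are this example's own assumptions.

MAX_WAIT_SECONDS = 300.0          # upper bound so one retry never stalls a CI job for long
EPOCH_THRESHOLD = 10_000_000.0    # larger than any sane delay: treat such values as a timestamp


def rate_limit_wait(headers, now=None, attempt=0):
    """Return how many seconds to sleep before retrying an HTTP 429 response."""
    now = time.time() if now is None else now
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    wait = None

    reset = lower.get("x-ratelimit-reset")
    if reset is not None:
        try:
            value = float(reset)
            wait = value - now if value > EPOCH_THRESHOLD else value
        except ValueError:
            wait = None  # malformed header: ignore it rather than crash the retry loop

    if wait is None and "retry-after" in lower:
        retry_after = lower["retry-after"].strip()
        if retry_after.isdigit():
            wait = float(retry_after)
        else:
            try:
                wait = parsedate_to_datetime(retry_after).timestamp() - now
            except (TypeError, ValueError):
                wait = None

    if wait is None:
        # No usable header: exponential backoff with jitter, so parallel CI jobs
        # do not all retry in the same instant.
        wait = min(2.0 ** attempt, 60.0) + random.uniform(0.0, 1.0)

    # A reset time in the past means the window has already rolled over.
    return max(0.0, min(wait, MAX_WAIT_SECONDS))


def request_with_retry(do_request, max_attempts=5, now=time.time, sleep=time.sleep):
    """Call do_request() -> (status, headers, body); retry on 429 honouring the headers."""
    for attempt in range(max_attempts):
        status, headers, body = do_request()
        if status != 429:
            return status, body
        if attempt == max_attempts - 1:
            break
        sleep(rate_limit_wait(headers, now=now(), attempt=attempt))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed responses: the first call is throttled with a 7-second reset window.
    responses = iter([(429, {"X-RateLimit-Reset": "7"}, ""), (200, {}, '{"ok": true}')])
    slept = []
    result = request_with_retry(lambda: next(responses), now=lambda: 0.0, sleep=slept.append)
    print(result, "slept for", slept)
```

The clock and sleep functions are injectable so the logic can be exercised without real waiting; in production the defaults (`time.time`, `time.sleep`) apply.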

Matt Dolan | Senior Product Manager


Announcing a new Snyk User Docs site structure!

Improved

We are excited to announce a redesign of the Snyk User Docs site, introducing a new structure built around site sections.

What's changed?

The docs are now reorganized into six clearly defined site sections:

  • Discover Snyk: An introduction to the platform, capabilities, and supported languages.

  • Platform administration: Settings, user management, Org configuration, and more.

  • Scan, fix, and prevent: Snyk core security scanning, fixing, and prevention workflows.

  • Developer tools: CLI, IDE integrations, related tooling, and more.

  • Agent security: Agentic and AI-powered security features.

  • Snyk data and governance: Data handling, compliance, and policies.

In addition, there are dedicated sections for Getting started guides and Implementation guides to support onboarding and deployment workflows.

Why have we made this change?

We know that it can be difficult to quickly understand where you are in the product ecosystem when searching for information, with docs feeling fragmented across products and feature areas. This update aims to align content with your real user workflows, reduce the cognitive load of finding information, and improve the overall experience when navigating the docs.

Natasha Ellingford | Senior Technical Writer


Snyk Code: June Update

Improved

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection: Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including when an older protocol is OR-ed into a bitwise flag combination alongside TLS 1.2 or 1.3, since the handshake can still negotiate the older version.

Broader Insecure Cipher coverage for .NET (CWE-327)

Generalised cipher detection for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across the base abstract types and their Windows and Linux platform implementations. Third-party support was added for DH and DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.
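To make the .NET judgements above concrete, here is an added example written for this page; it is not Snyk Code's rule engine, which works on a semantic program model rather than on source lines. It runs line-based versions of three of the checks described (TLS protocol selection older than 1.2 including bitwise combinations, weak cipher and hash algorithms in the standard library and BouncyCastle, and undersized RSA keys) over a constructed C# and VB sample. The .NET and BouncyCastle type names are the real ones; the rule label InsecureTlsProtocol and the 2048-bit RSA floor are this example's own choices, as the page states neither.

```python
import re
from dataclasses import dataclass

# Added example for this page, not Snyk Code's rule engine. It approximates three
# of the checks the June update describes for C# and VB source:
#   - TLS protocol selection older than 1.2, including bitwise flag combinations
#   - insecure cipher and hash algorithms, standard library and BouncyCastle
#   - RSA keys below a minimum size (the 2048-bit floor is this example's own
#     assumption; the page states no threshold)

# System.Net.SecurityProtocolType and System.Security.Authentication.SslProtocols
# share these member names. Only Tls12 and Tls13 count as safe.
INSECURE_PROTOCOLS = {"Ssl2", "Ssl3", "Tls", "Tls11"}
# Composite member: in both enums, Default == Ssl3 | Tls.
PROTOCOL_ALIASES = {"Default": {"Ssl3", "Tls"}}
PROTOCOL_MEMBER = re.compile(r"\b(?:SecurityProtocolType|SslProtocols)\.(\w+)")

# Type names that select a weak algorithm: .NET standard library first,
# then the BouncyCastle engine/digest classes.
WEAK_ALGORITHMS = {
    "DES":        ("DES", "DESCryptoServiceProvider", "DesEngine"),
    "Triple DES": ("TripleDES", "TripleDESCryptoServiceProvider", "TripleDESCng", "DesEdeEngine"),
    "RC2":        ("RC2", "RC2CryptoServiceProvider", "RC2Engine"),
    "RC4":        ("RC4Engine",),
    "Skipjack":   ("SkipjackEngine",),
    "MD5":        ("MD5", "MD5CryptoServiceProvider", "MD5Cng", "MD5Digest"),
    "SHA-1":      ("SHA1", "SHA1Managed", "SHA1CryptoServiceProvider", "SHA1Cng", "Sha1Digest"),
}
WEAK_ALGORITHM_PATTERNS = {
    name: re.compile(r"\b(?:" + "|".join(map(re.escape, types)) + r")\b")
    for name, types in WEAK_ALGORITHMS.items()
}

MIN_RSA_BITS = 2048  # assumption, see above
RSA_KEYGEN = re.compile(
    r"\b(?:RSACryptoServiceProvider|RSACng|RSAOpenSsl|RSA\.Create)\s*\(\s*(\d+)\s*\)")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str    # InsecureCipher and TooSmallKeySize are the page's names; InsecureTlsProtocol is this example's label
    detail: str


def check_protocols(line_no, text):
    enabled = set()
    for member in PROTOCOL_MEMBER.findall(text):
        enabled |= PROTOCOL_ALIASES.get(member, {member})
    insecure = sorted(enabled & INSECURE_PROTOCOLS)
    if not insecure:
        return []
    # OR-ing Tls12/Tls13 into the flags does not rescue the expression: the
    # handshake may still negotiate the older version, so the line is reported.
    return [Finding(line_no, "InsecureTlsProtocol", "enables " + ", ".join(insecure))]


def check_algorithms(line_no, text):
    return [Finding(line_no, "InsecureCipher", name)
            for name, pattern in WEAK_ALGORITHM_PATTERNS.items() if pattern.search(text)]


def check_key_sizes(line_no, text):
    return [Finding(line_no, "TooSmallKeySize", f"RSA {bits}-bit key")
            for bits in RSA_KEYGEN.findall(text) if int(bits) < MIN_RSA_BITS]


def scan(source):
    """Run every check over each line of C# or VB source and collect findings."""
    findings = []
    for line_no, text in enumerate(source.splitlines(), start=1):
        for check in (check_protocols, check_algorithms, check_key_sizes):
            findings.extend(check(line_no, text))
    return findings


# Constructed sample input, one statement per line. Lines 2 and 9 are clean.
SAMPLE_CSHARP = """\
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls12;
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Default;
await sslStream.AuthenticateAsClientAsync(host, null, SslProtocols.Tls11, false);
using var hash = MD5.Create();
var cipher = new TripleDESCryptoServiceProvider();
var rsa = new RSACryptoServiceProvider(1024);
var engine = new RC4Engine();
using var aes = Aes.Create();
"""
SAMPLE_VB = "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 Or SecurityProtocolType.Tls12\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_CSHARP + SAMPLE_VB):
        print(finding)
```

Because the VB `Or` operator and the C# `|` operator both leave the enum member names intact, the same member regex serves both languages, which is also why `SecurityProtocolType.Default` must be expanded to its Ssl3 and Tls components before the comparison.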

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class, through a single level of indirection (caller → wrapper → mysql_query).

Important details to note

  • You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.

  • RC2 is reclassified from TooSmallKeySize to InsecureCipher. Customers with ignores or policies tied to specific rule keys should review them, as entries keyed to the old rule may no longer apply to RC2 findings (scope is .NET (C# and VB) only).

  • A small number of false positives on CryptoServiceProvider classes, related to read-only KeySize properties, will no longer fire. These were never actionable (scope is .NET (C# and VB) only).

  • PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

To learn more, visit our Snyk User Documentation.


Nina Kanti | Senior Product Manager


Announcing Agent Fix: New Agentic Workflow & Model Upgrade

Improved

New Model & New Architecture

We're happy to announce we're upgrading Agent Fix to use the Claude family of models enhanced by Snyk's tooling and intelligence. This move delivers the following major improvements:

Security & Functional Enhancements

  • Agentic Retries: Our new workflow now detects where code suggestions deviate from security best practices. Instead of discarding the result, the system analyzes the failure and injects tailored guidance into the agent's subsequent attempts. 

  • Dynamic Few-Shot Prompting: We now use the same training set used to fine-tune our internal model to dynamically provide secure fix examples for the new model to follow. 

Expanded Support

  • Full Language Coverage: We will enable support for all Snyk Code languages on Day 1, removing previous limitations on language availability.

  • Comprehensive Rule Support: AI-powered fixes are now available for all supported rules and vulnerability types across the platform.

Measurable Impact

  • Golden Test Benchmark: Both Sonnet 4.6 and Opus 4.6 saw improved performance against Snyk’s Golden Test benchmark (72.4% to 82.5% and 74.6% to 85.4% respectively) with this new architecture vs. the models on their own.

Check out the blog for more details. This update started rolling out on May 26th and will reach 100% by end of day on May 28th.

David Alessi | Staff Product Manager

OWASP Top 10:2025 Support in Snyk API & Web

Improved

Snyk API & Web now supports the OWASP Top 10:2025 standard for compliance reporting. Users can generate compliance reports against either OWASP 2025 or OWASP 2021 — both versions remain available.

The OWASP Top 10 is the most widely referenced application security framework globally. It's used by enterprises for compliance programs, audit preparation, security training, and vulnerability prioritization.

The OWASP Top 10:2025 was officially published in November 2025 and is being adopted by enterprises, auditors, and compliance programs now. Organizations need their security tools to support the current standard for audit-ready compliance reports.

Without 2025 support, compliance teams face manual workarounds — exporting findings to spreadsheets and cross-referencing against the new standard — a time-consuming and error-prone process.


What changed in OWASP Top 10 2025:

  • Two new categories: A03 (Software Supply Chain Failures) and A10 (Mishandling of Exceptional Conditions)

  • Re-ranked categories: Security Misconfiguration moved from #5 to #2; Injection dropped from #3 to #5; Cryptographic Failures dropped from #2 to #4

  • SSRF reclassification: Server-Side Request Forgery is now classified under A01 (Broken Access Control) instead of having its own category


How to use:

  1. From the Scan Activity list or from your Scan details, click on the Reports button to expand it

  2. Select the OWASP version you need:

    • OWASP Top 10 2025 — for audits, compliance programs, or reporting against the current standard

    • OWASP Top 10 2021 — for historical comparisons or programs that haven't migrated to the 2025 edition yet

  3. Generate your report — all findings are automatically mapped to the selected standard

What you'll see:

  • Compliance reports are clearly labeled with the selected OWASP version

  • Versioned compliance labels throughout the product (target details, scan details, finding details) show which standard a finding is failing to comply with (e.g., OWASP 2025, OWASP 2021)

To learn more, visit Types of scan reports you can generate with Snyk API & Web in our user documentation.


Ana Pascoal | Product Manager


Announcing Snyk CLI v1.1305.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1305.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • SBOM

    • Introduces the --allow-incomplete-sbom flag for snyk sbom, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results.

  • Container

    • Speed up snyk container monitor by sending dependency requests in parallel, configurable via the SNYK_REQUEST_CONCURRENCY environment variable.

  • MCP

    • Adds an experimental breakability evaluation tool to the Snyk MCP Server.

  • Static CLI binaries for Linux

    • Linux ARM64 and AMD64 binaries are now statically linked by default.

  • Additional Reliability and Performance Improvements

    • npm package aliases from the lockfile are now used correctly by the test command.

    • Fixes parsing of Python .whl files when scanning projects with --all-projects.

    • Updates dependencies to fix vulnerabilities.


If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

Matt Dolan | Senior Product Manager

More flexibility when exporting table data to CSV with Snyk API & Web

Improved

We've improved the recently introduced Download CSV feature to offer greater flexibility when exporting data directly from the Snyk API & Web interface.

We understand that analyzing security data often happens outside of our platform. The original Download CSV functionality was added to save you time and streamline custom reporting and internal data manipulation. This expansion provides even more power and flexibility by allowing you to select from a comprehensive range of fields, ensuring you get exactly the data you need for your external analysis.

This feature is available to all users across all account plans. If you have access to a table, you can download its data.

To learn more, visit How to export table data to CSV in our user documentation.


Ana Pascoal | Product Manager


Snyk Learn lesson roundup: what’s new in May

New

This month on Snyk Learn, there are brand new lessons for Evo by Snyk, along with a refreshed "Snyk in an IDE" lesson set. We are also excited to launch the new AI Secure Development learning path, where you will learn to build any app securely using AI while mastering foundational AI-powered security topics such as prompt injection and MCP.

Try the new "Feedback" button on learn.snyk.io (login required) to share feedback and topic suggestions.

Security lessons

Snyk platform lessons

  • [New] Navigating the Evo Interface - a new lesson to familiarize yourself with the unified agentic interface in Evo by Snyk.

  • [New] AI Security Posture Management (AI-SPM) - a new lesson that enables users to detect AI assets via AI-BOM scans and enforce governance through Natural Language Policies as well as traditional menu items.

We have refreshed the following lessons to ensure all content reflects our current platform and products, also providing a streamlined, role-based learning experience:

  • [Updated] Using Snyk in an IDE - updated to reflect the Developer’s workflow, including installing the plugin, authenticating, and using real-time scanning to find and fix vulnerabilities without leaving your IDE.

  • [Updated] Administrating Snyk in an IDE - formerly part of the “Using Snyk in an IDE” course, this lesson now focuses on the Administrator’s workflow, including advanced configuration and governance.

Expanded framework and coding languages coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10 learning path.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Snyk Studio: Introducing Asynchronous, Hooks-Based Guardrails for AI Agents

Early access

Introducing Hooks-Based Guardrails

Snyk Studio is evolving our agentic guardrails to enable deeper trust in agent-generated code. We are debuting a new asynchronous, hooks-based approach to replace traditional rules-based guardrails, ensuring that security remains deterministic and efficient without slowing down the developer loop.

As agentic development has matured, initial friction points in rules-based models have become apparent. By transitioning to a hooks-based architecture, Snyk Studio resolves these key challenges with the traditional rules-based approach:

  • Determinism: While agents may occasionally ignore traditional rules, hooks are deterministic, ensuring that defined security scans are executed every time.

  • Low latency: Unlike rules-based models that add visible friction to the developer experience, hooks run scans in the background, keeping the developer loop responsive.

  • Context Window Efficiency: The rules-based approach injected Snyk scan results into the agent's context window, consuming limited token space. Hooks decouple scan execution and results, keeping the context window focused on coding tasks.

Support for Leading ADEs

We have targeted support for the hook-based approach to cover popular Agentic Development Environments (ADEs) across both Windows and macOS. You can now leverage Snyk Studio guardrails in:

  • Claude Code

  • Cursor

  • Gemini CLI

  • Codex CLI (coming soon)

We also support automatic configuration of the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill for:

  • Kiro

  • Windsurf

  • Copilot CLI

  • Copilot VS Code Extension

Scaling for the Enterprise

To simplify adoption, we have released an installation script to automate configuration and deployment. The install script:

  • Supports Windows and Mac

  • Can be used via MDM to support distribution at scale

  • Installs the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon), Kiro, Windsurf, Copilot CLI, and the Copilot VS Code Extension

  • Installs hooks on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon)

Getting Started

See our revamped documentation to get hooks configured and installed in your favorite ADE.

What’s Next

We will continue to expand support for additional ADEs and are working to integrate Snyk Studio distribution directly with Agent Scan and Agent Guard.

Sam Broadaway | Senior Product Manager

Ezra Tanzer | Director, Product Management