Product Updates

Starting February 24, 2026, Snyk Code will begin a phased rollout of support for Ruby 4.0. This initial update focuses on foundational parser improvements and enhanced support for Ruby modules to accommodate the latest language features.

• Ruby 4.0 Parser: Support for new syntax and language features introduced in the Ruby 4.0 specification.

• Module Analysis: Improved understanding of Ruby module structures for more accurate pathing and taint flow.

Impact on Results: Because this update provides a more precise interpretation of Ruby codebases, customers may see an increase in findings as the engine identifies issues that were previously outside the parser's scope.

This release is the first in a series of planned enhancements to our Ruby analysis engine scheduled for the first half of 2026. We will continue to announce significant updates and further improvements in this area as they are rolled out.

This update will be automatically available to all customers using Snyk Code for Ruby.

We are excited to announce the general availability of Broken Object Level Authorization (BOLA) detection for OpenAPI targets, starting today. This feature uses artificial intelligence (AI), particularly large language models (LLMs), to identify unauthorized data access risks. You can now test for these vulnerabilities using the built-in API Normal or API Full scanning profiles.

BOLA is ranked as the primary risk in the OWASP API Top 10. By automating the detection of this complex vulnerability, we help you move beyond manual security reviews and reduce the risk of data leaks. Our goal is to provide proactive protection for your APIs by identifying authorization flaws before they can be exploited.

To use this feature, you must configure API target authentication for two separate users. The second user acts as the attacker and should have the same or lower privileges than the first user, and should not have access to the first user's resources. Once configured, our scanning engines will automatically attempt to detect if the second user can inadvertently access data belonging to the first, providing clear visibility into potential authorization gaps.

To learn more, visit How to set up your target for testing BOLA vulnerabilities? in our user documentation.

We're excited to introduce the first automatic solution for correlating static application security testing (SAST) and dynamic application security testing (DAST) findings. By connecting Snyk Code issues with Snyk API & Web results, we can now pinpoint the exact line of code responsible for a DAST vulnerability, helping you understand exactly where your code needs to be fixed and speed up your remediation process.

Vulnerabilities discovered during DAST can often be difficult and time-consuming for developers to locate within the source code. This update automates that manual search process. By using artificial intelligence to map runtime findings back to static code analysis, we're helping your teams reduce the mean time to remediate and focus on fixing issues rather than finding them.

In order to use our SAST/DAST correlation, you just need to link your Snyk API & Web targets to your Snyk Code projects and scan your API & Web targets the way you're used to. We'll do all the heavy lifting for you, and show you the corresponding SAST issue that matches our DAST finding, with the context and link directly to the code that needs to be fixed to mitigate the vulnerability.

Learn more about it here

We’re expanding our analytics capabilities by making the analytics page available at the Group and Organization (Org) levels. Previously, this customizable view was only accessible at the tenant level. We've renamed the Reports page in the left navigation to Analytics at both the Group and Org levels. To access all reports, navigate to Analytics and select the Reports tab, which will display the Reports Catalog. We've also updated the URL path to use "analytics" instead of "reporting."

We want to provide Group and Org admins with a top-down, customizable view into their specific security data. By bringing the analytics page to every level of the hierarchy, we’re making it easier for you to gain insights without needing tenant-level access. This update allows you to build and customize dashboards that hone in on the specific metrics you care about, such as filtering by specific Orgs within a Group or tracking high-priority vulnerability trends across your immediate business units. This flexibility ensures you can focus on the risk data most relevant to your specific area of responsibility.

You can now build and view analytics dashboards tailored to your specific Group or Org. While we’ve removed the report selector dropdown, we’ve put redirects in place so your saved views and favorited pages continue to work. Under our current permission model, Group admins can view analytics for their specific group and all associated Orgs, while Org admins can focus on their individual Org data.

To learn more, visit Snyk Analytics in our user documentation.

Microsoft is phasing out global personal access tokens (PATs) and replacing them with more secure, scoped, and manageable credentials. These tokens currently grant access to every Azure organization that a user belongs to. You need to update your Azure Repos integrations with Snyk to organization-scoped tokens to maintain your connection.

Upcoming deadlines

• March 15, 2026: Microsoft stops issuing new global personal access tokens.

• December 1, 2026: Microsoft disables all existing global personal access tokens.

Update your connection

1. Generate a new Personal Access Token (PAT) in Azure DevOps. Ensure the token is scoped specifically to the Azure Organizations you need. You can find guidance in the Microsoft documentation.

2. Update the token at both the Groups level and the Organizations level.

   • Log in to Snyk.

   • Navigate to Group-level Integrations and find your Azure Repos integration settings. Create a single profile for each Azure organization and enter the new PAT. This is required for Asset discovery and enrichment.

   • Navigate to Org-level Integrations and find your Azure Repos integration settings. Clear the old token and enter the new PAT. This supports rest of the other Snyk features.

3. If you are using a Snyk Broker, you will also need to follow the setup-specific documentation to set the PAT.

   • Update the token for your Classic Broker.

   • Update the token for your Universal Broker.

Read the Microsoft announcement for more information.

We have released a new version of our Visual Studio Code IDE plugin. This update addresses minor bug fixes and improvements, including:

• Fix for the automated registration of Snyk’s MCP server when using Snyk’s IDE plugin and Copilot in VSCode

If you have any questions, feel free to reach out to the Snyk support team.

We are excited to announce the Early Access launch of Breakability Analysis for Snyk Pull Requests, furthering our mission to help developers fix vulnerabilities without slowing down innovation.

We understand that the "fear of breaking the build" is a major blocker to keeping dependencies up to date. Updating a library to fix a security issue shouldn't feel like a gamble. That’s why we have introduced a new predictive risk assessment to help you distinguish between a quick fix and a complex upgrade.

Starting today via Snyk Preview, Snyk will analyze proposed dependency upgrades and assign a Breakability (Merge) Risk Score directly within the PR description:

• 🟢 Low Risk (Safe to Merge): We have high confidence the upgrade contains only non-breaking changes (e.g., security patches or EOL runtime drops). These are strong candidates for auto-merging.

• 🟡 Medium Risk: Caution is advised due to ambiguous change log data or environmental factors.

• 🔴 High Risk (Action Required): We have identified likely breaking changes (e.g., API removals) that likely require code refactoring. These should be prioritized for a dedicated sprint.

This insight allows your team to burn down the backlog of "Low Risk" fixes quickly while preventing "High Risk" upgrades from silently breaking your builds.

This feature is available now in Early Access for supported ecosystems. You can enable it for your organization by navigating to Settings > Snyk Preview.

Read more about the assessment here.

Enjoy merging with confidence!

P.S. Please note that at this time, Breakability Analysis involves sending package information, including the current and proposed upgrade version, to an LLM. AI generated content may contain errors and should be reviewed for accuracy before use.

We’ve completed the migration of Snyk Advisor into security.snyk.io, bringing package intelligence directly into the security experience.

Package pages now include Snyk Advisor insights alongside vulnerability data, providing a more complete and consistent view of open-source package health.

What’s new

• Snyk Advisor metrics - Popularity, Maintenance, Security, and Community - now appear directly on package pages for supported ecosystems.

• Package health insights can be explored without leaving security.snyk.io.

• Advisor URLs now redirect to their corresponding package pages on security.snyk.io.
  

These updates make it easier to evaluate open source packages in context, supported by the same trusted data that powers Snyk Advisor.

To explore the updated experience, visit any package page on security.snyk.io. For more details, see Snyk Docs and the Blog post.

Snyk Code enhances analysis across multiple language ecosystems

We’ve updated Snyk Code to improve accuracy and coverage for many of the languages and frameworks you use. These enhancements help identify more true positive findings and remove false positives from your results, providing a more reliable view of your security posture.

Expanded language and framework support

The latest updates introduce support for several modern frameworks and libraries:

• C# 14 and .NET 10: Analysis now includes the latest C# and .NET versions, which also covers VB.NET applications built on the .NET 10 framework.

• Kotlin and Java: We improved support for Spring WebFlux and Jax-RS in Kotlin. We also added better coverage for grpc-spring based gRPC clients in both Java and Kotlin.

• JavaScript and TypeScript: Snyk Code now supports the Sequelize library.

• Go: We added support for the Fiber framework.

• Swift: Analysis now includes the grpc-swift library for gRPC use cases.

These changes will be available as part of our general availability support for these ecosystems. You can see these improvements reflected in your scan results in the Web UI or CLI.

The changes will roll out on February 23, 2026.

To learn more, visit Snyk Code language and framework support in our user documentation.

We’ve introduced the follow-scan command to the Snyk API & Web (DAST) command-line interface (CLI) starting with version 0.0.1a15. This update allows the CLI to wait for a scan to finish before your CI/CD pipeline continues. We've also added new configuration options that let you set time limits for scans and define specific vulnerability thresholds that will automatically fail a build. After each run, we provide a direct link to your results for faster triaging.

You can now automatically block high-risk code from progressing through your CI/CD pipeline. By using the latest CLI version, you gain native control over build failures without needing to manage complex workarounds or manual checks.

To learn more, visit Snyk API & Web CLI documentation.