Product Updates


Learning Programs enters Early Access in Snyk Learn

Early access

We are introducing Learning Programs in Snyk Learn, now available in early access (EA) for Learning Management Add-On customers. This feature allows you to curate specific paths of security education and product training, then assign them to groups of users from across your Snyk Tenant. You can build these tracks using our existing catalog, enroll participants in bulk, and monitor progress in real time. To help maintain high completion rates, we have also added automated email reminders.

We want to help you move beyond ad-hoc training by providing a structured way to automate security onboarding, meet compliance requirements like SOC2 or ISO27001, and drive targeted remediation. By grouping lessons into formal programs, we make it easier for security leaders to ensure that the right teams are learning the right skills at the right time.

Tenant admins can now manage these initiatives directly from the Snyk Learn dashboard under the Management menu. You can delegate management to team leads or security champions by creating a custom role via the Snyk API with specific permissions. Your developers will see a dedicated "assigned programs" section on their dashboard with a familiar Learning Path experience to guide them through their required lessons.

While in Early Access, learning programs are limited to 300 users per program, and programs must be created using the UI. Throughout Early Access, we will be rolling out workflow enhancements and additional reporting capabilities via Snyk Learn Program Reports.

You can provide feedback through in-app pop-ups, to your Snyk account team, and to support@snyk.io.

To get started, visit Snyk Learn or our Snyk Learn User Documentation for more information.


Alex Ley | Director, Snyk Learn

Announcing snyk_package_health_check for Snyk Studio

New

Starting February 25, 2026, we are introducing snyk_package_health_check for Snyk Studio. This update brings Secure at inception protection to dependency selection in agentic development workflows, ensuring that AI coding assistants evaluate open-source packages before they enter your project.

As AI coding assistants increasingly select and install dependencies autonomously, security must move earlier in the workflow. This feature enables AI agents to use insights from the Snyk security database to evaluate packages at the moment they are chosen.
This functionality is available in an Experimental profile for several supported ecosystems, including npm, PyPI, Maven, NuGet, and Golang.

New capabilities

  • Package health checks across four dimensions: Security, Maintenance, Community, and Popularity.

  • Clear guidance outcomes to help manage agent behavior, including Healthy, Review recommended, Not recommended, and Unknown/insufficient data.

  • Policy-driven guardrails that allow Organizations to require health checks, pause on risk signals, block unsafe packages, and enforce human approval.

Why this matters

Evaluating package health before installation reduces supply chain risk, which is critical because AI agents can introduce dependencies at scale. Integrating snyk_package_health_check into MCP extends your security policies and governance directly into AI-assisted development.

If you have any questions, please reach out to the Snyk Support team. To learn more about snyk_package_health_check, visit the Snyk documentation.



Noa Yaffe-Ermoza | Product Manager

Announcing Improved Reachability Analysis for JavaScript, Java, and Python

General availability

We are excited to share that starting on 9 March, we will introduce significant coverage and quality improvements to Reachability for JavaScript, Java, and Python. By deepening our mapping of cross-package relationships and upgrading our underlying ecosystem analysis, we've increased both the precision and recall of our engine.

Why Reachability matters 

Snyk’s Reachability analysis scans your source code to determine if the specific code that makes a vulnerability exploitable is actually being called, either directly or transitively.

This critical context allows you to:

  • Gauge exploitation likelihood: Easily distinguish between theoretical risk and actual, exploitable risk.

  • Prioritize effectively: Cut through the noise and focus your developers on the vulnerabilities that matter most.

  • Drive risk-based security: Use Reachability independently or alongside the Snyk Risk Score to build a comprehensive risk-prioritization strategy.

What this release means for you 

By addressing both false positives and false negatives, we are ensuring your findings are more accurate and actionable than ever before. As we release these changes, you may notice significant fluctuations in the reachability and Risk Score for issues in the following project types: npm, pnpm, yarn, maven, gradle, pip, pipenv, and poetry. 

For more information on how to optimize your workflows with these new improvements, please check out our user documentation.


Johann Sutherland

Risk Exposure Report is now GA

General availability

We’ve added new analytics functionality to the Risk Exposure report to help you better understand and manage your security posture. We’re introducing clickable objects within the Risk Breakdown table that allow you to drill down into specific issues and assets directly from the report. To provide more context, we’ve also added tooltips for categories such as Baseline Issue, Non Preventable Issue, Preventable Issue, and Other New Issue. Additionally, the Risk Exposure Trend now includes new viewing options, allowing you to filter open issues by Snyk product, exploit maturity, and top organizations (Orgs).

We’re moving this report from early access to general availability (GA) to provide a more comprehensive view of your application security (AppSec) risk. By aligning widget filters and adding trend data for specific products and exploit maturity levels, we're making it easier for you to pinpoint exactly where risk is originating and how it's evolving over time.

You can now interact with the Risk Breakdown table and trend lines to open detailed drawers for specific issues and impacted assets. This makes it faster to investigate why a trend has changed without leaving the report. The new tooltips clearly define how we categorize different issue types, ensuring your team has a shared understanding of risk definitions. If you manage multiple organizations, the new "Top Orgs" view helps you quickly identify which areas of your business require the most attention based on open issue counts.


Sara Meadzinger | Staff Product Manager

Improved .NET scanning is now generally available

General availability

We're excited to share that "improved .NET scanning" has moved out of Snyk Preview and is now generally available.

It is now easier than ever to onboard your .NET repos and gain visibility into your software supply chain with a high degree of accuracy.

This release covers SCM integrations, the CLI and CI/CD plugins, and the IDE, providing consistent results across your software development lifecycle.

Private package and Snyk Broker support

Managing private dependencies is critical for enterprise development, so we have expanded support for self-hosted and private NuGet packages to ensure you have visibility into your entire software supply chain.

  • Universal Broker: If you use the universal Broker, you can now fully scan private packages hosted on brokered connections to Artifactory and Nexus.

Enhanced accuracy and performance

We have updated the scanning architecture to use the native dependency resolution logic of the .NET ecosystem. By using the dotnet SDK directly to resolve dependencies, Snyk now provides a highly precise representation of your project's dependency graph.

Expanded project support

We are removing the barriers to scanning complex configurations. You can now scan any SDK-style Project that builds successfully with the dotnet SDK. This includes broad support for standard build customization files such as global.json, Directory.Build.props, and Directory.Packages.props without requiring additional configuration.

Additionally, this update unlocks support for Windows-specific frameworks—including WPF and WCF—for environments running .NET SDK 10 or higher.

Availability

These improvements will be released gradually starting in mid-February and are designed to be non-disruptive to your existing workflows.

For more information on configuration and support, see the Snyk documentation for .NET.


Johann Sutherland

Secure your OpenAPI targets against BOLA vulnerabilities with Snyk API & Web

General availability

We are excited to announce the general availability of Broken Object Level Authorization (BOLA) detection for OpenAPI targets, starting today. This feature uses artificial intelligence (AI), particularly large language models (LLMs), to identify unauthorized data access risks. You can now test for these vulnerabilities using the built-in API Normal or API Full scanning profiles.

BOLA is ranked as the primary risk in the OWASP API Top 10. By automating the detection of this complex vulnerability, we help you move beyond manual security reviews and reduce the risk of data leaks. Our goal is to provide proactive protection for your APIs by identifying authorization flaws before they can be exploited.

To use this feature, you must configure API target authentication for two separate users. The second user acts as the attacker and should have the same or lower privileges than the first user, and should not have access to the first user's resources. Once configured, our scanning engines will automatically attempt to detect if the second user can inadvertently access data belonging to the first, providing clear visibility into potential authorization gaps.

To learn more, visit How to set up your target for testing BOLA vulnerabilities? in our user documentation.


Ana Pascoal | Product Manager


Snyk Code - Ruby 4 Support

General availability

Starting February 24, 2026, Snyk Code will begin a phased rollout of support for Ruby 4.0. This initial update focuses on foundational parser improvements and enhanced support for Ruby modules to accommodate the latest language features.

  • Ruby 4.0 Parser: Support for new syntax and language features introduced in the Ruby 4.0 specification.

  • Module Analysis: Improved understanding of Ruby module structures for more accurate pathing and taint flow.

Impact on Results: Because this update provides a more precise interpretation of Ruby codebases, customers may see an increase in findings as the engine identifies issues that were previously outside the parser's scope.

This release is the first in a series of planned enhancements to our Ruby analysis engine scheduled for the first half of 2026. We will continue to announce significant updates and further improvements in this area as they are rolled out.

This update will be automatically available to all customers using Snyk Code for Ruby.


Sebastian Roth | Senior Product Manager


Closing the gap between code and runtime with SAST/DAST correlation

New

We're excited to introduce the first automatic solution for correlating static application security testing (SAST) and dynamic application security testing (DAST) findings. By connecting Snyk Code issues with Snyk API & Web results, we can now pinpoint the exact line of code responsible for a DAST vulnerability, helping you understand exactly where your code needs to be fixed and speed up your remediation process.

Vulnerabilities discovered during DAST can often be difficult and time-consuming for developers to locate within the source code. This update automates that manual search process. By using artificial intelligence to map runtime findings back to static code analysis, we're helping your teams reduce the mean time to remediate and focus on fixing issues rather than finding them.

In order to use our SAST/DAST correlation, you just need to link your Snyk API & Web targets to your Snyk Code projects and scan your API & Web targets the way you're used to. We'll do all the heavy lifting for you, and show you the corresponding SAST issue that matches our DAST finding, with the context and link directly to the code that needs to be fixed to mitigate the vulnerability.

Learn more about it here


Ricardo Alves | Director, Product Management

Analytics now available for groups and organizations

General availability

We’re expanding our analytics capabilities by making the analytics page available at the Group and Organization (Org) levels. Previously, this customizable view was only accessible at the tenant level. We've renamed the Reports page in the left navigation to Analytics at both the Group and Org levels. To access all reports, navigate to Analytics and select the Reports tab, which will display the Reports Catalog. We've also updated the URL path to use "analytics" instead of "reporting."

We want to provide Group and Org admins with a top-down, customizable view into their specific security data. By bringing the analytics page to every level of the hierarchy, we’re making it easier for you to gain insights without needing tenant-level access. This update allows you to build and customize dashboards that home in on the specific metrics you care about, such as filtering by specific Orgs within a Group or tracking high-priority vulnerability trends across your immediate business units. This flexibility ensures you can focus on the risk data most relevant to your specific area of responsibility.

You can now build and view analytics dashboards tailored to your specific Group or Org. While we’ve removed the report selector dropdown, we’ve put redirects in place so your saved views and favorited pages continue to work. Under our current permission model, Group admins can view analytics for their specific group and all associated Orgs, while Org admins can focus on their individual Org data.

To learn more, visit Snyk Analytics in our user documentation.


Sara Meadzinger | Staff Product Manager

Microsoft retires Azure global personal access tokens

Deprecated

Microsoft is phasing out global personal access tokens (PATs) and replacing them with more secure, scoped, and manageable credentials. These tokens currently grant access to every Azure organization that a user belongs to. You need to update your Azure Repos integrations with Snyk to organization-scoped tokens to maintain your connection.

Upcoming deadlines

  • March 15, 2026: Microsoft stops issuing new global personal access tokens.

  • December 1, 2026: Microsoft disables all existing global personal access tokens.

Update your connection

  1. Generate a new Personal Access Token (PAT) in Azure DevOps. Ensure the token is scoped specifically to the Azure Organizations you need. You can find guidance in the Microsoft documentation.

  2. Update the token at both the Groups level and the Organizations level.

    • Log in to Snyk.

    • Navigate to Group-level Integrations and find your Azure Repos integration settings. Create a single profile for each Azure organization and enter the new PAT. This is required for Asset discovery and enrichment.

    • Navigate to Org-level Integrations and find your Azure Repos integration settings. Clear the old token and enter the new PAT. This supports the rest of the Snyk features.

  3. If you are using a Snyk Broker, you will also need to follow the setup-specific documentation to set the PAT.

Read the Microsoft announcement for more information.


Mayank Khera | Senior Product Manager