Product Updates

API Changelogs are now GA!

New

Snyk delivers a number of REST API improvements and changes regularly which can be incredibly beneficial. However, given the frequency of delivery, it can be difficult to keep track of these changes at a glance, which means that you might be missing out on key improvements or potentially breaking changes.

With this in mind, we’re pleased to announce that we have created and exposed a changelog for our API. This changelog will outline which REST endpoints have been affected, what the change was, and whether it’s breaking. You can also look at the changes per version of the API.

Custom PR templates are now GA

New

We are excited to announce the GA release of the Custom PR templates feature, bringing a stable and extensive solution for letting you customize the title, description and commit message for PRs being raised by Snyk.

The General Availability version delivers:

  • You can customize the PR look either at the repo level (via a YAML file upload) or Group level (via an API call)

  • You can customize PRs by type (Container PRs & OS PRs)

More details on the feature are available in our documentation.

[Image: a YAML file for a Snyk PR template with title, commitMessage, and description]

Costin Busioc | Senior Product Manager

Snyk Code Improvements: BinaryFormatterUsage Support

New

We are excited to announce improvements to our Deserialization of Untrusted Data (CWE-502) rule where we now report on every usage of the BinaryFormatter library. This update specifically addresses the use of the BinaryFormatter class in serialization processes in C# and VB.NET applications.

The rule triggers a warning message: "The BinaryFormatter class was found to be in use. As per Microsoft recommendations, BinaryFormatter serialization is obsolete and should not be used". This is aligned with Microsoft's guidelines advocating for the discontinuation of obsolete serialization methods due to security risks.

This rule has been updated within the Snyk Code scanning processes and is available for immediate use. Customers may notice a modest increase in identified issues related to this rule when conducting new scans.

Thank you for choosing Snyk Code to enhance the security and integrity of your software development. We are committed to continuously improving our tools to help you keep your code safe and efficient.

Ranko Cupovic | Principal Product Manager

AppRisk - Bring ServiceNow CMDB Data into AppRisk

New

We're pleased to share that Snyk AppRisk will allow customers to bring ServiceNow CMDB data into AppRisk as their application context information. You can now see the repo assets in AppRisk with the data from ServiceNow CMDB; this will make it easy for your AppSec team to manage their repo assets in AppRisk.

What is this feature about?

This feature lets customers add ServiceNow CMDB and bring their application context into AppRisk. Repo assets are enriched with metadata from ServiceNow CMDB, which helps users manage their assets and create policies for them using CMDB metadata.

This feature will be available for Snyk AppRisk Essentials and Snyk AppRisk Pro, which will enrich your repository assets.

Please see our User Docs for more details, and contact your account team with any questions.

Deprecation notice for obsolete Snyk Images

Deprecated

We would like to share a deprecation plan for obsolete Snyk Images with our customers.

Snyk Images are published by Snyk covering a range of different software versions and operating systems in common usage. These images can be pulled from Docker Hub snyk/snyk.

We have identified a list of Snyk Images which are built on software packages that are no longer supported by their upstream vendors. To ensure our customers stay secure, we will stop building images based on unsupported software, followed by a removal of these images from Docker Hub.

Here are the steps that we will take in the next four months:

  • Stop building Snyk Images that are listed here on the 10th of June 2024

  • Remove them from Docker Hub on the 12th of August 2024

Snyk strongly recommends that customers check this list and stop using the listed images, as they pose security risks. To transition away from these images, please follow the steps outlined here.

Snyk will be removing obsolete Snyk Images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk Images that Snyk does not recommend will observe broken build pipelines or disruption to their integrated workflows after the 11th of August 2024.

For more information, please reach out to your account manager, or our support team.

Chintan Bellchambers

Deprecation notice for Snyk CLI Images

Deprecated

We would like to inform Snyk customers that Snyk CLI Images will be removed from Docker Hub on the 12th of August 2024. We advise customers to transition away from these images as a matter of urgency.

Snyk CLI Images are Docker images that bundle CLI binaries along with commonly used software versions and operating systems. In 2022, Snyk shared a deprecation notice on Docker Hub recommending that customers not use them. In October 2023, we also announced the decoupling of Snyk Orb and Snyk Scan from Snyk CLI Images.

Since these changes, Snyk strongly recommends that customers stop using these images for the following reasons:

  • These images contain software packages which are no longer supported by their upstream vendors

  • Unsupported packages pose security risks

  • Snyk stopped maintaining these images in October 2023

Snyk will be removing these deprecated images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk CLI Images after 11th of August 2024 will observe broken build pipelines or disruption to their integrated workflows. To transition away from these images, please follow product documentation here to build your own custom images.

For more information, please reach out to your account manager, or our support team.

Chintan Bellchambers

Improved Import Logs and General Availability

Improved

After previewing the experience for over a year, we are pleased to announce the General Availability of our new and improved Import Logs page.

Along with this general availability, we are introducing further benefits to the Import Logs, including:

  1. Historical information on what was imported into your Snyk Organization

  2. Rich error information for several ecosystems – including Go, npm, .NET, Maven, and pip – supporting troubleshooting and remediation when an import fails

This is being rolled out incrementally and will show up in your Snyk Org over the coming several days.

For more information, see the docs.

Steve Winton | Principal Product Manager

Introducing SLA Management & Featured Zero-Day Reports

New

We are thrilled to announce the addition of two new insightful reports to our growing list of reporting features: the SLA Management report and the Featured Zero-Day report.

Here's a quick overview of what you can expect from each:

  • SLA Management Report

    1. Monitor SLA compliance across orgs based on your own SLA policy

    2. Identify issues that will soon breach the SLA policy

    3. Prioritize issues based on SLA considerations

  • Featured Zero-Day Report

    1. Analyze the exposure to issues reported in a Zero-Day publication

    2. Prioritize issues of a specific Zero-Day publication

    3. Track the Zero-Day vulnerability eradication progress

These additions complement our existing suite of reports, further empowering AppSec practitioners and R&D leaders to make informed decisions, govern the AppSec program and improve the enterprise posture health.

To learn more about each report visit our product documentation.

Snyk Code Improvements: Support for LLM Sources

Improved

As adoption of LLM platforms like OpenAI and Gemini grows, so does the security risk associated with using them. We’ve added LLM sources to our ruleset, which means the taint vulnerabilities supported by Snyk Code are now reported when untrusted data from an LLM reaches a sensitive function. This greatly expands our coverage in the fast-growing AI domain across all of our supported languages.

We are committed to enabling our customers to securely leverage cutting edge AI tools and libraries. Our analysts will continue to research this topic in detail, and we will periodically publish this research in our blog. You can read the latest post on code injection vulnerabilities in Python caused by Generative AI.

If you have any questions, or want a detailed list of LLM libraries added, please reach out to your account teams.
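The source-to-sink flow described above, as an added Python example (not Snyk's code or rule logic): a constructed string stands in for an LLM reply, `eval()` is the sensitive function, and the hardened variant accepts only arithmetic. The function names and sample replies are assumptions made for illustration.

```python
import ast
import operator

# Constructed stand-ins for text returned by an LLM API call (no network used).
BENIGN_REPLY = "(17 + 4) * 2"
HOSTILE_REPLY = "__import__('os').getcwd()"  # harmless call, but still arbitrary code

# Only these binary operators are allowed by the hardened evaluator.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}


def calc_vulnerable(llm_reply: str):
    """Taint source (LLM text) flows unchecked into the eval() sink."""
    return eval(llm_reply)


def calc_hardened(llm_reply: str):
    """Parse the reply and evaluate only numeric literals and + - * /."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # type() check (not isinstance) so that bool is not accepted as int.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        # Calls, names, attributes, subscripts and everything else end here.
        raise ValueError(f"rejected node: {type(node).__name__}")
    return walk(ast.parse(llm_reply, mode="eval"))


def is_rejected(llm_reply: str) -> bool:
    """True when the hardened evaluator refuses the reply."""
    try:
        calc_hardened(llm_reply)
        return False
    except (ValueError, SyntaxError):
        return True
```

Both functions return 42 for the benign reply; only `calc_vulnerable` executes the call embedded in the hostile one, which is the flow a taint rule with an LLM source is meant to flag.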

Ranko Cupovic | Principal Product Manager

Snyk AppRisk Pro now available

New

We're thrilled to announce that Snyk AppRisk Pro is now available. Snyk AppRisk Pro expands on Snyk AppRisk’s core capabilities of application discovery & visibility, security coverage management, and risk-based prioritization with the following new capabilities:

  • Application Analytics - a new data analytics capability offering AppSec teams a comprehensive overview of their AppSec program at a macro level, facilitating tracking, measurement, and reporting on program performance and risk KPIs.

  • Extended security coverage visibility - new integrations with Nightfall AI and GitGuardian extend visibility of Snyk AppRisk to secret detection tools for managing security coverage on your repositories.

  • Risk based prioritization with runtime intelligence - integrations with leading security and observability solutions, as well as a new, eBPF-based Snyk runtime sensor, provide runtime context to enable security teams to prioritize what to fix first and to assess any gaps in Snyk Container coverage vs. running containers. These runtime data sources are in a closed beta.

To learn more, please reference our product documentation and reach out to your account team with any questions.

Chris Suen | Senior Director, Product Management