Product Updates

Starting October 26th, Snyk Code will begin the 3 month process of deprecating Python 2 language support. Further, we plan to End of Life (EOL) on January 23, 2024, where Python 2 support will be terminated. For context, Python 2 has been unsupported by Python.org since January 2020.

This means that no new development work and no new support tickets related to Python 2 will be processed. Existing Python 2 projects will continue to be scanned until EOL. After EOL, Python 2 findings will no longer appear in your results.

Note that support for Python 3 will not be affected and continue as usual.

If you are using Python 2, please reach out to your account teams.

We're pleased to share that scanning deployed Azure cloud environments is now GA for Snyk IaC customers on an enterprise plan. You can now secure your Azure infrastructure from code - with IaC template scanning for Azure Resource Manager(ARM) and Terraform - to the cloud.

Users can now:

• Onboard Azure subscriptions via API and UI, and scan and test Azure resources with our security rules

• Find and fix misconfigurations identified by Snyk in the org-wide Cloud issues UI, or in the REST API for issues

• View an inventory of Azure resources with the GET /cloud/resources endpoint

Please see our User Docs for more details, and contact your account team with any questions.

We're thrilled to share that our SBOM Test APIs now support a wider range of Open Source languages and ecosystems! Now you can test CycloneDX SBOM documents for vulnerabilities across the following purl types: cargo, cocoapods, composer, gem, golang, hex, maven, npm, nuget, pypi, swift, or generic for unmanaged C/C++.

We hope this milestone helps you adopt SBOMs within your developer workflows and expand testing coverage for a greater number of assets.

Please see our User Docs for more information and reach out if you have any questions.

We are pleased to announce that – going forward as of version 1.1230.0 – Snyk CLI natively supports Apple silicon. You are no longer required to manually install Apple’s Rosetta 2 before installing Snyk CLI.

For our Apple silicon users this means, whether you are installing directly – via any of our supported installation methods – or via an IDE plugin, the correct and latest Apple silicon build will be selected and installed on the system automatically.

With this improvement, our Apple silicon users will be able to

• experience a simplified Snyk CLI installation,

• and secure code without compromising on productivity, performance, or their compliance needs.

To get started with Snyk CLI, or for more information, please read the docs.

We are excited to announce the Beta release of the new Issues API REST endpoints, which unifies all Snyk issues (SCA, SAST, Cloud) across projects or orgs into one API call. The Unified Issues API approach offers several key benefits:

• Simplifies the user experience with one paginated API call across all projects or orgs

• Saves time by eliminating the need to stitch data across various calls and offering a consistent schema to parse responses with

• Highlights our commitment to building Snyk as a holistic security platform

The Beta version builds on the Experimental versions with the following new features:

• Stable UUIDs which will not change with releases of future versions thus minimizing breaking changes going forward

• New Risk Score and Factors allowing for assessing risk using broader issue, application and business context

• Increased performance profile with faster response times

Please check out the API docs for listing all issues by group, and by org.

Following the incident last Friday, October 6th, we’re temporarily rolling back PHP Interfile starting today as part of our mitigation strategy. For customers with PHP code, you may see a decreased number of results.

We recognize the importance of PHP Interfile and are actively working towards a solution.

We don’t have a confirmed timeline yet, but will provide updates once the situation stabilizes.

Please reach out with any questions.

We recently announced a plan to sunset the v1 List all projects API (from June 22nd 2023, with an end-of-life on December 22nd 2023) in favor of the REST List All Projects for an org API.

Starting from October, we will be scheduling brownouts where we will be periodically removing this endpoint for a scheduled period of time. Here is the schedule:

• October 23rd for 1 hour starting at 12:00 UTC

• November 16th for 2 hours starting at 06:00 UTC

• December 6th for 4 hours starting 17:00 UTC

During these time windows, the API will return 410 Gone for all requests. If you require further support during this period, please raise a support ticket.

Please refer to this guide to move all your automations over to replacement endpoints. If you require further support during this period, please raise a support ticket.

curl is a popular command-line tool for transferring data using various network protocols. curl is used almost ubiquitously, and shipped with almost all Linux distributions.

The curl maintainer announced recently that on Oct 11, 2023, at around 6:00 UTC, a new version 8.4.0 of curl and libcurl will be released, to address a High severity vulnerability, which is assigned to CVE-2023-38545.

In the maintainer’s own words:

This is probably the worst security problem found in curl in a long time.

Please be advised to follow updates and upgrade to the latest version once available.

While not all security data is currently available, and the exact impact of this issue is still to be determined, Snyk Security Team is monitoring for updates, will update the curl security advisory accordingly, and will share more information in the following blog post: High severity vulnerability found in libcurl and curl.

We're pleased to share that the Snyk SBOM CLI Extension now supports additional options for working with Maven, npm, Gradle, Python, Yarn, and NuGet projects.

These will help you produce a more accurate CycloneDX or SPDX SBOM based on your project's configuration. These options are available in CLI version 1.1228.0 and beyond.

Please see our User Docs for more details.

Today, Snyk is pleased to announce open beta availability of Git repository cloning – a new, and more scalable way for Snyk to provide code security and code quality improvements via SCM integrations – helping you develop fast and stay secure.

The open beta is rolling out to all customers, and across all of Snyk’s deployments in the coming days, and will be available – via Snyk Preview – for all SCM integrations (GitHub, GitHub Enterprise, GitLab, Bitbucket Server, Bitbucket Cloud App, Bitbucket Cloud (Legacy), and Azure Repos), and SCM “flows” (import, PR checks, recurring tests).

When enabled by a Snyk Organization administrator, these flows will be backed by a temporary and shallow Git clone of repository contents, helping Snyk perform its security analyses more reliably and more accurately. This capability has particular benefit for customers using SCM integrations at scale, as it protects against a breach of SCM API rate- and content- limits, and improves Snyk’s analysis of very large repos (sometimes referred to as “monorepos”), by surfacing previously unreachable contents.

Be on the lookout for this new capability, scheduled to land in your Snyk Organization in the coming days.

Meanwhile, you can read more in the docs.