Product Updates

Announcing Snyk CLI v1.1298.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1298.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

General Enhancements

  • Updated glibc requirements: This version introduces new expectations for the underlying glibc requirements for Linux users. We recommend reviewing the updated requirements to ensure continued smooth operation. More details here.

  • Personal Access Token (PAT) Support: We have added support for Personal Access Tokens (PAT) for authentication. More details here.

  • MCP Enhancements: Further improvements have been made to the Snyk MCP for Agentic Workflows to enhance AI-driven security workflows. More details here.

Open Source Enhancements

  • Maven: For long-running test, monitor, and sbom scans on projects with dense dependency graphs, the -Dverbose flag now provides improved output and progress indication.

  • Dotnet: We have improved support for comments within global.json files. Scans that previously failed when the file contained special content, such as URLs, will now complete successfully.

  • NPM/Yarn: Package aliases are now supported and honored by default, leading to more accurate dependency resolution in complex projects.

  • Node.js: The dependency graph produced by snyk test --print-graph has been enhanced. Node IDs will now contain type and classifier information for greater clarity.

  • Gradle: For projects scanned with the --gradle-normalize-deps flag, internal project dependencies with multiple artifacts under a single coordinate will now correctly show all dependencies instead of a single, randomly selected one.

Container Enhancements

  • Red Hat Vulnerability scanning: Starting from RHEL 10, Red Hat will provide vulnerability data in CSAF/VEX format, and we now support this new format.

  • Support for new versions of Chainguard Wolfi images: Chainguard has made some changes in file locations. With this new version, we now accurately support scanning Chainguard images.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Snyk Code: Support for MCP Server Sources

New

Starting July 23, 2025, Snyk Code will be updated to recognize new application entry points within MCP (Model Context Protocol) server implementations.

The security analysis will now trace data from these MCP sources as it enters an application, expanding security coverage for agentic workflows. As a result of this expanded analysis, findings in affected projects may change.

This support covers the following key frameworks and libraries:

  • Java: Spring AI (org.springframework.ai)

  • JavaScript: FastMCP, modelcontextprotocol/typescript-sdk

  • Python: FastMCP, modelcontextprotocol/python-sdk, aiofiles

Sebastian Roth | Senior Product Manager

Improvements & fixes coming to the "List issues for a package" APIs 🔧

Fix

We're pleased to announce that on Friday, July 11th, 2025 we will be introducing several improvements to the "List issues for a package" APIs.

This release will reduce request latency and improve the timeliness of newly published advisories being returned by the API.

In addition, this release will address several bugs listed below, which may result in changes to the number of vulnerabilities returned for some packages:

  • Currently the API responds with all vulnerabilities for a package in Linux ecosystems (apk, deb and rpm). The fix reduces those down to only the vulnerabilities affecting the specified version.

  • Requests for npm purls that contain an @ symbol in the namespace currently cause a 400 Bad Request. This change properly parses these purls and instead correctly returns a 200 OK with the expected vulnerabilities.

  • When there is no remedy, the remedies array will now be empty.

  • The problems array is now consistently sorted by each object's id.

Please reach out if you have any questions.

Ryan Searle | Product Director

Snyk Assist: AI Learning Assistant

New

We're excited to announce that Snyk Assist is now available for Snyk Learning Management customers across all Snyk Multi-Tenant regions.

What is Snyk Assist?

Snyk Assist is an AI-powered assistant integrated into the Snyk Learn platform. It is designed to answer your Snyk product and application security questions instantly, helping you learn faster and resolve queries efficiently directly within your learning environment.

How do I get access?

Dive deeper

For more information on Snyk Assist, check out our Snyk Assist docs, take our Snyk Learn Lesson on Snyk Assist, and read our blog on AI-assisted development.

Alex Ley | Director, Snyk Learn

Snyk Code: Enhanced Python Package Analysis

Improved

Snyk Code’s Python analysis has been updated to support __init__.py files, improving scan accuracy and depth.

This enhancement allows for the correct importing of symbols defined in package initialization files. This leads to a more accurate analysis of projects that use this common packaging structure, which is detailed in the official Python documentation on modules.

As a result of this deeper analysis, customers with projects utilizing this module structure may see new findings in their scan results.

This update affects Python projects only and was rolled out to all Snyk customers as part of recent support case work.

Sebastian Roth | Senior Product Manager

Snyk Code: Improved Accuracy for CSRF Detection in C# WebAPI Applications

Improved

Starting July 14, 2025, Snyk Code will release an update to improve the accuracy of CSRF (CWE-352) detection in C# WebAPI applications.

  • This fix significantly reduces false positives, helping developers focus on real issues without being distracted by incorrect CSRF findings. Other vulnerability results are unaffected.

The update will roll out as part of Snyk Code’s General Availability (GA) support for C#.

Sebastian Roth | Senior Product Manager

A new architecture for the Snyk integrations public documentation

New

To enhance developer efficiency and optimize our security tools, Snyk is excited to introduce a new architecture for the Snyk integrations public documentation. This centralized documentation section offers a dedicated and organized area for all Snyk CLI, IDE, and CI/CD integrations.

The objective is to integrate security seamlessly into the software development lifecycle. This update directly supports that goal by offering a cohesive discovery point of the developer tools, clearly distinct from SCM and other platform integrations. The result is a more logical and intuitive user experience.

This change provides the following advantages:

  • Improved usability: By creating a dedicated section for developer-centric integrations, users can locate and configure the necessary tools with greater precision and fewer errors.

  • Accelerated tool adoption: The centralized documentation section simplifies the discovery process, allowing development and security teams to implement and deploy Snyk more quickly across their workflow environments.

  • Increased efficiency: Users can save considerable time when accessing and managing the integrations essential to their daily development and security workflows.

To ensure continuity, all bookmarks and links to previous integration pages will be automatically redirected to their new locations within the public documentation, preventing any disruption to user workflows.

This information architecture change will officially come into effect on July 9, 2025.

Veronica Cernea | Manager, User Documentation

Snyk Essentials: Automatic Repository Discovery for BitBucket

New

Snyk users without a configured Snyk Essentials Group-level integration will soon benefit from Automatic Repository Discovery, which provides visibility into the users' security coverage, out of the box. This feature helps users identify which repositories have been imported and are being tested in Snyk, and which have not. The discovered repositories will appear in the Snyk Essentials Inventory tab.

Automatic Repository Discovery is currently available for users with GitHub Cloud App, GitHub Enterprise, GitLab, and Azure DevOps Org-level integrations, and will soon be available to users with BitBucket Cloud, BitBucket Cloud App, and BitBucket Server Organization-level integrations, including brokered setups.

We’ll begin gradually rolling this out to all Enterprise plan customers starting July 16th, 2025. If you’d like early access, please reach out to your account team.

Noa Moshe | Product Manager

Announcing Snyk CLI v1.1297.3 to address debug logging vulnerability CVE-2025-6624

New

We are releasing Snyk CLI v1.1297.3, a follow-up hotfix to our recent v1.1297.2 announcement. This update further enhances the security of debug logging.

We encourage all users to upgrade to v1.1297.3 to benefit from these important security enhancements. Release notes can be found here.

CVE-2025-6624 has been published to address this vulnerability.

Important: This hotfix resolves a potential vulnerability. Please review the details below.

By default, the Snyk CLI sanitizes sensitive credential information from logs. However, previous versions of the Snyk container CLI tool had potential vulnerabilities in this sanitization: sensitive credentials could be written into local Snyk CLI debug logs if the Snyk CLI was executed in DEBUG or DEBUG/TRACE mode. There is no exposure to these vulnerabilities if the DEBUG flag is not used when executing Snyk CLI commands. Exact details are listed below.

Although these logs are only stored locally where the CLI is invoked, debug logs might have been manually sent as part of support queries to Snyk Support Engineers or copied/backed up to other locations by your processes.

Snyk has already proactively reached out to any customers we believe may have been exposed to this vulnerability, based on our internal usage logs. However, we recommend that users of Snyk CLI upgrade to this hotfix to avoid any future exposure.

This hotfix resolves the following vulnerabilities:

  • When the snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials could previously be written into the local Snyk CLI debug log in some circumstances. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u).

  • When the snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the access / refresh credential tokens used to connect the CLI to Snyk could previously be written into the local CLI debug logs.

  • When the snyk iac test command is executed with a Remote IAC Custom rules bundle, debug mode enabled AND the log level set to TRACE, the docker registry token could previously be written into the local CLI debug logs.
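
A local check for the first exposure listed above, as an added example that is not Snyk's code: it searches a saved debug log for the registry password in literal, URL-encoded and Basic-auth base64 form, and can redact matches before a log is archived or sent to support. The function names, the encoded forms checked and the sample log lines are assumptions; credentials that were passed with --password/--username can be supplied under the same dictionary keys.

```python
import base64
import tempfile
import urllib.parse
from pathlib import Path

def credential_forms(env):
    """Byte strings to look for, built from the variables the advisory names."""
    user = env.get("SNYK_REGISTRY_USERNAME", "")
    password = env.get("SNYK_REGISTRY_PASSWORD", "")
    if not password:
        return {}
    forms = {"password": password.encode()}
    quoted = urllib.parse.quote(password, safe="")
    if quoted != password:
        forms["password, URL-encoded"] = quoted.encode()
    if user:  # assumption: a Basic-auth style base64 of user:password may be logged
        forms["user:password, base64"] = base64.b64encode(f"{user}:{password}".encode())
    return forms

def scan_log(path, env):
    """Return (line_number, label) pairs; the secret itself is never returned."""
    forms = credential_forms(env)
    hits = []
    with open(path, "rb") as fh:
        for number, line in enumerate(fh, 1):
            hits += [(number, label) for label, needle in forms.items() if needle in line]
    return hits

def redact_log(path, env):
    """Replace every match in place before the log is shared; returns the count."""
    data = Path(path).read_bytes()
    count = 0
    for needle in credential_forms(env).values():
        count += data.count(needle)
        data = data.replace(needle, b"[REDACTED]")
    Path(path).write_bytes(data)
    return count

def demo():
    """Constructed sample: the log line format is invented, not Snyk's."""
    env = {"SNYK_REGISTRY_USERNAME": "ci-bot", "SNYK_REGISTRY_PASSWORD": "s3cr3t/Pa55"}
    basic = base64.b64encode(b"ci-bot:s3cr3t/Pa55").decode()
    lines = ["debug: start", "debug: password=s3cr3t/Pa55",
             f"debug: Authorization: Basic {basic}", "debug: p=s3cr3t%2FPa55"]
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write("\n".join(lines) + "\n")
    result = (scan_log(fh.name, env), redact_log(fh.name, env), scan_log(fh.name, env))
    Path(fh.name).unlink()
    return result
```

Pass os.environ as env on the machine where the CLI ran; hits are reported by line number and form only, so the output can be pasted into a ticket. Treat any hit as a reason to rotate the credential, since copies of the log may already exist elsewhere.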

Costin Busioc | Senior Product Manager

Snyk Agent Fix in PRs is coming to Early Access

Early access

As part of the Snyk AI Trust platform, Snyk Agent Fix will be available in pull requests starting this week, on 23 June. This feature aims to reduce the manual overhead of resolving vulnerabilities and minimize PR time to merge, all while ensuring seamless integration into existing developer workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

  • Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

  • View an explanation of the suggested fix alongside the code snippet.

  • Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

  • Generate multiple fix suggestions within the same PR, where applicable.

Early access is currently focused on GitHub integrations: GitHub App (Cloud and Server), GitHub, and GitHub Enterprise. Support for additional SCM integrations is coming soon. This is part of an ongoing series of enhancements aimed at improving the developer pull request experience with Snyk. If you’d like to enable this feature for your organization, you will be able to self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out the user docs for more details. We’re committed to continuously improving this experience — reach out to your account team if you’d like to join feedback sessions and help shape the future of your Snyk workflows.

Mayank Khera | Senior Product Manager