Product Updates


Assets API is coming to Early Access

Early access

The Assets API is now available in Early Access, providing AppSec teams with programmatic access to comprehensive asset data. This eliminates the need for manual data exports and simplifies integration with other systems. With reliable, centralized access to asset information from sources like Snyk, SCMs, and runtime environments, teams can automate targeted actions, improve prioritization, and enhance visibility. The API empowers organizations to make more informed decisions and align security and development efforts more effectively.

Key capabilities of the Assets API include:

  • Programmatic access to asset data — retrieve asset information from Snyk, SCMs, runtime, app context, and more

  • Flexible filtering — query specific assets or subsets based on your chosen criteria

Check out the user docs for more details. We're dedicated to continuously enhancing this experience. If you'd like to share your feedback and help shape future improvements, please reach out to your account team to join upcoming feedback sessions.

Itay Maor | Senior Manager, Product

Reminder: Upcoming Policy Changes and Feature Deprecations Effective June 24th

New

Dear customers,

This is a reminder about the important changes to our support policy and the deprecation of certain IDE features, which are just around the corner.

As previously announced, our new 12-month Support Policy for IDE, Language Server, CI/CD plugins and CLI versions will officially come into effect on June 24, 2025. To ensure you continue to receive full support and access to the latest innovations, please upgrade your IDE plugin, Language Server, CI/CD plugins and CLI to a version released within the last 12 months by this date.

Additionally, as part of our upcoming IDE plugin release on July 17, 2025, the following features will be removed:

  • Code Quality Findings in Snyk Code (WebUI and IDE Plugins): This functionality will no longer be provided.

  • JavaScript CDN Library Detection in HTML Files: This will apply as well to JavaScript and TypeScript files, not just HTML. Note: This applies to CDN library detection only - it does not affect Snyk Code or Snyk Open Source JavaScript/TypeScript core capabilities.

  • Container Image Detection in Kubernetes YAML Files: This experimental feature will be removed from the Snyk JetBrains IDE Integration.

We encourage you to review the original announcement for full details and guidance on these changes.

If you have any questions or require assistance with upgrading, please don't hesitate to contact our support team.

Thank you for your continued partnership!


Costin Busioc | Senior Product Manager

Snyk Code Consistent Ignores is Generally Available (GA)

Improved

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.

Ezra Tanzer | Director, Product Management

Improved support for Maven default profiles

Improved

We are pleased to announce improved support for Maven default profiles in Open Source SCM scanning. Previously, we only considered profiles where activeByDefault was set to true. With this change, scanning will now more faithfully activate profiles that would be activated by running Maven dependency resolution locally. This will result in more accurate scanning, as the dependency resolution engine will more closely mimic the behavior of Maven itself.

This change will be rolled out on July 9th, and customers may expect changes in the issues detected for existing projects imported into Snyk. For customers scanning projects using both the SCM integration and CLI, you can expect to see more consistent results between these two solutions.


Rob Guinness | Senior Manager, Engineering

Announcing Snyk CLI v1.1297.2

New

We’ve released a CLI hotfix (v1.1297.2) to enhance security and resolve the following issues:

  • Improved Debug Logging Security for Scans: Improves the sanitization of credentials in local debug logs.

  • IDE Connectivity for Proxy Users: Fixes an issue where IDE plugins could fail to connect when operating behind an NTLM proxy.

  • Snyk Code Local Engine Fix: Addresses a regression that prevented the Snyk Code Local Engine (SCLE) from functioning correctly within the IDEs.

As this release is focused on security and stability, no change in behavior or new features are expected.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to benefit from these important security and reliability fixes!


Costin Busioc | Senior Product Manager

Snyk Code: Enhanced Coverage & Analysis for JavaScript/TypeScript

New

Starting July 7, 2025, Snyk Code will expand its framework support for JavaScript and TypeScript. This update increases vulnerability coverage for applications using popular web frameworks:

  • New Framework Support: Introducing analysis for web applications built with the hapi.js and TSOA frameworks. Customers using these frameworks will potentially see an increase in vulnerabilities reported.

  • Express Framework Enhancement: Improving analysis by recognizing object destructuring in request handlers.

  • Improved support for for-each loops.

This update will be released as part of Snyk Code’s existing support for JavaScript and TypeScript.


Sebastian Roth | Senior Product Manager

Reachability for JavaScript/TypeScript - General Availability

New

We are pleased to announce that Reachability for JavaScript and TypeScript will begin rolling out for General Availability (GA) on June 18th.

This milestone follows an Early Access program during which we partnered with development and security teams to validate the capability and refine its accuracy, coverage, and scalability.

Reachability analysis helps teams prioritize vulnerabilities by identifying whether a vulnerable code element (functions, classes, modules, etc.) is invoked by their application code. This enables organizations to concentrate remediation efforts on vulnerabilities that are more likely to be exploitable in their application context.

This enhancement also means that customers participating in the Early Access stage may see changes to existing vulnerabilities, marking them as reachable.

Please refer to the documentation on reachability analysis for more information on enablement, supported environments, and package managers.

New Threshold Defaults for Automatic Fix Pull Requests

New

Back in November, we announced a significant enhancement to Snyk Automatic Fix Pull Requests, furthering our mission to design workflows to match different projects' needs.

Today, we're excited to announce the completion of this effort: setting a default threshold for any organization leveraging our auto-fixes that hasn't set one already.

Auto Fix Pull Request thresholds are configurable by either severity or score. We understand in some projects, fixing all vulnerabilities constantly is extremely important, whereas in others focusing on specific types boosts velocity. That's why we configured two types of rules for Automatic Fix Pull Requests:

  • by score (priority or risk score) - set a threshold from 0 to 1000

  • by severity - select among critical, high, medium or low

Starting today, June 5th, we're defaulting any organization that hasn't yet set a threshold to a risk score of 700, the general consensus amongst our early adopters and the value Snyk's seen to most effectively reduce noise while still surfacing fixes for the most important vulnerabilities.

If you've already set thresholds, Snyk will not change your defaults. This option will also not influence our Backlog PR capability.


Ryan McMorrow | Product Lead, Remediation

Reachability for Java - Improved Accuracy and Coverage Analysis

Improved

We are pleased to announce an update to the Java Reachability Engine, which will deliver a more accurate analysis across a broader range of Java packages and vulnerabilities.

As a result of this expanded coverage, customers may see changes to existing vulnerabilities marking them as reachable. We recognize that this update may affect your triage and prioritization workflows, as we ensure that potential issues are identified with greater precision.

This change will gradually roll out on June 16th, and customers should expect to see additional coverage improvements in the upcoming months. No action is needed from customers who have already enabled the reachability feature.

Just so you know, modifications in first-party code, vulnerability analysis updates, and SAST engine improvements (like this update) can affect the reachability results, and vulnerabilities labeled as "No Path Found" can evolve to "Reachable" over time.

See our documentation to learn more about Reachability Analysis.

Snyk Open Source - Python SCM bug fix

Fix

We are pleased to announce a bug fix for Snyk Open Source Python support.

With this update SCM support for Python will be improved as follows:

  • Today, SCM scans for some Python 3.8+ projects omit virtualenv and pip dependencies if they are used, leading to possible false negatives in related issues. With this change, these dependencies will be correctly included.

  • CLI scans already accurately represent these dependencies, and are not affected by this release.

How will my scan results change?

  • Overall accuracy of Python SCM scans for projects using these dependencies will increase, which may lead to an increase in identified vulnerabilities for projects using these dependencies.

What are the next steps?

The changes will be released on June 18th, and projects will see improved results in their next test.