Product Updates

We’ve completed the migration of Snyk Advisor into security.snyk.io, bringing package intelligence directly into the security experience.

Package pages now include Snyk Advisor insights alongside vulnerability data, providing a more complete and consistent view of open-source package health.

What’s new

• Snyk Advisor metrics - Popularity, Maintenance, Security, and Community - now appear directly on package pages for supported ecosystems.

• Package health insights can be explored without leaving security.snyk.io.

• Advisor URLs now redirect to their corresponding package pages on security.snyk.io.
  

These updates make it easier to evaluate open source packages in context, supported by the same trusted data that powers Snyk Advisor.

To explore the updated experience, visit any package page on security.snyk.io. For more details, see Snyk Docs and the Blog post.

We are excited to share that we've made several improvements to how you test CycloneDX and SPDX SBOM files with Snyk, now available in Early Access for Snyk Open Source and Snyk Container.

These changes give you greater feature parity and a more consistent experience across your CLI testing workflows.

Here's what you can expect in Snyk CLI version 1.1302.0 and greater:

• The snyk sbom test command no longer requires the use of the --experimental option.

• You can now use previously unsupported options, including --severity-threshold, --reachability, --reachability-filter. These additions provide more granular control over your SBOM scanning results.

• Findings are returned by default in a human readable output and now include any applicable enrichments such as Reachability, Policy, Ignores, and Fix Advice.

• When you use the --json option, findings will be returned in a new JSON schema.

• We've also introduced clearer error messages, helping you quickly understand and resolve issues if Snyk is unable to test your SBOM file.

To minimize disruption to your workflows, we recommend reviewing your current integration and making any necessary changes prior to updating.

For those using Snyk CLI versions 1.1301.0 and below, the --experimental flag remains supported, and findings are returned in the previous format.

For more details, please refer to our User Docs.

We have added support for scanning Node.js applications that use pnpm as their package manager within container images. When you scan a container image, Snyk will now automatically detect pnpm-lock.yaml files. If your project contains both a lockfile and node_modules, we will use the lockfile to generate a more accurate dependency graph.

Previously, Snyk Container scans for pnpm-based projects relied on node_modules analysis or less granular detection methods. As pnpm adoption has grown due to its speed and disk efficiency, we wanted to ensure container scanning provided the same depth of coverage as our CLI and SCM integrations.

This update brings container scanning into parity with other Snyk integrations. Users will see improved accuracy in their scan results without needing to change any configurations.

This feature is available in the latest Snyk CLI release. To learn more, visit the Supported workloads page in our user documentation.

We have updated Snyk Container to support scanning for stripped Go binaries and those built using CGo. We have enhanced the scanner to use module-level analysis via .go.buildinfo, allowing Snyk to accurately identify dependencies even when debug information is removed or C libraries are used.

Historically, stripped binaries and CGo builds made it difficult for scanners to accurately parse dependencies, potentially leaving vulnerabilities undetectable. This update closes that visibility gap.

Users scanning Go containers may now see new vulnerabilities that were previously hidden due to the limitations of scanning these specific binary types. This ensures more complete security coverage for Go applications.

This improvement is available in Snyk CLI v1.1302.0 (preview and stable releases). Update your CLI to the latest version to ensure your Go container artifacts are fully covered.

We have introduced a new optimization mechanism to support scanning for enterprise-scale projects with massive dependency graphs. We added a graph pruning capability that allows scans exceeding the standard maxVulnPathsLimit to complete successfully.

Certain large projects generate dependency graphs with over 100,000 vulnerable paths. Previously, these massive graphs hit a hard limit in the Snyk Container monitor, causing the scan to fail completely for large enterprise workloads.

This unblocks scans for large projects. Users who were previously unable to monitor their largest containers due to timeout or complexity errors can now successfully scan them.

CLI users can use the --prune-repeated-subdependencies flag immediately. Customers using container registry integrations should request that the corresponding Feature Flag be enabled for their organization by contacting support.

We are pleased to announce the latest stable Snyk CLI release, v1.1302.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

• Snyk Container

  • Support for OCI images with manifests missing platform fields

  • Container scan support for cgo and stripped Go binaries

  • Added pnpm lockfile support

• Snyk Open Source

  • Improved PackageURLs in SBOM documents for go.mod projects

  • Added support for deb, apk, and rpm in SBOM test

  • Added PackageURL information to go.mod dependency graphs for snyk test

  • Added support for poetry development dependencies

• Additional changes

  • MCP Scan is now part of the Snyk CLI, allowing you to test the supply chain of agent-based developer tools like Cursor and Claude Code.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

We are pleased to announce the latest stable Snyk CLI release, v1.1301.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

• Snyk Container: Container scanning now supports both Ubuntu Chisel images and zstd-compressed layers, as well as usr/lib JAR files via the `--include-system-jars` parameter.

• Snyk Open Source: Initial support for Maven 4 is available for Open Source's test, monitor and SBOM commands.

• Snyk Open Source: Reachability for Snyk CLI and CI/CD integrations is now available in Early Access for all Snyk Open Source customers.

• Snyk SBOM: A new experimental flag, `--include-provenance`, for Maven projects that includes verification checksums in SBOMs.

• Snyk Studio: Snyk Studio now supports writing scan output into a file, and Service Account support.

• Stability, security, and performance: This release also includes numerous bug fixes and enhancements to improve the overall stability, security, and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

We've just released an enhancement for the Snyk Container Registry Agent to improve compatibility with a wider range of container registries. You can now disable the repository listing feature to prevent integration errors and reduce API calls.

This is especially useful if you are using a registry that does not support the GET /v2/_catalog endpoint, or if your organization's security policies restrict access to it.

Key Benefits

• Expanded Registry Support: Ensures smooth integration with registries like GitHub Container Registry and GitLab Container Registry.

• Work Around Permission Issues: Allows the agent to function correctly even when it doesn't have permissions to list all repositories.

• Reduce API Calls: Optimizes performance by preventing unnecessary calls to your registry's catalog endpoint.

How to Enable

You can enable this feature by setting the SNYK_DISABLE_LIST_REPOS environment variable to true in your deployment. When enabled, the agent immediately returns an empty list instead of trying to query the registry, resolving potential errors.

For full setup instructions for Docker, Helm, and Kubernetes, please see the updated Snyk Container Registry Agent documentation.

We are pleased to announce the latest stable Snyk CLI release v1.1297.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

Container Enhancements

We've made scanning container image archives more straightforward. You can now directly scan image archives (e.g., image.tar) using snyk container test image.tar or snyk container monitor image.tar without needing to specify the image type as a prefix. This simplifies the command structure and streamlines your container security workflows.

Open Source Enhancements

This release brings significant improvements to Gradle module resolutions. The Snyk CLI's Gradle dependency resolution will now default to finding all artifacts against resolved dependencies. You can read more about this here.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

We are excited to announce improvements to the Snyk Container base image recommendation algorithm.

Previously we would sometime recommend upgrades to alpha and beta images, this particularly affected Python base images.

This has now been fixed and we no longer recommend updating to these types of image.