Product Updates


Connect DAST findings to Snyk Learn lessons

Improved

We’ve activated direct links to Snyk Learn lessons within the findings details pages of Snyk API & Web. When you are reviewing a vulnerability, you can now find educational content under the Description tab. Snyk Learn provides hands-on lessons to help you understand, prevent, and fix security issues in your code.

We want to bridge the gap between identifying a security risk and knowing how to remediate it. By embedding these lessons directly where you work, we're making it easier for you to build security knowledge without leaving the platform.

You can now quickly access expert-guided security training for specific vulnerabilities you encounter. This helps you not only resolve the current issue but also acquire the skills to prevent similar vulnerabilities in the future, ultimately enhancing your overall security posture.

To learn more, visit Snyk Learn.

Ana Pascoal | Product Manager

Configure signed requests for API targets in Snyk API & Web

New

Experience greater flexibility in authenticating your scans with the new Signature capabilities for API targets. With Snyk API & Web, you can now configure signed requests using your own algorithms.

We added this feature to support complex authentication requirements that require signed requests. By providing a dedicated space to manage these signatures, we're making it easier for you to run automated security scans against protected API endpoints that verify message integrity and authenticity.

If you have the message signature feature enabled, you can now navigate to your API target settings to set up signing methods. This ensures your scans can successfully authenticate with APIs that require cryptographic signatures for every request.

To enable this feature, please contact the Sales team.

To learn more, visit How to configure Signed Requests for API Targets in our user documentation.

Ana Pascoal | Product Manager

Configure mutual TLS for target authentication in Snyk API & Web

New

We added support for mutual TLS (mTLS) configuration for Web, OpenAPI, and Postman targets in Snyk API & Web. This allows you to extend your security testing to cover even your most strictly secured and authenticated endpoints.

We implemented this feature to support organizations that require higher levels of security or mutual trust between client and server. This allows our crawler and scanner to authenticate successfully with services that enforce strict mTLS requirements, ensuring comprehensive security coverage for your protected targets.

In the authentication tab for your Web and API targets, you will see a new CLIENT AUTHENTICATION CERTIFICATE module under your target Settings. You can use this to upload the necessary certificates for authentication. This change allows you to scan targets that were previously inaccessible due to mutual TLS requirements.

To enable this feature, please contact the Sales team.

To learn more, visit How To Configure Mutual TLS Authentication in our user documentation.

Customize risk acceptance in Snyk API & Web

Improved

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

  • Expiration Date: The date when the risk acceptance expires.

  • Approver Name: The individual who authorized the risk acceptance.

  • Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

  • For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

  • For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

Ana Pascoal | Product Manager

Faster feedback for broken navigation sequences in Snyk API & Web

Improved

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

Ana Pascoal | Product Manager

Improved secrets management in Snyk API & Web

General availability

We are enhancing how secrets and sensitive data are managed in Snyk API & Web. Effective today, you can designate specific fields as sensitive within your target settings, ensuring their values are automatically masked. Furthermore, Account Owners now have a new level of control with the ability to make sensitive information permanently non-retrievable after it is saved.

This enhancement is designed to significantly reduce the risk of accidental information disclosure and prevent unauthorized access to your sensitive data. By giving you granular control to define and mask specific fields, we are moving beyond a reliance on simplistic patterns and heuristics. The option to make secrets non-retrievable adds a critical layer of security, ensuring that once a secret is stored, it cannot be exposed again through the application.

This update introduces two key changes:

  • For Account Owners: A new module is available on the Settings > Authentication page. This allows Account Owners to enforce that all designated sensitive information becomes non-retrievable for everyone in the account once saved.

  • For all users: When configuring a target, you will now see a 'Mark as sensitive' checkbox for relevant fields. Selecting this option will automatically mask the field's value after it is saved. This applies to configurations such as:

    • API authentication payload

    • Login form

    • Login sequence

    • Basic authentication credentials

    • Custom headers and authentication headers

    • Custom cookies and authentication cookies

    • API Parameter Custom Values

    • Postman Environment Values

To learn more, visit How to manage secrets and sensitive data in Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager

Snyk API & Web: Critical Severity Level (coming soon)

New

Get ready to supercharge your security prioritization! Snyk API & Web is rolling out a new Critical severity level for findings. This enhancement brings our platform even closer to industry standards, helping you zero in on the most urgent vulnerabilities that demand immediate attention.

Key Dates

  • September 2, 2025: The Critical severity level will become visible within the Snyk API & Web UI. While no findings will be assigned this severity yet, this is your prime opportunity to prepare your systems. Read this article for more information.

  • September 16, 2025: Snyk API & Web will begin automatically assigning the Critical severity to all eligible findings (those with a CVSS score of 9.0 or higher). Existing finding severities won't change unless they are detected in a new scan after September 16th.

This update empowers you to focus on what matters most in safeguarding your applications. If you have any questions, please reach out to Snyk’s support team.

Ana Pascoal | Product Manager

Announcing Snyk API & Web Course Content!

New

We’re thrilled to announce that Snyk API & Web has a brand new course called “Snyk API & Web - Using the web interface” available at Snyk Learn. 🎉

With this course, you can expect to learn how to configure targets and their settings, initiate scheduled scans, test APIs and web apps, manage findings, learn about asset discovery, and get the most out of the reporting tools available.

With Snyk, you can narrow the gap between development, security, and operations by making security an intrinsic part of your development life cycle. Just head over to the course page or search for API & Web in our catalog to start learning today!

For any suggestions, questions or concerns, please reach out to the Snyk support team.

Ana Pascoal | Product Manager

Announcing Snyk API & Web!

New

We’re thrilled to announce Probely is now Snyk API & Web, a next-generation Dynamic Application Security Testing (DAST) & API Security solution! 🎉

Snyk API & Web offers:

  • 0.1% false positive rate, evidence-based reporting and detailed instructions on how to fix vulnerabilities, so you can focus on what really matters,

  • ways of integrating with your preferred CI/CD tools, issue trackers, and messaging apps,

  • customizable scanning configurations, scheduled scanning, partial scanning, scanning behind the login, and configuration of blackout scanning periods,

  • ways of showcasing your compliance, by testing against a series of detailed requirement checklists,

  • among many others.

Snyk API & Web's powerful security testing engine helps revolutionize the way APIs and web apps are tested, mapping companies’ ever-growing attack surface, automating the scanning of vulnerabilities, and providing quick and detailed fixes for them.

By integrating Snyk API & Web within the rest of Snyk’s portfolio, and leveraging AI capabilities, we thrive where others falter. And this is just the beginning; our ambitious roadmap is paving the way for much more to come!

If you wish to learn more about Snyk API & Web, please visit the Product page and the Snyk API & Web course on Snyk Learn.

Once again, Snyk reinforces its commitment to help companies innovate securely and confidently at the accelerated pace the world requires.

For any suggestions, questions or concerns, please reach out to the Snyk support team.

Ana Pascoal | Product Manager

Probely's Managed reports available for Enterprise accounts

New

Probely's upcoming release (April 22nd) brings forth a new feature for Enterprise customers: Managed reports! 🎉

Managed reports (or Saved reports) allow you to generate PDF reports of findings from multiple targets at the same time, based on specific search/filter criteria; e.g. you can generate a report of all High findings across all targets in your account or from a specific team!

With this release, all Enterprise accounts should be able to see the Reports button in the top right corner of the Findings page and perform one of three tasks:

  • Generate a new report of the findings listed, taking into account the search and filters applied on the interface

  • Save a report that will take into account the search and filters applied on the interface, and that can be automatically emailed based on a set recurrence, or manually downloaded when needed

  • Manage previously saved reports, allowing for easier access to previous filters/searches or download of existing reports

For any suggestions, questions or concerns please reach out to the Snyk support team.

Ana Pascoal | Product Manager