Product Updates

PR Checks Report is now available in Early Access

Early access

We’re excited to announce the Early Access launch of the PR Checks Report, a powerful new way to see how PR checks are performing and driving security outcomes across your organization. This release sets the stage for measuring the true security impact of PR checks and strengthening your overall prevention posture.

The current release of the report helps you:

  • Monitor performance: Track pass, fail, error, and marked-as-successful rates over time across Snyk Open Source and Snyk Code checks. 

  • Measure coverage: Understand where PR checks are enabled across your repositories to identify adoption gaps.

  • Uncover recurring errors: Surface common error types and configuration issues to improve scan reliability and developer confidence.

Feature highlights:

  • Flexible filters by time window, Snyk product (Snyk Open Source / Snyk Code), and project parameters like origin (SCM) and asset class.

  • Org, Group, and Tenant-level insights into PR check performance and coverage.

  • Export options for deeper data exploration and sharing.

The report is available under Analytics in the All Reports section for Tenant-level visibility. You can also find it in the Reports section of your Group or Organization by selecting Pull Request Checks Usage & Performance from the Change Report menu.

Learn more in our user documentation and connect with your account team to share feedback or help shape upcoming improvements.

Mayank Khera | Senior Product Manager

Snyk Code CLI Upload is Generally Available

General availability

Snyk Code CLI Upload is now Generally Available. This powerful capability bridges the gap between local CLI scanning and the centralized power of the Snyk Platform. By uploading your scan results directly from the CLI to the Snyk Web UI, you unlock the full range of Snyk features, helping your teams gain a comprehensive, centralized view of their security posture.

This means that projects scanned via the Snyk CLI are now seamlessly integrated into the platform, giving you unified management and visibility, including:

  • Centralized Reporting: View historical trends, metrics, and risk overviews for CLI-scanned projects alongside your SCM-integrated projects.

  • Full Platform Features: Access Organization and Group level views, enabling better governance, policy enforcement, and holistic security management across all your code, dependencies, and configurations.

  • Unified Issue Management: Manage, triage, and collaborate on issues found by the CLI directly in the Snyk Web UI.

For all users, the Snyk Code CLI Upload functionality is available by updating to the latest Snyk CLI version and using the appropriate upload command/flag. This functionality is enabled and ready for use by default.

For more detailed information on how Snyk Code CLI Upload works and how to implement it, visit our CLI Upload documentation.

Dolev Oz | Product Manager

Upcoming Snyk Code Improvements for Java and VB.NET Analysis

Improved

Starting October 13, 2025, we're rolling out several analysis improvements in Snyk Code for the Java and VB.NET ecosystems. For Java, we are improving taint flow analysis to correctly handle variadic method parameters and enhancing inter-file sanitization logic. For VB.NET, we are adding support for aliased namespace imports.

These enhancements are designed to improve the accuracy of our static application security testing (SAST) engine. By better understanding how data flows through your applications and recognizing more language features, we can provide more precise scan results.

You may notice an increase in true positive findings and a reduction of false positives in your projects. These updates will be applied automatically as part of our standard support for Java and VB.NET, with no action required from you.

To learn more, visit our Snyk User Documentation.

Sebastian Roth | Senior Product Manager

PR Experience for GitLab, Azure Repos, and Bitbucket Server is now Generally Available

New

We’re pleased to announce that Issue Summary Comments and High-Context Inline Comments are now live and enabled by default for all customers using PR Checks with the following Source Code Manager (SCM) integrations:

  • GitLab

  • Azure Repos

  • Bitbucket Server


What’s included:

  • Issue Summary Comment for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code findings, providing high-context feedback directly in the pull request.


To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. Refer to the user documentation for more details.

Mayank Khera | Senior Product Manager

Improvements to Snyk Code’s Repo Breakdown

New

We're updating the "Code Analysis" popup in Snyk Code to provide a more detailed and accurate breakdown of your scanned repositories. Previously, this view showed general language names (e.g., JavaScript).

After this update, it will display the specific file extensions that were analyzed (e.g., .js, .jsx, .ts).

This change provides greater transparency, removing the ambiguity that can occur in complex, polyglot projects. By seeing the exact file types Snyk has scanned, you can more easily verify scan coverage and gain a better understanding of your repository's composition.

This update will roll out to all customers on Sep 22, 2025.

Sebastian Roth | Senior Product Manager

Snyk Code: Enhanced Coverage & Rule Documentation

Improved

We are excited to announce a new Snyk Code update, bringing increased findings and improved inline documentation to our customers.

What's New?

  • Improved Crypto Cipher Detection: In Java, Kotlin, and Scala, we've enhanced our detection for insecure crypto ciphers.

  • New Python Rule: A new rule has been added for XXE (XML External Entity Injection), which covers CWE-330.

  • Expanded JavaScript Coverage: We've added new coverage for popular JavaScript frameworks, including Angular's ActivatedRoutes and react-router-dom.

  • Javalin Web Framework Support: We have added new coverage for the Javalin web framework in Java and Kotlin.

  • Enhanced Issue Descriptions: The descriptions and titles for security issues have been updated to provide clearer, more specific information. For example, "Cleartext Transmission of Sensitive Information" will now be appropriately categorized into more granular findings like:

    • Cleartext Transmission via Unencrypted Socket

    • Cleartext Transmission via Unencrypted Email

    • Cleartext Transmission via Unencrypted WebSocket

    • Cleartext Transmission via HTTP Instead of HTTPS

This update is scheduled to be rolled out across all Snyk environments on September 15.

Sebastian Roth | Senior Product Manager

Announcing Snyk VSCode plugin v2.23.1

New

We’ve released hotfix v2.23.1 for our Visual Studio Code extension.

This update addresses two use cases that improve stability and the overall user experience. We have enhanced how the plugin handles network proxies and certificates, which will reduce download errors within the IDE. This release also fixes a bug that prevented the GCA integration from working correctly in some cases.

There are no other functional changes in this version, so your day-to-day experience using the extension will remain the same.

If you have any questions, feel free to reach out to our support team.

We encourage everyone to upgrade to the latest version to benefit from these improvements!

Costin Busioc | Senior Product Manager

Snyk Code Update

Improved

On August 5th, 2025, Snyk Code will receive a significant analysis and coverage upgrade. This update will enhance detection capabilities and may lead to a change in findings for some customers, including new findings and a reduction in false positives for most.

Key improvements in this release include:

  • Go & PHP: Improved analysis of multi-variable declarations to reduce false positives in common assignment patterns.

  • All Languages: Enhanced inter-file analysis to more accurately track when data is sanitized across multiple files, significantly reducing a common source of false positives.

  • All Languages (except Scala & Ruby): Better detection of field-level sanitization within a single file, reducing false positives where tainted data is later made safe.

  • JavaScript and TypeScript: Support for mongoose as well as express-mongo-sanitize has been added.

  • Java: Added support for the JAX-RS framework.

  • Go: Added support for the sqlx library.

  • Scala: Added support for the Slick framework.

  • Python: Introduced initial support for CWE-330, detecting insecure random number generation related to ciphers.

Sebastian Roth | Senior Product Manager

Snyk Code: Support for MCP Server Sources

New

Starting July 23, 2025, Snyk Code will be updated to recognize new application entry points within MCP (Model Context Protocol) server implementations.

The security analysis will now trace data from these MCP sources as it enters an application, expanding security coverage for agentic workflows. As a result of this expanded analysis, findings in affected projects may change.

This support covers the following key frameworks and libraries:

  • Java: Spring AI (org.springframework.ai)

  • JavaScript: FastMCP, modelcontextprotocol/typescript-sdk

  • Python: FastMCP, modelcontextprotocol/python-sdk, aiofiles

Sebastian Roth | Senior Product Manager

Snyk Code: Enhanced Python Package Analysis

Improved

Snyk Code’s Python analysis has been updated to support __init__.py files, improving scan accuracy and depth.

This enhancement allows for the correct importing of symbols defined in package initialization files. This leads to a more accurate analysis of projects that use this common packaging structure, which is detailed in the official Python documentation on modules.

As a result of this deeper analysis, customers with projects utilizing this module structure may see new findings in their scan results.

This update affects Python projects only and was rolled out to all Snyk customers as part of recent support case work.

Sebastian Roth | Senior Product Manager