Product Updates

PR Experience for GitLab, Azure Repos, and Bitbucket Server is now Generally Available

New

We’re pleased to announce that Issue Summary Comments and High-Context Inline Comments are now live and enabled by default for all customers using PR Checks with the following Source Code Manager (SCM) integrations:

  • GitLab

  • Azure Repos

  • Bitbucket Server


What’s included:

  • Issue Summary Comment for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code findings, providing high-context feedback directly in the pull request.


To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. Refer to the user documentation for more details.

Mayank Khera | Senior Product Manager

Improvements to Snyk Code’s Repo Breakdown

New

We're updating the "Code Analysis" popup in Snyk Code to provide a more detailed and accurate breakdown of your scanned repositories. Previously, this view showed general language names (e.g., JavaScript).

After this update, it will display the specific file extensions that were analyzed (e.g., .js, .jsx, .ts).

This change provides greater transparency, removing the ambiguity that can occur in complex, polyglot projects. By seeing the exact file types Snyk has scanned, you can more easily verify scan coverage and gain a better understanding of your repository's composition.

This update will roll out to all customers on Sep 22, 2025.

Sebastian Roth | Senior Product Manager

Snyk Code: Enhanced Coverage & Rule Documentation

Improved

We are excited to announce a new Snyk Code update, bringing increased findings and improved inline documentation to our customers.

What's New?

  • Improved Crypto Cipher Detection: In Java, Kotlin, and Scala, we've enhanced our detection for insecure crypto ciphers.

  • New Python Rule: A new rule has been added for XXE (XML External Entity Injection), which covers CWE-330.

  • Expanded JavaScript Coverage: We've added new coverage for popular JavaScript frameworks, including Angular's ActivatedRoutes and react-router-dom.

  • Javalin Web Framework Support: We have added new coverage for the Javalin web framework in Java and Kotlin.

  • Enhanced Issue Descriptions: The descriptions and titles for security issues have been updated to provide clearer, more specific information. For example, "Cleartext Transmission of Sensitive Information" will now be appropriately categorized into more granular findings like:

    • Cleartext Transmission via Unencrypted Socket

    • Cleartext Transmission via Unencrypted Email

    • Cleartext Transmission via Unencrypted WebSocket

    • Cleartext Transmission via HTTP Instead of HTTPS

This update is scheduled to be rolled out across all Snyk environments on September 15.

Sebastian Roth | Senior Product Manager

Announcing Snyk VSCode plugin v2.23.1

New

We’ve released hotfix v2.23.1 for our Visual Studio Code extension.

This update addresses two use cases that improve stability and the overall user experience. We have enhanced how the plugin handles network proxies and certificates, which will reduce download errors within the IDE. This release also fixes a bug that prevented the GCA integration from working correctly in some cases.

There are no other functional changes in this version, so your day-to-day experience using the extension will remain the same.

If you have any questions, feel free to reach out to our support team.

We encourage everyone to upgrade to the latest version to benefit from these improvements!

Costin Busioc | Senior Product Manager

Snyk Code Update

Improved

On August 5th, 2025, Snyk Code will receive a significant analysis and coverage upgrade. This update will enhance detection capabilities and may lead to a change in findings for some customers, including new findings and a reduction in false positives for most.

Key improvements in this release include:

  • Go & PHP: Improved analysis of multi-variable declarations to reduce false positives in common assignment patterns.

  • All Languages: Enhanced inter-file analysis to more accurately track when data is sanitized across multiple files, significantly reducing a common source of false positives.

  • All Languages (except Scala & Ruby): Better detection of field-level sanitization within a single file, reducing false positives where tainted data is later made safe.

  • JavaScript and TypeScript: Support for mongoose as well as express-mongo-sanitize has been added.

  • Java: Added support for the JAX-RS framework.

  • Go: Added support for the sqlx library.

  • Scala: Added support for the Slick framework.

  • Python: Introduced initial support for CWE-330, detecting insecure random number generation related to ciphers.

Sebastian Roth | Senior Product Manager

Snyk Code: Support for MCP Server Sources

New

Starting July 23, 2025, Snyk Code will be updated to recognize new application entry points within MCP (Model Context Protocol) server implementations.

The security analysis will now trace data from these MCP sources as it enters an application, expanding security coverage for agentic workflows. As a result of this expanded analysis, findings in affected projects may change.

This support covers the following key frameworks and libraries:

  • Java: Spring AI (org.springframework.ai)

  • JavaScript: FastMCP, modelcontextprotocol/typescript-sdk

  • Python: FastMCP, modelcontextprotocol/python-sdk, aiofiles

Sebastian Roth | Senior Product Manager

Snyk Code: Enhanced Python Package Analysis

Improved

Snyk Code’s Python analysis has been updated to support __init__.py files, improving scan accuracy and depth.

This enhancement allows for the correct importing of symbols defined in package initialization files. This leads to a more accurate analysis of projects that use this common packaging structure, which is detailed in the official Python documentation on modules.

As a result of this deeper analysis, customers with projects utilizing this module structure may see new findings in their scan results.

This update affects Python projects only and was rolled out to all Snyk customers as part of recent support case work.

Sebastian Roth | Senior Product Manager

Snyk Code: Improved Accuracy for CSRF Detection in C# WebAPI Applications

Improved

Starting July 14, 2025, Snyk Code will release an update to improve the accuracy of CSRF (CWE-352) detection in C# WebAPI applications.

  • This fix significantly reduces false positives, helping developers focus on real issues without being distracted by incorrect CSRF findings. Other vulnerability results are unaffected.

The update will roll out as part of Snyk Code’s General Availability (GA) support for C#.

Sebastian Roth | Senior Product Manager

Snyk Code Consistent Ignores is Generally Available (GA)

Improved

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.

Ezra Tanzer | Director, Product Management

Snyk Code: Enhanced Coverage & Analysis for JavaScript/TypeScript

New

Starting July 7, 2025, Snyk Code will expand its framework support for JavaScript and TypeScript. This update increases vulnerability coverage for applications using popular web frameworks:

  • New Framework Support: Introducing analysis for web applications built with the hapi.js and TSOA frameworks. Customers using these frameworks will potentially see an increase in vulnerabilities reported.

  • Express Framework Enhancement: Improving analysis by recognizing object destructuring in request handlers.

  • Improved support for for-each loops.

This update will be released as part of Snyk Code’s existing support for JavaScript and TypeScript.

Sebastian Roth | Senior Product Manager