Product Updates

Snyk Code - COBOL support now available in Snyk Preview

New

You can now scan COBOL codebases for security vulnerabilities using Snyk Code. This update helps large Organizations, particularly in retail and financial services, include legacy mainframe applications in their security programs and meet compliance or audit requirements.

Many Organizations manage significant COBOL codebases that previously lacked automated security scanning support. By adding COBOL support to Snyk Code, you can identify risks earlier in the development process and maintain a consistent security posture across your entire application portfolio.

Supported features

This release provides security coverage for standard COBOL, including CICS constructs.

Key features include:

  • Support for .cbl, .ccp, .cob, and .cpy file extensions.

  • 15 security rules across cryptography, injection, secrets, and error handling.

  • Integration with the Snyk web UI for vulnerability management.

How to get started

You can access this feature through Snyk Preview.

Learn more about Snyk Code's COBOL support in the documentation.

Sebastian Roth | Senior Product Manager

Snyk Code - Ruby Interfile GA

Improved

Snyk Code expands Ruby analysis with interfile data flow support

Starting April 7, 2026, Snyk Code includes interfile data flow analysis for all Ruby Projects. This update moves beyond single-file analysis to detect vulnerabilities that span multiple files, providing a more accurate assessment of your code.

Improve Ruby on Rails security

Ruby on Rails applications often distribute logic across models, views, and controllers. By analyzing data flows across the entire codebase rather than individual files, Snyk Code identifies complex vulnerabilities that were previously difficult to detect. We've also refreshed the Ruby on Rails ruleset to provide better coverage for modern development patterns.

Key enhancements

  • Interfile analysis:

    You can now trace data flows across multiple files in all Ruby Projects scanned by Snyk Code.

  • Updated ruleset:

    We've improved the Ruby on Rails rules to ensure more comprehensive vulnerability detection.

  • Zero configuration:

    This feature is active by default for all customers on April 7, 2026, and requires no manual setup.

Support for security teams

These improvements help security teams perform more effective risk assessments on large Ruby codebases. By closing the gap on interfile support, Snyk Code provides the same depth of analysis for Ruby as it does for other major languages.

Because analysis quality is enhanced, you may notice a change in your scan results, including new true positives and the removal of previous false positives.

For more information, you can review the current Ruby and rules documentation at https://docs.snyk.io.

Sebastian Roth | Senior Product Manager

Snyk Code - March Update

Improved

Starting March 30, 2026, we’ve updated Snyk Code to provide more accurate results and reduce developer friction. These improvements help you focus on exploitable production code by reducing false positives and automatically deprioritizing issues found in test environments.

By refining our detection logic across several languages, we've lowered noise and increased the catch rate for critical vulnerabilities.

Improvements to scanning precision

We've focused on three key areas to improve your triage experience:

  • Reduced noise: We've significantly lowered the number of false positives for .NET CSRF and JVM-based certificate validation.

  • Risk-based triage: JavaScript vulnerabilities located in test classes now appear as Low severity. This change allows you to spend more time on production code rather than test mocks.

  • Higher confidence: We've increased the true positive catch rate for hardcoded passwords in PHP and CSRF vulnerabilities in Kotlin.

Language-specific updates

You can see these improvements reflected in the following areas:

  • .NET (C#): Enhanced CSRF detection with an 18% reduction in false positives.

  • JavaScript: Automated detection of test classes to reclassify issues as Low severity.

  • Kotlin: Improved support for detecting disabled CSRF protection in Spring Apps and refined SQLi precision.

  • JVM (Java, Groovy, Kotlin, Scala): Improved logic for CWE-295 (Improper Certificate Validation).

  • PHP: Expanded patterns for hardcoded password detection.

Important details to note

All percentage improvements are based on Snyk’s curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for JavaScript as issues move to Low based on their file location. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Sebastian Roth | Senior Product Manager

Snyk Code - March Ruby Update

Improved

Snyk Code updates for Ruby include Sinatra support and RSpec noise reduction

Starting March 23, 2026, we've updated Snyk Code to provide broader coverage and more precise results for Ruby developers. These improvements expand support to the Sinatra framework and general Ruby applications while helping you manage alert noise in test files.

Expanding Ruby support beyond Rails

You can now use Snyk Code to secure applications built with Sinatra or vanilla Ruby. We've added new sources, sinks, and sanitizers to our knowledge base to ensure your microservices and monoliths receive accurate security analysis regardless of the framework you choose.

Reducing noise in RSpec test suites

To prevent non-production vulnerabilities from cluttering your results, Snyk Code now automatically identifies RSpec files. The engine regrades security issues found in these files to Low Severity. This change acknowledges the lower risk profile of test code and helps ensure your PR Checks remain focused on production-ready code.

Higher precision for object-oriented code

We've enhanced how Snyk Code tracks data flow through Ruby classes. The engine now better understands custom getters, setters, and direct field accesses. This improvement leads to more accurate detection and reduces both false positives and false negatives in complex codebases. Organizations making extensive use of custom fields can expect more reliable results that reflect how their data actually moves through the application.

To learn more, visit our Snyk User Documentation.

To learn more, visit Snyk Code language and framework support.

Sebastian Roth | Senior Product Manager

Announcing Snyk CLI v1.1303.1

Fix

We have released a new CLI hotfix (v1.1303.1) to address the following:

  • IDE plugins: Fixes an issue where customers using our most recent IDE plugins release may encounter scans not triggering when Snyk Code is enabled in their IDE settings

  • UI: Fixes an issue where JSON output was rendered twice to disk and to standard output

  • MCP: Fixes an issue where Snyk rules were not written locally

Release notes can be found here.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.


Snyk Code - Ruby 4 Support

General availability

Starting February 24, 2026, Snyk Code will begin a phased rollout of support for Ruby 4.0. This initial update focuses on foundational parser improvements and enhanced support for Ruby modules to accommodate the latest language features.

  • Ruby 4.0 Parser: Support for new syntax and language features introduced in the Ruby 4.0 specification.

  • Module Analysis: Improved understanding of Ruby module structures for more accurate pathing and taint flow.

Impact on Results: Because this update provides a more precise interpretation of Ruby codebases, customers may see an increase in findings as the engine identifies issues that were previously outside the parser's scope.

This release is the first in a series of planned enhancements to our Ruby analysis engine scheduled for the first half of 2026. We will continue to announce significant updates and further improvements in this area as they are rolled out.

This update will be automatically available to all customers using Snyk Code for Ruby.

Sebastian Roth | Senior Product Manager

Closing the gap between code and runtime with SAST/DAST correlation

New

We're excited to introduce the first automatic solution for correlating static application security testing (SAST) and dynamic application security testing (DAST) findings. By connecting Snyk Code issues with Snyk API & Web results, we can now pinpoint the exact line of code responsible for a DAST vulnerability, helping you understand exactly where your code needs to be fixed and speed up your remediation process.

Vulnerabilities discovered during DAST can often be difficult and time-consuming for developers to locate within the source code. This update automates that manual search process. By using artificial intelligence to map runtime findings back to static code analysis, we're helping your teams reduce the mean time to remediate and focus on fixing issues rather than finding them.

In order to use our SAST/DAST correlation, you just need to link your Snyk API & Web targets to your Snyk Code projects and scan your API & Web targets the way you're used to. We'll do all the heavy lifting for you, and show you the corresponding SAST issue that matches our DAST finding, with the context and link directly to the code that needs to be fixed to mitigate the vulnerability.

Learn more about it here

Ricardo Alves | Director, Product Management

Snyk Code - February 2026 Update

Improved

Snyk Code enhances analysis across multiple language ecosystems

We’ve updated Snyk Code to improve accuracy and coverage for many of the languages and frameworks you use. These enhancements help identify more true positive findings and remove false positives from your results, providing a more reliable view of your security posture.

Expanded language and framework support

The latest updates introduce support for several modern frameworks and libraries:

  • C# 14 and .NET 10: Analysis now includes the latest C# and .NET versions, which also covers VB.NET applications built on the .NET 10 framework.

  • Kotlin and Java: We improved support for Spring WebFlux and JAX-RS in Kotlin. We also added better coverage for grpc-spring based gRPC clients in both Java and Kotlin.

  • JavaScript and TypeScript: Snyk Code now supports the Sequelize library.

  • Go: We added support for the Fiber framework.

  • Swift: Analysis now includes the grpc-swift library for gRPC use cases.

These changes will be available as part of our general availability support for these ecosystems. You can see these improvements reflected in your scan results in the Web UI or CLI.

The changes will roll out on February 23, 2026.

To learn more, visit Snyk Code language and framework support in our user documentation.

Sebastian Roth | Senior Product Manager

Update: Rescheduling Snyk Code analysis improvements to January 12

Improved

We have been listening to your feedback regarding the upcoming improvements to Snyk Code analysis for the Java, Kotlin, and .NET ecosystems.

To ensure the best possible experience and minimize disruption during the busy end-of-year season, we have decided to reschedule this rollout. These updates, including support for the Netty framework and ASPX inline code expression blocks, will now go live on January 12.

Thank you for your feedback as we work to improve the accuracy of your scan results.

Sebastian Roth | Senior Product Manager

Snyk Code: Dart/Flutter support is now in preview

Early access

We’re releasing support for the Dart programming language in Snyk Code, now available in Snyk Preview. This update allows you to scan your Dart code, which is frequently used with the Flutter framework, for security vulnerabilities. We have added detection capabilities for a variety of issues, including insecure data handling, authentication flaws, and injection risks.

We added this language support to help you secure mobile and offline storage, ensure robust authentication flows, and harden network communications within your Dart applications. By expanding Snyk Code capabilities, we aim to provide better coverage for modern mobile development stacks and help you prevent critical risks like cleartext logging and SSL/TLS validation failures.

To start scanning Dart applications, you must enable the feature manually. Navigate to Settings > Snyk Preview and enable the Dart support option. Once enabled, we will include Dart files in any future tests and retests, identifying vulnerabilities such as SQL injection and path handling issues.

To learn more, visit Snyk Code language and framework support in our user documentation.

Sebastian Roth | Senior Product Manager