Product Updates


Focusing Ruby Fix PR Support on Modern Versions

Deprecated

At Snyk, our goal is to provide developers with the most secure and reliable tools. To deliver on that promise, we are focusing our support for Ruby Fix PRs on modern, actively supported versions of the language (3.1 and newer).

What's Changing?

As part of this focus, we will be ending support for creating Fix PRs for projects that use end-of-life (EOL) Ruby versions (those below 3.1).

This means that if you are using a Ruby version older than 3.1, you will no longer be able to automatically generate Fix PRs from Snyk.

Why We're Making This Change

  • Focus on Security and Reliability: By concentrating on modern Ruby versions, we can ensure the quality and reliability of our Fix PRs, providing you with more accurate and secure fixes.

  • Aligning with Ruby's Lifecycle: We're aligning our support with the official Ruby EOL schedule, ensuring that you're always working with supported and secure versions.

What This Means for You

  • If you're using Ruby 3.1 or newer, there's no change for you. You will continue to receive Fix PRs as usual.

  • If you're using a Ruby version older than 3.1, we encourage you to upgrade. This will not only allow you to continue using our Fix PR feature but also ensure you're benefiting from the latest security updates and performance improvements from the Ruby community.

Timeline

  • October 1, 2025: End of Fix PR support for Ruby v2.3.

  • February 1, 2026: End of Fix PR support for all Ruby versions below 3.1.

We're excited to continue improving Snyk for Ruby developers and helping you build secure applications.

To learn more, visit our Snyk User Documentation.

Johann Sutherland

Group by Dependency: A New View for Snyk Open Source

New

We're excited to announce a new default vulnerability experience coming to Snyk Open Source, launching over the next couple of weeks to all Maven, .NET, npm, Python, Ruby, and Yarn projects.

What's New?

We've shifted the focus from individual vulnerabilities to the libraries they belong to. This new dependency-grouped view provides a holistic look at your remediation options, allowing you to see the full impact of each potential library upgrade.

Instead of fixing vulnerabilities one by one, you can now perform a true cost/benefit analysis. See exactly how many issues you can resolve with a single upgrade, compare the impact of different library updates, and make more informed decisions to maximize your team's efficiency. We've also streamlined the Fix PR process, making it easier to understand and customize your upgrades with just a few clicks.

How do I use it?

This new experience will begin rolling out to all applicable Snyk projects over the next couple of weeks. Once enabled, navigate to an individual project in your organization to see it in action. To switch back to the legacy view, click the “Group by” dropdown in the right-hand corner and select "none".

Happy Remediating!

Ryan McMorrow | Product Lead, Remediation

Improved support for Maven default profiles

Improved

We are pleased to announce improved support for Maven default profiles in Open Source SCM scanning. Previously, we only considered profiles where activeByDefault was set to true. With this change, scanning will more faithfully activate the profiles that would be activated by running Maven dependency resolution locally. Maven activates profiles through several triggers besides activeByDefault (for example the JDK version, the operating system, a property, or the presence of a file), and it deactivates activeByDefault profiles whenever another profile in the same POM is activated, so dependencies can both appear and disappear after this change. This will result in more accurate scanning, as the dependency resolution engine will more closely mimic the behavior of Maven itself.

This change will be rolled out on July 9th, and customers may expect changes in the issues detected for existing projects imported into Snyk. For customers scanning projects using both the SCM integration and CLI, you can expect to see more consistent results between these two solutions.
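As an added illustration (not Snyk's code or documentation), the hypothetical pom.xml below contains one profile that the old SCM scan already counted and one that only the new behavior picks up. The profile ids, coordinates and versions are made up for the example:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>profiles-demo</artifactId>
  <version>1.0.0</version>

  <profiles>
    <!-- Counted before and after the change: activeByDefault=true.
         Maven drops this profile as soon as any other profile in this POM activates. -->
    <profile>
      <id>default-deps</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <dependencies>
        <dependency>
          <groupId>com.example</groupId>
          <artifactId>legacy-client</artifactId> <!-- hypothetical -->
          <version>1.2.0</version>
        </dependency>
      </dependencies>
    </profile>

    <!-- Previously ignored by SCM scanning: activated by the JDK Maven runs on.
         On JDK 17+ this profile is active and default-deps is therefore inactive,
         so legacy-client leaves the graph and modern-client enters it. -->
    <profile>
      <id>jdk17</id>
      <activation>
        <jdk>[17,)</jdk>
      </activation>
      <dependencies>
        <dependency>
          <groupId>com.example</groupId>
          <artifactId>modern-client</artifactId> <!-- hypothetical -->
          <version>2.0.0</version>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
</project>
```

To check what Maven itself resolves for a project, run `mvn help:active-profiles` and `mvn dependency:tree` from the same JDK and OS as your CI build; the set of profiles and dependencies those print is what the SCM scan now aims to mirror, and it is the baseline to compare against if issue counts change after July 9th.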

Rob Guinness | Senior Manager, Engineering

Snyk Open Source - Python SCM bug fix

Fix

We are pleased to announce a bug fix for Snyk Open Source Python support.

With this update SCM support for Python will be improved as follows:

  • Today, SCM scans for some Python 3.8+ projects omit the virtualenv and pip packages when a project declares them as dependencies, leading to possible false negatives for issues in those packages. With this change, these dependencies will be correctly included.

  • CLI scans already accurately represent these dependencies, and are not affected by this release.

How will my scan results change?

  • Overall accuracy of Python SCM scans for projects using these dependencies will increase, which may lead to an increase in identified vulnerabilities for projects using these dependencies.

What are the next steps?

The changes will be released on June 18th, and projects will see improved results in their next test.

Announcing Conan Support

New

We are happy to announce that Snyk Open Source now supports Conan packages, available through SBOM workflows and the package issues API!

Conan, a popular package manager for C and C++ projects, is now included in Snyk's growing list of supported ecosystems. Customers can now detect vulnerabilities and license issues in CycloneDX or SPDX SBOMs of their Conan projects.

With this update:

  • You can submit Conan packages via SBOM Test (CLI/API) and the package issues API (pkg:conan) for precise vulnerability detection.

  • Access available fixed version information for Conan vulnerabilities.

  • Identify and manage license information for Conan packages.

The feature will be generally available starting May 22, 2025. For any questions, please reach out to the Snyk Support team.
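To show what the SBOM workflow needs as input, here is an added example (not Snyk or Conan project code) that turns the `[requires]` section of a conanfile.txt into a minimal CycloneDX 1.5 SBOM whose components carry `pkg:conan` purls. It assumes the purl form `pkg:conan/<name>@<version>` with optional `user` and `channel` qualifiers from the purl specification, and the sample conanfile content is constructed for the example:

```python
"""Minimal conanfile.txt -> CycloneDX 1.5 JSON converter (added example, not project code).

Assumptions: Conan references look like name/version[@user/channel], and the
purl for a Conan package is pkg:conan/<name>@<version>[?user=..&channel=..].
"""
import json
import re
from urllib.parse import urlencode

# Constructed sample input for the example (not a real project file).
SAMPLE_CONANFILE = """\
[requires]
openssl/1.1.1k
zlib/1.2.11
mypkg/0.3.0@acme/stable   # user/channel style reference

[generators]
CMakeDeps
"""

# name/version with an optional @user/channel suffix; version ranges such as
# [>=1.2 <2] deliberately do not match, because an SBOM must carry resolved versions.
REF_RE = re.compile(
    r"^(?P<name>[\w.+-]+)/(?P<version>[\w.+-]+)"
    r"(?:@(?P<user>[\w.+-]+)/(?P<channel>[\w.+-]+))?$"
)


def parse_requires(text):
    """Return (name, version, user, channel) tuples from the [requires] section.

    Blank lines and '#' comments are skipped. A line that is not a fully
    resolved reference (e.g. a version range) raises ValueError so that an
    unresolved dependency is never silently dropped from the SBOM.
    """
    refs = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "requires":
            continue
        match = REF_RE.match(line)
        if not match:
            raise ValueError(
                f"unresolved or unrecognised Conan reference {line!r}; "
                "resolve version ranges (e.g. from a lockfile) before building an SBOM"
            )
        refs.append((match["name"], match["version"], match["user"], match["channel"]))
    return refs


def conan_purl(name, version, user=None, channel=None):
    """Build the package URL; user/channel become qualifiers when present."""
    purl = f"pkg:conan/{name}@{version}"
    qualifiers = {k: v for k, v in (("user", user), ("channel", channel)) if v}
    if qualifiers:
        purl += "?" + urlencode(qualifiers)
    return purl


def build_sbom(conanfile_text, app_name="example-app", app_version="1.0.0"):
    """Return a CycloneDX 1.5 document (as a dict) for the given conanfile text."""
    components = [
        {
            "type": "library",
            "name": name,
            "version": version,
            "purl": conan_purl(name, version, user, channel),
        }
        for name, version, user, channel in parse_requires(conanfile_text)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": components,
    }


if __name__ == "__main__":
    # Write the SBOM to stdout; redirect it to a file such as bom.cdx.json.
    print(json.dumps(build_sbom(SAMPLE_CONANFILE), indent=2))
```

The resulting file can be submitted with `snyk sbom test --experimental --file=bom.cdx.json`. Note that the converter refuses version ranges on purpose: Snyk matches on the exact version in the purl, so an SBOM built from unresolved ranges would either fail to match or match the wrong release.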

Noa Yaffe-Ermoza | Product Manager

Announcing Snyk CLI v1.1297.0

New

We are pleased to announce the latest stable Snyk CLI release v1.1297.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

Container Enhancements

We've made scanning container image archives more straightforward. You can now directly scan image archives (e.g., image.tar) using snyk container test image.tar or snyk container monitor image.tar without needing to specify the image type as a prefix. This simplifies the command structure and streamlines your container security workflows.

Open Source Enhancements

This release brings significant improvements to Gradle module resolutions. The Snyk CLI's Gradle dependency resolution will now default to finding all artifacts against resolved dependencies. You can read more about this here.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Snyk Open Source - Snyk CLI PHP bug fix

Fix

We are pleased to announce a bug fix for Snyk Open Source PHP support in the Snyk CLI.

With this update CLI support for PHP will be improved as follows:

  • Today, Snyk CLI test and monitor commands may fail for users who only have composer.phar locally and no global composer executable. With this bug fix, these scans will now succeed.

How will my scan results change?

  • CI/CD pipelines that were failing due to this error may now succeed after upgrading to the new CLI version

  • New issues may be found when the projects are scanned successfully

What are the next steps?

The changes are available now in the preview channel of the CLI, and will be included in the stable channel on 14 May 2025.

PR Experience for GitHub and Bitbucket is now Generally Available

New

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments are now Generally Available! 🎉

As of May 1, 2025, the features are enabled by default for all customers using PR Checks on supported SCMs, marking a major milestone in how Snyk brings security into the developer workflow.

What’s included:

  • Issue Summary Comments for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code issue findings, providing high-context feedback directly in the pull request.

This applies to repositories connected via:

  • GitHub: GitHub OAuth, GitHub Enterprise (PAT), and GitHub Cloud App

  • Bitbucket: Bitbucket Cloud (PAT) and Bitbucket Cloud App

To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. We’re excited to see how this helps your teams catch and fix issues faster, right within your SCM! 🚀

Refer to the user documentation for more details!

Mayank Khera | Senior Product Manager

Snyk Open Source - Snyk CLI Gradle support bug fixes

Fix

We are pleased to announce two Snyk Open Source bug fixes for Gradle support in the CLI.

With this update CLI support for Gradle will be improved as follows:

  • Multiple packages with the same artifactId will be included in the dependency graph correctly.

  • Platform dependencies (those declared with Gradle's platform(...) notation) will no longer be included in the dependency graph. Platform dependencies are not regular dependencies of the project and do not result in an artifact; rather, they control the versions of other dependencies, in a similar way to dependency management BOMs in Maven.

How will my scan results change?

Overall, this release should not lead to an increase in vulnerabilities or issues.

  • artifactId change: we might find more paths in the dependency graph, but the packages and issues should remain the same.

  • platform change: potentially fewer issues, since version-controlling platforms are no longer reported as dependencies in their own right.

What are the next steps?

The changes are available now in the preview channel of the CLI, and will be included in the stable channel on 14 May 2025.

Reachability for C# is now available in Early Access

Early access

We’re excited to announce that Reachability for C# is now available in Early Access! 🎉

With this release, you gain an essential signal for assessing risk & prioritizing vulnerabilities in NuGet dependencies across all of your .NET projects.

Reachability for Snyk Open Source works by analyzing your source code with Snyk's DeepCode AI Engine to determine whether a path to vulnerable code can be found, whether directly or transitively.

This insight helps you gauge the likelihood of exploitation and enables you to make more informed decisions about how to address vulnerabilities.

Whether used independently or as part of a comprehensive risk-based prioritization strategy with Risk Score, Reachability helps you focus on the vulnerabilities that matter most.

Visit Snyk Preview to enable this feature and start gaining deeper insights into your C# codebase today.

Ryan Searle | Product Director