Product Updates

Snyk Learn lesson roundup: what’s new in May

New

This month on Snyk Learn, there are brand new lessons for Evo by Snyk, along with a refreshed "Snyk in an IDE" lesson set. We are also excited to launch the new AI Secure Development learning path, where you will learn to build any app securely using AI while mastering foundational AI-powered security topics such as prompt injection and MCP.

Try the new "Feedback" button on learn.snyk.io (login required) to share feedback and topic suggestions.

Security lessons

Snyk platform lessons

  • [New] Navigating the Evo Interface - a new lesson to familiarize yourself with the unified agentic interface in Evo by Snyk.

  • [New] AI Security Posture Management (AI-SPM) - a new lesson that enables users to detect AI assets via AI-BOM scans and enforce governance through Natural Language Policies as well as traditional menu items.

    We have refreshed the following lessons to ensure all content reflects our current platform and products, also providing a streamlined, role-based learning experience:

  • [Updated] Using Snyk in an IDE - updated to reflect the Developer’s workflow, including installing the plugin, authenticating, and using real-time scanning to find and fix vulnerabilities without leaving your IDE.

  • [Updated] Administrating Snyk in an IDE - formerly part of the “Using Snyk in an IDE” course, this lesson now focuses on the Administrator’s workflow, including advanced configuration and governance.

Expanded framework and coding languages coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10 learning path.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Snyk Studio: Introducing Asynchronous, Hooks-Based Guardrails for AI Agents

Early access

Introducing Hooks-Based Guardrails

Snyk Studio is evolving our agentic guardrails to enable deeper trust in agent-generated code. We are debuting a new asynchronous, hooks-based approach to replace traditional rules-based guardrails, ensuring that security remains deterministic and efficient without slowing down the developer loop.

As agentic development has matured, initial friction points in rules-based models have become apparent. By transitioning to a hooks-based architecture, Snyk Studio resolves these key challenges with the traditional rules-based approach:

  • Determinism: While agents may occasionally ignore traditional rules, hooks are deterministic, ensuring that defined security scans are executed every time.

  • Zero Latency: Unlike rules-based models that add visible friction to the developer experience, hooks leverage background scans to provide a low-latency workflow.

  • Context Window Efficiency: The rules-based approach injected Snyk scan results into the agent's context window, consuming limited token space. Hooks decouple scan execution and results, keeping the context window focused on coding tasks.

Support for Leading ADEs

We have targeted support for the hook-based approach to cover popular Agentic Development Environments (ADEs) across both Windows and macOS. You can now leverage Snyk Studio guardrails in:

  • Claude Code

  • Cursor

  • Gemini CLI

  • Codex CLI (coming soon)

We also support automatic configuration of the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill for:

  • Kiro

  • Windsurf

  • Copilot CLI

  • Copilot VS Code Extension

Scaling for the Enterprise

To simplify adoption, we have released an installation script to automate configuration and deployment. The install script:

  • Supports Windows and Mac

  • Can be used via MDM to support distribution at scale

  • Installs the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon), Kiro, Windsurf, Copilot CLI, and the Copilot VS Code Extension

  • Installs hooks on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon)

Getting Started

See our revamped documentation to get hooks configured and installed in your favorite ADE.

What’s Next

We will continue to expand support for additional ADEs and are working to integrate Snyk Studio distribution directly with Agent Scan and Agent Guard.

Sam Broadaway | Senior Product Manager

Ezra Tanzer | Director, Product Management

New Analytics Overview Widgets

New

We've added several new widgets to the analytics overview to provide better visibility into your security program. These updates include key performance indicators (KPIs) from the Snyk Studio and pull request (PR) check reports directly into your main dashboard.

We want the analytics overview to be the central landing page for your most important metrics. As we've introduced new reporting capabilities, the overview page needed to evolve to match. By bringing in data from PR checks and Snyk Studio, we're ensuring you have immediate access to the most accurate and relevant security data without navigating through multiple sub-reports.

You can now track Total PR checks and your PR Check success rate alongside developer activity from Snyk Studio, including Agentic Scans and unique Developers running agentic scans. These widgets allow for more precise tracking of developer adoption and tool effectiveness. To keep your view clean, the new widgets are disabled by default, but you can enable them whenever you need that specific breakdown.

To learn more, visit Analytics Overview tab in our user documentation.

Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1304.2

Fix

We are pleased to announce Snyk CLI release v1.1304.2.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Improved zero-day report filtering and visibility

Improved

We’re improving the usability of our zero-day reports to help you manage multiple security incidents more effectively. We expanded the filter bar for selected zero-day events to provide better context when you view data from several incidents at once. Additionally, the Accumulative Issues Backlog trend chart now breaks out each selected incident individually, and we added a new filter to the open issues side panel that allows you to toggle between open and resolved issues.

We want to make it easier for you to distinguish between different security events when they happen simultaneously. By providing a granular view of the backlog and more flexible filtering options, we aim to reduce the complexity of tracking remediation progress across various high-priority incidents.

You can now clearly see which incidents correspond to your report data even when multiple events are selected. This update allows you to monitor how many outstanding issues exist for each specific event in the trend chart and quickly verify if issues associated with a selected asset are being remediated or have already been resolved.

To learn more, visit Zero-day report in our user documentation.

Sara Meadzinger | Staff Product Manager

Expanded Container JVM Support

Improved

We are pleased to announce expanded JVM support for Snyk Container vulnerability scanning. Previously, detection for unmanaged Java container software was limited to OpenJDK 8 binaries. With this update, customers can now identify vulnerabilities in their container images for Java versions beyond OpenJDK 8.

This update includes the following:

  • Support for Eclipse Temurin and Adoptium OpenJDK distributions that follow the standard /opt/java/openjdk/release layout.

  • Automatic detection via file fingerprinting with no manual action required to enable it.

This feature is gradually rolling out to General Availability (GA) across CLI and Container Registry (CR) integrations.

If you have any questions, feel free to reach out to the Snyk support team.

Announcing Snyk CLI v1.1304.1

Fix

We are pleased to announce Snyk CLI release v1.1304.1.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Snyk Code - Early May 2026 Update

Improved

Starting May 5, 2026, we're updating Snyk Code to improve scanning precision and reduce noise across all supported languages.

Improvements to scanning precision

All languages — Path Traversal severity tuning (CWE-22)
Path Traversal findings are now tiered by source risk. Findings from lower-risk sources are automatically reclassified from High/Medium to Low severity, reducing noise while keeping high-risk vectors prominent.

Java, Kotlin, Groovy — Apache Camel framework coverage (CWE-89 / CWE-22 / CWE-611)
Apache Camel Exchange HTTP sources are now tracked as taint origins. Applications using Apache Camel will see new findings where HTTP body and header values flow into SQL injection, path traversal, or XXE sinks. Customers using Apache Camel may see an increase in findings.

All languages — Improved .snyk exclude precision
.snyk exclude patterns now use full .gitignore-style glob semantics for more expressive and consistent scan scope control. Customers relying on .snyk exclude rules may see changes in scan scope.

Python — Reduced false positives on archive extraction (CWE-22 / CWE-73)
Python TarSlip detection is now scoped to genuine archive operations. Previously, any .extract() method call was flagged regardless of context - causing false positives in document parsers, ML pipelines, and custom extraction classes.
Findings now only fire when the receiver is a tarfile.open() or zipfile.ZipFile() object. ZipSlip detection via zipfile.ZipFile is also improved. Customers may see a reduction in Python TarSlip findings and new ZipSlip findings where archive contents are extracted without path sanitisation.
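
The extraction pattern this detection change concerns, shown as an added example (not Snyk's code or rule logic): each entry name read from a `tarfile.open()` or `zipfile.ZipFile()` object is resolved against the destination, and the whole archive is refused if any entry would land outside it. The function names and the sample archives are constructed for illustration.

```python
import io
import os
import tarfile
import zipfile


def check_inside(dest, member_name):
    """Raise ValueError if member_name would resolve outside dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes destination: {member_name!r}")


def safe_extract_tar(data, dest):
    """Extract tar bytes after checking every member's type and name."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            if m.issym() or m.islnk():
                raise ValueError(f"link member refused: {m.name!r}")
            check_inside(dest, m.name)
        # Add the stdlib "data" extraction filter as a second layer if present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **extra)
        return tf.getnames()


def safe_extract_zip(data, dest):
    """Extract ZIP bytes only if every entry name stays inside dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            check_inside(dest, name)
        zf.extractall(dest)
        return zf.namelist()


def build_sample(kind, names):
    """Constructed sample archive bytes holding one empty file per name."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"")
    else:
        with tarfile.open(fileobj=buf, mode="w") as tf:
            for n in names:
                tf.addfile(tarfile.TarInfo(n))
    return buf.getvalue()
```

Validation runs over every entry before anything is written, so an archive with one bad name leaves the destination untouched.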

Important details to note

All percentage improvements are based on Snyk's curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for Path Traversal as findings move to Low based on source risk tier. Total finding counts remain stable. Customers using Apache Camel may see an increase in findings as new data flows are detected. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Sebastian Roth | Senior Product Manager

Identify CISA KEV vulnerabilities for compliance

New

We added a new Known Exploited Vulnerabilities (KEV) filter to help you identify risks that the Cybersecurity and Infrastructure Security Agency (CISA) tracks as already exploited in the wild. While we already allow you to filter vulnerabilities and Common Vulnerabilities and Exposures (CVE) by their exploit maturity level, this update specifically targets the CISA KEV catalog. You can find this filter on any page where issue filters are available to help you manage your security backlog.

The CISA KEV catalog is a vital resource for meeting global security standards. For instance, FedRAMP requires strict remediation service-level agreements (SLAs) for any vulnerability listed in this catalog. Furthermore, the European Union Cyber Resilience Act (EU CRA) mandates that organizations actively monitor for vulnerabilities found in the CISA KEV catalog. We’re providing this filter to automate this visibility and help you maintain compliance across different regulatory environments.

You can now isolate vulnerabilities within the CISA KEV catalog with a single click. This helps you prioritize remediation based on documented real-world exploitation rather than just theoretical risk. By using this filter, you ensure your team addresses the specific issues that auditors and regulators prioritize, reducing the manual effort needed to cross-reference your backlog against federal and international mandates.

To learn more, visit Issue vulnerability details in our user documentation.

Sara Meadzinger | Staff Product Manager

Announcing Repo Monitor Configuration

Early access

We are excited to be launching Repo Monitor Configuration, which allows for management of repository coverage and monitoring configurations centrally across your entire Snyk Group from the Group-level Inventory page. This means you can monitor and manage repositories without navigating between individual Snyk Organizations.

Repo Monitor Configuration provides the following capabilities:

  • Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view.

  • Bulk import: import repositories directly from the Group Inventory page into specific Snyk Organizations.

  • On-demand retesting: trigger a retest for specific repositories directly from Inventory.

  • Actionable error resolution: clear guidance is available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically.

Nathan Hart | Senior Product Manager