Product Updates


Improvements to ignore types on the project page

Improved

On the projects pages, all ignore types will now allow expiration dates to be set. Additionally, the ignore type currently labeled "Ignore Permanently" on the projects page will be relabeled "Won't Fix" to match what is reflected in the API.

Ezra Tanzer | Director, Product Management

Snyk Generated Pull Requests report is now available in Early Access

Early access

Currently, Snyk can automatically create pull requests (PRs) on your behalf to upgrade your dependencies based on the relevant scan results. These can help you pay down your security vulnerability backlog, introduce fixes for newly discovered issues, or keep your dependencies up to date with new versions.

With our new "Snyk Generated Pull Requests" report now available in Early Access, you can visually track and measure the impact of these fix PRs. This report enables you to review how many Snyk Fix, Backlog, and Upgrade PRs were opened, merged, or closed across your repositories, and observe the overall mean time to merge. This report, available for all supported SCM integrations, can be filtered by organization, repository, project, or source and is refreshed every 90 minutes.

To view this report, simply navigate to the Reports section of your Group or Organization and choose “Snyk Generated Pull Requests” from the "Change Report" drop-down menu.

For more information, visit our reports documentation.

Jeff Andersen | Director, Product Management

High Context Inline Comments: Enhancements for a Better PR Experience

Early access

As part of our commitment to improving the pull request experience, we’ve introduced key enhancements to Inline Comments which boost developers' productivity by bringing detailed security findings directly into their PRs.

What’s new:

✅ Inline Comments are now capped at 10, prioritizing the most critical vulnerabilities by severity to prevent clutter and avoid SCM rate limits. If more than 10 findings exist, a note in the PR Summary Comment will notify you.

✅ Smarter vulnerability placement ensures that findings reported outside the PR diff are mapped to the nearest relevant changed line, keeping security issues visible even when the exact location isn’t commentable.

These updates streamline security reviews, reducing distractions while ensuring developers can quickly act on vulnerabilities within PRs.

Mayank Khera | Senior Product Manager

Getting ready for Faster PR checks in JavaScript & Python

Improved

In 2025, Snyk Code will improve PR check performance for JavaScript and Python, enabling faster scans.

In preparation, this update restructures some rules, simplifying the result set while maintaining detection accuracy.

What's New?

  • JavaScript DDoS Detection: Instead of multiple findings, only the misconfigured web server instance will be highlighted.

  • Python XSS Detection (when using the Jinja Framework): Repeated findings are consolidated into a single misconfiguration highlight for better clarity.

This update will roll out as part of our JavaScript and Python language support on March 10, 2025.

Sebastian Roth | Senior Product Manager

Coming March 17: Snyk Code Support for Spring WebFlux

New

We’re expanding Snyk Code’s Java support with the addition of Spring WebFlux, a widely used reactive web framework.

What’s New?

  • Recognize WebFlux APIs, including Mono and Flux types, to better understand application behavior.

  • Detect tainted data sources in functional endpoints, improving security analysis for reactive applications.

This update will be available as part of our Java language support on March 17, 2025.

Sebastian Roth | Senior Product Manager

Announcing Snyk CLI v1.1295.4

New

We’ve released a CLI hotfix (v1.1295.4), resolving CVE-2025-21614. This hotfix upgrades necessary dependencies and maintains the same user experience as the previous stable version.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!

Costin Busioc | Senior Product Manager

Improve Resolution for Java Interfaces in Snyk Code

Improved

Snyk Code now enhances security scan coverage by automatically identifying which implementation belongs to an interface in Java.

This update improves vulnerability detection, especially for Dependency Injection (DI) frameworks and common design patterns that rely on interfaces.

Customers using these patterns may see an increase in detected vulnerabilities.

What’s New?

  • Resolves an interface to its first and only detected implementation class.

  • Improves scan accuracy for DI-heavy frameworks and reusable design patterns.

  • Shipped as part of our ongoing improvements—already available!

Sebastian Roth | Senior Product Manager

Snyk Learn Reporting Update

Improved

Snyk Learn has released an updated reporting interface that is now generally available for all Snyk Enterprise plan customers. This update offers enhanced visibility into developer security training progress for your Snyk Organizations. By default, Snyk Learn Reports are available to Org/Group Admin roles in Snyk.

What’s New?

  • Improved Performance: Large download requests are now processed asynchronously, significantly boosting performance for large Snyk Organizations.

  • Detailed Reports: Get an overview of learner progress across the Learn catalog, plus user-specific progress reports.

  • Custom Role Support: Control who can see Snyk Learn reports for different Snyk Organizations via Custom Role permissions.

  • API Access: Learner progress data is available via the Learn API (beta), part of the standard Snyk REST API.

Important Changes: As previously communicated in the Snyk Learn app (from August 2024), Free and Team plans no longer have access to Snyk Learn reporting.

Alex Ley | Director, Snyk Learn

Rust & Groovy Support in Snyk Code

Early access

We’re excited to announce that Snyk Code will support Rust and Groovy in early access, with the rollout starting on March 3. Customers will be able to enable Rust and Groovy support inside Snyk Preview to scan their source code for security issues.

For Rust, Snyk Code will detect security vulnerabilities in backend web applications, covering issues in common frameworks, HTTP handling, async runtimes, and database interactions.

For Groovy, Snyk Code will identify security risks in backend web applications, including those using standard libraries and major web frameworks.

Public documentation at docs.snyk.io will be updated by the launch date.

Sebastian Roth | Senior Product Manager

Changes to some system tags in Snyk Essentials

Improved

Asset context has proven to be well adopted and useful for making better prioritization decisions across the platform. As a result, we will be removing some of the hard-coded system tags so that users can control directly, through an asset policy, how and under what conditions those tags apply.

The system tags that will be removed are all based on the repo name and can be created with an asset policy as demonstrated in the tagging policy use case.

The system tags that will be removed are: payment, infrastructure, ecommerce, scanned artifact: packages, scanned artifact: repositories, upload, demo, billing, account, attachment.

In addition, we're introducing the 'type' of each asset tag in the UI. This information will be available through the Inventory view and also when inspecting a specific asset.

This update rolls out on February 26, 2025.

Maya Mandel | Senior Manager, Product