Product Updates

The PR Issue Summary Comment feature (previously in Closed Beta) for Snyk PR Checks is now available in Early Access! With this feature, developers using Snyk PR Checks will receive a comment with a summary count of security, license, and code checks directly within their pull requests, categorized by severity (Critical, High, Medium, Low). This empowers developers to identify and address issues early, with detailed links provided for deeper investigation.

To enable this experience, a new Pull request experience section is now available in the SCM integration settings for supported SCMs. This allows you to directly opt-in to the experience and manage whether to omit the summary comment in cases of PR Check success.

PR Comments are available in Early Access for the following SCM integrations:

• GitHub: GitHub OAuth, GitHub Enterprise (PAT), and GitHub Cloud App

• Bitbucket: Bitbucket Cloud (PAT), Bitbucket Cloud App

Start streamlining your workflows today!

We’re excited to share that supported license data in the form of expressions will now automatically be included in all SBOMs produced by Snyk.

Until now, license information has been available in other parts of Snyk—but not in our CycloneDX or SPDX software bill of materials.

We hope this release makes it easier than ever to share key legal context about your supply chain with relevant audiences.

Although no changes are required, we recommend exploring how you can begin using license data in your SBOM-related integrations and workflows.

This release is coming soon, and could be available as early as November 28th. Keep an eye out for updates to Snyk's User Docs with more information.

We are excited to announce a significant enhancement to Snyk Automatic Fix Pull Requests, furthering our mission in designing workflows that match different projects needs.

Starting December 5th, you will be able to set Fix Pull Requests thresholds by either severity or score. We understand in some projects, fixing all vulnerabilities constantly is extremely important, whereas in others focusing on specific types boosts velocity. That's why, you'll be able to configure two types of rules for the Automatic Fix Pull Requests:

• by score (priority or risk score) - set a threshold from 0 to 1000

• by severity - select among critical, high, medium or low

Snyk will take into account your preferences and raise Automatic Fix Pull Requests only for the issues matching your preferences. Please keep in mind that this option will not influence our Backlog PR capability at the moment.

New organizations created in Snyk will experience a default score of 700 for this capability, which will also represent our default starting June 5th 2025 for all organizations that do not set a specific preference by that point.

Enjoy Snyk Fix PRs!

We discovered a bug in the handling of applications using npm lockfile v3 in Snyk Container, causing transitive dependencies to be omitted from results.

A fix has been identified. Once this has been applied, Snyk Container npm projects using v3 lockfiles are likely to see an increase in identified dependencies. This may lead to an increase in vulnerabilities when re-scanning existing repositories, even if repository contents are unchanged.

The fix will be rolled out to both the Kubernetes integration and next Snyk CLI stable release on December 18th.

The fix is already available in Container Registry integrations.

If you have any questions or need assistance, please don’t hesitate to reach out to us.

[Hotfix update - Nov 20, 2024]

We’ve released a hot fix - Snyk CLI v1.1294.1 - to address the following issues reported by our customers on. Release notes can be found here.

Bug #1 -

• Before the fix - Snyk Container scanner was unable to process RedHat images when the content_sets attribute was missing in the redhat-content-manifests file.

1{
2  "name": "redhat-content-manifests",
3  "version": "1.0",
4  "requires": [
5    "rpm"
6  ],
7  "content_sets": [
8    {
9      "name": "rhel-server-rhscl-7-rpms",
10      "baseurl": "http://cdn.redhat.com/content/rhel/server/7/7Server/x86_64/rh-os/",
11      "mirrorlist": "http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os",
12      "gpgcheck": 1,
13      "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
14      "enabled": 1
15    }
16  ]
17}

Example of redhat-content-manifests file with a content_sets section.

• After the Fix - The fix will allow successful scanning of RedHat images when content_sets is absent.

• Important to note: This fix will be applied to Container Registry and Kubernetes integration as well.

Bug #2 -

• Before the fix - Some customers have reported encountering a "too many vulnerable paths for conversion to legacy test output" error when scanning Python projects using Snyk Container (via the snyk container monitor CLI command).

• After the fix - We’ve optimized Python pip dependency graphs by removing unnecessary optional dependencies. This reduces the number of vulnerable and upgrade paths, resulting in fixing this reported error, faster scans and improved reliability.

• Important to note:

• The issue count and dependencies remain unchanged.

• The change primarily reduces path information for optional dependencies when they are not needed, specifically the number of paths from the root to a vulnerability, which may be significantly decreased.

Bug #3-

• Before the Fix: An "Invalid JSON" error occurred under the following conditions:

• Trace or debugging was enabled.

• Policies were applied to the test results.

• The --json flag was used with the snyk test, snyk monitor, snyk container test or snyk container monitor CLI commands.

• After the Fix: The issue will be resolved, and JSON parsing will work correctly under these specific conditions.

• Important to Note: This problem is limited to CLI version v1.1294.0 and does not affect other versions.

You can learn more about Snyk CLI release channels in user documentation. If you have any questions, feel free to reach out to the Snyk support team!

Starting on November 20, 2024, we will be rolling out scalability and data accuracy improvements to Issues. In some cases (<1% of recurring tests in our internal benchmarking), these improvements may impact the values for the following fields in our REST API for Issues, Issues UI, and Issues Reporting.

For SCA (Snyk Open Source, Snyk Container) products:

• reachability

• exploit maturity

• is pinnable

• is patchable

• is upgradeable

• package name

• package version

For all products:

• is currently present

• is ignored

• disappear reason

• original severity

If you are using fields such as "reachability" and "exploit maturity" to prioritize which issues to remediate, you may notice changes in values during the rollout and will need to plan accordingly.

Please reach out to your account team or support for any questions.

In 2023, we released OAuth 2.0 service accounts as an alternative to API keys as authentication material for service accounts. However, the creation and management of these service accounts was only possible through the API.

We’re pleased to announce that you can now create and manage OAuth 2.0 service accounts through the Snyk UI. For more information on how to leverage these service accounts through the UI, please head to the user documentation.

We are thrilled to announce the new edition of the Asset Dashboard!

The new edition features several new enhancements:

• Global filters bar: easily slice and dice the entire dashboard by various asset attributes.

• Revised Coverage Overview widget: one holistic view for all your security products' coverage.

• New data widgets: explore the new Asset Class Breakdown, Package manager breakdown, and Application context availability widgets.

• PDF export: export the full dashboard in a PDF format.

Please notice that the Asset Dashboard is now available for enterprise customers under Reports in the Group menu, and will no longer appear as a separated item in the Group main menu.

To allow a smooth transition, the previous asset dashboard edition will remain accessible through a banner link in the new edition.

Please notice that it will only include the Commits Trend Widget and the Recent Repository Activity Table, as those are not included in the new edition.

You can learn more about the new edition in Snyk Learn or in the product documentation.

For any question, please contact your account team.

New enhancements are now available in the Developer IDE and CLI usage Report.

This update includes the following enhancements:

• Developer email address in the "Adoption by individual users" table - helps to better distinguish and reach out to any specific developers.

• PDF export - allowing to share usage status reports and improve internal communication over the IDE adoption.

The Developer IDE and CLI usage report is available under the Org and Group Reports menu. Learn more about it in our product documentation.

For any question, please contact your account team.

We are happy to share some important enhancements that are now available in the Vulnerabilities Detail Report.

The Vulnerabilities Detail Report is used to identify the most prevalent vulnerabilities and review their spread across your projects and targets. It is also useful for planning CVE eradication programs.

This update includes the following enhancements:

• Target indication: see the vulnerability spread across targets. We added indication on the affected targets count in the main table and when drilling-down, you would also see the affected target name, next to the affected project.

• Column picker: allowing you to view and prioritize vulnerabilities by various factors, such as NVD score, CVSS score, EPSS score and more.

The Vulnerabilities Detail Report is available under the Org and Group Reports menu. Learn more about it in our product documentation.

For any question, please contact your account team.