Product Updates

Expanded Jakarta EE and Java EE Coverage in Snyk Code

Improved

Snyk Code is improving its Jakarta EE and Java EE coverage to enhance vulnerability detection in enterprise Java applications. This update expands support for key frameworks, increasing accuracy and improving security insights.

What’s New?

  • Additional Data Sources: Now includes JMS messaging, WebSocket, and Mail as sources of user-controlled data.

  • Broader Sink & Sanitizer Coverage: Expanded detection across Jakarta EE components.

  • ConstraintValidator Support: Recognizes sanitizers defined via ConstraintValidator annotations within the same repository.

This update will be available as part of our Java language support on March 1, 2025.

Sebastian Roth | Senior Product Manager

Improved Code Flow View for Taint Vulnerabilities in Snyk Code

Improved

Snyk Code will soon provide a more focused dataflow view for taint vulnerability reports. By removing unnecessary steps, this update makes it easier to trace relevant flows, improving clarity and speeding up issue reviews.

The update rolls out on February 19.

Sebastian Roth | Senior Product Manager

Snyk Container base image recommendation changes

Improved

We are excited to announce improvements to the Snyk Container base image recommendation algorithm.

Previously, we would sometimes recommend upgrades to alpha and beta images; this particularly affected Python base images.

This has now been fixed and we no longer recommend updating to these types of image.

PR Checks for Snyk Code are now Generally Available

Improved

PR Checks for Snyk Code are now Generally Available. Customers using Snyk Code to secure their applications can enable PR Checks to automatically scan their pull requests and provide a mechanism to gate those changes from being merged when new security vulnerabilities are discovered.

How do I enable PR Checks for Code?

Snyk Code PR Checks are available for all supported SCM integrations.

To turn them on for Snyk Code projects, navigate to the Pull Request Status Checks section under your organization’s integration settings and look for Code Analysis. From there, you can enable PR Checks and select your preferred failure condition (Low, Medium, or High severity issues).

You can then use PR Checks, along with your SCM’s configuration, to decide whether to prevent changes from being merged while the commit status check is in a failed state.

Jeff Andersen | Director, Product Management

Announcing Snyk CLI v1.1295.3

New

We’ve released a CLI hotfix (v1.1295.3) to enhance the following use cases:

  • Improved memory usage when executing code scans on large projects

  • Fixed incorrect filtering of files when executing code scans, which could cause the analysis to fail

  • Fixed unexpected logouts that were reported when using OAuth2 authentication

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!

Costin Busioc | Senior Product Manager

Broker Version Update

Improved

We have released Broker version 4.205.1. In this version, all ACCEPT rule flags will be enabled by default. This update reduces the need for user configuration, resulting in an enhanced Broker experience.

If you do not want a specific ACCEPT rule flag enabled, you can opt out of the default ACCEPT all behavior by adding ACCEPT_<FLAGNAME>=false to your Broker client configuration.

As best practice, we recommend using the latest version and regularly updating the Broker, preferably through automation.

Please contact support with any questions.

Snyk integration with Google Security Command Center

Early access

We’re pleased to announce an integration with Google Cloud Security Command Center (SCC), which enables security teams to monitor and manage application security vulnerabilities and misconfigurations from the Snyk platform - all within SCC interfaces, alongside other findings from Google Cloud. The integration is in Early Access, and is available to all Snyk customers on an Enterprise plan.

The combination of Snyk with Google SCC enables security teams to:

  • Centralize findings with a comprehensive view in SCC of application and cloud security findings from Snyk and Google Cloud.

  • Detect and respond to new vulnerabilities and misconfigurations as they emerge at any point of the SDLC - by viewing all findings in SCC, and fixing priority findings in code with Snyk.

Please reference our documentation for more information on setting up the integration.

Chris Suen | Senior Director, Product Management

Announcing Snyk Visual Studio v2.0.1

New

We’ve released a hotfix for our Visual Studio IDE plugin (v2.0.1) to address the following issues:

  • When scanning projects that contained non-ASCII characters in their path, results were not displayed.

  • UI freezes caused by either the authentication flow or the ignoring trust mechanism.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!

Costin Busioc | Senior Product Manager

Tenant Navigation Update

New

Following the previous announcement, we have completed the rollout of the updated navigation menu for all Enterprise customers.

The left-side navigation menu will now include the Tenant that brings together all the Snyk entities of each Enterprise customer. Read more about Snyk Tenants and the new Tenant-level roles.

Accessing the Tenant entry in the hierarchical navigation menu does not automatically provide visibility into everything within the Tenant. Customers will continue to see only the Groups and Organizations of which they are a member.

Learn more about how to set up your Snyk Tenant in our updated Snyk Learn training.

CVSS 4.0 and Exploit Maturity Support in the REST Issues API

New

We’re thrilled to announce the next step in our journey to improve security insights and prioritization—building on our previous update introducing CVSS 4.0. This enhancement adds support for CVSS 4.0 and Exploit Maturity (Threat Metrics) fields in the REST Issues API, delivering even more robust tools for vulnerability management.

The new default evaluation using CVSS v4.0 will improve the prioritization workflow and risk assessment, enabling you to focus on emerging threats.

In addition to CVSS 3.1 scores, you’ll now see CVSS 4.0 scores and exploit maturity fields when interacting with the REST Issues API.

Customers using data.effective_severity_level in their automations can now also use data.severities[].level for either CVSS 3.1 or CVSS 4.0 (based on data.severities[].version). Plus, gain access to all vector data and exploit details for each vulnerability for more granular automation and analysis.

For more information about CVSS v4.0's specifications, please refer to the blog post: What’s new in CVSS 4.0.

Stay secure,

Hadar Mutai | Senior Product Manager