Product Updates


Inventory Empty State Clarification - Snyk Essentials

Improved

We are excited to announce a UI enhancement that gives Inventory a clearer empty state. It explains why enrichment fields might be empty. Main highlights include:

  • No cell is left empty without a reason; this change removes all guesswork.

  • To make clear why fields are missing, the Inventory page displays a defined empty state, including informative tooltips to guide users.

This update is scheduled to be rolled out across all Snyk environments on September 3rd. No actions are needed to enable these changes.


Noa Moshe | Product Manager

Snyk Code: Enhanced Coverage & Rule Documentation

Improved

We are excited to announce a new Snyk Code update, bringing increased findings and improved inline documentation to our customers.

What's New?

  • Improved Crypto Cipher Detection: In Java, Kotlin, and Scala, we've enhanced our detection for insecure crypto ciphers.

  • New Python Rule: A new rule has been added for XXE (XML External Entity Injection), which covers CWE-330.

  • Expanded JavaScript Coverage: We've added new coverage for popular JavaScript frameworks, including Angular's ActivatedRoutes and react-router-dom.

  • Javalin Web Framework Support: We have added new coverage for the Javalin web framework in Java and Kotlin.

  • Enhanced Issue Descriptions: The descriptions and titles for security issues have been updated to provide clearer, more specific information. For example, "Cleartext Transmission of Sensitive Information" will now be appropriately categorized into more granular findings like:

    • Cleartext Transmission via Unencrypted Socket

    • Cleartext Transmission via Unencrypted Email

    • Cleartext Transmission via Unencrypted WebSocket

    • Cleartext Transmission via HTTP Instead of HTTPS

This update is scheduled to be rolled out across all Snyk environments on September 15.


Sebastian Roth | Senior Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files that use resolutions when running in the default strict out-of-sync mode. Previously, this setting was ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.


Johann Sutherland

Enhancements to SAST High-Context Inline Comments in PRs

Improved

As part of our continued effort to improve developer productivity, we have released several enhancements to High-Context Inline Comments today. These updates aim to reduce context switching by delivering contextual and actionable security findings directly within your workflow.

What’s new:

  • Data Flow support for GitLab & Azure Repos - Data flows are now supported for both GitLab and Azure Repos, helping developers trace how a vulnerability travels from source to sink in their code, making investigation and fixes faster. For users of Snyk Broker, data flows are supported on the following versions:

    • GitLab: Broker version 4.215.2 or higher

    • Azure Repos: Broker version 4.218.2 or higher

  • We’ve resolved an issue for GitHub and Bitbucket users leveraging Snyk Broker. Data flows will now correctly point to the intended commit reference for the following versions:

    • GitHub: Broker version 4.216.1 or higher

    • Bitbucket: Broker version 4.217.3 or higher

No action is required to enable these changes. You can find more details in the user docs.


Mayank Khera | Senior Product Manager

Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating vulnerable gems, running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we’ll start gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven with unique versioning information. Snyk was previously not resolving these dependencies correctly, affecting the accuracy of projects and related issues. This will be fixed, and projects will accurately detect these dependencies.

  • Logic for “provided” transitive dependencies is now correct and aligns with Snyk CLI and how Maven handles these cases.

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.


Ryan Searle | Product Director

Announcing Snyk CLI v1.1298.3

New

We’ve released a new CLI version (v1.1298.3) with new features, bug fixes and improvements to enhance your security scanning.

This update includes the following two changes:

1. Open Source: Gradle 9 Support

We are pleased to announce that the Snyk CLI now supports scanning Gradle 9 projects!

Previously, when scanning version 9 projects in the CLI, some operations might fail due to reliance on a deprecated and removed Gradle CLI flag. This has now been resolved, and Gradle 9 is officially supported in the Snyk CLI.

2. AI-BOM: The snyk aibom command

The AI-BOM CLI command is now publicly accessible.

You can use the snyk aibom command to identify AI models, datasets, and map the AI supply chain, including connections to external tools and services using the Model Context Protocol (MCP).

Note: AI-BOM is an experimental feature and is subject to breaking changes without notice. Read more in our documentation.

Release notes are available here.

We encourage everyone to upgrade to the latest version to take advantage of these new capabilities. If you have any questions, please don’t hesitate to reach out to the Snyk support team.


Costin Busioc | Senior Product Manager

project_target_file Now Available in Snyk Export API!

New

We're excited to announce a crucial enhancement to our new Export API: we've added the project_target_file field. This update is a significant step in helping customers transition from the deprecated Reporting V1 API to our more robust and modern Export API. The project_target_file field, which was previously only available in the older Reporting V1 API, is now included in the Export API. This field provides critical information for disambiguating ownership in monorepos.

How Does This Benefit You?

  • Seamless Migration: If your workflows, especially those involving monorepos, relied on project_target_file from the Reporting V1 API, you can now migrate those processes entirely to the Export API.

  • Improved Ownership Clarity: For complex projects like monorepos, target_file helps you precisely identify and manage project ownership, leading to more accurate reporting and better security insights. It contains the file path within a project that Snyk is targeting for security scanning, such as /var/www/composer.lock, /app/package.json, or other dependency manifest files.

  • Access to Modern API Features: By fully moving to the Export API, you can leverage its improved performance, scalability, and other advanced capabilities.

  • Reduced Reliance on Legacy API: This addition helps reduce the need for the older Reporting V1 API, allowing us to focus on enhancing our newer, more efficient solutions.

What You Need to Know

The data for target_file is consistent with what you've seen in the Reporting V1 API and our internal datasets. We've ensured a direct mapping to provide you with reliable information. To make this field available, we've updated several underlying data structures. While this required a full refresh of some datasets on our end, you don't need to take any action other than updating your API integrations to utilize the new field. This enhancement directly addresses feedback from customers, enabling a smoother and more complete transition to the Export API.


Maor Kuriel | Director of Product

Export API GA Release

New

The Export API is now GA, allowing our customers to create and download Snyk Issues data as a CSV file. It's useful for making custom reports and using Snyk data with other tools.

What it is and why it's helpful

The Export API, supported by Snyk Analytics, lets users create and manage CSV data exports. These files are stored securely by Snyk. Designed for efficiency and security, the Export API helps users organize and scale the export of large datasets, which is useful for reporting and analytics tasks.

  • Consume predefined datasets, based on Snyk reporting data

  • Datasets evolve in parallel to Snyk Analytics' scope

  • Focus on the user experience and ease of consumption

More information

You can find more details, including how to use the API, in our product documentation.


Maor Kuriel | Director of Product

Disable repository listing in the Container Registry Agent

Improved

We've just released an enhancement for the Snyk Container Registry Agent to improve compatibility with a wider range of container registries. You can now disable the repository listing feature to prevent integration errors and reduce API calls.

This is especially useful if you are using a registry that does not support the GET /v2/_catalog endpoint, or if your organization's security policies restrict access to it.

Key Benefits

  • Expanded Registry Support: Ensures smooth integration with registries like GitHub Container Registry and GitLab Container Registry.

  • Work Around Permission Issues: Allows the agent to function correctly even when it doesn't have permissions to list all repositories.

  • Reduce API Calls: Optimizes performance by preventing unnecessary calls to your registry's catalog endpoint.

How to Enable

You can enable this feature by setting the SNYK_DISABLE_LIST_REPOS environment variable to true in your deployment. When enabled, the agent immediately returns an empty list instead of trying to query the registry, resolving potential errors.

For full setup instructions for Docker, Helm, and Kubernetes, please see the updated Snyk Container Registry Agent documentation.


Pratip Banerji | Senior Director, Product Management

Snyk Agent Fix in PRs is coming to Bitbucket

Early access

Launching in Early Access on August 4th, 2025, Snyk Agent Fix eliminates the manual overhead of resolving vulnerabilities, helping developers merge secure PRs faster while integrating seamlessly into their existing workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

  • Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

  • View an explanation of the suggested fix alongside the code snippet.

  • Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

  • Generate multiple fix suggestions within the same PR, where applicable.

The following Bitbucket integrations will be supported: Bitbucket Cloud, Bitbucket Cloud App, and Bitbucket Server. If you’d like to enable this feature for your organization, you can self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out our user docs for more details and connect with your account team to participate in feedback sessions to shape the future of your workflows with Snyk.


Mayank Khera | Senior Product Manager