Product Updates

Announcing Snyk CLI v1.1305.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1305.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • SBOM

    • Introduces the --allow-incomplete-sbom flag for snyk sbom, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results.

  • Container

    • Speeds up snyk container monitor by sending dependency requests in parallel, configurable via the SNYK_REQUEST_CONCURRENCY environment variable.

  • MCP

    • Adds an experimental breakability evaluation tool to the Snyk MCP Server.

  • Static CLI binaries for Linux

    • Linux ARM64 and AMD64 binaries are now statically linked by default.

  • Additional Reliability and Performance Improvements

    • npm package aliases from the lockfile are now used appropriately in the test command.

    • Fixes parsing of Python .whl files when scanning projects with --all-projects.

    • Updates dependencies to fix vulnerabilities.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

Matt Dolan | Senior Product Manager

More flexibility when exporting table data to CSV with Snyk API & Web

Improved

We've improved the recently introduced Download CSV feature to offer greater flexibility when exporting data directly from the Snyk API & Web interface.

We understand that analyzing security data often happens outside of our platform. The original Download CSV functionality was added to save you time and streamline custom reporting and internal data manipulation. This expansion provides even more power and flexibility by allowing you to select from a comprehensive range of fields, ensuring you get exactly the data you need for your external analysis.

This feature is available to all users across all account plans. If you have access to a table, you can download its data.

To learn more, visit How to export table data to CSV in our user documentation.

Ana Pascoal | Product Manager

Snyk Learn lesson roundup: what’s new in May

New

This month on Snyk Learn, there are brand new lessons for Evo by Snyk, along with a refreshed "Snyk in an IDE" lesson set. We are also excited to launch the new AI Secure Development learning path, where you will learn to build any app securely using AI while mastering foundational AI-powered security topics such as prompt injection and MCP.

Try the new "Feedback" button on learn.snyk.io (login required) to share feedback and topic suggestions.

Security lessons

Snyk platform lessons

  • [New] Navigating the Evo Interface - a new lesson to familiarize yourself with the unified agentic interface in Evo by Snyk.

  • [New] AI Security Posture Management (AI-SPM) - a new lesson that enables users to detect AI assets via AI-BOM scans and enforce governance through Natural Language Policies as well as traditional menu items.

We have refreshed the following lessons to ensure all content reflects our current platform and products, also providing a streamlined, role-based learning experience:

  • [Updated] Using Snyk in an IDE - updated to reflect the Developer’s workflow, including installing the plugin, authenticating, and using real-time scanning to find and fix vulnerabilities without leaving your IDE.

  • [Updated] Administrating Snyk in an IDE - formerly part of the “Using Snyk in an IDE” course, this lesson now focuses on the Administrator’s workflow, including advanced configuration and governance.

Expanded framework and coding languages coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10 learning path.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Snyk Studio: Introducing Asynchronous, Hooks-Based Guardrails for AI Agents

Early access

Introducing Hooks-Based Guardrails

Snyk Studio is evolving our agentic guardrails to enable deeper trust in agent-generated code. We are debuting a new asynchronous, hooks-based approach to replace traditional rules-based guardrails, ensuring that security remains deterministic and efficient without slowing down the developer loop.

As agentic development has matured, initial friction points in rules-based models have become apparent. By transitioning to a hooks-based architecture, Snyk Studio resolves these key challenges with the traditional rules-based approach:

  • Determinism: While agents may occasionally ignore traditional rules, hooks are deterministic, ensuring that defined security scans are executed every time.

  • Zero Latency: Unlike rules-based models that add visible friction to the developer experience, hooks leverage background scans to provide a low-latency workflow.

  • Context Window Efficiency: The rules-based approach injected Snyk scan results into the agent's context window, consuming limited token space. Hooks decouple scan execution and results, keeping the context window focused on coding tasks.

Support for Leading ADEs

We have targeted support for the hook-based approach to cover popular Agentic Development Environments (ADEs) across both Windows and macOS. You can now leverage Snyk Studio guardrails in:

  • Claude Code

  • Cursor

  • Gemini CLI

  • Codex CLI (coming soon)

We also support automatic configuration of the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill for:

  • Kiro

  • Windsurf

  • Copilot CLI

  • Copilot VS Code Extension

Scaling for the Enterprise

To simplify adoption, we have released an installation script to automate configuration and deployment. The install script:

  • Supports Windows and Mac

  • Can be used via MDM to support distribution at scale

  • Installs the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon), Kiro, Windsurf, Copilot CLI, and the Copilot VS Code Extension

  • Installs hooks on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon)

Getting Started

See our revamped documentation to get hooks configured and installed in your favorite ADE.

What’s Next

We will continue to expand support for additional ADEs and are working to integrate Snyk Studio distribution directly with Agent Scan and Agent Guard.

Sam Broadaway | Senior Product Manager

Ezra Tanzer | Director, Product Management

New Analytics Overview Widgets

New

We've added several new widgets to the analytics overview to provide better visibility into your security program. These updates bring key performance indicators (KPIs) from the Snyk Studio and pull request (PR) check reports directly into your main dashboard.

We want the analytics overview to be the central landing page for your most important metrics. As we've introduced new reporting capabilities, the overview page needed to evolve to match. By bringing in data from PR checks and Snyk Studio, we're ensuring you have immediate access to the most accurate and relevant security data without navigating through multiple sub-reports.

You can now track Total PR checks and your PR Check success rate alongside developer activity from Snyk Studio, including Agentic Scans and unique Developers running agentic scans. These widgets allow for more precise tracking of developer adoption and tool effectiveness. To keep your view clean, the new widgets are disabled by default, but you can enable them whenever you need that specific breakdown.

To learn more, visit Analytics Overview tab in our user documentation.

Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1304.2

Fix

We are pleased to announce Snyk CLI release v1.1304.2.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Improved zero-day report filtering and visibility

Improved

We’re improving the usability of our zero-day reports to help you manage multiple security incidents more effectively. We expanded the filter bar for selected zero-day events to provide better context when you view data from several incidents at once. Additionally, the Accumulative Issues Backlog trend chart now breaks out each selected incident individually, and we added a new filter to the open issues side panel that allows you to toggle between open and resolved issues.

We want to make it easier for you to distinguish between different security events when they happen simultaneously. By providing a granular view of the backlog and more flexible filtering options, we aim to reduce the complexity of tracking remediation progress across various high-priority incidents.

You can now clearly see which incidents correspond to your report data even when multiple events are selected. This update allows you to monitor how many outstanding issues exist for each specific event in the trend chart and quickly verify if issues associated with a selected asset are being remediated or have already been resolved.

To learn more, visit Zero-day report in our user documentation.

Sara Meadzinger | Staff Product Manager

Expanded Container JVM Support

Improved

We are pleased to announce expanded JVM support for Snyk Container vulnerability scanning. Previously, detection for unmanaged Java container software was limited to OpenJDK 8 binaries. With this update, customers can now identify vulnerabilities in their container images for Java versions beyond OpenJDK 8.

This update includes the following:

  • Support for Eclipse Temurin and Adoptium OpenJDK distributions that follow the standard /opt/java/openjdk/release layout.

  • Automatic detection via file fingerprinting with no manual action required to enable it.

This feature is gradually rolling out to General Availability (GA) across CLI and Container Registry (CR) integrations.

If you have any questions, feel free to reach out to the Snyk support team.

Announcing Snyk CLI v1.1304.1

Fix

We are pleased to announce Snyk CLI release v1.1304.1.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager

Snyk Code - Early May 2026 Update

Improved

Starting May 5, 2026, we're updating Snyk Code to improve scanning precision and reduce noise across all supported languages.

Improvements to scanning precision

All languages — Path Traversal severity tuning (CWE-22)
Path Traversal findings are now tiered by source risk. Findings from lower-risk sources are automatically reclassified from High/Medium to Low severity, reducing noise while keeping high-risk vectors prominent.

Java, Kotlin, Groovy — Apache Camel framework coverage (CWE-89 / CWE-22 / CWE-611)
Apache Camel Exchange HTTP sources are now tracked as taint origins. Applications using Apache Camel will see new findings where HTTP body and header values flow into SQL injection, path traversal, or XXE sinks. Customers using Apache Camel may see an increase in findings.

All languages — Improved .snyk exclude precision
.snyk exclude patterns now use full .gitignore-style glob semantics for more expressive and consistent scan scope control. Customers relying on .snyk exclude rules may see changes in scan scope.

Python — Reduced false positives on archive extraction (CWE-22 / CWE-73)
Python TarSlip detection is now scoped to genuine archive operations. Previously, any .extract() method call was flagged regardless of context, causing false positives in document parsers, ML pipelines, and custom extraction classes.
Findings now only fire when the receiver is a tarfile.open() or zipfile.ZipFile() object. ZipSlip detection via zipfile.ZipFile is also improved. Customers may see a reduction in Python TarSlip findings and new ZipSlip findings where archive contents are extracted without path sanitisation.
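
The pattern this rule targets, extraction from a tarfile.open() object without path sanitisation, shown beside a sanitised form. This is an added example, not Snyk's code or detection logic; the function names and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign member and three risky ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../outside.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(b"sample")
            tar.addfile(info, io.BytesIO(b"sample"))
        link = tarfile.TarInfo("docs/link")  # symlink pointing out of the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tar.addfile(link)
    return buf.getvalue()


def is_within(dest: str, name: str) -> bool:
    """True if dest/name still resolves to a path inside dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def unsafe_extract(data: bytes, dest: str) -> None:
    """The flagged pattern: member names are trusted as-is."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        # No path check; the outcome depends on the Python version's default filter.
        tar.extractall(dest)


def safe_extract(data: bytes, dest: str):
    """Write only regular files whose resolved path stays under dest."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue  # parent directories are created per file below
            if not (member.isfile() and is_within(dest, member.name)):
                rejected.append(member.name)  # traversal, absolute path, link, device
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(member.name)
    return extracted, rejected
```

safe_extract returns the accepted and rejected member names so the caller can log or fail on rejected entries rather than skip them silently.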

Important details to note

All percentage improvements are based on Snyk's curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for Path Traversal as findings move to Low based on source risk tier. Total finding counts remain stable. Customers using Apache Camel may see an increase in findings as new data flows are detected. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Sebastian Roth | Senior Product Manager
