Product Updates

We’re excited to announce the Early Access launch of the PR Check Report, a powerful new way to see how PR checks are performing and driving security outcomes across your organization. This release sets the stage for measuring the true security impact of PR checks across your organization and strengthening your overall prevention posture.

The current release of the report helps you:

• Monitor performance: Track pass, fail, error, and marked-as-successful rates over time across Snyk Open Source and Snyk Code checks. 

• Measure coverage: Understand where PR checks are enabled across your repositories to identify adoption gaps.

• Uncover recurring errors: Surface common error types and configuration issues to improve scan reliability and developer confidence.

Feature highlights:

• Flexible filters by time window, Snyk product (Snyk Open Source / Snyk Code), and project parameters like origin (SCM) and asset class.

• Org, Group, and Tenant-level insights into PR check performance and coverage.

• Export options for deeper data exploration and sharing.

The report is available under Analytics in the All Reports section for Tenant-level visibility. You can also find it in the Reports section of your Group or Organization by selecting Pull Request Checks Usage & Performance from the Change Report menu.

Learn more in our user documentation and connect with your account team to share feedback or help shape upcoming improvements.

We’re pleased to share that on November 5th, 2025 we will release improvements to Reachability for JavaScript and TypeScript. Upon release, Reachability will be supported for over 98% of applicable vulnerabilities, helping you better prioritize which issues to fix first.

You may see minor fluctuations in the reachability and Risk Score for issues in your npm, pnpm, or Yarn projects.

This release is a part of ongoing engine improvements related to coverage and quality. You can expect similar improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

To learn more about how to get up and running with Reachability, please read our User Docs.

We’re excited to introduce the Learning Impact & Opportunities report, designed to help you understand how your security education and training programs are influencing both code issue remediation and code issue prevention, and to highlight where future training can have the greatest impact.

The report provides a data-driven view into how training affects your development teams, allowing you to track:

• The impact of education and training on code issue remediation

• The impact of education and training on code issue prevention

• Recommendations for further training opportunities

• Coverage rates for users who have completed relevant Snyk Learn lessons for your top CWE issue categories.

Custom filters let you refine results by time period, users, organizations, lesson title, CWE, or issue severity.

Learning Impact Report

To access this report you need to have the Snyk Learning Management Add-on, in addition to an Snyk Enterprise plan.

You can access the report by navigating to the Group > Reports menu in the Snyk App. Any user role that can view in-app reports at the Group level can access this feature.

Read more in our Program Reporting documentation. To find out about our Learning Management Add-On speak with your Snyk account team.

We've made it easier to manage the security of your data exports by implementing a configurable, shorter time-to-live (TTL) for the presigned URLs created by the Export API (application programming interface). Now, when you use the Export API, you can limit how long the download link remains active by passing a value between 0 and 3,600 to the url_expiration_seconds attribute. Once the timeout expires, the CSV data can no longer be downloaded, and you'll need to start a new export.

We understand that some security policies require a shorter expiration time for temporary download links containing sensitive data than the default time we provide. This update gives you the control to align the Export API's presigned URL expiration with your organization's specific security and compliance requirements.

This enhancement affects all users who utilize the Export API to generate CSV data. This change is optional: your existing Export API integrations will continue to work without modification, using the default link expiration time. If you require a shorter link expiry, you can simply add the url_expiration_seconds attribute to your export request with a value from 0 to 3,600 seconds.

To learn more, visit the Export API documentation.

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example: class). We're introducing new, structured (key:value) asset tagging capability that will be called tags.

This update provides a significant enhancement by providing a flexible way to enrich asset data. The new functionality enables you to add specific, structured context to your assets for powerful filtering and integration with your internal systems aligning with industry best practices. We are introducing a new PATCH endpoint to address the need to programmatically modify asset attributes.

The update introduces an enhancement to the Assets API , to provide a more powerful way to categorize assets using structured key-value pairs, and allowing to update Class , free-form labels, and the new key:value tags attributes via API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refer to the new, structured key:value pairs

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

We're happy to announce that we now support Python 3.14. Following its release on October 7, 2025, this support is now generally available (GA). You can now scan your Python 3.14 projects using both the command line interface (CLI) and your source control manager (SCM) integrations.

Python is a top-priority ecosystem for many of our users. We're committed to providing support for new language versions as quickly as possible so you can upgrade and stay secure without interruption.

You can now import and scan your Python 3.14 projects from the CLI or your connected SCM. Please remember: if your project does not have a Python version specified, you need to configure it in the UI to use Python 3.14.

To learn more, visit Snyk for Python in our user documentation.

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

• Expiration Date: The date when the risk acceptance expires.

• Approver Name: The individual who authorized the risk acceptance.

• Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

• For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

• For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

• Visual Studio Code v2.26.0

• JetBrains v2.17.0

• Eclipse v3.5.0

• Visual Studio v2.5.0

This release is focused on enhancing stability and reliability, with key updates including:

• Visual Studio Code: Secure at Inception: Includes an update to the experimental settings that enable Secure at Inception in Cursor, Windsurf, and VS Code, allowing users to toggle the frequency of SAST scans running against AI-generated code. For new installs of the VS Code extension, a modal will show to allow users to optionally enable this capability with ease.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

We have released a new CLI hotfix (v1.1300.1) to address bugs and improve the overall user experience.

• Improvements to how Snyk’s MCP server works with our VSCode IDE extension, sharing context between the two implementations, which reduces the number of steps needed to get started

• Security, stability, and usability: This release features important security and bug fixes, alongside enhanced usability thanks to improved network error categorization.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to take advantage of these improvements.

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

• As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

• As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

• In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

• We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.