Product Updates


Improved .NET scanning is now generally available

General availability

We're excited to share that "improved .NET scanning" has moved out of Snyk Preview and is now generally available.

It is now easier than ever to onboard your .NET repos and gain visibility into your software supply chain with a high degree of accuracy.

This release covers SCM integrations, the CLI and CI/CD plugins, and the IDE, providing consistent results across your software development lifecycle.

Private package and Snyk Broker support

Managing private dependencies is critical for enterprise development, so we have expanded support for self-hosted and private NuGet packages to ensure you have visibility into your entire software supply chain.

  • Universal Broker: If you use the universal Broker, you can now fully scan private packages hosted on brokered connections to Artifactory and Nexus.

Enhanced accuracy and performance

We have updated the scanning architecture to use the native dependency resolution logic of the .NET ecosystem. By using the dotnet SDK directly to resolve dependencies, Snyk now provides a highly precise representation of your project's dependency graph.

Expanded project support

We are removing the barriers to scanning complex configurations. You can now scan any SDK-style project that builds successfully with the dotnet SDK. This includes broad support for standard build customization files such as global.json, Directory.Build.props, and Directory.Packages.props without requiring additional configuration.

Additionally, this update unlocks support for Windows-specific frameworks—including WPF and WCF—for environments running .NET SDK 10 or higher.

Availability

These improvements will be released gradually starting in mid-February and are designed to be non-disruptive to your existing workflows.

For more information on configuration and support, see the Snyk documentation for .NET.


Johann Sutherland

Blocking mode for Snyk API & Web CLI

Improved

We’ve introduced the follow-scan command to the Snyk API & Web (DAST) command-line interface (CLI) starting with version 0.0.1a15. This update allows the CLI to wait for a scan to finish before your CI/CD pipeline continues. We've also added new configuration options that let you set time limits for scans and define specific vulnerability thresholds that will automatically fail a build. After each run, we provide a direct link to your results for faster triaging.

You can now automatically block high-risk code from progressing through your CI/CD pipeline. By using the latest CLI version, you gain native control over build failures without needing to manage complex workarounds or manual checks.

To learn more, visit Snyk API & Web CLI documentation.


Natalia Yurchenko | Senior Product Manager

Improved SBOM testing is now available in Early Access 🎉

Early access

We are excited to share that we've made several improvements to how you test CycloneDX and SPDX SBOM files with Snyk, now available in Early Access for Snyk Open Source and Snyk Container.

These changes give you greater feature parity and a more consistent experience across your CLI testing workflows.

Here's what you can expect in Snyk CLI version 1.1302.0 and greater:

  • The snyk sbom test command no longer requires the use of the --experimental option.

  • You can now use previously unsupported options, including --severity-threshold, --reachability, and --reachability-filter. These additions provide more granular control over your SBOM scanning results.

  • Findings are returned by default in a human-readable output and now include any applicable enrichments such as Reachability, Policy, Ignores, and Fix Advice.

  • When you use the --json option, findings will be returned in a new JSON schema.

  • We've also introduced clearer error messages, helping you quickly understand and resolve issues if Snyk is unable to test your SBOM file.

To minimize disruption to your workflows, we recommend reviewing your current integration and making any necessary changes prior to updating.

For those using Snyk CLI versions 1.1301.0 and below, the --experimental flag remains supported, and findings are returned in the previous format.

For more details, please refer to our User Docs.


Ryan Searle | Director, Product Management

Container: New pruning option for large dependency graphs

New

We have introduced a new optimization mechanism to support scanning for enterprise-scale projects with massive dependency graphs. We added a graph pruning capability that allows scans exceeding the standard maxVulnPathsLimit to complete successfully.

Certain large projects generate dependency graphs with over 100,000 vulnerable paths. Previously, these massive graphs hit a hard limit in the Snyk Container monitor, causing the scan to fail completely for large enterprise workloads.

This unblocks scans for large projects. Users who were previously unable to monitor their largest containers due to timeout or complexity errors can now successfully scan them.

CLI users can use the --prune-repeated-subdependencies flag immediately. Customers using container registry integrations should request that the corresponding Feature Flag be enabled for their organization by contacting support.

Container: Improved scanning for stripped and CGo Go binaries

Improved

We have updated Snyk Container to support scanning for stripped Go binaries and those built using CGo. We have enhanced the scanner to use module-level analysis via .go.buildinfo, allowing Snyk to accurately identify dependencies even when debug information is removed or C libraries are used.

Historically, stripped binaries and CGo builds made it difficult for scanners to accurately parse dependencies, potentially leaving vulnerabilities undetectable. This update closes that visibility gap.

Users scanning Go containers may now see new vulnerabilities that were previously hidden due to the limitations of scanning these specific binary types. This ensures more complete security coverage for Go applications.

This improvement is available in Snyk CLI v1.1302.0 (preview and stable releases). Update your CLI to the latest version to ensure your Go container artifacts are fully covered.

Container: Support for pnpm lockfile scanning

New

We have added support for scanning Node.js applications that use pnpm as their package manager within container images. When you scan a container image, Snyk will now automatically detect pnpm-lock.yaml files. If your project contains both a lockfile and node_modules, we will use the lockfile to generate a more accurate dependency graph.

Previously, Snyk Container scans for pnpm-based projects relied on node_modules analysis or less granular detection methods. As pnpm adoption has grown due to its speed and disk efficiency, we wanted to ensure container scanning provided the same depth of coverage as our CLI and SCM integrations.

This update brings container scanning into parity with other Snyk integrations. Users will see improved accuracy in their scan results without needing to change any configurations.

This feature is available in the latest Snyk CLI release. To learn more, visit the Supported workloads page in our user documentation.

Announcing Snyk CLI v1.1302.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1302.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Snyk Container

    • Support for OCI images with manifests missing platform fields

    • Container scan support for cgo and stripped Go binaries

    • Added pnpm lockfile support

  • Snyk Open Source

    • Improved PackageURLs in SBOM documents for go.mod projects

    • Added support for deb, apk, and rpm in SBOM test

    • Added PackageURL information to go.mod dependency graphs for snyk test

    • Added support for poetry development dependencies

  • Additional changes

    • MCP Scan is now part of the Snyk CLI, allowing you to test the supply chain of agent-based developer tools like Cursor and Claude Code.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

Improved ecosystem coverage & quality for Snyk Open Source

General availability

We're excited to announce a series of coverage and quality improvements for Snyk Open Source across several key developer ecosystems, rolling out over the coming weeks. Our goal is to help you secure your applications as you evolve and scale them, keeping pace with the latest releases and reliably scanning large, complex projects.

Improved SCA Coverage

We are committed to keeping up with the rapid pace of ecosystem updates. By broadening our support for the latest language versions and library structures, we help ensure your projects remain modern and protected without any friction.

Yarn 4

Snyk now supports Yarn 4 in both the CLI and the SCM integrations.

  • Availability: CLI support is available on January 14 in version 1.1302.0, with a gradual SCM rollout throughout January.

  • Note: Fix PRs and Upgrade PRs are currently not supported for Yarn workspaces.

  • No action required: Projects that previously failed now successfully scan.

Ruby 4

Snyk now supports Ruby 4 in both the CLI and the SCM integrations.

  • Availability: Support for both the CLI and SCM becomes available the week of January 21.

  • No action required: Since the Ruby version is selected based on your Gemfile, no customer action is needed to begin using this.

PHP 8.5 & Swift 6.2

In addition to the above, we are pleased to announce upcoming support for PHP 8.5 and Swift 6.2 to ensure our users on the bleeding edge of these ecosystems remain secure.

Improved vulnerability coverage

We’ve enhanced our coverage for Go by adding vulnerabilities impacting packages in the Go standard library to our vulnerability database. Previously, these vulnerabilities were not supported; they are now detectable in both the CLI and SCM integrations.

  • Availability: SCM and CLI support will become available throughout January.

Improved Quality

Beyond just supporting new versions, we are constantly refining our underlying scanning technology. These "under the hood" improvements focus on making scans faster and more resilient, especially for resource-intensive modern workloads.

Python (pip) Performance Improvements

We've introduced significant performance improvements for Python pip projects using SCM scanning. Previously, large projects—including those using AI and ML libraries such as pytorch—occasionally failed to resolve dependencies during scans. This problem has been resolved, helping you secure your Python applications.

  • Availability: SCM rollout is happening throughout January, with CLI support following in March.


Johann Sutherland

Announcing Snyk CLI v1.1301.2

Fix

We have released a new CLI hotfix (v1.1301.2) to address a bug when using Snyk with agentic integrations such as Amazon Kiro:

  • MCP: Ensure compliance with the model context protocol specification

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk Support team.

Announcing Snyk CLI v1.1301.1

Improved

We have released a new CLI hotfix (v1.1301.1) to address bugs and improve the overall user experience:

  • Reachability

    • Fixed an issue in test, when using reachability, that caused the fix advice to display incorrectly on certain occasions

    • Resolved a monitor bug with double-dashed arguments when using reachability

  • General improvements

    • Improved scanning speed when running test/monitor with reachability

    • Improved SCA scanning through MCP with fewer I/O operations

    • Fixed multiple issues to make Snyk work more smoothly in your code editor

    • Updated dependencies to improve stability and security

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk Support team.


Jeff Andersen | Director, Product Management