Product Updates


More improvements for Gradle scanning - type-safe accessors

Improved

From January 7th 2025, Snyk's improved Gradle scanner (available in Snyk Preview) will support type-safe project accessors in both Groovy and Kotlin.

Existing users of the new scanner should see the improved results in the next re-scan of their projects. Or, to start using the new scanner, see the documentation.

What are type-safe project accessors?

Gradle type-safe project accessors allow project references to be statically checked for correctness. Incorrectly specified project references trigger compilation errors, helping you catch build problems earlier.

Type-safe project accessors are an incubating Gradle feature, and can be enabled by adding the TYPESAFE_PROJECT_ACCESSORS feature preview to your settings file. For example:

// settings.gradle.kts
enableFeaturePreview("TYPESAFE_PROJECT_ACCESSORS")

Once enabled, you can reference a project ":commons:utils:some:lib" as projects.commons.utils.some.lib.
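As an added illustration (not part of the Snyk announcement), the two files below show the settings-file switch from the text together with a build script that consumes the example project path both ways: the string form that is only validated when the dependency is resolved, and the type-safe accessor that fails at script compilation if the path is misspelled. The project names (":app", the root project name) are constructed for the example.

```kotlin
// settings.gradle.kts  (constructed example)
rootProject.name = "example-root"                 // constructed name
enableFeaturePreview("TYPESAFE_PROJECT_ACCESSORS") // incubating Gradle feature
include(":commons:utils:some:lib")                 // the project path from the text
include(":app")                                    // constructed consumer project

// app/build.gradle.kts  (constructed example)
plugins {
    `java-library`
}

dependencies {
    // String path: a typo such as ":commons:util:some:lib" is only reported
    // when Gradle resolves the dependency, not when the script compiles.
    // implementation(project(":commons:utils:some:lib"))

    // Type-safe accessor: generated from the include() calls above, so a typo
    // is a compilation error of the build script itself. Segments containing
    // a hyphen are exposed in camelCase (":my-lib" becomes projects.myLib).
    implementation(projects.commons.utils.some.lib)
}
```

Because the accessors are generated from settings.gradle.kts, renaming or removing an included project breaks every build script that references it at compile time, which is the early-failure behaviour the announcement describes.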

Upcoming improvements to Cross-site Request Forgery findings in Snyk code

Improved

We’re excited to announce various improvements to Cross-site Request Forgery findings in JavaScript, to be released on January 15th, 2025! This update will improve the overall accuracy of the rule and expand our support for several common mitigation libraries.

Changes include:

  • New support for express-csrf-protect library

  • Improved support for lusca, csrf-csrf, and csurf libraries

  • Improved: findings will now only be raised in cases where basic auth or cookie usage is detected

  • New support for detection as part of PUT, DELETE, and PATCH HTTP methods

  • New support for cases where an Express middleware (used to protect against Cross-site Request Forgery issues) is set up in a separate file

Customers with JavaScript projects that have Cross-site Request Forgery findings should expect to see a decrease in false-positive findings.

Please don't hesitate to reach out to your account teams with any inquiries!

Snyk Reports Enhanced Asset Context

Improved

We are happy to share that asset and application context will soon be supported in Snyk Reports!

The following columns and filters will be added to the main reports at both the Org and Group levels:

  • Asset context

    • Asset name (and ID)

    • Parent Asset name (and ID)

    • Asset class

    • Asset type

    • Asset tags

    • Repository freshness

  • Application context (learn more about populating this data here):

    • Asset Application

    • Asset Owner

    • Asset Category

    • Asset Catalog Name

    • Asset Lifecycle

These enhancements unlock a wide range of new use-cases, such as:

  • Enhance data-driven prioritization based on the asset business criticality and repository freshness.

  • Drill into remediation performance (such as backlog burn down rate and MTTR) within specific applications and code owners.

  • Identify prevalent CVEs in business critical assets or strategic applications.

The columns and filters listed above will be available in Snyk Reports starting January 8th.

For any questions, please contact your account team.

API end-of-life January 2025 cadence and "Candidates for upcoming API end-of-life cadences" user doc

New

In July, we kicked off the first official cadence of Snyk’s API end-of-life and set out to end-of-life the following endpoints:

  • The experimental “Get all issues by Org and Group” REST endpoints (Experimental versions from 2023-03-10 inclusive up to 2023-09-29 exclusive)

  • The v1 Get Group and Org level audit logs endpoints

We’re pleased to say that we have successfully end-of-life’d the experimental endpoint (and its respective version), and the v1 audit logs endpoints will be end-of-life’d on January 22nd.

For the next scheduled end-of-life cycle that is due to start on January 23rd 2025, there will be no endpoints slated for end-of-life. The next batch of APIs will be announced in June 2025.

However, we have just released a page in the user docs dedicated to v1 endpoints, non-GA REST endpoints, and older GA REST endpoints that have GA REST equivalents you can migrate to, together with a migration guide.

The endpoints listed on this page are candidates for future end-of-life cadences, but their presence there does not mean they are included in an existing cadence or are guaranteed to be part of the next one. The purpose of this section is to enable you to be proactive and start migrating off endpoints that fall under our end-of-life process, ahead of an end-of-life announcement.


Waleed Arshad | Senior Product Manager

GitHub Server App is now available in Early Access

Early access

We are announcing the availability of the GitHub Server App in Early Access. This app is designed specifically for organizations using self-hosted or private cloud deployments of GitHub Enterprise Server, offering a secure and simplified integration with Snyk as an alternative to the existing integration with personal access tokens (PATs).

With features like Role-Based Access Control (RBAC) and granular repository-level permissions, you can manage access efficiently, ensuring your users only see the data they need. These benefits not only simplify policy management but also align with modern security practices, eliminating the need for managing individual accounts. The app is also compatible with the newly introduced Universal Broker. You can access the app directly through the integration page. Please check out the user docs for more details! 🚀


Mayank Khera | Senior Product Manager

Snyk Broker: Universal Broker Helm Charts & Broker Config Open Sourced

New

We have responded to customer requests and are pleased to announce that we have open sourced Universal-broker-helm and Broker-config. Snyk Universal-broker-helm and Broker-config are essential for deploying and configuring the Universal Broker Client. Since they are executed by customers within their own environments, customers often have security concerns about what the software actually does.

Open sourcing these tools not only empowers customers and fosters a collaborative ecosystem, it also increases transparency and security awareness for customers.

If you have any questions or comments, please reach out to Snyk support.

Code-Agent Deprecation and New Snyk Broker UI Toggle

Deprecated

We are announcing the anticipated deprecation of Code-Agent. The official deprecation of Code-Agent will be on 20 Dec 2024. Code-Agent was used to enable access from Snyk to customers’ locally hosted SCMs. Now, the preferred method for running Code analysis is Snyk Broker through Brokered Code (Git Cloning through Broker).

This can be enabled through the UI: the Snyk Broker toggle in the organization and/or group Broker settings page allows customers to enable Git Cloning through Broker for Snyk Code. Existing organizations and groups can now self-serve and enable this capability at a time of their choosing (new organizations and groups have it enabled automatically). Turning on this feature effectively disables Code-Agent.

If you are still using Code-Agent, you have been emailed and/or contacted by your support team; please check your email or work with the support team if you run into any issues switching off Code-Agent.

Reachability for Python is now available in Early Access

Early access

We’re excited to announce that Reachability for Python is now available in Early Access! 🐍 🎉

This new capability provides an essential signal for assessing risk in your pip, Poetry, and Pipenv projects within Snyk.

Snyk Reachability analyzes your source code using Snyk's DeepCode AI Engine to determine whether a path exists to a vulnerable code element. This insight helps you gauge the likelihood of exploitation, enabling you to make more informed decisions about addressing vulnerabilities.

Whether used independently or as part of a comprehensive risk-based prioritization strategy with Risk Score, Reachability helps you focus on the vulnerabilities that matter most.

Reachability data is seamlessly integrated across multiple Snyk product surfaces: Projects, Risk Score, Reporting, and API, and is available for all supported source code management (SCM) integrations.

To enable this feature, see Snyk Preview and start gaining deeper insights into your Python projects.

Coming Soon – Hierarchical Navigation Update

New

Over the following weeks, we will roll out an updated navigation menu for all Enterprise customers in the Snyk web app. Besides browsing Organizations and Groups, the left-side navigation menu will now include the Tenant, which brings together all the Snyk entities of the customer.

The Tenant entry in the hierarchical nav menu will not give visibility into everything inside the Tenant. Customers will continue to see only the Groups and Organizations they’re a member of. The new Tenant-level nav menu will include:

  • A new “Members” page for managing all the Tenant users and assigning Tenant-level admin rights.

  • Access to Snyk Analytics for Analytics Early Access customers.

More details will follow in the upcoming week when the rollout will begin.

High-Context Inline Comments are now available in Early Access

Early access

We are announcing the Early access release of High-Context Inline Comments as part of our ongoing initiatives to enhance the pull request experience. This feature brings detailed security findings directly into your PRs, streamlining the process of identifying and fixing vulnerabilities without leaving your SCM.

With High-Context Inline Comments, you’ll see each SAST security finding alongside key information such as the CWE (Common Weakness Enumeration) and priority score, which makes it easier to act on vulnerabilities quickly, reducing the need for developers to switch between platforms and improving your team’s workflow. You can also access relevant Snyk Learn lessons and see an embedded data flow to introspect on your findings.

If you’re interested in enabling this feature for your organization, you can now directly enable it from integration settings for the supported SCMs.

Inline comments are available in Early Access for the following SCM integrations:

  • GitHub: GitHub OAuth, GitHub Enterprise (PAT), and GitHub Cloud App

  • Bitbucket: Bitbucket Cloud (PAT), Bitbucket Cloud App

Please refer to our user documentation for more details and start streamlining your workflows today!


Mayank Khera | Senior Product Manager