Product Updates

Announcing Snyk CLI v1.1294.0

New

We are pleased to announce the latest stable Snyk CLI release v1.1294.0.

We are introducing the following new features in this version. To learn more about bug fixes beyond what is highlighted below, please refer to the release notes.

CycloneDX 1.6 SBOM support

This new version now supports generating CycloneDX 1.6 SBOMs using the snyk sbom command, providing you with more comprehensive and detailed information about your software components and their dependencies. Read more about the CycloneDX version announcement here.

Improved CLI monitoring of large Cocoapods projects

When doing a snyk monitor on very large Cocoapods applications, the CLI sometimes returned an Invalid String OOM error and the operation would fail. Although this error was rare, we have fixed it so large Cocoapods applications can now be monitored successfully.

Fix for security issue

The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP or Gradle project. The vulnerability can be triggered if snyk test is run inside the untrusted project, due to improper handling of the current working directory name. Snyk always recommends not scanning untrusted projects.
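
A pre-scan gate for pipelines, built on the fixed version stated above. This is an added example, not Snyk's code: the function names are hypothetical, and it assumes snyk --version prints the version as the first space-separated token.

```shell
#!/bin/sh
# Added example: refuse to scan with a Snyk CLI older than the fixed release.
# FIXED_VERSION comes from the advisory text; function names are hypothetical.
FIXED_VERSION="1.1294.0"

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Missing components count as 0, so 1.2 equals 1.2.0.
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        # Drop the component just compared.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# snyk_cli_is_patched "<output of snyk --version>"
# Returns 0 = patched, 1 = older than the fix, 2 = unparseable (fail closed).
snyk_cli_is_patched() {
    v=${1%% *}    # e.g. "1.1294.0 (standalone)" -> "1.1294.0"
    case $v in
        ''|*[!0-9.]*) return 2 ;;
    esac
    version_ge "$v" "$FIXED_VERSION"
}

# require_patched_snyk: call before any scan step, e.g.
#   require_patched_snyk || exit 1
require_patched_snyk() {
    raw=$(snyk --version 2>/dev/null) || {
        echo "snyk CLI not found" >&2
        return 2
    }
    snyk_cli_is_patched "$raw" && return 0
    echo "Snyk CLI '$raw' is older than $FIXED_VERSION or unrecognised" >&2
    return 1
}
```

Components are compared numerically, so a version such as 1.999.0 is correctly treated as older than 1.1294.0, and an unparseable version string blocks the scan rather than allowing it.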

You can learn more about Snyk CLI release channels in user documentation.

Ezra Tanzer | Director, Product Management

Delta findings in VS Code & JetBrains (Early Access)

Early access

Effective October 23rd, we will release new versions of Snyk IDE plugins for VS Code and JetBrains, with the option to see only newly introduced issues.

This functionality will reduce noise for developers and allow them to focus on their current changes. Developers will prevent issues early, thus unlocking their CI/CD pipeline and speeding up delivery.

A new IDE plugin setting will control this behavior. In this release, it will be turned off by default, so manual action is required to turn it on.

[Screenshot: Snyk IDE plugin setting drop-down menu with two choices: All issues or Net new issues]

The logic uses a local Git repository and shows the current findings minus those in a base branch.

Supported Snyk products: Code, Open Source, IaC

Improvements to Deepcode AI Fix in JetBrains IDE plugin

Improved

We're excited to announce significant improvements to the Deepcode AI Fix functionality of the Snyk JetBrains IDE plugin. This release provides feature parity between the JetBrains IDE and VS Code experience, aligning with what has resonated strongly based on customer feedback in VS Code.

AI Fix in the IDEs provides developers with real fixes to first-party code as opposed to relying on similar issues and associated fix examples.

Details of these capabilities:

  • Clear differentiation between auto-fixable findings and others

  • The ability to receive and review up to five AI-generated fix suggestions

  • The capability to accept a suggestion and smoothly apply changes directly to the source code

Planned release on October 23rd.

Improvements to C# for Snyk Code, including C#12 and .NET8 support

Improved

Today, we’re excited to announce that we are launching a new analysis engine that’s much smarter at analyzing your C# code, including both older versions of the language and C#12.

This builds on our existing support for C# and .NET, and allows us to provide coverage for the .NET 8 framework ahead of the upcoming EOL for .NET 6 in early November.

From our benchmarking, we expect you’ll see improved accuracy, with a reduction in both false positives and false negatives across all your C# and .NET projects. Given the added coverage for the C#12 syntax, you may also see an increase in findings for applicable projects.

This improvement will be released on October 23rd, and will take effect automatically with no action required to enable. It will be available across all product surfaces and environments.

Note: ⚠️ If you expect this to impact your triage, prioritization, and reporting processes — please plan accordingly. You can learn more about how to use Snyk’s reports to review findings and changes for your Projects here.

Ryan Searle | Product Director

REST Membership APIs

New

We're excited to introduce new REST versions of our Group and Organization membership APIs.

As we mentioned in past updates, Snyk’s API landscape is evolving, and we’re making efforts toward sunsetting our v1 and non-GA REST APIs. These new endpoints provide a more robust and efficient alternative to the v1 Membership ones, which are not going away for now.

The new endpoints have improved functionality under the hood, such as cascading membership checks and updated responses (hello pagination 🙌). You can find all the details in our REST API docs: Group memberships & Organization memberships.

Recurring Test Frequency Update for Users on the Free Plan

Improved

Effective October 4th, we will be adjusting the testing frequency for free projects to a weekly cadence. This change is designed to optimize resource allocation and ensure equitable access to our services for all users.

Please note that this adjustment will not impact your ability to initiate a manual retest in app.snyk.io or the CLI.

This update will be released on Friday, October 4th.

For increases in test limits and the ability to use daily project test frequencies, upgrade to a paid plan by visiting https://snyk.io/plans/.

Simplified API Versioning

New

As Snyk's API landscape is evolving through efforts to end-of-life v1 and non-GA REST APIs, we need to also evolve our approach to REST API versioning. Therefore we are excited to announce an upcoming simplification to our API versioning scheme, aimed at reducing customer confusion while not introducing any breaking changes.

Please note that existing APIs and documentation will remain unchanged. Your existing integrations should be unaffected by this new versioning strategy.

After October 17th, no new experimental endpoints will be created. Instead, we are introducing new “/closed-beta” endpoints. The purpose of these endpoints will be to provide a handful of users with a tech preview, giving them a sneak peek at new API features we're considering shipping to GA in the future. Closed beta endpoints will not be appropriate for integrations or major workloads.

For these new closed beta and beta endpoints, we will be enforcing our API deprecation policy at the sunset date. Removing outdated endpoints will simplify our API landscape further and hopefully reduce confusion when customers are trying to find the endpoint that fits their use case.

As part of versioning simplification, Snyk will expose one API specification per version-date, rather than one for each stability. New versions of the Snyk API will only be published when necessitated by breaking changes. For newer versions, you should only specify the date for beta versions, i.e. 2024-08-02 rather than 2024-08-02~beta. It's important to note that existing versions won't be affected by these changes; this new approach only applies to upcoming new versions.

We hope that this simplified API Versioning strategy will reduce customer confusion and make it easier to find the best endpoint for your use case.

Waleed Arshad | Senior Product Manager

New filters in the IDE & CLI usage Report

New

The Developer IDE and CLI usage Report was enhanced with new filters, enabling deeper insights into Snyk IDE and CLI adoption in your company. The new filters include:

  • Environment filter: analyze usage for specific coding environments, such as VS Code, IntelliJ, Visual Studio, Eclipse, and CLI.

  • Snyk product filter: refine the viewed metrics by focusing on the specific Snyk Products that executed the scan.

With these new filters, you can explore additional use-cases, such as:

  • Comparing scan adoption by organizations for specific Snyk products or IDEs.

  • Reviewing developers' usage trend by Snyk product within selected IDEs.

  • Measuring IDE usage according to the Snyk product of interest.

To learn more about the Developer IDE and CLI usage Report, visit our product docs. For any questions, please contact your Snyk account team.

Universal Broker Early Access

Early access

We are pleased to announce an improvement to the Broker: Universal Broker!

The Universal Broker is an innovative improvement to the Broker, providing a more scalable, secure, and user-friendly platform that eases the management of Snyk Broker deployments and connections.

Previously, Snyk customers encountered difficulties managing multiple broker connections, leading to configuration challenges and risks. Universal Broker simplifies this process by allowing customers to consolidate all system types into a single Broker instance. Additionally, by implementing authenticated clients and abstracting sensitive values from the user interface, Snyk reaffirms its commitment to security.

By safeguarding credentials and providing a more intuitive user experience, this update aims to enhance overall efficiency and security for our customers.

The Universal Broker is particularly beneficial for customers who prioritize GitHub Server App or find managing multiple broker clients cumbersome.

To learn more about Universal Broker, check out the user docs here! For any questions, please contact your Snyk Support team.

Improved Gradle scan accuracy now in Early Access

Early access

We are pleased to announce that improved accuracy for Gradle projects imported via git integrations is now in Early Access 🙌

Gradle is a powerful build tool with complex configuration and dependency management features, which has traditionally meant the only way to get good SCA results is to scan in CI/CD pipelines.

With this Early Access release, you can now also reliably scan your Gradle applications simply by connecting Snyk to your git repositories.

This makes it easier to roll out at scale across your organisation, and to benefit from shift-left, developer-friendly features such as pull request checks.

For more details on improved Gradle scanning, and how to get started, see our documentation.