Product Updates


End of Life Announcement: 4 week extension on planned removal of certain Snyk container images

Deprecated

In May 2022 we announced the deprecation and end of life (EOL) plan for Snyk’s CLI container images (snyk/snyk-cli); following that, in May 2024 we announced the plan to EOL some additional Snyk container images (a subset of snyk/snyk images) with out-of-date open source components. We are adjusting our timeframe for the EOL.

Originally set for 12-Aug-2024, we are now extending the date to 09-Sep-2024. This change ensures you have ample time for a smooth transition. If you do not use Snyk’s container images as part of your testing toolchain, you are not affected by this EOL notice.

Here is what you need to know:

Impacted Images:

Immediate Action required: Snyk customers using any of the listed images should start transitioning immediately.

Migration Guides: Snyk has documented the following migration guides to help customers take necessary steps.

You can find previous product announcements about these changes inline:

Additional resources:

If you have any questions or need help, please contact Snyk Support or your Technical Success Manager as soon as possible.


Chintan Bellchambers

Early Access of Reachability for JavaScript & TypeScript

Early access

We are pleased to announce that Reachability for JavaScript & TypeScript is now available in Early Access, bringing you another signal for evaluating risk across your npm and Yarn projects in Snyk.

Snyk’s Reachability will analyze your source code to determine whether or not a path can be found to the vulnerable function of an identified vulnerability, helping you better understand the likelihood of your project being exploited.

Whether used on its own or as part of a more holistic Risk-Based prioritization strategy using Risk Score, Reachability helps identify and prioritize higher risk vulnerabilities in your backlog of issues.

With this release, Reachability data for npm and Yarn is now available across several product surfaces:

  • Projects: Filter results by Reachability to focus your list of Issues, or look for the Reachability badge to check an Issue’s reachability status at a glance.

  • Risk Score: When a vulnerability is reachable, Snyk’s Risk Score will increase based on Reachability as a contextual factor.

  • Reporting: View the Group-level or Org-level Issue Details report to better understand your risk across a wider range of applications.

  • API: Snyk’s Issues API now returns Reachability level where applicable.

To enable this feature, please see Snyk Preview.


Ryan Searle | Product Director

Computed Fixability to replace Auto Fixable column in Snyk Reports

Improved

The Computed Fixability field (which is currently used to display Fixable SCA issues on the Projects page) will replace the Auto Fixable column in Reports to ensure consistent user experience across Snyk interfaces.

The Computed Fixability column indicates whether an issue can be fixed based on the vulnerability remediation paths, and holds one of the values below:

  • Fixable: There is a fix for all the identified issues, meaning that all detailed paths have remediation.

  • Partially fixable: The issue has upgradable paths, but not all detailed paths have remediation.

  • No supported fix: The issue has no upgradable paths.

This change will be carried out in the next few days.
Please reach out to your account team with any questions. For further details about Computed Fixability, please visit Snyk documentation.

Expanded Snyk Pull Requests Coverage for All SCM Integrations

New

We are excited to announce a significant enhancement to Snyk Pull Requests, furthering our mission in broadening the availability of our features through multiple integrations.

Starting today, all types of Snyk PRs (Fix PRs, Backlog PRs, and Upgrade PRs) are available across all Source Control Management (SCM) platforms that Snyk provides integrations with:

  • GitHub

  • GitHub Enterprise

  • BitBucket Cloud

  • BitBucket Server

  • BitBucket Connect

  • GitLab

  • Azure Repos

This update ensures comprehensive coverage for our customers, streamlining workflows and providing a more consistent experience with our PR workflows.

Learn more about Snyk Pull Requests in our public documentation.


Costin Busioc | Senior Product Manager

Final reminder on Snyk CLI Images and Snyk Images containing EoL software

Deprecated

[Edited] 09-Aug-24 Please note that we extended this by 4 weeks, update here.


This is the final reminder to Snyk customers using the following images which are scheduled to be removed on the 12th of August 2024:

Action Required

Snyk customers using any of the listed images need to take action immediately to minimise disruption to their build pipelines. Snyk has documented the following migration guides to help customers take necessary steps.

Useful Information

Customers may find the following information useful:

Previous Announcements

You can find previous product announcements about these changes inline:

If you have any questions regarding this planned removal, please contact Snyk Support.


Chintan Bellchambers

The first cadence of Snyk's API end-of-life (EOL) program begins today!

New

As we mentioned in our communications on June 20th, we have rolled out Snyk’s API end-of-life program. We encourage you to read the documentation to understand what you should expect from the program, the endpoints that will be sunsetted, and the timelines and milestones (including dates for brownouts).

Today we’re announcing that the endpoints that have met the criteria for end-of-life will now be marked as deprecated, and the timeline for end-of-life has started. You can find the end-of-life dates and brownouts associated with the specific endpoints in the documentation.

What you can expect from July 22nd is to see the documentation and endpoint responses state that the selected endpoints are being sunsetted (or the documentation will be removed completely); selected v1 endpoints will be fully removed on January 22nd 2025, and selected experimental endpoints will be fully removed on October 22nd 2024.

The endpoints will remain functional during the end-of-life timeline for existing customers, but new customers will not be able to integrate with the endpoints. The endpoints will no longer be functional on January 22nd 2025 for v1 endpoints, and on October 22nd 2024 for experimental endpoints.

In addition, there will be periodic brownouts occurring for each of the selected endpoints, and you can find the dates, times, and durations of these brownouts in the documentation. Snyk will also share an announcement 2 weeks before a brownout occurs.


Waleed Arshad | Senior Product Manager

AppRisk - More Application Context Integration

New

We're pleased to announce 4 integrations for AppRisk that bring in application context. Integrate with IDPs and service catalog applications that contain information adding extra application context (teams, owners, repo-to-application mapping, etc.) to AppRisk.

What are the integrations included in this release?

  1. OpsLevel

  2. Atlassian Compass

  3. Harness

  4. Datadog Service Catalog

What use cases are supported by this integration?

  1. Enable users to onboard their IDP and service catalog tools and bring their application context into AppRisk.

  2. Enrich repo assets with metadata from IDP and service catalog tools. This helps security teams manage their assets and create policies for them using application context metadata.

This improvement is available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

AppRisk - Improved Edit Integration Profile

Improved

We're pleased to share an improvement to the Snyk AppRisk Edit Integration Profile experience.

What are the improvements?

  1. For all integrations in the AppRisk Integration Hub, we anonymize the credentials when a user edits their integration profile. This allows users to edit their profile without resubmitting the credentials. This improvement applies to all integrations in the Integration Hub (SCM, App Context, SAST, Secrets, Runtime).

  2. For the GitHub integration in the AppRisk Integration Hub, customers can add wildcards (*) to their GitHub Org, and we will onboard the GitHub Orgs that match the pattern described with the wildcards.

This improvement is available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

AppRisk Essentials - Improved Asset Inventory filtering

Improved

We're pleased to share improvements to the Snyk AppRisk Asset Inventory filtering experience. These changes are designed to improve the user experience and speed up workflows.

What is this feature about?

With the improved experience, applying a filter will display a flat list of assets that match the criteria directly, without showing them in a hierarchical structure. In addition, the detailed view for assets now includes a list of “Related Assets”, the package manifests found in the repository. Similarly, package details now feature a link back to their parent repository.

Finally, we've renamed and reordered the Inventory layouts. These changes not only make the filtering process clearer and less confusing but also significantly improve speed, helping users find the information they need faster.

This feature will be available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

Itay Maor | Senior Manager, Product

Developer IDE and CLI usage report (GA)

New

We are excited to announce the new "Developer IDE and CLI usage" report. This report shows the adoption of Snyk's testing in local development, both through the IDE plugins and through local use of the CLI.

Security teams can use this report to see where shift-left behavior is strong and hold it up as a model for other teams. More powerfully, security folks can identify where teams or individual developers are not adopting Snyk locally, and encourage better shift-left behavior there.

Report showing the number of developers, IDE scans, and CLI scans, and bar charts of which IDEs and Snyk Products they used

The report is available under the "Change Report" dropdown at the group and organization levels.

Learn more about this report in Snyk documentation.