Product Updates


Snyk Code upcoming support for Go's Gin Framework

New

We're thrilled to announce an upcoming update to Snyk Code, to be released on Wed, November 13th, that adds support for the popular Gin framework for Go! 🚀

This update will allow teams to identify and address potential security vulnerabilities in Gin-based applications and will apply to all rules supported today.

For more details, please reach out to your account team with any questions.

Snyk integration for AWS CodePipeline will be discontinued

Deprecated

In order to safeguard the security of our services and our customers, Snyk has begun the deprecation of its integration with AWS CodePipeline.

Action Required: To minimize disruption, we recommend that you transition to AWS CodeBuild and the Snyk CLI as an alternative that will support the same use case and functionality.

Migration Timeline: Effective Oct 30th, 2024, you will no longer be able to add or modify the Snyk plug-in for new or existing pipelines. Existing pipelines will continue to work as-is for 6 months, though we recommend migrating to the new process as soon as possible. To avoid disrupting your CI/CD workflows, you must transition to the Snyk CLI before April 30, 2025. Please refer to the steps in this migration guide to use Snyk CLI with AWS CodeBuild.

We are confident that AWS CodeBuild and the Snyk CLI will meet your requirements.

Mayank Khera | Senior Product Manager

Snyk Code Improvements: C#, VB.NET

Improved

We're excited to announce an improvement to Snyk Code's reporting of Open Redirect vulnerabilities, to be released on Wed, November 6th.

Previously, Open Redirect issues in C# and VB.NET were categorized as high severity, while other languages reported them as medium severity. Additionally, the descriptions for these vulnerabilities may have varied across languages.

To enhance consistency and provide a better user experience, we've made the following changes:

  • Consistent Severity: Open Redirect vulnerabilities will now be reported as medium severity across all languages, including C# and VB.NET

  • Standardized Descriptions: The descriptions for Open Redirect issues will be standardized to ensure clarity and consistency

If you have any questions, please reach out to your account teams.

DeepCode AI Fix in the IDE is now GA

Improved

We are excited to announce that DeepCode AI Fix in the IDE is now GA. As of October 29th, DeepCode AI Fix is available to be turned on at Group/Organization level from:

  • Settings -> DeepCode AI Fix

The GA release reflects the maturity of DeepCode AI Fix and Snyk's confidence in the fixes it generates and the customer experience. This release has the following improvements based on customer feedback collected throughout the Early Access phase:

  • Increased coverage of languages from 1 to 8 - with JavaScript, TypeScript, Java and Python being GA and the rest in limited support

  • New improved IDE experience for VS Code and JetBrains IDEs

  • Upgraded our internal LLM to improve fix quality and continue to improve quality through labelling and new training methods

  • Improved our infrastructure to provide faster fixes at scale

You can learn more about DeepCode AI Fix in the user documentation and the blog post.

Asset Inventory - Cluster Name for Image Assets

New

We’re excited to announce the introduction of the Cluster Name attribute for image assets in Asset Inventory. This feature enhances visibility into the clusters where runtime images are deployed, streamlining the management of asset security.

What is this feature about?

The new Clusters attribute will automatically capture and display the names of all clusters where an image is deployed. Users can now filter images based on these clusters, making it easier to locate and address security issues. Additional metadata, including timestamps and source information, will also be available for deeper insights.

This feature will be accessible to AppRisk Pro customers. For more details, please refer to our user documentation or reach out to your account team with any questions.

Itay Maor | Senior Manager, Product

New versions of Snyk IDE plugins

New

We are pleased to announce the latest stable releases for:

As part of these releases, we are happy to conclude the work announced previously:

In addition to significant features, these releases contain multiple fixes. The most important are:

  • Significantly reduced memory consumption by Snyk Language Server

  • Improved error handling of particular edge cases of Open Source analysis

  • Unified and improved rendering of the Issue details panel

Snyk documentation for VS Code and JetBrains was updated to reflect these improvements.

We encourage everyone to upgrade to the newest versions.

Announcing Snyk CLI v1.1294.0

New

We are pleased to announce the latest stable Snyk CLI release v1.1294.0.

We are introducing the following new features in this version. To learn more about bug fixes beyond what is highlighted below, please reference the release notes.

CycloneDX 1.6 SBOM support

This new version supports generating CycloneDX 1.6 SBOMs using the snyk sbom command, providing you with more comprehensive and detailed information about your software components and their dependencies. Read more about the CycloneDX version announcement here.

Improved CLI monitoring of large Cocoapods projects

When doing a snyk monitor on very large Cocoapods applications, the CLI sometimes returned an Invalid String OOM error and the operation would fail. Although this error was rare, we have fixed it so large Cocoapods applications can now be monitored successfully.

Fix for security issue

The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP or Gradle project. The vulnerability can be triggered if snyk test is run inside the untrusted project, due to improper handling of the current working directory name. Snyk always recommends not scanning untrusted projects.
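
A CI gate for the fix described above, as an added example that is not part of the original announcement or Snyk's own tooling: it fails the build when the installed CLI is older than 1.1294.0. The function names and the --gate argument are hypothetical, and tolerating extra text around the version number in the snyk --version output is an assumption.

```shell
#!/bin/sh
# Added example: refuse to scan with a Snyk CLI older than the fixed release.
MIN_FIXED="1.1294.0"   # first fixed version, taken from the release note

# Print the first MAJOR.MINOR.PATCH triple found at the start of the text
# (after any non-digit prefix such as "v"); print nothing if there is none.
extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# Return 0 if version $1 >= version $2. Fields are compared as numbers,
# because a string comparison would rank 1.999.9 above 1.1294.0.
version_ge() {
  _old_ifs=$IFS; IFS=.
  set -- $1 $2            # split both triples into six positional fields
  IFS=$_old_ifs
  [ "$#" -eq 6 ] || return 2
  [ "$1" -gt "$4" ] && return 0
  [ "$1" -lt "$4" ] && return 1
  [ "$2" -gt "$5" ] && return 0
  [ "$2" -lt "$5" ] && return 1
  [ "$3" -ge "$6" ]
}

# Return 0 only if the version output in $1 parses and is >= MIN_FIXED.
# Unparseable output fails closed (status 2).
cli_is_fixed() {
  v=$(extract_version "$1")
  [ -n "$v" ] || return 2
  version_ge "$v" "$MIN_FIXED"
}

# Run the gate only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--gate" ]; then
  out=$(snyk --version 2>/dev/null) || { echo "snyk CLI not found" >&2; exit 1; }
  if cli_is_fixed "$out"; then
    echo "snyk CLI $(extract_version "$out") is >= $MIN_FIXED"
  else
    echo "snyk CLI is older than $MIN_FIXED or unreadable; upgrade first" >&2
    exit 1
  fi
fi
```

Run it with --gate as the first step of a build job, before any snyk test or snyk monitor command.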

You can learn more about Snyk CLI release channels in user documentation.

Ezra Tanzer | Director, Product Management

Delta findings in VS Code & JetBrains (Early Access)

Early access

Effective October 23rd, we will release new versions of Snyk IDE plugins for VS Code and JetBrains, with the option to show only newly introduced issues.

This functionality will reduce noise for developers and allow them to focus on their current changes. Developers will prevent issues early, thus unlocking their CI/CD pipeline and speeding up delivery.

A new IDE plugin setting will control this behavior. In this release, it will be turned off by default, so manual action is required to turn it on.

Snyk IDE plugin setting drop-down menu with two choices: All issues or Net new issues

The logic uses a local Git repository and shows the current findings minus those in a base branch.

Supported Snyk products: Code, Open Source, IaC

Improvements to DeepCode AI Fix in JetBrains IDE plugin

Improved

We're excited to announce significant improvements to the DeepCode AI Fix functionality of the Snyk JetBrains IDE plugin. This release provides feature parity between the JetBrains IDE and VS Code experience, aligning with what has resonated strongly based on customer feedback in VS Code.

AI Fix in the IDEs provides developers with real fixes to first party code as opposed to relying on similar issues and associated fix examples.

Details of these capabilities:

  • Clear differentiation between auto-fixable findings and others

  • The ability to receive and review up to five AI-generated fix suggestions

  • The capability to accept a suggestion and smoothly apply changes directly to the source code

Planned release on October 23rd.

Improvements to C# for Snyk Code, including C#12 and .NET8 support

Improved

Today, we’re excited to announce that we are launching a new analysis engine that’s much smarter at analyzing your C# code, including both older versions of the language and C#12.

This builds on our existing support for C# and .NET, and allows us to provide coverage for the .NET 8 framework ahead of the upcoming EOL for .NET 6 in early November.

From our benchmarking, we expect you’ll see improved accuracy, with a reduction in both false positives and false negatives across all your C# and .NET projects. Given the added coverage for the C#12 syntax, you may also see an increase in findings for applicable projects.

This improvement will be released on October 23rd, and will take effect automatically with no action required to enable. It will be available across all product surfaces and environments.

Note: ⚠️ If you expect this to impact your triage, prioritization, and reporting processes — please plan accordingly. You can learn more about how to use Snyk’s reports to review findings and changes for your Projects here.

Ryan Searle | Product Director