Product Updates

[Edited] 09-Aug-24 Please note that we extended this by 4 weeks, update here.

++

This is the final reminder to Snyk customers using the following images which are scheduled to be removed on the 12th of August 2024:

• Snyk CLI Images which were deprecated in 2022

• A subset of Snyk Images containing EoL software

Action Required

Snyk customers using any of the listed images need to take action immediately to minimise disruption to their build pipelines. Snyk has documented the following migration guides to help customers take necessary steps.

• CircleCI migration guide: For customers using the scan-iac job will need to switch to using snyk/scan with the iac test command.

• Bitbucket migration guide: For customers using snyk-scan.

• GitHub Actions migration guide: For customers using actions containing Python 3.6, Python 3.7 or scala/sbt.

• Instructions for creating custom images to suit your needs

Useful Information

Customers may find the following information useful:

• EoL Policy on images provided by Snyk Images build tool chain

• List of Snyk Images scheduled to be removed on 12th August 2024

• List of Snyk CLI Images scheduled to be removed on 12th August 2024

Previous Announcements

You can find previous product announcements about these changes inline:

• Important update on Snyk Images: Obsolete software packages

• Deprecation notice for Snyk CLI Images

• Deprecation notice for obsolete Snyk Images

• Decoupling Snyk Scan from Snyk CLI Docker Images

• Decoupling Snyk Orb from Snyk CLI Docker Images

If you have any questions regarding this planned removal, please contact Snyk Support.

As we mentioned in our communications on June 20th, we have rolled out Snyk’s API end-of-life program. We encourage you to read the documentation to understand what you should expect from the program, the endpoints that will be sunsetted, and the timelines and milestones (including dates for brownouts).

Today we’re announcing that the endpoints that have met the criteria for end-of-life will now be marked as deprecated, and the timeline for end-of-life has started. You can find the end-of-life dates and brownouts associated with the specific endpoints in the documentation.

What you can expect from July 22nd is to see the documentation and endpoint responses state that the selected endpoints are being sunsetted (or the documentation will be removed completely); selected v1 endpoints will be fully removed on January 22nd 2025, and selected experimental endpoints will be fully removed on October 22nd 2024.

The endpoints will remain functional during the end-of-life timeline for existing customers but new customers will not be able to integrate with the endpoints. The endpoints will no longer be functional on January 22nd 2025 for v1 endpoints, and October 22nd 2024 experimental endpoints.

In addition, there will be periodic brownouts occurring for each of the selected endpoints, and you can find the dates, times, and durations of these brownouts in the documentation. Snyk will also share an announcement 2 weeks before a brownout occurs.

We're pleased to announce 4 AppRisk Integration for AppRisk to bring application context. Integrate with the IDPs and service catalogs application containing information that will add extra application context (teams, owners, repo to application mapping, etc.) into AppRisk.

What are the integrations included in this release?

1. OpsLevel

2. Atlassian Compass

3. Harness

4. Datadog Service Catalog

What use cases are supported by this integration?

1. Enable user to onboard their IDPs and service catalogs tools, and allow the user to bring their application context into AppRisk.

2. Enrich repo assets with metadata from IDPs and service catalogs tools. This will help Security team manage their assets and create policies for their assets using application context metadata.

This improvement is available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

We're pleased to share the improvement to the Snyk AppRisk - Edit Integration Profile experience.

What are the improvements?

1. For all the integration in AppRisk Integration Hub, we anonymize the credentials when user wants to edit their integration profile. This improvement allows the user to edit their profile without resubmitting the credentials. This improvement is applied to all the integration in the integration hub (SCM, App Context, SAST, Secrets, Runtime )

2. For GitHub integration in AppRisk integration Hub, we allow customers to add wildcards (*) to their GitHub Org, so we will onboard their GitHub Org that fits with the pattern described with the wildcards.

This improvement is available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

We're pleased to share improvements to the Snyk AppRisk Asset Inventory filtering experience. These changes are designed to improve the user experience and speed up workflows.

What is this feature about?

With the improved experience, applying a filter will display a flat list of assets that match the criteria directly, without showing them in a hierarchical structure. In addition, the detailed view for assets now includes a list of “Related Assets”, the package manifests found in the repository. Similarly, package details now feature a link back to their parent repository.

Finally, we've renamed and reordered the Inventory layouts. These changes not only make the filtering process clearer and less confusing but also significantly improve speed, helping users find the information they need faster.

This feature will be available for AppRisk Essentials and AppRisk Pro customers. Please see our user docs for more details, and contact your account team with any questions.

We are excited to announce the new "Developer IDE and CLI usage" report. This report shows the adoption of Snyk's testing in local development, through the IDE plugins, and in using the CLI locally.

Security teams can use this report to leverage where shift left behavior is strong as model behavior to bring to other teams. More powerfully, security folks can identify where teams or individual developers are not adopting Snyk locally to encourage better shift left behavior.

The report is available under the "Change Report" dropdown at the group and organization levels.

Learn more about this report in Snyk documentation.

We would like to notify on an improvement related to the issues' Mean Time To Resolve (MTTR) measurements.

With the current implementation, issue resolutions of under a day are not being counted correctly during MTTR measurements, which leads to a slightly lower MTTR. The planned release will solve it and provide a more accurate MTTR results.

Once the improved logic is released you should expect seeing higher MTTR measurements, which will reflect a more accurate result.

We plan to release this improvement during the week of July 8th. Please reach out to your account team for any questions.

[Hot fix update 27-June-24]

We identified an issue that caused snyk test and snyk monitorto fail for some users. To address this problem, we have released a hot fix, version 1.1292.1. Incident causing this hot fix was announced here.

We would like to remind our users that hot fix will be deployed automatically for those who are subscribed to our stable release channel. You can also upgrade directly to the latest version containing this hot fix by following our user documentation.

[Original announcement 26-June-24]

We are pleased to announce the latest stable Snyk CLI release v1.1292.0.

We are introducing the following new features in this version. To learn more about the bug fixes, please reference the release notes.

• Improved security prioritization with CVSS version 4.0

Starting 18-June-2024, and in accordance with the latest official CVSS version published by First.org, new vulnerabilities will be assigned with hand curated CVSS v4.0 vectors by Snyk’s team of Security Analysts. You can read more about this in this blog post.

CVSSv4.0 will be available in previously released CLI versions too. It is an additive change.

• Improved .NET scanning for Snyk Open Source: Early Access

The new scanning approach leverages closer integration with the internal workings of the .NET ecosystem, and works with the Snyk CLI and SCM integrations. You can learn more about this change in user documentation.

• Support for --target-reference in Snyk Container CLI

Snyk Container now supports the --target-reference CLI option, allowing you to specify a reference to differentiate this project from other monitored projects. This helps with monitoring different states of a project within a target, for example: branches, releases, or deployments.

When used, --target-reference option will create sub-groupings on the Projects page in Snyk's web UI.

You can learn more about Snyk CLI release channels in user documentation.

As part of our continual improvements at Snyk we are releasing new GA REST API endpoints to replace v1 API endpoints as well as beta and/or experimental REST API endpoints (collectively referred to as “Sunsetting Endpoints”). This helps us maintain the performance, stability, and security of the Snyk platform for all customers.

Last year, we performed a major end-of-life for the v1 List All Project endpoint and following feedback and learnings from the initiative, we are pleased to announce that we are rolling out an API end-of-life process for our v1 endpoints and non-GA REST endpoints. The process aims to provide you with improved predictability, efficiency, and reliability when Snyk is in a position to sunset v1 and non-GA REST endpoints.

v1 and non-GA REST endpoints will be sunsetted across two cadences per year; in January and July (with communication one month prior on which endpoints will be included in an end-of-life cadence).

The timelines for how long migrations last for (based on whether it's a v1 or non-GA REST endpoint) can be found in the user documentation, along with the endpoint migration guides, key milestones and dates, and expectations you should have around future API migrations.

The first API end-of-life cadence will begin on July 22nd 2024:

Deprecated API endpoints

• v1 Group and Org audit logs endpoints

• Experimental Get all Issues by Org and Get all Issues by Group endpoints

GA REST endpoint(s) replacement(s)

• GA REST Group and Org level audit log endpoints

• GA REST Issues API

You can read more about the endpoints in this end-of-life cadence in the user documentation.

We are happy to announce that DeepCode AI Fix is now available in all tenant regions including EU and AU.

To enable DeepCode AI Fix in your Organization or Group, please go to Settings -> Snyk Preview -> Turn on 'Snyk Code Fix Suggestions' and start seamlessly fixing Snyk Code issues in your IDEs.

To make sure we enable as many developers as we can, DeepCode AI Fix is now available in all JetBrains IDEs including IntelliJ. You will require the Snyk JetBrains plugin version v2.8.0 or newer to start fixing.

For more information please visit our documentation. If you have any questions or feedback please reach out to your account team.