Product Updates


Snyk Open Source Gradle 8 CLI support

Improved

We are pleased to announce that the Snyk CLI now supports scanning Gradle 8 projects!

Previously, when scanning version 8 projects in the CLI, some operations might fail due to incompatibility with the Gradle configuration cache. This has now been resolved, and Gradle 8 is officially supported in the Snyk CLI. 🎉

Upgrade to CLI v1.1273.0 or above to scan your Gradle 8 applications.

Snyk CLI Improvement: Auth tokens redacted

Improved

With our customers' and users' security in mind, from version v1.1268.0 onwards, the Snyk CLI will redact Snyk API authentication tokens from its debug logs.

Once upgraded, when Snyk users run the following commands to enable Snyk CLI debug logs,

DEBUG=* snyk test -d

or

DEBUG=snyk* snyk test -d

they will see API authentication tokens redacted and displayed as ***.

An example of this change is inline:

Snyk API authentication tokens will be redacted from Snyk CLI debug logs for both service as well as individual Snyk accounts.

We recommend upgrading to v1.1268.0 to benefit from this change.

Chintan Bellchambers

Configurable Python version in Snyk Open Source SCM scans in Open Beta

Early access

We are very pleased to announce that you can now define the Python version used when scanning pip projects imported via Git integrations in Snyk Open Source!

Until now, Snyk would always use either Python 2.7 or 3.7, which could lead to some dependencies being omitted from results if they require newer versions.

You can now specify the minor version of Python to use in scans.

To try this out, go to your Organization Settings. First, enable the beta listed in Snyk Preview. Next, go to Languages > Python and specify the Python version to use.

For more details see the documentation available here.

Snyk AppRisk Essentials is Snyk’s new ASPM product

New

Snyk AppRisk Essentials is Snyk’s new ASPM product, and is now available for qualified customers.

Snyk AppRisk Essentials supports the following use cases:

  • Automate application asset discovery: Continually discover application assets and classify them by business context, ensuring a security program is fully in sync with developers.

  • Manage security coverage: Define and manage appropriate security and compliance requirements while verifying applications have the correct controls in place.

  • Prioritize based on risk: Blend business and application context with best-in-class security and fix analysis to quantify risk and create an evidence graph, ensuring developer remediation efforts are focused on the issues that matter most to the business.

You can learn more by reading our blog post and public documentation and training, and by reaching out to your account team.

Using Project Tags at scale with removed group limits and predictable permissions

Improved

Project Tags are a lightweight and easy way to organise your Projects into bespoke criteria. They also have great synergy with Project Collections to help you visualise your grouping criteria (such as teams or services), focus work, and generate reports.

However, there have traditionally been a couple of points of friction when it comes to using tags at scale:

  • You could only create 1000 tags per group, which meant that you might hit your limit quickly (even with good tag management).

  • Different permissions were required to create a tag within a group, and assign a tag to a Project, so even if you had an org role that would allow you to work with tags on a project, you might not have the group permission that allowed you to create the tag.

Ultimately, users want the ability to group their Projects by any criteria without any limits, and to not work inefficiently because they're blocked by permission issues. So we're pleased to announce that we have removed the group tag limit, and we're making tag permissions more predictable in behaviour.

The org permission to assign a tag to, and remove a tag from, a Project is now sufficient for all tags and will be applied to the group admin, org admin, and collaborator roles, whilst the permissions for custom roles will remain as they were before this work was delivered. The two differences to your experience will be:

  • When you create a custom role, you do not require separate group permission to work with tags, which also helps improve security as you don't need to provide users with group permissions to enable org level functionality.

  • The concept of creating and deleting a tag no longer exists. If a tag isn't assigned to a Project, it will not exist.

All of the Project Tag APIs will continue to work as they currently do today.

Waleed Arshad | Senior Product Manager

Slack App: Channel ID entry for configuration

Improved

We're excited to share an update for the Slack app, introducing a new method for configuring channels to receive notifications. This addresses slow loading times for channel lists by enabling users to input Channel IDs directly. This enhancement ensures a quick verification process and immediate access to channel information, such as the name, right after entering the ID. Experience improved efficiency and responsiveness with this update.

For more details, please refer to our User docs.

Mayank Khera | Senior Product Manager

Snyk Open Source: Pipenv Git support now GA

Improved

We are very pleased to announce that Snyk Open Source support for scanning Pipenv projects via Git integrations is now GA!

The Open Beta for Pipenv Git support has been enabled by default since September, and we are happy that it is now working well enough to be promoted to GA.

For more details, head over to the docs.

Reminder: v1 List All Projects API end-of-life and upcoming brownout

Deprecated

We announced on June 22nd that we will end-of-life the v1 List All Projects API on December 22nd. Alongside the announcement, we have shared a migration guide and have released enhancements to our GA REST APIs to help facilitate the migration. These APIs will provide more consistent versioning, pagination and caching, and improved performance for you.

In addition, we have had two brownouts in October and November, and there is one more to go on December 6th for 4 hours starting 17:00 UTC.

During this time window, the API will return 410 Gone for all requests. If you require further support during these windows, please raise a support ticket. Review the migration guide below and move all your automations over before December 22, 2023!

Waleed Arshad | Senior Product Manager

Announcing Import API Location header change and support for all Snyk environments

Improved

We recently released a minor change to the Import Targets API. This asynchronous API spawns a separate import job, and returns a 201 Created response and a Location header which should be followed to fetch additional progress details about the import job.

Previously, the Location header was valid only in Snyk’s US-based region. Following this change, the Location header is a valid URL across all available regions.

If you are performing validation on the Location header, e.g. to verify it is a domain owned by Snyk before following the URL, please update your validation to accept the URL for your region. Snyk’s region-specific URLs are available here.
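One way to perform this Location check on the client side, shown as an added example rather than Snyk's own code. The function names, the sample request URL and the allowlist entries are assumptions; take the hosts for your region from Snyk's regional URL list.

```python
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: replace with the API host(s) for your region from
# Snyk's published regional URL list. These entries are examples.
ALLOWED_HOSTS = frozenset({"api.snyk.io", "api.eu.snyk.io"})

# Constructed sample request URL (placeholder org and integration IDs).
SAMPLE_REQUEST_URL = "https://api.eu.snyk.io/v1/org/ORG/integrations/INT/import"


def validated_location(request_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Return the absolute job URL if it is safe to follow, else raise ValueError."""
    if not location or any(c in location for c in "\r\n\t\\"):
        raise ValueError("missing or malformed Location header")
    # A relative Location is resolved against the URL that was requested.
    target = urlsplit(urljoin(request_url, location.strip()))
    if target.scheme != "https":
        raise ValueError(f"refusing non-HTTPS scheme: {target.scheme!r}")
    # Credentials in the URL hide the real host: https://api.snyk.io@other/
    if target.username is not None or target.password is not None:
        raise ValueError("refusing URL with embedded credentials")
    try:
        port = target.port
    except ValueError:
        raise ValueError("refusing URL with invalid port") from None
    if port not in (None, 443):
        raise ValueError(f"refusing unexpected port: {port}")
    # Exact match on the parsed hostname; substring or suffix checks would
    # accept api.snyk.io.example.net or example.net/api.snyk.io.
    host = (target.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    return target.geturl()


def is_safe_location(request_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Boolean wrapper: True only when the Location may be followed."""
    try:
        validated_location(request_url, location, allowed_hosts)
        return True
    except ValueError:
        return False
```

Call `validated_location()` on the 201 response's Location value before polling the import job, and send the API token only to the URL it returns.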

For any additional questions, please contact support.

Steve Winton | Principal Product Manager

Snyk Code Improvements: APEX, Go, Java, PHP, Python, Ruby

Improved

Over the next two weeks, we continue to enhance Snyk Code. As a result, we will be making the following improvements:

  • APEX: Enabling interfile support. Potential increase in all issues. This will be released the week of December 11th

  • Go: Source improvements to add buffers and refactoring CMDI sources. Potential increase in all issues

  • Java: Sanitizer improvements enabling detection of ContentType. Potential decrease in CWE-79 issues

  • PHP: Additional improvements released for PHP interfile. Potential increase in issues

  • Python: Sanitizer improvements enabling detection of ContentType for frameworks including Django and Flask. Potential decrease in CWE-79 issues

  • Ruby: General sanitizer improvements. Potential decrease in all issues

If you have any questions, please reach out to your account teams.