Product Updates

We've improved Snyk Code analysis for the .NET, PHP, Python, Go, and Scala ecosystems. These updates increase coverage and analysis quality, providing broader and more accurate static application security testing (SAST) support.

We're expanding our support to include C#13 and .NET9 SDK, additional PHP file extensions (.inc, .module, .install, .theme & .profile), better Python import support for class instances, support for lib/pq in Go, and support for the Tapir web framework in Scala.

These improvements roll out on November 17, 2025, as part of our General Availability (GA) support for these languages in Snyk Code.

Because analysis quality is enhanced, you may notice a change in your scan results, including new true positives and the removal of previous false positives. No action is required; the updates apply automatically.

To learn more, visit our Snyk User Documentation.

We’ve enhanced the package experience on security.snyk.io to make it easier to explore package health and security information in one place.

Package pages now include Snyk Advisor insights, bringing together Popularity, Maintenance, Security, and Community data alongside vulnerability details. This delivers a more complete and consistent experience.

What’s new

• Package intelligence data now appears directly on the package page for supported ecosystems.

• Advisor metrics (Popularity, Maintenance, Security, Community) can now be explored without leaving security.snyk.io.

These improvements bring greater context and transparency to open source package information while maintaining the same trusted data sources from Snyk Advisor.

To explore the updated experience, visit any package page on security.snyk.io. For more details about how the package health score and its underlying parameters are calculated, see Snyk Docs.

Maven 4 is the long-awaited next major upgrade for Maven. We are happy to announce General Availability (GA) support for Maven 4 Release Candidate 4 (RC4). This new capability is available for both our command-line interface (CLI) and source code management (SCM) integrations, giving you the opportunity to test your repositories with this new version of Maven before its official release.

While the official Maven 4 GA release date is not set, we want to provide an opportunity to test your projects in advance. By supporting the final planned Release Candidate, you can get ahead of the official upgrade and help us by giving feedback before the final release.

This update is for early adopters who want to test their repositories against Maven 4 before it becomes official. You can now use Snyk to scan your Maven 4 RC4 projects through the CLI and your SCM integrations. Please be aware that this is support for a Release Candidate, and the following features are not supported:

• CI-friendly variables

• Conditional Profile Activation

• Alternative Project Object Model (POM) syntaxes

Snyk Suport for Java and Kotlin

We’re excited to announce the next step in Snyk’s ongoing rollout of CVSS version 4.0 - expanding Exploit Maturity visibility into the Reporting and Project page (Issues Card) experiences.

With this release, you can now view Exploit Maturity (CVSS v4.0) values directly in both Reporting and the Project page, alongside other vulnerability details. This enhancement brings consistency across Snyk’s interfaces, aligning our API and CLI experiences, so teams can more accurately assess exploitability and prioritize remediation.

What’s new

Exploit Maturity (CVSS v4.0) is now available in:

• Reporting - New Column and Filter Option.

• Project page (Issues Card) - Visible in issue details and Filter Option.

This enhancement builds on earlier phases of our CVSS 4.0 rollout, extending exploit maturity visibility from the REST Issues API and CLI into the product UI.

For more information about CVSS v4.0, please refer to the blog post: What’s new in CVSS 4.0, or visit our User Docs.

We’re excited to announce the Early Access launch of the PR Check Report, a powerful new way to see how PR checks are performing and driving security outcomes across your organization. This release sets the stage for measuring the true security impact of PR checks across your organization and strengthening your overall prevention posture.

The current release of the report helps you:

• Monitor performance: Track pass, fail, error, and marked-as-successful rates over time across Snyk Open Source and Snyk Code checks. 

• Measure coverage: Understand where PR checks are enabled across your repositories to identify adoption gaps.

• Uncover recurring errors: Surface common error types and configuration issues to improve scan reliability and developer confidence.

Feature highlights:

• Flexible filters by time window, Snyk product (Snyk Open Source / Snyk Code), and project parameters like origin (SCM) and asset class.

• Org, Group, and Tenant-level insights into PR check performance and coverage.

• Export options for deeper data exploration and sharing.

The report is available under Analytics in the All Reports section for Tenant-level visibility. You can also find it in the Reports section of your Group or Organization by selecting Pull Request Checks Usage & Performance from the Change Report menu.

Learn more in our user documentation and connect with your account team to share feedback or help shape upcoming improvements.

We’re pleased to share that on November 5th, 2025 we will release improvements to Reachability for JavaScript and TypeScript. Upon release, Reachability will be supported for over 98% of applicable vulnerabilities, helping you better prioritize which issues to fix first.

You may see minor fluctuations in the reachability and Risk Score for issues in your npm, pnpm, or Yarn projects.

This release is a part of ongoing engine improvements related to coverage and quality. You can expect similar improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

To learn more about how to get up and running with Reachability, please read our User Docs.

We’re excited to introduce the Learning Impact & Opportunities report, designed to help you understand how your security education and training programs are influencing both code issue remediation and code issue prevention, and to highlight where future training can have the greatest impact.

The report provides a data-driven view into how training affects your development teams, allowing you to track:

• The impact of education and training on code issue remediation

• The impact of education and training on code issue prevention

• Recommendations for further training opportunities

• Coverage rates for users who have completed relevant Snyk Learn lessons for your top CWE issue categories.

Custom filters let you refine results by time period, users, organizations, lesson title, CWE, or issue severity.

Learning Impact Report

To access this report you need to have the Snyk Learning Management Add-on, in addition to an Snyk Enterprise plan.

You can access the report by navigating to the Group > Reports menu in the Snyk App. Any user role that can view in-app reports at the Group level can access this feature.

Read more in our Program Reporting documentation. To find out about our Learning Management Add-On speak with your Snyk account team.

We've made it easier to manage the security of your data exports by implementing a configurable, shorter time-to-live (TTL) for the presigned URLs created by the Export API (application programming interface). Now, when you use the Export API, you can limit how long the download link remains active by passing a value between 0 and 3,600 to the url_expiration_seconds attribute. Once the timeout expires, the CSV data can no longer be downloaded, and you'll need to start a new export.

We understand that some security policies require a shorter expiration time for temporary download links containing sensitive data than the default time we provide. This update gives you the control to align the Export API's presigned URL expiration with your organization's specific security and compliance requirements.

This enhancement affects all users who utilize the Export API to generate CSV data. This change is optional: your existing Export API integrations will continue to work without modification, using the default link expiration time. If you require a shorter link expiry, you can simply add the url_expiration_seconds attribute to your export request with a value from 0 to 3,600 seconds.

To learn more, visit the Export API documentation.

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example: class). We're introducing new, structured (key:value) asset tagging capability that will be called tags.

This update provides a significant enhancement by providing a flexible way to enrich asset data. The new functionality enables you to add specific, structured context to your assets for powerful filtering and integration with your internal systems aligning with industry best practices. We are introducing a new PATCH endpoint to address the need to programmatically modify asset attributes.

The update introduces an enhancement to the Assets API , to provide a more powerful way to categorize assets using structured key-value pairs, and allowing to update Class , free-form labels, and the new key:value tags attributes via API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refer to the new, structured key:value pairs

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

We're happy to announce that we now support Python 3.14. Following its release on October 7, 2025, this support is now generally available (GA). You can now scan your Python 3.14 projects using both the command line interface (CLI) and your source control manager (SCM) integrations.

Python is a top-priority ecosystem for many of our users. We're committed to providing support for new language versions as quickly as possible so you can upgrade and stay secure without interruption.

You can now import and scan your Python 3.14 projects from the CLI or your connected SCM. Please remember: if your project does not have a Python version specified, you need to configure it in the UI to use Python 3.14.

To learn more, visit Snyk for Python in our user documentation.