Product Updates

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

• Expiration Date: The date when the risk acceptance expires.

• Approver Name: The individual who authorized the risk acceptance.

• Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

• For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

• For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

• Visual Studio Code v2.26.0

• JetBrains v2.17.0

• Eclipse v3.5.0

• Visual Studio v2.5.0

This release is focused on enhancing stability and reliability, with key updates including:

• Visual Studio Code: Secure at Inception: Includes an update to the experimental settings that enable Secure at Inception in Cursor, Windsurf, and VS Code, allowing users to toggle the frequency of SAST scans running against AI-generated code. For new installs of the VS Code extension, a modal will show to allow users to optionally enable this capability with ease.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

We have released a new CLI hotfix (v1.1300.1) to address bugs and improve the overall user experience.

• Improvements to how Snyk’s MCP server works with our VSCode IDE extension, sharing context between the two implementations, which reduces the number of steps needed to get started

• Security, stability, and usability: This release features important security and bug fixes, alongside enhanced usability thanks to improved network error categorization.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to take advantage of these improvements.

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

• As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

• As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

• In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

• We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Snyk Code CLI Upload is now Generally Available. This powerful capability bridges the gap between local CLI scanning and the centralized power of the Snyk Platform. By uploading your scan results directly from the CLI to the Snyk Web UI, you unlock the full range of Snyk features, helping your teams gain a comprehensive, centralized view of their security posture.

This means that projects scanned via the Snyk CLI are now seamlessly integrated into the platform, giving you unified management and visibility, including:

• Centralized Reporting: View historical trends, metrics, and risk overviews for CLI-scanned projects alongside your SCM-integrated projects.

• Full Platform Features: Access Organization and Group level views, enabling better governance, policy enforcement, and holistic security management across all your code, dependencies, and configurations.

• Unified Issue Management: Manage, triage, and collaborate on issues found by the CLI directly in the Snyk Web UI.

For all users, the Snyk Code CLI Upload functionality is available by updating to the latest Snyk CLI version and using the appropriate upload command/flag. This functionality is enabled and ready for use by default.

For more detailed information on how Snyk Code CLI Upload works and how to implement it, visit our CLI Upload documentation.

We're excited to announce that our support for the pnpm package manager is now generally available (GA). This update applies across the command line interface (CLI) and all Snyk source code management (SCM) integrations. Any new pnpm projects you import will now be correctly identified and scanned.

This has been a top request from the JavaScript community. We listened to your feedback and are thrilled to deliver this improvement to better support your workflows.

There is no action required from you. Over the next month, we will automatically migrate any of your existing projects that were previously misidentified as npm projects. All project history and any ignores you have configured will be preserved during this migration.

To learn more, visit the Supported Languages List in our user documentation.

We are pleased to announce the latest stable Snyk CLI release, v1.1300.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

• Snyk Container: Support for scanning system JARs has been introduced behind a feature flag. Also, the TargetOS is now part of the container scan output.

• Snyk Open Source: Maven projects relying on metaversions (RELEASE/LATEST) will now have those correctly resolved when executing snyk test commands. 

• General: We have introduced runAutomationDetails ID to the SARIF outputs.

• Stability, security, and performance: This release also includes numerous bug fixes and enhancements to improve the overall stability, security, and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Universal Broker is now generally available, simplifying how you manage multiple broker connections. We know that many customers use the Snyk Broker to control access to their secured resources, and now you can run multiple integrations through a single client. This change not only reduces the complexity of your setup but also can result in meaningful savings on hosting costs.

We know that managing multiple broker connections can be a source of overhead and complexity. Universal Broker was built to address this specific pain point, allowing you to streamline your AppSec program.

Universal Broker could benefit all Snyk customers who use the Snyk Broker. While your existing broker clients will continue to work, we recommend that all new broker installs use Universal Broker. We also encourage existing customers who manage multiple broker clients to consider the benefits of migrating.

To learn more, visit our Universal Broker documentation.

Starting October 13, 2025, we're rolling out several analysis improvements in Snyk Code for the Java and VB.NET ecosystems. For Java, we are improving taint flow analysis to correctly handle variadic method parameters and enhancing inter-file sanitization logic. For VB.NET, we are adding support for aliased namespace imports.

These enhancements are designed to improve the accuracy of our static application security testing (SAST) engine. By better understanding how data flows through your applications and recognizing more language features, we can provide more precise scan results.

You may notice an increase in true positive findings and a reduction of false positives in your projects. These updates will be applied automatically as part of our standard support for Java and VB.NET, with no action required from you.

To learn more, visit our Snyk User Documentation.

We're excited to introduce a new design for PR summary comments, which will give developers and reviewers a clearer, more organized view of their PR check results.

• Streamlined summaries: Results are now displayed in a simple table, with links to the full test report and the number of issues per scan type. This helps teams quickly see whether a PR includes open-source vulnerabilities, license issues, or code vulnerabilities, and then dive deeper into the details in Snyk.

• Cleaner experience: The banner has been removed, making it easier to see PR check results at a glance, even if they're being consumed by other integrations (like Slack notifications).

The new design for summary comments is enabled by default, and is available across all supported SCMs.

We're excited to see how this helps your teams streamline code reviews and address issues more efficiently!