Product Updates

We're pleased to announce that on Friday, July 11th, 2025 we will be introducing several improvements to the "List issues for a package" APIs.

This release will reduce request latency and improve the timeliness of newly published advisories being returned by the API.

In addition, this release will address several bugs listed below, which may result in changes to the number of vulnerabilities returned for some packages:

• Currently the API responds with all vulnerabilities about a package in Linux ecosystems (apk, deb and rpm). The fix reduces those down to only the vulnerabilities affecting the specified version.

• Requests for npm purls that contain an @ symbol in the namespace currently cause a 400 Bad Request. This change properly parses these purls and instead correctly returns a 200 OK with the expected vulnerabilities.

• When there is no remedy, the remedies array will now be empty.

• The problems array is now consistently sorted by each objects id.
  

Please reach out if you have any questions.

Snyk Code’s Python analysis has been updated to support __init__.py files, improving scan accuracy and depth.

This enhancement allows for the correct importing of symbols defined in package initialization files. This leads to a more accurate analysis of projects that use this common packaging structure, which is detailed in the official Python documentation on modules.

As a result of this deeper analysis, customers with projects utilizing this module structure may see new findings in their scan results.

This update affects Python projects only and was rolled out to all Snyk customers as part of recent support case work.

We're excited to announce that Snyk Assist is now available for Snyk Learning Management customers across all Snyk Multi-Tenant regions.

What is Snyk Assist?

Snyk Assist is an AI-powered assistant integrated into the Snyk Learn platform. It is designed to answer your Snyk product and application security questions instantly, helping you learn faster and resolve queries efficiently directly within your learning environment.

How do I get access?

• Be a Snyk Learning Management Add-On customer.

• Have a Group Admin enable the Group level setting.

• Set your preferred org to an org within the group where Snyk Assist is enabled.

• Navigate to any Snyk Learn lesson and Snyk Assist will pop up to help!

Dive deeper

For more information on Snyk Assist, check out our Snyk Assist docs, take our Snyk Learn Lesson on Snyk Assist and read our blog on AI assisted development.

Starting July 14, 2025, Snyk Code will release an update to improve the accuracy of CSRF (CWE-352) detection in C# WebAPI applications.

• This fix significantly reduces false positives, helping developers focus on real issues without being distracted by incorrect CSRF findings. Other vulnerability results are unaffected.

The update will roll out as part of Snyk Code’s General Availability (GA) support for C#.

To enhance developer efficiency and optimize our security tools, Snyk is excited to introduce a new architecture for the Snyk integrations public documentation. This centralized documentation section offers a dedicated and organized area for all Snyk CLI, IDE, and CI/CD integrations.

The objective is to integrate security seamlessly into the software development lifecycle. This update directly supports that goal by offering a cohesive discovery point of the developer tools, clearly distinct from SCM and other platform integrations. The result is a more logical and intuitive user experience.

This change provides the following advantages:

• Improved usability: By creating a dedicated section for developer-centric integrations, users can locate and configure the necessary tools with greater precision and fewer errors.

• Accelerated tool adoption: The centralized documentation section simplifies the discovery process, allowing development and security teams to implement and deploy Snyk more quickly across their workflow environments.

• Increased efficiency: Users can save considerable time when accessing and managing the integrations essential to their daily development and security workflows.

To ensure continuity, all bookmarks and links to previous integration pages will be automatically redirected to their new locations within the public documentation, preventing any disruption to user workflows.

This information architecture change will officially come into effect on July 9, 2025.

Snyk users without a configured Snyk Essentials Group-level integration will soon benefit from Automatic Repository Discovery, which provides visibility into the users' security coverage, out of the box. This feature helps users identify which repositories have been imported and are being tested in Snyk, and which have not. The discovered repositories will appear in the Snyk Essentials Inventory tab.

Automatic Repository Discovery is currently available for users with GitHub Cloud App, GitHub Enterprise, GitLab, and Azure DevOps Org-level integrations, and will soon be available to users with BitBucket Cloud, BitBucket Cloud App, and BitBucket Server Organization-level integrations, including brokered setups.

We’ll begin gradually rolling this out to all Enterprise plan customers starting July 16th, 2025. If you’d like early access, please reach out to your account team.

We are releasing Snyk CLI v1.1297.3, a follow-up hotfix to our recent v1.1297.2 announcement. This update further enhances the security of debug logging.

We encourage all users to upgrade to v1.1297.3 to benefit from these important security enhancements. Release notes can be found here.

CVE-2025-6624 has been published to address this vulnerability.

Important: This hotfix resolves a potential vulnerability. Please review the details below.

By default, the Snyk CLI sanitizes sensitive credential information from logs. However, previous versions of the Snyk container CLI tool had potential vulnerabilities in this sanitization, where sensitive credentials could potentially be written into local Snyk CLI debug logs, if the Snyk CLI is executed in DEBUG or DEBUG/TRACE mode. There is no exposure to these vulnerabilities if the DEBUG flag is not used when executing Snyk CLI commands. Exact details are listed below.

Although these logs are only stored locally where the CLI is invoked, debug logs might have been manually sent as part of support queries to Snyk Support Engineers or copied/backed up to other locations by your processes.

Snyk has already proactively reached out to any customers we believe may have been exposed to this vulnerability, based on our internal usage logs. However, we recommend that users of Snyk CLI upgrade to this hotfix to avoid any future exposure.

This hotfix resolves the following vulnerabilities:

• When the snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials could previously be written into the local Snyk CLI debug log in some circumstances. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u).

• When the snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the access / refresh credential tokens used to connect the CLI to Snyk could previously be written into the local CLI debug logs.

• When the snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled AND the log level is set to TRACE, the docker registry token could previously be written into the local CLI debug logs.

As part of the Snyk AI Trust platform, Snyk Agent Fix will be available in pull requests starting this week, on 23 June. This feature aims to reduce the manual overhead of resolving vulnerabilities and minimize PR time to merge, all while ensuring seamless integration into existing developer workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

• Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

• View an explanation of the suggested fix alongside the code snippet.

• Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

• Generate multiple fix suggestions within the same PR, where applicable.

Early access is currently focused on GitHub integrations: GitHub App (Cloud and Server). GitHub and GitHub Enterprise while support for additional SCM integrations is coming soon. This is part of an ongoing series of enhancements aimed at improving the developer pull request experience with Snyk. If you’d like to enable this feature for your organization, you will be able to self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out the user docs for more details. We’re committed to continuously improving this experience — reach out to your account team if you’d like to join feedback sessions and help shape the future of your Snyk workflows.

The Assets API is now available in Early Access, providing AppSec teams with programmatic access to comprehensive asset data. This eliminates the need for manual data exports and simplifies integration with other systems. With reliable, centralized access to asset information from sources like Snyk, SCMs, and runtime environments, teams can automate targeted actions, improve prioritization, and enhance visibility. The API empowers organizations to make more informed decisions and align security and development efforts more effectively.

Key capabilities of the Assets API include:

• Programmatic access to asset data — retrieve asset information from Snyk, SCMs, runtime, app context, and more

• Flexible filtering — query specific assets or subsets based on your chosen criteria

Check out the user docs for more details. We're dedicated to continuously enhancing this experience. If you'd like to share your feedback and help shape future improvements, please reach out to your account team to join upcoming feedback sessions.

Dear customers,

This is a reminder about the important changes to our support policy and the deprecation of certain IDE features, which are just around the corner.

As previously announced, our new 12-month Support Policy for IDE, Language Server, CI/CD plugins and CLI versions will officially come into effect on June 24, 2025. To ensure you continue to receive full support and access to the latest innovations, please upgrade your IDE plugin, Language Server, CI/CD plugins and CLI to a version released within the last 12 months by this date.

Additionally, as part of our upcoming IDE plugin release on July 17, 2025, the following features will be removed:

• Code Quality Findings in Snyk Code (WebUI and IDE Plugins):

  This functionality will no longer be provided.

• JavaScript CDN Library Detection

  in HTML Files: This will apply as well to JavaScript and TypeScript files, not just HTML. Note: This applies to CDN library detection only - it does not affect Snyk Code or Snyk Open Source JavaScript/TypeScript core capabilities

• Container Image Detection in Kubernetes YAML Files

  : This experimental feature will be removed from the Snyk JetBrains IDE Integration.

We encourage you to review the original announcement for full details and guidance on these changes/

If you have any questions or require assistance with upgrading, please don't hesitate to contact our support team.

Thank you for your continued partnership!