Product Updates

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.

We are pleased to announce improved support for Maven default profiles in Open Source SCM scanning. Previously, we only considered profiles where activeByDefault was set to true. With this change, scanning will now more faithfully activate profiles that would be activated by running Maven dependency resolution locally. The will result in more accurate scanning, as the dependency resolution engine will more closely mimic the behavior of Maven itself.

This change will be rolled out on July 9th, and customers may expect changes in the issues detected for existing projects imported into Snyk. For customers scanning projects using both the SCM integration and CLI, you can expect to see more consistent results between these two solutions.

We’ve released a CLI hotfix (v1.1297.2) to enhance security and resolve the following issues:

• Improved Debug Logging Security for Scans: Improves the sanitization of credentials in local debug logs.

• IDE Connectivity for Proxy Users: Fixes an issue where IDE plugins could fail to connect when operating behind an NTLM proxy.

• Snyk Code Local Engine Fix: Addresses a regression that prevented the Snyk Code Local Engine (SCLE) from functioning correctly within the IDEs. As this release is focused on security and stability, no change in behavior or new features are expected.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to benefit from these important security and reliability fixes!

Starting July 7, 2025, Snyk Code will expand its framework support for JavaScript and TypeScript. This update increases vulnerability coverage for applications using popular web frameworks:

• New Framework Support: Introducing analysis for web applications built with the hapi.js and TSOA frameworks. Customers using these frameworks will potentially see an increase in vulnerabilities reported

• Express Framework Enhancement: Improving analysis by recognizing object destructuring in request handlers.

• Improved support for for-each loops.

This update will be released as part of Snyk Code’s existing support for JavaScript and TypeScript.

We are pleased to announce that Reachability for JavaScript and TypeScript will begin rolling out for General Availability (GA) on June 18th.

This milestone follows an Early Access program during which we partnered with development and security teams to validate the capability and refine its accuracy, coverage, and scalability.

Reachability analysis helps teams prioritize vulnerabilities by identifying whether a vulnerable code element (functions, classes, modules, etc.) is invoked by their application code. This enables organizations to concentrate remediation efforts on vulnerabilities that are more likely to be exploitable in their application context.

This enhancement also means that customers participating in the Early Access stage may see changes to existing vulnerabilities, marking them as reachable.

Please refer to the documentation on reachability analysis for more information on enablement, supported environments, and package managers.

Back in November, we announced a significant enhancement to Snyk Automatic Fix Pull Requests, furthering our mission to design workflows to match different projects needs.

Today, we're excited to announce the completion of this effort, the setting of a default threshold for any organization leveraging our auto-fixes that hasn't done so already.

Auto Fix Pull Request thresholds are configurable by either severity or score. We understand in some projects, fixing all vulnerabilities constantly is extremely important, whereas in others focusing on specific types boosts velocity. That's why we configured two types of rules for Automatic Fix Pull Requests:

• by score (priority or risk score) - set a threshold from 0 to 1000

• by severity - select among critical, high, medium or low

Starting today, June 5th, we're defaulting any organization that hasn't yet set a threshold to a risk score of 700, the general consensus amongst our early adopters and the value Snyk's seen to most effectively reduce noise while still surfacing fixes for the most important vulnerabilities.

If you've already set thresholds, Snyk will not change your defaults. This option will also not influence our Backlog PR capability.

We are pleased to announce an update to the Java Reachability Engine, which will deliver a more accurate analysis across a broader range of Java packages and vulnerabilities.

As a result of this expanded coverage, customers may see changes to existing vulnerabilities marking them as reachable. We recognize that this update may affect your triage and prioritization workflows, as we ensure that potential issues are identified with greater precision.

This change will gradually roll out on June 16th, and customers should expect to see additional coverage improvements in the upcoming months. No action is needed from customers who have already enabled the reachability feature.

Just so you know, modifications in first-party code, vulnerability analysis updates, and SAST engine improvements (like this update) can affect the reachability results, and vulnerabilities labeled as "No Path Found" can evolve to "Reachable" over time.

See our documentation to learn more about Reachability Analysis.

We are pleased to announce a bug fix for Snyk Open Source Python support.

With this update SCM support for Python will be improved as follows:

• Today, SCM scans for some Python 3.8+ projects omit virtualenv and pip dependencies if they are used, leading to possible false negatives in related issues. With this change, these dependencies will be correctly included.

• CLI scans already accurately represent these dependencies, and are not affected by this release.

How will my scan results change?

• Overall accuracy of Python SCM scans for projects using these dependencies will increase, which may lead to an increase in identified vulnerabilities for projects using these dependencies.

What are the next steps?

The changes will be released on June 18th, and projects will see improved results in their next test.

We're providing an important update regarding an upcoming enhancement to the Snyk CLI that will impact Linux environments. To ensure the Snyk CLI operates as smoothly and securely as possible, providing the strongest security and stability for your development environments, we are updating an internal component.

What's Changing for Linux Users?

Effective with the Snyk CLI release 1.1298.0 targeted for July 16, 2025, the minimum required GNU C Library (glibc) versions on Linux will be updated as follows:

• For Linux x64 environments: glibc version 2.28 or higher

• For Linux arm64 environments: glibc version 2.31 or higher

This change only affects Linux environments. Users on macOS and Windows are not impacted by this specific glibc update.

Why Are We Making This Change?

This update is driven by our commitment to ensure all components within the Snyk CLI are current and supported, preventing the use of components that may no longer receive critical security patches or bug fixes. This transition is crucial for:

• Enhanced Security & Stability: Via this upgrade, we ensure our CLI remains protected against emerging vulnerabilities and benefits from ongoing improvements, addressing potential risks.

• Modern Dependency Compatibility: The broader software ecosystem continually evolves. This upgrade allows us to integrate essential library updates, bug fixes, and new features more effectively and reliably.

Meeting these glibc requirements also means your Linux environments will likely be running on operating system versions that are fully supported and not past their own end-of-support dates, further enhancing your overall security posture.

Timeline and Your Environment Readiness:

We are introducing these new requirements in the Snyk CLI 1.1298.0 release scheduled for July 16, 2025. This provides a window for you to assess and, if necessary, update your Linux environments.What if You Need More Time?We understand that updating your environments might require planning and coordination. If you anticipate needing more time to meet these new glibc requirements beyond the July 16, 2025 release, we recommend the following temporary solutions to continue using the Snyk CLI without interruption:

• Pin your Snyk CLI version: You can temporarily pin your Snyk CLI to version 1.1297.1 (the last version before these new requirements take effect) to allow more time for your glibc upgrade.

• Utilize Snyk CLI Docker Images: Our official Snyk CLI Docker images come with compatible glibc versions and can be a good alternative.

• The CLI preview version was updated starting June 4th to contain the new glibc requirements for testing the coming changes in time.

Our primary goal is to provide you with the most secure and reliable tools, and this update is a key step in that direction.Thank you for your understanding and partnership in maintaining a secure development lifecycle!

We are announcing the End of Life (EOL) for the Snyk Nexus Gatekeeper Plugin, effective September 15th, 2025.

This change is primarily due to Sonatype's discontinuation of Plugin Support. Sonatype, the creators of Nexus Repository, have officially removed all third-party plugin support in Nexus Repository version 3.78 and newer, which was released in March 2025.

Here is what you need to know:

• Impacted Plugin: Snyk Nexus Gatekeeper Plugin.

• End of Life Date: September 15th, 2025.

• Support until EOL: We will continue to offer support for leveraging the plugin until September 15th, 2025. However, please note that no new enhancements or bug fixes will be released for the plugin during this period.

• Action Required: If you are currently using the Snyk Nexus Gatekeeper Plugin, we recommend planning your transition to alternative solutions before the EOL date. We encourage you to leverage other Snyk products (such as Pull Request Checks or SCM integrations) that can help enhance your security posture and integrate seamlessly into your development workflows.

We understand that this change may require adjustments to your current workflows. We encourage you to explore Snyk's other integrations and features to continue securing your software development lifecycle effectively.

If you have any questions or require assistance, please do not hesitate to contact the Snyk support team!