Product Updates

Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating vulnerable gems, running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we’ll start gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven with unique versioning information. Snyk was previously not resolving these dependencies correctly, which affected the accuracy of projects and related issues. This will be fixed, and projects will accurately detect these dependencies.

  • Logic for “provided” transitive dependencies is now correct and aligns with Snyk CLI and how Maven handles these cases.

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.

Ryan Searle | Product Director

Announcing Snyk CLI v1.1298.3

New

We’ve released a new CLI version (v1.1298.3) with new features, bug fixes and improvements to enhance your security scanning.

This update includes the following two changes:

1. Open Source: Gradle 9 Support

We are pleased to announce that the Snyk CLI now supports scanning Gradle 9 projects!

Previously, when scanning version 9 projects in the CLI, some operations might fail due to reliance on a deprecated and removed Gradle CLI flag. This has now been resolved, and Gradle 9 is officially supported in the Snyk CLI.

2. AI-BOM: The snyk aibom command

The AI-BOM CLI command is now publicly accessible.

You can use the snyk aibom command to identify AI models and datasets and to map the AI supply chain, including connections to external tools and services using the Model Context Protocol (MCP).

Note: AI-BOM is an experimental feature and is subject to breaking changes without notice. Read more in our documentation.

Release notes are available here.

We encourage everyone to upgrade to the latest version to take advantage of these new capabilities. If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

project_target_file Now Available in Snyk Export API!

New

We're excited to announce a crucial enhancement to our new Export API: we've added the project_target_file field. This update is a significant step in helping customers transition from the deprecated Reporting V1 API to our more robust and modern Export API. The project_target_file field, which was previously only available in the older Reporting V1 API, is now included in the Export API. This field provides critical information for disambiguating ownership in monorepos.

How Does This Benefit You?

  • Seamless Migration: If your workflows, especially those involving monorepos, relied on project+target_file from the Reporting V1 API, you can now migrate those processes entirely to the Export API.

  • Improved Ownership Clarity: For complex projects like monorepos, target_file helps you precisely identify and manage project ownership, leading to more accurate reporting and better security insights. It contains the file path within a project that Snyk is targeting for security scanning, such as /var/www/composer.lock, /app/package.json, or other dependency manifest files.

  • Access to Modern API Features: By fully moving to the Export API, you can leverage its improved performance, scalability, and other advanced capabilities.

  • Reduced Reliance on Legacy API: This addition helps reduce the need for the older Reporting V1 API, allowing us to focus on enhancing our newer, more efficient solutions.

What You Need to Know

The data for target_file is consistent with what you've seen in the Reporting V1 API and our internal datasets. We've ensured a direct mapping to provide you with reliable information. To make this field available, we've updated several underlying data structures. While this required a full refresh of some datasets on our end, you don't need to take any action other than updating your API integrations to utilize the new field. This enhancement directly addresses feedback from customers, enabling a smoother and more complete transition to the Export API.

Maor Kuriel | Director of Product

Export API GA Release

New

The Export API is now GA, allowing our customers to create and download Snyk Issues data as a CSV file. It's useful for making custom reports and using Snyk data with other tools.

What it is and why it's helpful

The Export API, which Snyk Analytics supports, facilitates data export by enabling users to create and manage CSV files. These files are safely stored by Snyk. Designed for efficiency and security, the Export API helps users organize and scale the export of large datasets, which is useful for reporting and analytics tasks.

  • Consume predefined datasets, based on Snyk reporting data

  • Datasets evolve in parallel to Snyk Analytics' scope

  • Focus on the user experience and ease of consumption

More information

You can find more details, including how to use the API, in our product documentation.

Maor Kuriel | Director of Product

Disable repository listing in the Container Registry Agent

Improved

We've just released an enhancement for the Snyk Container Registry Agent to improve compatibility with a wider range of container registries. You can now disable the repository listing feature to prevent integration errors and reduce API calls.

This is especially useful if you are using a registry that does not support the GET /v2/_catalog endpoint, or if your organization's security policies restrict access to it.

Key Benefits

  • Expanded Registry Support: Ensures smooth integration with registries like GitHub Container Registry and GitLab Container Registry.

  • Work Around Permission Issues: Allows the agent to function correctly even when it doesn't have permissions to list all repositories.

  • Reduce API Calls: Optimizes performance by preventing unnecessary calls to your registry's catalog endpoint.

How to Enable

You can enable this feature by setting the SNYK_DISABLE_LIST_REPOS environment variable to true in your deployment. When enabled, the agent immediately returns an empty list instead of trying to query the registry, resolving potential errors.

For full setup instructions for Docker, Helm, and Kubernetes, please see the updated Snyk Container Registry Agent documentation.

Pratip Banerji | Senior Director, Product Management

Snyk Agent Fix in PRs is coming to Bitbucket

Early access

Launching in Early Access on August 4th, 2025, Snyk Agent Fix eliminates the manual overhead of resolving vulnerabilities, helping developers merge secure PRs faster while integrating seamlessly into their existing workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

  • Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

  • View an explanation of the suggested fix alongside the code snippet.

  • Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

  • Generate multiple fix suggestions within the same PR, where applicable.

The following Bitbucket integrations will be supported: Bitbucket Cloud, Bitbucket Cloud App, and Bitbucket Server. If you’d like to enable this feature for your organization, you can self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out our user docs for more details and connect with your account team to participate in feedback sessions to shape the future of your workflows with Snyk.

Mayank Khera | Senior Product Manager

Update to the minimum requirements for Snyk PR Checks with Bitbucket Server/Data Center

New

As of January 28th, 2026, 6 months from today, Snyk will require customers to use Bitbucket Server version 7.4 or higher, or Bitbucket Data Center 8 or higher to continue using Snyk PR Checks, and Snyk Broker version 4.218.0 or higher when using a brokered connection.

We are making this change to provide consistent operation across our integrations, and to ensure customers have access to the latest Pull Request experience from Snyk.

With this change going into effect, the minimum requirements for using Snyk PR Checks with Bitbucket Server/Data Center are as follows:

  1. Bitbucket Server version 7.4 or higher, or Bitbucket Data Center version 8 or higher

  2. The integration must have been set up in accordance with Snyk's documented requirements, including the necessary scopes for the token associated with your Snyk Bitbucket Server/Data Center integration.

     • This includes webhooks read and write scopes, for continued feature support.

  3. When using a brokered connection, Snyk Broker version 4.218.0 or higher is required

If you have any questions, please reach out to Snyk's support team.

Jeff Andersen | Director, Product Management

Snyk API & Web: Critical Severity Level (coming soon)

New

Get ready to supercharge your security prioritization! Snyk API & Web is rolling out a new Critical severity level for findings. This enhancement brings our platform even closer to industry standards, helping you zero in on the most urgent vulnerabilities that demand immediate attention.

Key Dates

  • September 2, 2025: The Critical severity level will become visible within the Snyk API & Web UI. While no findings will be assigned this severity yet, this is your prime opportunity to prepare your systems. Read this article for more information.

  • September 16, 2025: Snyk API & Web will begin automatically assigning the Critical severity to all eligible findings (those with a CVSS score of 9.0 or higher). Existing finding severities won't change unless they are detected in a new scan after September 16th.

This update empowers you to focus on what matters most in safeguarding your applications. If you have any questions, please reach out to Snyk’s support team.

Ana Pascoal | Product Manager

Announcing Snyk CLI v1.1298.2

New

We’ve released a new CLI hotfix (v1.1298.2) to address several bugs and improve the overall user experience.

This update includes the following:

  • MCP: Streamlines local project testing by preventing unnecessary security prompts for folders you have already trusted. This category also includes security hardening to improve the container scanning tool’s resilience against potential prompt injection.

  • Snyk Code: Resolves an issue where running the snyk code test --report command could fail in environments where a PROJECT_ID environment variable is set.

  • Snyk Agent Fix: Resolves an issue that could prevent Snyk Agent Fix from being available in IDE plugins for users whose default organization didn't have the feature enabled.

As this is a targeted hotfix, no other changes in behavior or new features are expected.

Release notes are available here.

We encourage everyone to upgrade to the latest version to ensure stability and benefit from these important fixes.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

Announcing Snyk VSCode plugin v2.23.1

New

We’ve released hotfix v2.23.1 for our Visual Studio Code extension.

This update addresses two use cases that improve stability and the overall user experience. We have enhanced how the plugin handles network proxies and certificates, which will reduce download errors within the IDE. This release also fixes a bug that prevented the GCA integration from working correctly in some cases.

There are no other functional changes in this version, so your day-to-day experience using the extension will remain the same.

If you have any questions, feel free to reach out to our support team.

We encourage everyone to upgrade to the latest version to benefit from these improvements!

Costin Busioc | Senior Product Manager