Product Updates

We're excited to introduce a new design for PR summary comments, which will give developers and reviewers a clearer, more organized view of their PR check results.

• Streamlined summaries: Results are now displayed in a simple table, with links to the full test report and the number of issues per scan type. This helps teams quickly see whether a PR includes open-source vulnerabilities, license issues, or code vulnerabilities, and then dive deeper into the details in Snyk.

• Cleaner experience: The banner has been removed, making it easier to see PR check results at a glance, even if they're being consumed by other integrations (like Slack notifications).

The new design for summary comments is enabled by default, and is available across all supported SCMs.

We're excited to see how this helps your teams streamline code reviews and address issues more efficiently!

We are introducing a new Snyk Learn engagement report in Snyk Reporting at the group level, which gives you a deeper understanding of your security education and training program's performance. The report lets you track overall Snyk Learn lesson assignment progress, which is great for continuous education and compliance programs. You can also use the report to see which content is most popular with your teams, along with a leaderboard for your users, and how long people have spent learning, helpful to identify your future security champions!

This report provides valuable insights into user adoption of Snyk Learn, including the ability to track and report on assignment progress.

To access this report you need to have the Snyk Learning Management Add-on, in addition to an Snyk Enterprise plan.

You can access the report by navigating to the Group > Reports menu in the Snyk App. Any user role that can view in-app reports at the Group level can access this feature.

To learn more about this new report, visit our documentation. To find out about our Learning Management Add-On speak with your Snyk account team.

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

We are enhancing how secrets and sensitive data are managed in Snyk API & Web. Effective today, you can designate specific fields as sensitive within your target settings, ensuring their values are automatically masked. Furthermore, Account Owners now have a new level of control with the ability to make sensitive information permanently non-retrievable after it is saved.

This enhancement is designed to significantly reduce the risk of accidental information disclosure and prevent unauthorized access to your sensitive data. By giving you granular control to define and mask specific fields, we are moving beyond a reliance on simplistic patterns and heuristics. The option to make secrets non-retrievable adds a critical layer of security, ensuring that once a secret is stored, it cannot be exposed again through the application.

This update introduces two key changes:

• For Account Owners: A new module is available on the Settings > Authentication page. This allows Account Owners to enforce that all designated sensitive information becomes non-retrievable for everyone in the account once saved.

• For all users: When configuring a target, you will now see a 'Mark as sensitive' checkbox for relevant fields. Selecting this option will automatically mask the field's value after it is saved. This applies to configurations such as:

  • API authentication payload

  • Login form

  • Login sequence

  • Basic authentication credentials

  • Custom headers and authentication headers

  • Custom cookies and authentication cookies

  • API Parameter Custom Values

  • Postman Environment Values

To learn more, visit How to manage secrets and sensitive data in Snyk API & Web in our user documentation.

We're excited to share an improvement to our GitLab integration that ensures Snyk's Pull Request (PR) Check status always reports to the correct pipeline.

Previously, the PR Check status could appear on the wrong pipeline, especially with Merged Result Pipelines. This sometimes prevented GitLab's "Pipelines must succeed" feature from working correctly, potentially alowing insecure merges. With this update, you can now confidently set branch protection rules with Snyk PR Checks and merge with peace of mind.

• Enforce secure merges with confidence: Snyk PR Check status now correctly attaches to the highest-priority pipeline (Merge Result, Merge Request, or Branch). This ensures GitLab's merge gate always has Snyk scan results, so vulnerable code can be blocked reliably.

• Improved clarity for developers: The Snyk status now attaches to the right pipeline, removing confusion about which pipeline reflects the security scan.

This improvement has been rolled out to all customers today, and no explicit action is required. For more details, check our user documentation.

We’ve added support for three new filters to the Export API to help you get more granular data exports. You can now filter your results by Project Tags, Project Type, and Snyk Product.

This update makes it easier to create customized reports and perform analytics by allowing you to filter large datasets based on your specific needs, such as a particular Snyk product or custom project tags.

You can now create more precise data exports for issues and usage events. The new Snyk Product filter supports:

• Snyk IaC

• Snyk Container

• Snyk Code

• Snyk Open Source

To learn more, visit Export API: Specifications, columns, and filters in our user documentation.

We’ve introduced a new is not filter option for Snyk reports, which lets you exclude unwanted items directly within the platform. This feature is now available across a wide range of filters, including groups, organizations, Common Vulnerabilities and Exposures (CVEs), package names, collections, tags, asset names, and owners.

Previously, you had to export Snyk report data and manually filter out unwanted items, which was time-consuming and inefficient. We've improved this by allowing you to exclude items within Snyk, giving you a focused view, and eliminating the need for manual data manipulation outside the platform.

You can now get to the insights you need faster and more efficiently. For example, you can exclude known, low-priority issues to focus on high-severity vulnerabilities, quickly find unassigned assets by filtering for is not, or exclude environments to only see issues related to production. To use the new feature, simply select the desired filter and choose the is not option before entering the value you wish to filter out.

To learn more, visit our user documentation.

We’ve released a new CLI hotfix (v1.1299.1) to address several bugs and improve the overall user experience.

This update includes the following:

• Language Server: We fixed the titles of Snyk Open Source actions in your IDEs to make them clearer.

• Snyk Code: The CLI SARIF outputs now include the missing uploadResults property.

• General: We fixed a bug that was breaking debug logs because of a redaction error.

As this is a targeted hotfix, no other changes in behavior or new features are expected.

Release notes are available here.

We encourage everyone to upgrade to the latest version to ensure stability and benefit from these important fixes.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

We have released a new version of our Visual Studio Code IDE plugin. This update addresses minor bug fixes and improvements, including:

• Updating the rules trigger for secure at inception workflows

• User documentation link fixes

• Direct publishing of Snyk IDE plugins to OpenVSX marketplaces, including preview versions

• Enabling OS quick fix actions by default

If you have any questions, feel free to reach out to the Snyk support team.

We’ve expanded the Featured Zero-Day Report to include the Shai-Hulud npm supply chain attack, one of the largest compromises in the npm ecosystem to date.

This update enables Enterprise users to:

• Identify exposure to compromised npm packages such as ngx-bootstrap and @ctrl/tinycolor.

• Prioritize remediation and monitor progress directly in the Featured Zero-Day Report.

• Improve visibility and accountability in zero-day response.

This addition strengthens visibility into high-impact zero-day events within Snyk Reports. By integrating the Shai-Hulud supply chain incident, customers can rapidly assess exposure, track remediation, and improve governance during ongoing threat response.

No manual action is required - data updates automatically as new advisories are published. However, running a new scan is recommended to ensure the latest results are reflected.

To learn more, visit the Featured Zero-Day Report documentation or read our blog post, Zero-day extensive NPM package compromise Shai Hulud Supply Chain Attack.