Product Updates

We are excited to announce the release of Snyk Azure DevOps Task v1.9.0. This update introduces a key improvement that simplifies the experience for users in complex network environments.

This release includes the following enhancement:

• Automatic Proxy Detection: The Snyk task will now automatically detect and use the HTTP/HTTPS proxy configuration from the Azure DevOps agent it is running on. This removes the need for any manual setup, streamlining pipeline configuration in restricted environments.

To enable this feature, simply update to version 1.9.0 in your Azure DevOps pipelines. No other configuration is required.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments will be coming to General Availability for the second wave of SCMs. Starting August 26, 2025, these capabilities will be enabled by default for all customers using PR checks. The rollout will complete by September 8, 2025.

The following SCM integrations are in scope:

• GitLab

• Azure Repos

• Bitbucket Server
  

What’s included in this release

Repositories with PR checks enabled will automatically receive:

• Issue Summary Comments for both success and failure cases (covering Snyk Code + Open Source security and license findings)

• High-Context Inline Comments for Snyk Code issues

Repositories that have either been (1) manually disabled either of the comments after initial enablement or (2) disabled summary comments for success scenarios during Early Access will remain unchanged, ensuring prior preferences are respected.

🛑 Opt-Out Requests

Opt-out requests can be submitted via our dedicated form or through your Snyk POC (include Group/Org IDs). Submissions received on or before Aug 25, 2025 will not be default enabled. To customize your preferences at any time after default enablement, you can simply visit your integration settings in the Snyk WebUI where you can toggle comments off.

This release will be a big step forward in our mission to make security native to the developer experience and we’re excited to see how this helps your teams fix issues faster. Please reach out to your account team if you’d like to join upcoming feedback sessions and help shape the future of Snyk’s Pull Request experience.

We're excited to announce the general availability of Snyk's latest report, "Snyk Generated Pull Requests."

Originally launched to early access late last year for Enterprise plans, this report sought to provide high-level visibility over your Snyk-generated manual and auto-fix PRs. The premise was simple: many Snyk accounts have hundreds, if not thousands, of projects within a single Group, which makes monitoring PRs near impossible.

Until now, AppSec teams have been left to their own devices to understand concepts such as PR volume, state, merge rates, and even mean time to merge. With the introduction of the 'Snyk Generated Pull Request' report, we make it simple to view this information and take action on it. Moreover, the report is available at both the organizational and group levels, allowing you to spend more time analyzing and less time filtering for the right granularity.

What's new in the general availability release:

• A new global filter for specific package managers (thanks for your feedback!)

• A new table in the drawer to track PRs created for a specific repo

• Performance enhancements in filtering, data population, and overall loading time

To view the report, select Reports in the left-hand navigation of Snyk's UI. At the top of the page, under the Change Report dropdown, select Snyk Generated Pull Request.

Happy Remediating!

We are excited to announce that a couple of new asset enrichments from the SCM will be available beginning July 30th!

The new asset context properties introduced are:

1. SCM Project from BitBucket and Azure DevOps

2. SCM Organization from all SCMs (representing the SCM Organization in GitHub & Azure DevOps,Workspace in BitBucket, and Group in GitLab)

With additional asset context, it is possible to better prioritize and classify repositories based also on their SCM properties. Additionally this enables users to enforce coverage controls based on the SCM properties.

We are constantly working to provide additional asset context! If you have any asset context that you would like to see in Snyk or have any questions, contact the Snyk Support Team.

Following our Early Access launch of Snyk MCP for Agentic Workflows, we are excited to introduce powerful new visibility into how your teams are adopting Snyk in their local and AI-driven development environments.

We are rolling out key new metrics to the Developer IDE and CLI usage report to capture detailed MCP usage. This update will provide deeper insights into developer adoption with three key additions:

• Top-Level MCP Scan Count: A high-level summary of the total number of MCP scans performed by your team.

• Usage Breakdown Chart: A new chart that visualizes the usage split between the Snyk CLI, our various IDE plugins, and Agentic Scans (MCP), helping you clearly see which platforms developers leverage.

• MCP Host Breakdown Chart: To offer more granular insights, a new chart will break down Agentic Scans by the specific host application, such as Windsurf, Cursor, and others.

These new reporting features will allow security teams to demonstrate strong shift-left behavior and identify teams that are successfully adopting Snyk locally as a model for the rest of the organization.

To enable this new level of insight, it is required for users to update to the latest versions of the Snyk CLI (v1.1298.1).

Please reference our documentation for all the details and prerequisites to use the report.

Finding and providing up-to-date API schemas for security scanning is a common challenge. To solve this, Snyk API & Web now integrates with Akamai to simplify and automate your API security workflow, helping you maintain comprehensive coverage with significantly less manual effort.

This integration connects directly to your Akamai account to automatically discover your complete API inventory and import the corresponding schemas required for security testing.

Key Features

• Automated API Discovery: The integration automatically imports your API inventory and schemas from Akamai, eliminating the manual work of finding and uploading them.

• Increased Scan Coverage: By discovering all your Akamai-managed APIs, you can ensure broader security testing coverage across your application portfolio.

• One-Click Onboarding: Add discovered APIs as targets with a single click, with their schemas pre-populated and ready for testing.

How to Get Started

Availability: This feature will be available in your Snyk API & Web account on August 4, 2025.

Once available, you can begin using the integration by following these steps:

1. Connect to Akamai: Go to Settings > Integrations in your Snyk API & Web account to configure the new Akamai integration.

2. View Imported Domains: After a successful connection, Snyk API & Web imports your domains from Akamai. You can see these new domains under Targets > Domains.

3. Discover and Scan Your APIs: Snyk API & Web then automatically scans these domains to find the associated API assets. When the scan is complete, your discovered APIs are displayed when you select the Discovery menu option. From there, you can add them as targets and begin scanning immediately.

To find specific API assets, use the following filters:

• Filter by Type > API to display only API assets.

• Filter by Source > Akamai to display assets imported from this integration.

Need Help?

If you have any questions or need assistance with the new integration, please contact the Snyk support team.

We’ve released a CLI hotfix (v1.1298.1) to address regressions from a recent release and improve analytics tracking.

This update includes the following:

• Container Scanning: Fixes a bug that may have caused scans of local container images to fail. This issue could occur in various environments, particularly those using base images with alternative default shells (e.g., Alpine, BusyBox).

• Enhanced MCP Analytics: Improves analytics for MCP scans in order to support upcoming reporting capabilities.

As this is a targeted hotfix, no other changes in behavior or new features are expected.

Release notes are available here.

We encourage everyone to upgrade to the latest version to ensure stability and benefit from these important fixes. If you have any questions, please don’t hesitate to reach out to the Snyk support team.

We've rolled out an enhanced tenant-level Snyk Analytics experience! This update empowers you with more control and deeper insights into your security posture, making it easier than ever to manage risk across your organization.

What's New & Improved?

• Customizable Dashboards: You can now build your own analytics dashboards using a new set of widgets. This lets you focus on the metrics that matter most to you.

• Centralized Reporting Catalog: Access a new catalog of Snyk tenant-level reports. This central hub makes it simpler to find and access the reports you need, providing a unified view of your security data.

• Improved Data Access: Users with group reporting permissions now have direct access to tenant-level analytics for all the groups they are authorized to view, streamlining data visibility and collaboration.

Who Can Access This Early Access?

This exciting Early Access is currently available for our Enterprise plan customers who have group-level reporting permissions.

How to Opt-In:

Look for a banner link on your existing Tenant Analytics page to opt in. You can switch back to the current General Availability (GA) experience at any time.

Also, Now Generally Available!

As part of this release, we're also pleased to announce that the Repositories Tested in CI/CD report and the PCI-DSS v4.0.1 report have been moved to General Availability.

Go to Redesigned Analytics to learn more about this new Analytics page!

As part of the Snyk AI Trust platform, Snyk Agent Fix will be available in pull requests starting next week, on 23 June. This feature aims to reduce the manual overhead of resolving vulnerabilities and minimize PR time to merge, all while ensuring seamless integration into existing developer workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

• Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

• View an explanation of the suggested fix alongside the code snippet.

• Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

• Generate multiple fix suggestions within the same PR, where applicable.

Early access is currently focused on GitHub integrations: GitHub App (Cloud and Server). GitHub and GitHub Enterprise while support for additional SCM integrations is coming soon. This is part of an ongoing series of enhancements aimed at improving the developer pull request experience with Snyk. If you’d like to enable this feature for your organization, you will be able to self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out the user docs for more details. We’re committed to continuously improving this experience — reach out to your account team if you’d like to join feedback sessions and help shape the future of your Snyk workflows.

On August 5th, 2025, Snyk Code will receive a significant analysis and coverage upgrade. This update will enhance detection capabilities and may lead to a change in findings for some customers, including new findings and a reduction in false positives for most.

Key improvements in this release include:

• Go & PHP: Improved analysis of multi-variable declarations to reduce false positives in common assignment patterns.

• All Languages: Enhanced inter-file analysis to more accurately track when data is sanitized across multiple files, significantly reducing a common source of false positives.

• All Languages (except Scala & Ruby): Better detection of field-level sanitization within a single file, reducing false positives where tainted data is later made safe.

• JavaScript and TypeScript: Support for mongoose as well as express-mongo-sanitize has been added.

• Java: Added support for the JAX-RS framework.

• Go: Added support for the sqlx library.

• Scala: Added support for the Slick framework.

• Python: Introduced initial support for CWE-330, detecting insecure random number generation related to ciphers.