Product Updates


Snyk Code - Enhanced JavaScript Analysis

Improved

Starting June 1, 2025, Snyk Code will enhance its JavaScript analysis. This improves the understanding of function declarations, leading to more accurate scan results and a significant reduction in false positives.

  • JavaScript Function Declarations: More precise recognition of various declaration methods, including prototype patterns, to improve taint flow analysis.

This update will be released as part of Snyk Code’s GA JavaScript support.

Sebastian Roth | Senior Product Manager

Announcing Snyk CLI v1.1297.0

New

We are pleased to announce the latest stable Snyk CLI release v1.1297.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

Container Enhancements

We've made scanning container image archives more straightforward. You can now directly scan image archives (e.g., image.tar) using snyk container test image.tar or snyk container monitor image.tar without needing to specify the image type as a prefix. This simplifies the command structure and streamlines your container security workflows.

Open Source Enhancements

This release brings significant improvements to Gradle module resolutions. The Snyk CLI's Gradle dependency resolution will now default to finding all artifacts against resolved dependencies. You can read more about this here.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Improved .NET scanning for Snyk Open Source: Early Access

Early access

We are excited to announce that major improvements to scanning NuGet .NET applications in Snyk Open Source are available in Early Access!

The new scanning approach leverages closer integration with the internal workings of the .NET ecosystem, and works with the Snyk CLI and SCM integrations.

The key benefits over the previous solution include:

  • Greater consistency across CLI and SCM results

  • No false positives from runtime dependencies

  • Support for more .NET features, such as .props files, global.json, and Central Package Management

  • Support for private NuGet package repositories (inc. Azure Artifacts)

To get up and running with improved .NET scanning, check out the documentation.

Snyk Code Consistent Ignores support bulk conversion

Early access

Customers participating in the Snyk Code Consistent Ignores early access can now convert, in bulk, pre-existing ignores created via the project page or via the API. Bulk conversions can be executed via the UI from a project page, and customers can also choose to write scripts for ignore conversion by leveraging the API.

Documentation outlining the details of this new functionality is available here.

Ezra Tanzer | Director, Product Management

Snyk Open Source - Snyk CLI PHP bug fix

Fix

We are pleased to announce a bug fix for Snyk Open Source PHP support in the Snyk CLI.

With this update CLI support for PHP will be improved as follows:

  • Today, Snyk CLI test and monitor commands may fail for users who only have composer.phar locally and no global composer. With this bug fix, these scans will now succeed.

How will my scan results change?

  • CI/CD pipelines that were failing due to this error may now succeed after upgrading to the new CLI version

  • New issues may be found when the projects are scanned successfully

What are the next steps?

The changes are available now in the preview channel of the CLI, and will be included in the stable channel on 14 May 2025.

Snyk Essentials - Project Context on Assets

New

We’re excited to announce that Project Context on Assets is now Generally Available! This feature brings powerful visibility and clarity into how your assets connect to underlying Snyk Projects and Organizations.

What’s New?

  • Easily see which Projects and Orgs each asset belongs to

  • View key scanning details like last scan time and surface (SCM or CLI)

  • Filter assets by associated Snyk Orgs for faster, smarter asset management

With this change, AppSec teams can now better understand how, where, and when assets are being scanned – making it easier to act on security insights and streamline workflows.

Please see our user docs for more details, and contact your account team with any questions.

Itay Maor | Senior Manager, Product

PR Experience for GitHub and Bitbucket is now Generally Available

New

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments are now Generally Available! 🎉

As of May 1, 2025, the features are enabled by default for all customers using PR Checks on supported SCMs, marking a major milestone in how Snyk brings security into the developer workflow.

What’s included:

  • Issue Summary Comments for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code issue findings, providing high-context feedback directly in the pull request.

This applies to repositories connected via:

  • GitHub: GitHub OAuth, GitHub Enterprise (PAT), and GitHub Cloud App

  • Bitbucket: Bitbucket Cloud (PAT) and Bitbucket Cloud App

To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. We’re excited to see how this helps your teams catch and fix issues faster, right within your SCM! 🚀

Refer to the user documentation for more details!

Mayank Khera | Senior Product Manager

Addition of Code Details and Description in REST Issues API

New

We're excited to share that the REST Issues API now includes code details and issue descriptions. This enhancement significantly improves prioritization workflows, risk assessment, and the remediation of security issues.

The following fields will be added:

  1. Snyk Code details

     • File Path - allows tracing all Snyk Code issues within a specific file.

     • Code Region - guides users to the specific lines and columns where the issue was found.

     • Commit ID - allows users to match Snyk Code issues to their commit ID, so that they can tell which specific version of the code has the issue.

     • Key Asset - allows identifying Snyk Code issues with a unique ID per repository.

  2. Description - provides users with a clearer understanding of the issue’s nature and aids in prioritization.

For more information, please refer to the API documentation.

Stay secure,

Hadar Mutai | Senior Product Manager

Snyk Open Source - Snyk CLI Gradle support bug fixes

Fix

We are pleased to announce two Snyk Open Source bug fixes for Gradle support in the CLI.

With this update CLI support for Gradle will be improved as follows:

  • Multiple packages with the same artifactId will be included in the dependency graph correctly.

  • Platform dependencies will no longer be included in the dependency graph. Platform dependencies are not regular dependencies of the project and do not result in an artifact. Rather, they control the versions of other dependencies, in a similar way to dependency management BOMs in Maven.

How will my scan results change?

Overall, this release should not lead to an increase in vulns or issues.

  • artifactId change - we might find more paths in the dependency graph, but the packages and issues should remain the same.

  • platform change - potentially fewer issues.

What are the next steps?

The changes are available now in the preview channel of the CLI, and will be included in the stable channel on 14 May 2025.

Snyk Essentials - Repository Visibility Enrichment

New

We are excited to announce that the Repository Visibility asset enrichment will be available on April 29th!

A new type of enrichment called Visibility has been added. It provides visibility information (Public/Private/Internal) for assets of type repository, shown in a new column called "Visibility". The main highlights include:

  • Allow prioritization/classification of repository assets based on their visibility (Public/Private/Internal).

  • Allow enforcement of coverage controls based on the visibility of the repositories.

We are constantly working on providing additional asset context! If you have any repository context that you would like to enrich your assets with, or have any questions, contact the Snyk Support Team.

Noa Moshe | Product Manager