Product Updates


Announcing new versions of Snyk IDE plugins

New

We are pleased to announce the new stable releases for our IDE plugins. The new versions are:

The releases include notable enhancements and changes:

  • Personal Access Token (PAT) Support: We've added support for Personal Access Tokens (PAT) for authentication across all IDEs. This provides another secure method to connect to Snyk, in addition to our existing OAuth and legacy token methods.

  • Feature Removals: The following three features are being removed (as previously announced here):

    • Code Quality Findings in Snyk Code

    • JavaScript CDN Library Detection in HTML, JS, and TS files

    • Container Image Detection in Kubernetes YAML Files

  • VS Code Copilot Integration: The Snyk VS Code extension will now be automatically detected to support the Model Context Protocol (MCP) in GitHub Copilot, allowing for a more integrated AI-driven security experience directly in the editor. More details here.

Please consult the changelog for each of our plugins for a more detailed list of other bug fixes and enhancements.

You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the newest versions once they are available in your IDE's marketplace!

Costin Busioc | Senior Product Manager

Snyk Essentials: An asset policy template for email notifications on newly discovered repositories

New

We've added a new asset policy template to easily keep up with new repositories discovered across all SCMs used within a specific Snyk Group.

The out-of-the-box logic is set to notify on newly discovered repositories from the past 7 days that are not yet tested with Snyk. Customers only need to add the list of email recipients to save and start using it.

The template can be tweaked and adjusted as needed.

Maya Mandel | Senior Manager, Product

Group by Dependency: A New View for Snyk Open Source

New

We're excited to announce a new default vulnerability experience coming to Snyk Open Source, launching over the next couple of weeks to all Maven, .NET, npm, Python, Ruby, and Yarn projects.

What's New?

We've shifted the focus from individual vulnerabilities to the libraries they belong to. This new dependency-grouped view provides a holistic look at your remediation options, allowing you to see the full impact of each potential library upgrade.

Instead of fixing vulnerabilities one by one, you can now perform a true cost/benefit analysis. See exactly how many issues you can resolve with a single upgrade, compare the impact of different library updates, and make more informed decisions to maximize your team's efficiency. We've also streamlined the Fix PR process, making it easier to understand and customize your upgrades with just a few clicks.

How do I use it?

This new experience will begin rolling out to all applicable Snyk projects over the next couple of weeks. Once enabled, navigate to an individual project in your organization to see it in action. To switch back to the legacy view, click the “Group by” dropdown in the right-hand corner and select "none".

Happy Remediating!

Ryan McMorrow | Product Lead, Remediation

Announcing Snyk MCP for Agentic Workflows - Early Access

New

We are excited to announce that Snyk MCP for Agentic Workflows is transitioning from an experimental feature to Early Access. This milestone introduces significant enhancements to how developers can integrate Snyk's security intelligence into their AI-driven workflows, making security an even more seamless part of the development process.

As we move to Early Access, we are introducing several key changes and new features to improve security, usability, and visibility.

  • Folder Trust Mechanism: Before a scan can be initiated, MCP will now require the explicit trust of the target folder via a browser popup confirmation. The path of the trusted folder is then saved in the local configuration for future use. For developers who require it, this security mechanism can be disabled using the --disable-trust flag.

  • New MCP Tools: This release introduces a suite of new, dedicated tools to expand the capabilities of MCP. These include: snyk_aibom, snyk_container_scan, snyk_iac_scan, snyk_sbom_scan, and snyk_trust. These tools provide more granular control and a wider range of security scans that can be programmatically invoked within your AI environments.

  • Improved Logging and Analytics: We've enhanced our logging and analytics to provide better insights and easier debugging. Logs are now sent as notifications to the MCP Host and are also persisted locally.

  • VS Code Extension Auto-Discovery: To simplify the setup process for developers using Visual Studio Code, MCP will be auto-discovered through our VS Code extension (starting v2.23.0) for GitHub Copilot. This makes it even easier to get started with AI-powered security scanning directly within your IDE.

  • --experimental Flag Removal: With the move to Early Access, the --experimental flag is no longer required to use MCP. We've streamlined the process, allowing for easier integration and a cleaner command-line experience. Existing workflows that have the flag configured will not be affected and will continue to work as expected.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to explore these new capabilities. To benefit from a more powerful and secure Snyk MCP experience, including all the features mentioned, please upgrade to Snyk CLI v1.1298.0!

Costin Busioc | Senior Product Manager

Announcing Snyk CLI v1.1298.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1298.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

General Enhancements

  • Updated glibc requirements: This version introduces new expectations for the underlying glibc requirements for Linux users. We recommend reviewing the updated requirements to ensure continued smooth operation. More details here.

  • Personal Access Token (PAT) Support: We have added support for Personal Access Tokens (PAT) for authentication. More details here.

  • MCP Enhancements: Further improvements have been made to the Snyk MCP for Agentic Workflows to enhance AI-driven security workflows. More details here.

Open Source Enhancements

  • Maven: For long-running test, monitor, and sbom scans on projects with dense dependency graphs, the Dverbose flag now provides improved output and progress indication.

  • Dotnet: We have improved support for comments within global.json files. Scans that previously failed when the file contained special content, such as URLs, will now complete successfully.

  • NPM/Yarn: Package aliases are now supported and honored by default, leading to more accurate dependency resolution in complex projects.

  • Node.js: The dependency graph produced by snyk test --print-graph has been enhanced. Node IDs will now contain type and classifier information for greater clarity.

  • Gradle: For projects scanned with the --gradle-normalize-deps flag, internal project dependencies with multiple artifacts under a single coordinate will now correctly show all dependencies instead of a single, randomly selected one.

Container Enhancements

  • Red Hat Vulnerability scanning: Starting from RHEL 10, Red Hat will be providing vulnerability data in CSAF/VEX format, and we now support this new format.

  • Support for new versions of Chainguard Wolf images: Chainguard has made some changes in file locations. With this new version we now accurately support scanning Chainguard images.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Snyk Code: Support for MCP Server Sources

New

Starting July 23, 2025, Snyk Code will be updated to recognize new application entry points within MCP (Model Context Protocol) server implementations.

The security analysis will now trace data from these MCP sources as it enters an application, expanding security coverage for agentic workflows. As a result of this expanded analysis, findings in affected projects may change.

This support covers the following key frameworks and libraries:

  • Java: Spring AI (org.springframework.ai)

  • JavaScript: FastMCP, modelcontextprotocol/typescript-sdk

  • Python: FastMCP, modelcontextprotocol/python-sdk, aiofiles

Sebastian Roth | Senior Product Manager

Snyk Code: Enhanced Python Package Analysis

Improved

Snyk Code’s Python analysis has been updated to support __init__.py files, improving scan accuracy and depth.

This enhancement allows for the correct importing of symbols defined in package initialization files. This leads to a more accurate analysis of projects that use this common packaging structure, which is detailed in the official Python documentation on modules.

As a result of this deeper analysis, customers with projects utilizing this module structure may see new findings in their scan results.

This update affects Python projects only and was rolled out to all Snyk customers as part of recent support case work.

Sebastian Roth | Senior Product Manager

Snyk Assist: AI Learning Assistant

New

We're excited to announce that Snyk Assist is now available for Snyk Learning Management customers across all Snyk Multi-Tenant regions.

What is Snyk Assist?

Snyk Assist is an AI-powered assistant integrated into the Snyk Learn platform. It is designed to answer your Snyk product and application security questions instantly, helping you learn faster and resolve queries efficiently directly within your learning environment.

How do I get access?

Dive deeper

For more information on Snyk Assist, check out our Snyk Assist docs, take our Snyk Learn Lesson on Snyk Assist and read our blog on AI assisted development.

Alex Ley | Director, Snyk Learn

Improvements & fixes coming to the "List issues for a package" APIs 🔧

Fix

We're pleased to announce that on Friday, July 11th, 2025 we will be introducing several improvements to the "List issues for a package" APIs.

This release will reduce request latency and improve the timeliness of newly published advisories being returned by the API.

In addition, this release will address several bugs listed below, which may result in changes to the number of vulnerabilities returned for some packages:

  • Currently the API responds with all vulnerabilities about a package in Linux ecosystems (apk, deb and rpm). The fix reduces those down to only the vulnerabilities affecting the specified version.

  • Requests for npm purls that contain an @ symbol in the namespace currently cause a 400 Bad Request. This change properly parses these purls and instead correctly returns a 200 OK with the expected vulnerabilities.

  • When there is no remedy, the remedies array will now be empty.

  • The problems array is now consistently sorted by each object's id.

Please reach out if you have any questions.

Ryan Searle | Product Director

Snyk Code: Improved Accuracy for CSRF Detection in C# WebAPI Applications

Improved

Starting July 14, 2025, Snyk Code will release an update to improve the accuracy of CSRF (CWE-352) detection in C# WebAPI applications.

  • This fix significantly reduces false positives, helping developers focus on real issues without being distracted by incorrect CSRF findings. Other vulnerability results are unaffected.

The update will roll out as part of Snyk Code’s General Availability (GA) support for C#.

Sebastian Roth | Senior Product Manager