Product Updates


Announcing Snyk CLI v1.1299.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1299.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

General Enhancements

  • Personal Access Token (PAT) Authentication: When using a Personal Access Token (PAT), the CLI will now automatically detect and configure the correct region during authentication. This improvement simplifies the setup process and ensures a smoother authentication experience without manual configuration.

  • Stability and Performance: This release also includes numerous bug fixes and enhancements to improve the overall stability and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly raises errors for out-of-sync Yarn manifest files that use resolutions when running in the default strict out-of-sync mode. Previously, this setting was ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Johann Sutherland

Announcing Snyk CLI v1.1298.2

New

We’ve released a new CLI hotfix (v1.1298.2) to address several bugs and improve the overall user experience.

This update includes the following:

  • MCP: Streamlines local project testing by preventing unnecessary security prompts for folders you have already trusted. This category also includes security hardening to improve the container scanning tool’s resilience against potential prompt injection.

  • Snyk Code: Resolves an issue where running the snyk code test --report command could fail in environments where a PROJECT_ID environment variable is set.

  • Snyk Agent Fix: Resolves an issue that could prevent Snyk Agent Fix from being available in IDE plugins for users whose default organization didn't have the feature enabled.

As this is a targeted hotfix, no other changes in behavior or new features are expected.

Release notes are available here.

We encourage everyone to upgrade to the latest version to ensure stability and benefit from these important fixes.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

Announcing MCP Visibility in the Developer IDE and CLI Usage Report

New

Following our Early Access launch of Snyk MCP for Agentic Workflows, we are excited to introduce powerful new visibility into how your teams are adopting Snyk in their local and AI-driven development environments.

We are rolling out key new metrics to the Developer IDE and CLI usage report to capture detailed MCP usage. This update will provide deeper insights into developer adoption with three key additions:

  • Top-Level MCP Scan Count: A high-level summary of the total number of MCP scans performed by your team.

  • Usage Breakdown Chart: A new chart that visualizes the usage split between the Snyk CLI, our various IDE plugins, and Agentic Scans (MCP), helping you clearly see which platforms developers leverage.

  • MCP Host Breakdown Chart: To offer more granular insights, a new chart will break down Agentic Scans by the specific host application, such as Windsurf, Cursor, and others.

These new reporting features will allow security teams to demonstrate strong shift-left behavior and identify teams that are successfully adopting Snyk locally as a model for the rest of the organization.

To enable this new level of insight, users must update to the latest version of the Snyk CLI (v1.1298.1).

Please reference our documentation for all the details and prerequisites to use the report.

Costin Busioc | Senior Product Manager

Announcing Snyk CLI v1.1298.1

New

We’ve released a CLI hotfix (v1.1298.1) to address regressions from a recent release and improve analytics tracking.

This update includes the following:

  • Container Scanning: Fixes a bug that may have caused scans of local container images to fail. This issue could occur in various environments, particularly those using base images with alternative default shells (e.g., Alpine, BusyBox).

  • Enhanced MCP Analytics: Improves analytics for MCP scans in order to support upcoming reporting capabilities.

As this is a targeted hotfix, no other changes in behavior or new features are expected.

Release notes are available here.

We encourage everyone to upgrade to the latest version to ensure stability and benefit from these important fixes. If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

Announcing Snyk CLI v1.1298.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1298.0.

We are introducing the following new features and improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the release notes.

General Enhancements

  • Updated glibc requirements: This version introduces new expectations for the underlying glibc requirements for Linux users. We recommend reviewing the updated requirements to ensure continued smooth operation. More details here.

  • Personal Access Token (PAT) Support: We have added support for Personal Access Tokens (PAT) for authentication. More details here.

  • MCP Enhancements: Further improvements have been made to the Snyk MCP for Agentic Workflows to enhance AI-driven security workflows. More details here.

Open Source Enhancements

  • Maven: For long-running test, monitor, and sbom scans on projects with dense dependency graphs, the -Dverbose flag now provides improved output and progress indication.

  • Dotnet: We have improved support for comments within global.json files. Scans that previously failed when the file contained special content, such as URLs, will now complete successfully.

  • NPM/Yarn: Package aliases are now supported and honored by default, leading to more accurate dependency resolution in complex projects.

  • Node.js: The dependency graph produced by snyk test --print-graph has been enhanced. Node IDs will now contain type and classifier information for greater clarity.

  • Gradle: For projects scanned with the --gradle-normalize-deps flag, internal project dependencies with multiple artifacts under a single coordinate will now correctly show all dependencies instead of a single, randomly selected one.

Container Enhancements

  • Red Hat vulnerability scanning: Starting from RHEL 10, Red Hat provides vulnerability data in CSAF/VEX format, and we now support this format.

  • Support for new versions of Chainguard Wolfi images: Chainguard has changed some file locations in its images. With this new version, scanning of Chainguard images is accurately supported again.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!

Costin Busioc | Senior Product Manager

Announcing Snyk MCP for Agentic Workflows - Early Access

New

We are excited to announce that Snyk MCP for Agentic Workflows is transitioning from an experimental feature to Early Access. This milestone introduces significant enhancements to how developers can integrate Snyk's security intelligence into their AI-driven workflows, making security an even more seamless part of the development process.

As we move to Early Access, we are introducing several key changes and new features to improve security, usability, and visibility.

  • Folder Trust Mechanism: Before a scan can be initiated, MCP will now require the explicit trust of the target folder via a browser popup confirmation. The path of the trusted folder is then saved in the local configuration for future use. For developers who require it, this security mechanism can be disabled using the --disable-trust flag.

  • New MCP Tools: This release introduces a suite of new, dedicated tools to expand the capabilities of MCP. These include: snyk_aibom, snyk_container_scan, snyk_iac_scan, snyk_sbom_scan, and snyk_trust. These tools provide more granular control and a wider range of security scans that can be programmatically invoked within your AI environments.

  • Improved Logging and Analytics: We've enhanced our logging and analytics to provide better insights and easier debugging. Logs are now sent as notifications to the MCP Host and are also persisted locally.

  • VS Code Extension Auto-Discovery: To simplify the setup process for developers using Visual Studio Code, MCP will be auto-discovered through our VS Code extension (starting v2.23.0) for GitHub Copilot. This makes it even easier to get started with AI-powered security scanning directly within your IDE.

  • --experimental Flag Removal: With the move to Early Access, the --experimental flag is no longer required to use MCP. We've streamlined the process, allowing for easier integration and a cleaner command-line experience. Existing workflows that have the flag configured will not be affected and will continue to work as expected.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to explore these new capabilities. To benefit from a more powerful and secure Snyk MCP experience, including all the features mentioned, please upgrade to Snyk CLI v1.1298.0!

Costin Busioc | Senior Product Manager

A new architecture for the Snyk integrations public documentation

New

To enhance developer efficiency and optimize our security tools, Snyk is excited to introduce a new architecture for the Snyk integrations public documentation. This centralized documentation section offers a dedicated and organized area for all Snyk CLI, IDE, and CI/CD integrations.

The objective is to integrate security seamlessly into the software development lifecycle. This update directly supports that goal by offering a cohesive discovery point of the developer tools, clearly distinct from SCM and other platform integrations. The result is a more logical and intuitive user experience.

This change provides the following advantages:

  • Improved usability: By creating a dedicated section for developer-centric integrations, users can locate and configure the necessary tools with greater precision and fewer errors.

  • Accelerated tool adoption: The centralized documentation section simplifies the discovery process, allowing development and security teams to implement and deploy Snyk more quickly across their workflow environments.

  • Increased efficiency: Users can save considerable time when accessing and managing the integrations essential to their daily development and security workflows.

To ensure continuity, all bookmarks and links to previous integration pages will be automatically redirected to their new locations within the public documentation, preventing any disruption to user workflows.

This information architecture change will officially come into effect on July 9, 2025.

Veronica Cernea | Manager, User Documentation

Announcing Snyk CLI v1.1297.3 to address debug logging vulnerability CVE-2025-6624

New

We are releasing Snyk CLI v1.1297.3, a follow-up hotfix to our recent v1.1297.2 announcement. This update further enhances the security of debug logging.

We encourage all users to upgrade to v1.1297.3 to benefit from these important security enhancements. Release notes can be found here.

CVE-2025-6624 has been published to address this vulnerability.

Important: This hotfix resolves a potential vulnerability. Please review the details below.

By default, the Snyk CLI sanitizes sensitive credential information from logs. However, previous versions of the Snyk container CLI tool had potential weaknesses in this sanitization: sensitive credentials could be written into local Snyk CLI debug logs if the Snyk CLI was executed in DEBUG mode or in DEBUG mode with the log level set to TRACE. There is no exposure to these vulnerabilities if the DEBUG flag is not used when executing Snyk CLI commands. Exact details are listed below.

Although these logs are only stored locally where the CLI is invoked, debug logs might have been manually sent as part of support queries to Snyk Support Engineers or copied/backed up to other locations by your processes.

Snyk has already proactively reached out to any customers we believe may have been exposed to this vulnerability, based on our internal usage logs. However, we recommend that users of Snyk CLI upgrade to this hotfix to avoid any future exposure.

This hotfix resolves the following vulnerabilities:

  • When the snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials could previously be written into the local Snyk CLI debug log in some circumstances. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u).

  • When the snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the access / refresh credential tokens used to connect the CLI to Snyk could previously be written into the local CLI debug logs.

  • When the snyk iac test command is executed with a remote IaC custom rules bundle, debug mode enabled AND the log level set to TRACE, the docker registry token could previously be written into the local CLI debug logs.
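Because such logs may have been attached to support tickets or backed up elsewhere, teams may want to check archived CLI debug logs for the literal credential values before deciding whether to rotate them. The following Python check is an added example and not Snyk's code: the environment variable names come from the advisory above, the base64 'user:password' form is an assumed extra heuristic (HTTP basic auth), and the sample log lines are constructed.

```python
"""Scan archived Snyk CLI debug logs for literal credential values.

Added example, not Snyk's code. The environment variable names come from the
advisory; the base64 'user:password' form (HTTP basic auth) is an assumed
extra heuristic, and the sample log lines below are constructed.
"""
import base64


def candidate_values(env, user_var="SNYK_REGISTRY_USERNAME",
                     pass_var="SNYK_REGISTRY_PASSWORD"):
    """Strings to search for: the raw password and base64('user:password')."""
    values = set()
    password = env.get(pass_var)
    user = env.get(user_var)
    if password:
        values.add(password)
        if user:
            values.add(base64.b64encode(f"{user}:{password}".encode()).decode())
    return values


def find_leaks(log_lines, secrets):
    """Return (line_number, redacted_line) for each line containing a secret;
    the secret is replaced with a marker so the report itself can be shared."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        redacted = line.rstrip("\n")
        matched = False
        for secret in secrets:
            if secret and secret in redacted:
                matched = True
                redacted = redacted.replace(secret, "[REDACTED]")
        if matched:
            hits.append((number, redacted))
    return hits


# Constructed sample data; the log format is illustrative, not real Snyk output.
SAMPLE_ENV = {"SNYK_REGISTRY_USERNAME": "ci-bot",
              "SNYK_REGISTRY_PASSWORD": "s3cr3t-example"}
SAMPLE_LOG = [
    "2025-01-01T00:00:00Z debug resolving registry.example/app:1.0\n",
    "2025-01-01T00:00:01Z debug Authorization: Basic "
    + base64.b64encode(b"ci-bot:s3cr3t-example").decode() + "\n",
    "2025-01-01T00:00:02Z debug registry username=ci-bot password=s3cr3t-example\n",
    "2025-01-01T00:00:03Z debug scan complete\n",
]
```

To run it against real data, pass os.environ to candidate_values and the lines of the archived log file to find_leaks; any hit means the credential should be treated as exposed and rotated.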

Costin Busioc | Senior Product Manager

Snyk Code Consistent Ignores is Generally Available (GA)

Improved

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.

Ezra Tanzer | Director, Product Management