Product Updates

We’re excited to announce the Early Access launch of the PR Check Report, a powerful new way to see how PR checks are performing and driving security outcomes across your organization. This release sets the stage for measuring the true security impact of PR checks across your organization and strengthening your overall prevention posture.

The current release of the report helps you:

• Monitor performance: Track pass, fail, error, and marked-as-successful rates over time across Snyk Open Source and Snyk Code checks. 

• Measure coverage: Understand where PR checks are enabled across your repositories to identify adoption gaps.

• Uncover recurring errors: Surface common error types and configuration issues to improve scan reliability and developer confidence.

Feature highlights:

• Flexible filters by time window, Snyk product (Snyk Open Source / Snyk Code), and project parameters like origin (SCM) and asset class.

• Org, Group, and Tenant-level insights into PR check performance and coverage.

• Export options for deeper data exploration and sharing.

The report is available under Analytics in the All Reports section for Tenant-level visibility. You can also find it in the Reports section of your Group or Organization by selecting Pull Request Checks Usage & Performance from the Change Report menu.

Learn more in our user documentation and connect with your account team to share feedback or help shape upcoming improvements.

This feature eliminates the manual overhead of resolving vulnerabilities, helping developers merge secure PRs faster while integrating seamlessly into their existing workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

• Generate fix suggestions using @snyk /fix command in a PR inline comment, displaying a proposed code change.

• View and explanation of the suggested fix alongside the code snippet.

• Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

• Generate multiple fix suggestions within the same PR, where applicable.

If you'd like to enable this feature for your organization, you can do so in the Pull Request Experience section in your SCM integration settings.

Check our user documentation for more details and connect with your account team to participate in feedback sessions to shape the future of your workflows with Snyk.

We're excited to introduce a new design for PR summary comments, which will give developers and reviewers a clearer, more organized view of their PR check results.

• Streamlined summaries: Results are now displayed in a simple table, with links to the full test report and the number of issues per scan type. This helps teams quickly see whether a PR includes open-source vulnerabilities, license issues, or code vulnerabilities, and then dive deeper into the details in Snyk.

• Cleaner experience: The banner has been removed, making it easier to see PR check results at a glance, even if they're being consumed by other integrations (like Slack notifications).

The new design for summary comments is enabled by default, and is available across all supported SCMs.

We're excited to see how this helps your teams streamline code reviews and address issues more efficiently!

We're excited to share an improvement to our GitLab integration that ensures Snyk's Pull Request (PR) Check status always reports to the correct pipeline.

Previously, the PR Check status could appear on the wrong pipeline, especially with Merged Result Pipelines. This sometimes prevented GitLab's "Pipelines must succeed" feature from working correctly, potentially alowing insecure merges. With this update, you can now confidently set branch protection rules with Snyk PR Checks and merge with peace of mind.

• Enforce secure merges with confidence: Snyk PR Check status now correctly attaches to the highest-priority pipeline (Merge Result, Merge Request, or Branch). This ensures GitLab's merge gate always has Snyk scan results, so vulnerable code can be blocked reliably.

• Improved clarity for developers: The Snyk status now attaches to the right pipeline, removing confusion about which pipeline reflects the security scan.

This improvement has been rolled out to all customers today, and no explicit action is required. For more details, check our user documentation.

We’re pleased to announce that Issue Summary Comments and High-Context Inline Comments are now live and enabled by default for all customers using PR Checks with the following Source Code Manager (SCM) integrations:

• GitLab

• Azure Repos

• Bitbucket Server

What’s included:

• Issue Summary Comment for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

• Inline Comments for Snyk Code findings, providing high-context feedback directly in the pull request.

To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. Refer to the user documentation for more details.

At Snyk, our goal is to provide developers with the most secure and reliable tools. To deliver on that promise, we are focusing our support for Ruby Fix PRs on modern, actively supported versions of the language (3.1 and newer).

What's Changing?

As part of this focus, we will be ending support for creating Fix PRs for projects that use end-of-life (EOL) Ruby versions (those below 3.1)

This means that if you are using a Ruby version older than 3.1, you will no longer be able to automatically generate Fix PRs from Snyk.

Why We're Making This Change

• Focus on Security and Reliability: By concentrating on modern Ruby versions, we can ensure the quality and reliability of our Fix PRs, providing you with more accurate and secure fixes.

• Aligning with Ruby's Lifecycle: We're aligning our support with the official Ruby EOL schedule, ensuring that you're always working with supported and secure versions.

What This Means for You

• If you're using Ruby 3.1 or newer, there's no change for you. You will continue to receive Fix PRs as usual.

• If you're using a Ruby version older than 3.1, we encourage you to upgrade. This will not only allow you to continue using our Fix PR feature but also ensure you're benefiting from the latest security updates and performance improvements from the Ruby community.

Timeline

• October 1, 2025: End of Fix PR support for Ruby v2.3.

• February 1, 2026: End of Fix PR support for all Ruby versions below 3.1.

We're excited to continue improving Snyk for Ruby developers and helping you build secure applications.

If you're using Ruby 3.1 or newer, there's no change for you and you will continue to receive Fix PRs as usual. If you're using an older version, we encourage you to upgrade. This will allow you to continue using our Fix PR feature and benefit from the latest security updates and performance improvements from the Ruby community.

To learn more, visit our Snyk User Documentation.

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

• pnpm versions 7-10, including workspaces

• All Snyk SCM integrations

• Snyk CLI

• Snyk CI plug-ins

• PR Checks

• Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

• Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

• Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

• Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

• Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

As part of our continued effort to improve developer productivity, we have released several enhancements to High-Context Inline Comments today. These updates aim to reduce context switching by delivering contextual and actionable security findings directly within your workflow.

What’s new:

• Data Flow support for GitLab & Azure Repos - Data flows are now supported for both GitLab and Azure Repos, helping developers trace how a vulnerability travels from source to sink in their code, making investigation and fixes faster. For users leveraging Snyk Broker, they are supported for the following versions:

  • Gitlab: Broker version 4.215.2 or higher

  • Azure Repos: Broker version 4.218.2 or higher

• We’ve resolved an issue for GitHub and Bitbucket users leveraging Snyk Broker. Data flows will now correctly point to the intended commit reference for the following versions:

  • GitHub: Broker version 4.216.1 or higher

  • Bitbucket: Broker version 4.217.3 or higher

No action is required to enable these changes. You can find more details in the user docs.

As of January 28th, 2026, 6 months from today, Snyk will require customers to use Bitbucket Server version 7.4 or higher, or Bitbucket Data Center 8 or higher to continue using Snyk PR Checks, and Snyk Broker version 4.218.0 or higher when using a brokered connection.

We are making this change to provide consistent operation across our integrations, and to ensure customers have access to the latest Pull Request experience from Snyk.

With this change going into effect, the minimum requirements for using Snyk PR Checks with Bitbucket Server/Data Center are as follows:

1. Bitbucket Server version 7.4 or higher, or Bitbucket Data Center version 8 or higher

2. The integration must have been set up in accordance with Snyk's documented requirements, including the necessary scopes for the token associated with your Snyk Bitbucket Server/Data Center integration.

   This includes webhooks read and write scopes, for continued feature support

3. When using a brokered connection, Snyk Broker version 4.218.0 or higher is required

If you have any questions, please reach out to Snyk's support team.

Useful Links

• Prerequisites for automated PR checks

• Bitbucket Cloud and Bitbucket Data Center/Server token permissions

• Update the Snyk Broker client

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.