Product Updates

PR Experience for GitLab, Azure Repos, and Bitbucket Server is now Generally Available

New

We’re pleased to announce that Issue Summary Comments and High-Context Inline Comments are now live and enabled by default for all customers using PR Checks with the following Source Code Manager (SCM) integrations:

  • GitLab

  • Azure Repos

  • Bitbucket Server


What’s included:

  • Issue Summary Comment for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code findings, providing high-context feedback directly in the pull request.


To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. Refer to the user documentation for more details.

Mayank Khera | Senior Product Manager

Focusing Ruby Fix PR Support on Modern Versions

Deprecated

At Snyk, our goal is to provide developers with the most secure and reliable tools. To deliver on that promise, we are focusing our support for Ruby Fix PRs on modern, actively supported versions of the language (3.1 and newer).

What's Changing?

As part of this focus, we will be ending support for creating Fix PRs for projects that use end-of-life (EOL) Ruby versions (those below 3.1).

This means that if you are using a Ruby version older than 3.1, you will no longer be able to automatically generate Fix PRs from Snyk.

Why We're Making This Change

  • Focus on Security and Reliability: By concentrating on modern Ruby versions, we can ensure the quality and reliability of our Fix PRs, providing you with more accurate and secure fixes.

  • Aligning with Ruby's Lifecycle: We're aligning our support with the official Ruby EOL schedule, ensuring that you're always working with supported and secure versions.

What This Means for You

  • If you're using Ruby 3.1 or newer, there's no change for you. You will continue to receive Fix PRs as usual.

  • If you're using a Ruby version older than 3.1, we encourage you to upgrade. This will not only allow you to continue using our Fix PR feature but also ensure you're benefiting from the latest security updates and performance improvements from the Ruby community.

Timeline

  • October 1, 2025: End of Fix PR support for Ruby v2.3.

  • February 1, 2026: End of Fix PR support for all Ruby versions below 3.1.

We're excited to continue improving Snyk for Ruby developers and helping you build secure applications.

To learn more, visit our Snyk User Documentation.

Johann Sutherland

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Johann Sutherland

Enhancements to SAST High-Context Inline Comments in PRs

Improved

As part of our continued effort to improve developer productivity, we have released several enhancements to High-Context Inline Comments today. These updates aim to reduce context switching by delivering contextual and actionable security findings directly within your workflow.

What’s new:

  • Data Flow support for GitLab & Azure Repos - Data flows are now supported for both GitLab and Azure Repos, helping developers trace how a vulnerability travels from source to sink in their code, making investigation and fixes faster. For users leveraging Snyk Broker, data flows are supported for the following versions:

    • GitLab: Broker version 4.215.2 or higher

    • Azure Repos: Broker version 4.218.2 or higher

  • We’ve resolved an issue for GitHub and Bitbucket users leveraging Snyk Broker. Data flows will now correctly point to the intended commit reference for the following versions:

    • GitHub: Broker version 4.216.1 or higher

    • Bitbucket: Broker version 4.217.3 or higher

No action is required to enable these changes. You can find more details in the user docs.

Mayank Khera | Senior Product Manager

Update to the minimum requirements for Snyk PR Checks with Bitbucket Server/Data Center

New

As of January 28th, 2026, 6 months from today, Snyk will require customers to use Bitbucket Server version 7.4 or higher, or Bitbucket Data Center 8 or higher to continue using Snyk PR Checks, and Snyk Broker version 4.218.0 or higher when using a brokered connection.

We are making this change to provide consistent operation across our integrations, and to ensure customers have access to the latest Pull Request experience from Snyk.

With this change going into effect, the minimum requirements for using Snyk PR Checks with Bitbucket Server/Data Center are as follows:

  1. Bitbucket Server version 7.4 or higher, or Bitbucket Data Center version 8 or higher

  2. The integration must have been set up in accordance with Snyk's documented requirements, including the necessary scopes for the token associated with your Snyk Bitbucket Server/Data Center integration.

    This includes webhooks read and write scopes, for continued feature support.

  3. When using a brokered connection, Snyk Broker version 4.218.0 or higher is required

If you have any questions, please reach out to Snyk's support team.

Jeff Andersen | Director, Product Management

Snyk Code Consistent Ignores is Generally Available (GA)

Improved

Snyk Code Consistent Ignores is now Generally Available (GA) for all Snyk Code customers.

This capability ensures ignores are consistently applied in all surfaces throughout the development lifecycle, helping your teams eliminate distractions and focus on the risks that matter most. This means ignores are now respected across projects, branches, and integrations within a repository, notably in the IDE plugins, the Snyk CLI, and native PR checks.

For existing customers, Snyk Code Consistent Ignores can be enabled by toggling this on in your Group or Org settings. Any newly created groups or orgs will have this functionality enabled by default going forward.

We're thrilled to bring this powerful capability as a core offering of the Snyk platform, bringing a new level of focus and efficiency to your security workflows. For more detailed information on how Snyk Code Consistent Ignores works, check out the documentation and the Snyk Learn lesson.

Ezra Tanzer | Director, Product Management

PR Experience for GitHub and Bitbucket is now Generally Available

New

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments are now Generally Available! 🎉

As of May 1, 2025, the features are enabled by default for all customers using PR Checks on supported SCMs, marking a major milestone in how Snyk brings security into the developer workflow.

What’s included:

  • Issue Summary Comments for both successful and failed PR checks, covering Snyk Code and Open Source security & license findings.

  • Inline Comments for Snyk Code issue findings, providing high-context feedback directly in the pull request.

This applies to repositories connected via:

  • GitHub: GitHub OAuth, GitHub Enterprise (PAT), and GitHub Cloud App

  • Bitbucket: Bitbucket Cloud (PAT) and Bitbucket Cloud App

To adjust your preferences, head over to Integration Settings in the Snyk UI where you can toggle comments on or off at any time. This release is a big step forward in our mission to make security native to the developer experience. We’re excited to see how this helps your teams catch and fix issues faster, right within your SCM! 🚀

Refer to the user documentation for more details!

Mayank Khera | Senior Product Manager

PR Experience to Be Default Enabled and Generally Available on April 22, 2025

Early access

Update: The rollout has officially started on April 22 and will proceed gradually through to May 1.

We are excited to announce that Issue Summary comment and High Context Inline comments are coming to General Availability soon! As part of this exciting milestone, we're taking the next step by enabling these capabilities by default for all customers who use PR checks on April 22nd, 2025. With this update, all GitHub and Bitbucket (except Bitbucket Server) repositories with PR checks enabled will automatically include both the Issue Summary comment and SAST High Context Inline comments, revolutionizing how your developers identify and address vulnerabilities without ever leaving the SCM.

The repositories onboarded via the following SCM integrations are in scope of this change:

  • GitHub: GitHub OAuth*, GitHub Enterprise (PAT), and GitHub Cloud App

  • Bitbucket: Bitbucket Cloud (PAT), Bitbucket Cloud App

Key highlights of this release

On April 22nd, 2025, all repositories with PR checks enabled will automatically activate the following capabilities:

  • Issue Summary comment for both PR check success and failure cases, covering Snyk Code and Open Source security & license checks.

  • High Context Inline comments for Snyk Code findings.

Repositories that have either (1) manually disabled either of the comments after initial enablement or (2) disabled summary comments for success scenarios during Early Access will remain unchanged, ensuring prior preferences are respected.

Opt-Out Requests

  • Opt-out requests can be submitted via our dedicated form or through your Snyk POC (include Group/Org IDs)

  • Opt-out submissions received before April 21st, 2025 will not be default enabled

To customize your preferences at any time after default enablement, you can simply visit your integration settings in the Snyk WebUI where you can toggle comments off.

This milestone represents our ongoing commitment to transforming the developer experience with Snyk, making security an integrated, intuitive part of your development workflow 🚀

*Note: For GitHub OAuth integrations, a PAT token with the right permissions will need to be added to start receiving PR comments.

Mayank Khera | Senior Product Manager

Snyk PR Checks for Bitbucket Server is migrating to per-product commit statuses on April 22nd, 2025

Improved

Currently, Snyk’s Bitbucket Server integration reports on commit statuses (Snyk PR Checks) per project (i.e., per manifest file in the repo). This reporting approach consumes excessive SCM resources in large or complex repositories. To remedy this, the Snyk Bitbucket Server integration will report per-product commit statuses beginning April 22, 2025.

By moving to per-product statuses, Bitbucket Server integration users will benefit from:

  • A more consistent UX with the rest of Snyk’s SCM integrations, which report their statuses on a per-product basis (Snyk Code, Snyk Open Source)

  • Performance improvements through fewer calls made to their SCM by Snyk

  • Access to existing features like Mark as Successful or new features such as PR Comments, which were not supported by per-project statuses.

Jeff Andersen | Director, Product Management

PR Issue Summary Comment & SAST High-Context Inline Comments for GitLab & Azure Repos

Early access

We are announcing the Early Access release of PR Issue Summary Comment and SAST High-Context Inline Comments as part of our ongoing efforts to enhance the pull request experience. These features bring critical security insights directly into your PRs, reducing context switching and streamlining vulnerability remediation.

  • PR Issue Summary Comment - With this feature, developers using Snyk PR Checks will receive a comment with a summary count of security, license, and code checks directly within their pull requests, categorized by severity (Critical, High, Medium, Low). This empowers developers to identify and address issues early, with detailed links provided for deeper investigation.

  • High-Context Inline Comments display each SAST security finding alongside key information such as CWE (Common Weakness Enumeration), priority score, and a Snyk Learn link for further guidance—helping developers remediate issues faster without leaving their SCM. 🚀

This is part of a series of enhancements designed to improve your developers’ pull request experience with Snyk, and we remain committed to further improving it. If you’re interested in enabling this feature for your organization, you can self-opt in via the Pull Request Experience section in the SCM integration settings. Check out the user docs for more details. Try it out and connect with your account team to participate in feedback sessions to shape the future of your Snyk workflows.

Mayank Khera | Senior Product Manager