Product Updates

We're excited to share that "improved .NET scanning" has moved out of Snyk Preview and is now generally available.

It is now easier than ever to onboard your .NET repos and gain visibility into your software supply chain with a high degree of accuracy.

This release covers both SCM integrations, the CLI and CI/CD plugins, and the IDE—providing consistent results across your software development lifecycle.

Private package and Snyk Broker support

Managing private dependencies is critical for enterprise development, so we have expanded support for self-hosted and private NuGet packages to ensure you have visibility into your entire software supply chain.

• Universal Broker: If you use the universal Broker, you can now fully scan private packages hosted on brokered connections to Artifactory and Nexus.

Enhanced accuracy and performance

We have updated the scanning architecture to use the native dependency resolution logic of the .NET ecosystem. By using the dotnet SDK directly to resolve dependencies,  Snyk now provides a highly precise representation of your project's dependency graph.

Expanded project support

We are removing the barriers to scanning complex configurations. You can now scan any SDK-style Project that builds successfully with the dotnet SDK. This includes broad support for standard build customization files such as global.json, Directory.Build.props, and Directory.Packages.props without requiring additional configuration.

Additionally, this update unlocks support for Windows-specific frameworks—including WPF and WCF—for environments running .NET SDK 10 or higher.

Availability

These improvements will be released gradually starting in mid-February and are designed to be non-disruptive to your existing workflows.

For more information on configuration and support, see the Snyk documentation for .NET.

We're excited to announce a series of coverage and quality improvements for Snyk Open Source across several key developer ecosystems, rolling out over the coming weeks. Our goal is to help you secure your applications as you evolve and scale them, keeping pace with the latest releases and reliably scanning large, complex projects.

Improved SCA Coverage

We are committed to keeping up with the rapid pace of ecosystem updates. By broadening our support for the latest language versions and library structures, we help ensure your projects remain modern and protected without any friction.

Yarn 4

Snyk now supports Yarn 4 in both the CLI and the SCM integrations.

• Availability: CLI support is available on January 14 in version 1.1302.0, with a gradual SCM rollout throughout January.

• Note: Fix PRs and Upgrade PRs are currently not supported for Yarn workspaces.

• No action required: Projects that previously failed now successfully scan.

Ruby 4

Snyk now supports Ruby 4 in both the CLI and the SCM integrations.

• Availability: Support for both the CLI and SCM becomes available the week of January 21..

• No action required: Since the Ruby version is selected based on your Gemfile, no customer action is needed to begin using this.

PHP 8.5 & Swift 6.2

In addition to the above, we are pleased to announce upcoming support for PHP 8.5 and Swift 6.2 to ensure our users on the bleeding edge of these ecosystems remain secure.

Improved vulnerability coverage

We’ve enhanced our coverage for Go by adding vulnerabilities impacting packages in the Go Standard library to our vulnerability database. Previously, these vulnerabilities were not supported they are now detectable in both the CLI and SCM integrations.

• Availability: SCM and CLI support will become available throughout January.

Improved Quality

Beyond just supporting new versions, we are constantly refining our underlying scanning technology. These "under the hood" improvements focus on making scans faster and more resilient, especially for resource-intensive modern workloads.

Python (pip) Performance Improvements

We've introduced significant performance improvements for Python pip projects using SCM scanning. Previously, large projects—including those using AI and ML libraries such as pytorch—occasionally failed to resolve dependencies during scans. This problem has been resolved, helping you secure your Python applications.

• Availability: SCM rollout is happening throughout January, with CLI support following  in March.

We've enhanced our Docker Hub integrations by adding GitHub App support. This update allows you to attach a Dockerfile to your Snyk Container images directly through your GitHub Cloud and GitHub Server App integrations.

Attaching a Dockerfile gives you more precise fix advice, including smarter base image recommendations for both major and minor upgrades, and a wider range of alternative upgrade paths. This new capability means Snyk gains deeper context about your image during scans, leading to more actionable and tailored recommendations.

No explicit action is required to enable this feature. To start, simply navigate to your Snyk Container image Project settings. There, you can use the Configure Dockerfile option to select the appropriate Dockerfile via your GitHub App integration.

To learn more, visit Detect Vulnerable Base Images from your Dockerfile.

We're excited to announce support for .NET 10 for Open Source, which was released on November 11. This update ensures you can securely build and scan your newest .NET applications. We’ve added this support for scans using both our command line interface (CLI) and integrations with source code management (SCM) systems. This feature is now generally available (GA) and supported within our "Improved .NET scanning" capability.

The .NET ecosystem is a top priority for many developers and for us. We are committed to providing quick support for all new major releases, and this update continues that commitment. This allows you to adopt new technology without sacrificing security visibility.

All developers using .NET 10 can immediately begin scanning their projects using the Snyk CLI or their integrated SCM tools—no manual configuration or action is required to enable this feature. Please be aware that simply changing your .NET target framework does not automatically update the associated project dependencies.

Note that RestoreEnablePackagePruning flag introduced in .NET 10 prunes unused system packages from the project. Those dependencies can be including again by setting the RestoreEnablePackagePruning property to false in your project file or Directory.Build.props file.

To learn more, visit our Snyk User Documentation and for more information about see updating the projects, see this help article.

Maven 4 is the long-awaited next major upgrade for Maven. We are happy to announce General Availability (GA) support for Maven 4 Release Candidate 4 (RC4). This new capability is available for both our command-line interface (CLI) and source code management (SCM) integrations, giving you the opportunity to test your repositories with this new version of Maven before its official release.

While the official Maven 4 GA release date is not set, we want to provide an opportunity to test your projects in advance. By supporting the final planned Release Candidate, you can get ahead of the official upgrade and help us by giving feedback before the final release.

This update is for early adopters who want to test their repositories against Maven 4 before it becomes official. You can now use Snyk to scan your Maven 4 RC4 projects through the CLI and your SCM integrations. Please be aware that this is support for a Release Candidate, and the following features are not supported:

• CI-friendly variables

• Conditional Profile Activation

• Alternative Project Object Model (POM) syntaxes

Snyk Suport for Java and Kotlin

We’re pleased to share that on November 5th, 2025 we will release improvements to Reachability for JavaScript and TypeScript. Upon release, Reachability will be supported for over 98% of applicable vulnerabilities, helping you better prioritize which issues to fix first.

You may see minor fluctuations in the reachability and Risk Score for issues in your npm, pnpm, or Yarn projects.

This release is a part of ongoing engine improvements related to coverage and quality. You can expect similar improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

To learn more about how to get up and running with Reachability, please read our User Docs.

We're happy to announce that we now support Python 3.14. Following its release on October 7, 2025, this support is now generally available (GA). You can now scan your Python 3.14 projects using both the command line interface (CLI) and your source control manager (SCM) integrations.

Python is a top-priority ecosystem for many of our users. We're committed to providing support for new language versions as quickly as possible so you can upgrade and stay secure without interruption.

You can now import and scan your Python 3.14 projects from the CLI or your connected SCM. Please remember: if your project does not have a Python version specified, you need to configure it in the UI to use Python 3.14.

To learn more, visit Snyk for Python in our user documentation.

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

• As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

• As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

• In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

• We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

We're excited to announce that our support for the pnpm package manager is now generally available (GA). This update applies across the command line interface (CLI) and all Snyk source code management (SCM) integrations. Any new pnpm projects you import will now be correctly identified and scanned.

This has been a top request from the JavaScript community. We listened to your feedback and are thrilled to deliver this improvement to better support your workflows.

There is no action required from you. Over the next month, we will automatically migrate any of your existing projects that were previously misidentified as npm projects. All project history and any ignores you have configured will be preserved during this migration.

To learn more, visit the Supported Languages List in our user documentation.

Users have reported having duplicated repository count in Inventory for their Azure DevOps repositories. Snyk has developed a fix for this issue which will be applied in all regions on September 17th. No action is required to apply the fix. Users affected by the duplications will see a corresponding decrease in their repository count in the Inventory.

For any questions, don't hesitate to reach out to the Snyk support team.