Product Updates

GitHub Apps are now supported in Docker Hub integrations

Improved

We've enhanced our Docker Hub integrations by adding GitHub App support. This update allows you to attach a Dockerfile to your Snyk Container images directly through your GitHub Cloud and GitHub Server App integrations.

Attaching a Dockerfile gives you more precise fix advice, including smarter base image recommendations for both major and minor upgrades, and a wider range of alternative upgrade paths. This new capability means Snyk gains deeper context about your image during scans, leading to more actionable and tailored recommendations.

No explicit action is required to enable this feature. To start, simply navigate to your Snyk Container image Project settings. There, you can use the Configure Dockerfile option to select the appropriate Dockerfile via your GitHub App integration.

To learn more, visit Detect Vulnerable Base Images from your Dockerfile.

Mayank Khera | Senior Product Manager

Announcing support for .NET 10 for Open Source

General availability

We're excited to announce support for .NET 10 for Open Source, which was released on November 11. This update ensures you can securely build and scan your newest .NET applications. We’ve added this support for scans using both our command line interface (CLI) and integrations with source code management (SCM) systems. This feature is now generally available (GA) and supported within our "Improved .NET scanning" capability.

The .NET ecosystem is a top priority for many developers and for us. We are committed to providing quick support for all new major releases, and this update continues that commitment. This allows you to adopt new technology without sacrificing security visibility.

All developers using .NET 10 can immediately begin scanning their projects using the Snyk CLI or their integrated SCM tools—no manual configuration or action is required to enable this feature. Please be aware that simply changing your .NET target framework does not automatically update the associated project dependencies.

Note that the RestoreEnablePackagePruning flag introduced in .NET 10 prunes unused system packages from the project. Those dependencies can be included again by setting the RestoreEnablePackagePruning property to false in your project file or Directory.Build.props file.

To learn more, visit our Snyk User Documentation. For more information about updating the projects, see this help article.

Johann Sutherland

Test your Maven 4 projects now with RC4 support

General availability

Maven 4 is the long-awaited next major upgrade for Maven. We are happy to announce General Availability (GA) support for Maven 4 Release Candidate 4 (RC4). This new capability is available for both our command-line interface (CLI) and source code management (SCM) integrations, giving you the opportunity to test your repositories with this new version of Maven before its official release.

While the official Maven 4 GA release date is not set, we want to provide an opportunity to test your projects in advance. By supporting the final planned Release Candidate, you can get ahead of the official upgrade and help us by giving feedback before the final release.

This update is for early adopters who want to test their repositories against Maven 4 before it becomes official. You can now use Snyk to scan your Maven 4 RC4 projects through the CLI and your SCM integrations. Please be aware that this is support for a Release Candidate, and the following features are not supported:

  • CI-friendly variables

  • Conditional Profile Activation

  • Alternative Project Object Model (POM) syntaxes

Snyk Support for Java and Kotlin

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to share that on November 5th, 2025 we will release improvements to Reachability for JavaScript and TypeScript. Upon release, Reachability will be supported for over 98% of applicable vulnerabilities, helping you better prioritize which issues to fix first.

You may see minor fluctuations in the reachability and Risk Score for issues in your npm, pnpm, or Yarn projects.

This release is a part of ongoing engine improvements related to coverage and quality. You can expect similar improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

To learn more about how to get up and running with Reachability, please read our User Docs.

Ryan Searle | Product Director

Python 3.14 support is now available

General availability

We're happy to announce that we now support Python 3.14. Following its release on October 7, 2025, this support is now generally available (GA). You can now scan your Python 3.14 projects using both the command line interface (CLI) and your source control manager (SCM) integrations.

Python is a top-priority ecosystem for many of our users. We're committed to providing support for new language versions as quickly as possible so you can upgrade and stay secure without interruption.

You can now import and scan your Python 3.14 projects from the CLI or your connected SCM. Please remember: if your project does not have a Python version specified, you need to configure it in the UI to use Python 3.14.

To learn more, visit Snyk for Python in our user documentation.

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

  • As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

  • As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

  • In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

  • We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Ryan Searle | Product Director

You can now use pnpm across Snyk

General availability

We're excited to announce that our support for the pnpm package manager is now generally available (GA). This update applies across the command line interface (CLI) and all Snyk source code management (SCM) integrations. Any new pnpm projects you import will now be correctly identified and scanned.

This has been a top request from the JavaScript community. We listened to your feedback and are thrilled to deliver this improvement to better support your workflows.

There is no action required from you. Over the next month, we will automatically migrate any of your existing projects that were previously misidentified as npm projects. All project history and any ignores you have configured will be preserved during this migration.

To learn more, visit the Supported Languages List in our user documentation.

Johann Sutherland

Azure DevOps Duplicated Assets - Snyk Essentials

Fix

Users have reported a duplicated repository count in Inventory for their Azure DevOps repositories. Snyk has developed a fix for this issue, which will be applied in all regions on September 17th. No action is required to apply the fix. Users affected by the duplications will see a corresponding decrease in their repository count in the Inventory.

For any questions, don't hesitate to reach out to the Snyk support team.

Noa Moshe | Product Manager

Bitbucket Cloud API Key support - Snyk Essentials

New

Atlassian will deprecate App Passwords in Bitbucket Cloud and transition to API tokens, which provide a more secure authentication method, increased admin flexibility, and additional expiry controls. To align and support this change, Snyk Essentials will be supporting API tokens starting September 9th.

Main highlights include:

  • Support of the API Key

  • Users who integrate on or after September 9th, 2025, will need to provide user email and API Key

  • Existing integrations that are already using app passwords will continue to function without interruption until June 9th, 2026, when app passwords will stop working entirely (or if the app password expires before June 9th).

Users are advised to migrate to the API key starting September 9th, 2025. For any questions, don't hesitate to reach out to the Snyk support team.

Noa Moshe | Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Johann Sutherland