Product Updates

PR check report is now generally available

General availability

We’ve moved the pull request (PR) check report to general availability (GA). This update includes several enhancements to help you track how your teams adopt security scanning within their workflows. We added Snyk Code errors to the error PR checks, fixed historical calculation discrepancies in adoption metrics, and optimized the underlying tables so that all reporting components load and filter much faster. Additionally, we updated the display of source code manager (SCM) icons to better organize the PR scanning adoption by organization table, and we added PR check data to the Export application programming interface (API), enabling you to programmatically export this information.

We want to provide a reliable, high-performance way for you to verify that security checks are consistently running across your repositories. By moving this to GA, optimizing data loading, and providing API access, we ensure you have accurate, trendable metrics to measure the health of your application security (AppSec) program whether you are using the Snyk Web UI or your own internal reporting tools.

You can now filter and trend PR check adoption metrics by date to see progress over time. If you use GitLab, you will see a notification regarding data prior to February 5, 2025. When viewing the PR scanning adoption by organization table, you will notice a cleaner interface with updated source code manager (SCM) badges. Additionally, you can now automate your reporting workflows by pulling PR check data directly through the Export API.

To learn more, visit Pull Request check reporting in our user documentation.

Enhanced issue filtering for the export API

Improved

We're updating the stable Export API (version 2024-10-15) to include more granular filtering for the issues dataset. You can now filter your export request payloads using additional parameters, including issue status, issue type, and project origin. We've also added support for advanced filters such as common vulnerabilities and exposures (CVE) ID, reachability, and National Vulnerability Database (NVD) severity to help you refine your reporting.

We want to make data consumption more manageable and relevant for your specific workflows. Previously, these fields were available as export columns but could not be used to filter the initial request. By adding these parameters directly to the API contract, we're enabling you to reduce noise and achieve parity between our user interface (UI) reporting and your automated exports.

You can now customize your issue exports by applying the following new filters to your API requests:

  • ISSUE_STATUS: Filter by Open, Resolved, or Ignored.

  • ISSUE_TYPE: Limit results to vulnerabilities or licenses.

  • PROJECT_ORIGIN: Filter by source, such as CLI, GitHub, or Jenkins.

  • PROJECT_TARGET_REF: Target specific branches or artifacts.

  • CVE: Search for a specific vulnerability ID.

  • NVD_SEVERITY: Filter based on external severity ratings.

  • REACHABILITY: Separate reachable from unreachable vulnerabilities.

  • PROJECT_TARGET_DISPLAY_NAME: Use human-readable names for your reports.

To learn more, visit Export in our user documentation.

Sara Meadzinger | Staff Product Manager

New custom time-to-live for export API URLs

Improved

We've made it easier to manage the security of your data exports by implementing a configurable, shorter time-to-live (TTL) for the presigned URLs created by the Export API (application programming interface). Now, when you use the Export API, you can limit how long the download link remains active by passing a value between 0 and 3,600 to the url_expiration_seconds attribute. Once the timeout expires, the CSV data can no longer be downloaded, and you'll need to start a new export.

We understand that some security policies require a shorter expiration time for temporary download links containing sensitive data than the default time we provide. This update gives you the control to align the Export API's presigned URL expiration with your organization's specific security and compliance requirements.

This enhancement affects all users who utilize the Export API to generate CSV data. This change is optional: your existing Export API integrations will continue to work without modification, using the default link expiration time. If you require a shorter link expiry, you can simply add the url_expiration_seconds attribute to your export request with a value from 0 to 3,600 seconds.

To learn more, visit the Export API documentation.

Sara Meadzinger | Staff Product Manager

Update assets via API and introduction of a new tagging capability

Early access

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example, class). We're also introducing a new, structured (key:value) asset tagging capability called tags.

This update gives you a flexible way to enrich asset data. You can add specific, structured context to your assets for powerful filtering and integration with your internal systems, in line with industry best practices. The new PATCH endpoint addresses the need to modify asset attributes programmatically.

The update enhances the Assets API with a more powerful way to categorize assets using structured key-value pairs, and lets you update the Class, free-form labels, and the new key:value tags attributes via the API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refers to the new, structured key:value pairs.

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

Announcing Snyk CLI v1.1298.3

New

We’ve released a new CLI version (v1.1298.3) with new features, bug fixes and improvements to enhance your security scanning.

This update includes the following two changes:

1. Open Source: Gradle 9 Support

We are pleased to announce that the Snyk CLI now supports scanning Gradle 9 projects!

Previously, when scanning version 9 projects in the CLI, some operations might fail due to reliance on a deprecated and removed Gradle CLI flag. This has now been resolved, and Gradle 9 is officially supported in the Snyk CLI.

2. AI-BOM: The snyk aibom command

The AI-BOM CLI command is now publicly accessible.

You can use the snyk aibom command to identify AI models and datasets and to map the AI supply chain, including connections to external tools and services that use the Model Context Protocol (MCP).

Note: AI-BOM is an experimental feature and is subject to breaking changes without notice. Read more in our documentation.

Release notes are available here.

We encourage everyone to upgrade to the latest version to take advantage of these new capabilities. If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

project_target_file Now Available in Snyk Export API!

New

We're excited to announce a crucial enhancement to our new Export API: we've added the project_target_file field. This update is a significant step in helping customers transition from the deprecated Reporting V1 API to our more robust and modern Export API. The project_target_file field, which was previously only available in the older Reporting V1 API, is now included in the Export API. This field provides critical information for disambiguating ownership in monorepos.

How Does This Benefit You?

  • Seamless Migration: If your workflows, especially those involving monorepos, relied on project+target_file from the Reporting V1 API, you can now migrate those processes entirely to the Export API.

  • Improved Ownership Clarity: For complex projects like monorepos, target_file helps you precisely identify and manage project ownership, leading to more accurate reporting and better security insights. It contains the file path within a project that Snyk is targeting for security scanning, such as /var/www/composer.lock, /app/package.json, or other dependency manifest files.

  • Access to Modern API Features: By fully moving to the Export API, you can leverage its improved performance, scalability, and other advanced capabilities.

  • Reduced Reliance on Legacy API: This addition helps reduce the need for the older Reporting V1 API, allowing us to focus on enhancing our newer, more efficient solutions.

What You Need to Know

The data for target_file is consistent with what you've seen in the Reporting V1 API and our internal datasets. We've ensured a direct mapping to provide you with reliable information. To make this field available, we've updated several underlying data structures. While this required a full refresh of some datasets on our end, you don't need to take any action other than updating your API integrations to utilize the new field. This enhancement directly addresses feedback from customers, enabling a smoother and more complete transition to the Export API.

Maor Kuriel | Director of Product

Export API GA Release

New

The Export API is now GA, allowing our customers to create and download Snyk Issues data as a CSV file. It's useful for making custom reports and using Snyk data with other tools.

What it is and why it's helpful

The Export API, which Snyk Analytics supports, facilitates data export by enabling users to create and manage CSV files. These files are safely stored by Snyk. Designed for efficiency and security, the Export API helps users organize and scale the export of large datasets, which is useful for reporting and analytics tasks.

  • Consume predefined datasets, based on Snyk reporting data

  • Datasets evolve in parallel to Snyk Analytics' scope

  • Focus on the user experience and ease of consumption

More information

You can find more details, including how to use the API, in our product documentation.

Maor Kuriel | Director of Product

API Security just got simpler! - Coming August 4th

New

Finding and providing up-to-date API schemas for security scanning is a common challenge. To solve this, Snyk API & Web now integrates with Akamai to simplify and automate your API security workflow, helping you maintain comprehensive coverage with significantly less manual effort.

This integration connects directly to your Akamai account to automatically discover your complete API inventory and import the corresponding schemas required for security testing.

Key Features

  • Automated API Discovery: The integration automatically imports your API inventory and schemas from Akamai, eliminating the manual work of finding and uploading them.

  • Increased Scan Coverage: By discovering all your Akamai-managed APIs, you can ensure broader security testing coverage across your application portfolio.

  • One-Click Onboarding: Add discovered APIs as targets with a single click, with their schemas pre-populated and ready for testing.

How to Get Started

Availability: This feature will be available in your Snyk API & Web account on August 4, 2025.

Once available, you can begin using the integration by following these steps:

  1. Connect to Akamai: Go to Settings > Integrations in your Snyk API & Web account to configure the new Akamai integration.

  2. View Imported Domains: After a successful connection, Snyk API & Web imports your domains from Akamai. You can see these new domains under Targets > Domains.

  3. Discover and Scan Your APIs: Snyk API & Web then automatically scans these domains to find the associated API assets. When the scan is complete, your discovered APIs are displayed when you select the Discovery menu option. From there, you can add them as targets and begin scanning immediately.

To find specific API assets, use the following filters:

  • Filter by Type > API to display only API assets.

  • Filter by Source > Akamai to display assets imported from this integration.

Need Help?

If you have any questions or need assistance with the new integration, please contact the Snyk support team.

Ana Pascoal | Product Manager

Improvements & fixes coming to the "List issues for a package" APIs 🔧

Fix

We're pleased to announce that on Friday, July 11th, 2025, we will be introducing several improvements to the "List issues for a package" APIs.

This release will reduce request latency and improve the timeliness of newly published advisories being returned by the API.

In addition, this release will address several bugs listed below, which may result in changes to the number of vulnerabilities returned for some packages:

  • Currently, the API responds with all vulnerabilities for a package in Linux ecosystems (apk, deb and rpm). The fix narrows the response to only the vulnerabilities affecting the specified version.

  • Requests for npm purls that contain an @ symbol in the namespace currently cause a 400 Bad Request. This change properly parses these purls and instead correctly returns a 200 OK with the expected vulnerabilities.

  • When there is no remedy, the remedies array will now be empty.

  • The problems array is now consistently sorted by each object's id.
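For client code that builds or validates purls before calling these APIs, the sketch below parses npm purls whose namespace contains an @, in both the literal and the percent-encoded (%40) form. It is an added example, not Snyk's implementation; the function name parse_purl and the sample purls are constructed for illustration.

```python
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a package URL into type, namespace, name and version.

    Hypothetical helper: tolerates a literal '@' in the namespace
    (npm scopes) as well as the percent-encoded form '%40'.
    """
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError("not a purl: missing 'pkg:' scheme")
    rest = rest.lstrip("/")
    rest = rest.split("#", 1)[0]  # drop the optional subpath
    rest = rest.split("?", 1)[0]  # drop the optional qualifiers
    ptype, sep, path = rest.partition("/")
    if not sep or not ptype or not path:
        raise ValueError("purl needs both a type and a name")

    # '@' separates the version only when it comes after the last '/'.
    # An '@' earlier in the path belongs to the namespace (an npm scope),
    # so 'pkg:npm/@angular/core' has no version at all.
    version = None
    at, last_slash = path.rfind("@"), path.rfind("/")
    if at > last_slash:
        path, version = path[:at], unquote(path[at + 1:])
        if not version:
            raise ValueError("empty version after '@'")

    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError("purl has an empty name")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": version,
    }


if __name__ == "__main__":
    # Constructed sample purls, not taken from the release note.
    for sample in (
        "pkg:npm/%40angular/core@12.0.0",
        "pkg:npm/@angular/core@12.0.0",
        "pkg:npm/@angular/core",
        "pkg:deb/debian/curl@7.50.3-1?arch=i386",
    ):
        print(sample, "->", parse_purl(sample))
```
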

Please reach out if you have any questions.

Ryan Searle | Director, Product Management

Assets API is coming to Early Access

Early access

The Assets API is now available in Early Access, providing AppSec teams with programmatic access to comprehensive asset data. This eliminates the need for manual data exports and simplifies integration with other systems. With reliable, centralized access to asset information from sources like Snyk, SCMs, and runtime environments, teams can automate targeted actions, improve prioritization, and enhance visibility. The API empowers organizations to make more informed decisions and align security and development efforts more effectively.

Key capabilities of the Assets API include:

  • Programmatic access to asset data — retrieve asset information from Snyk, SCMs, runtime, app context, and more

  • Flexible filtering — query specific assets or subsets based on your chosen criteria

Check out the user docs for more details. We're dedicated to continuously enhancing this experience. If you'd like to share your feedback and help shape future improvements, please reach out to your account team to join upcoming feedback sessions.

Itay Maor | Senior Manager, Product