Product Updates

We’ve launched an Active security incident assessment banner to help you manage major zero-day events. When our Security team identifies a high-severity zero-day vulnerability in a widely used package, we’ll trigger a dedicated banner at the top of the Zero Day report. This assessment provides a look at your exposure, including the total number of assets needing triage, assets cleared, and the specific open-source (OSS) packages involved.

We’ve also improved the report interface by expanding the selection filters and adding detailed breakdown charts for the issues backlog.

During a newly discovered security incident, teams need to quickly determine which assets may be affected and where to start investigating.

The active security incident assessment provides earlier visibility into repository exposure, helping teams:

• Understand the potential blast radius of an incident

• Identify assets requiring investigation

• Prioritize remediation and response faster

During an active indecent, you can now immediately see which assets may contain vulnerable packages through the assets needing triage metric. As you remove or update impacted dependencies, SCM-based scans for Snyk Open Source will automatically move those repositories to assets cleared, giving you a record of your progress.

Additional usability updates to the Zero day report now enable you to better view applied filters, filter by open or closed issues within the issue drill-down drawer, and view the backlog trend line across multiple events to see exactly how previous zero-day incidents are affecting your long-term security posture.

To learn more, visit Zero-Day report, Snyk Vulnerability Database, or Snyk Open Source in our user documentation.

We’re introducing a new Download CSV feature to help you export your data directly from the interface. Starting today, you can download a comma-separated values (CSV) file that matches your current table view, including any active filters or hidden columns. We'll follow this implementation soon after, with an enhanced version that gives you even more flexibility, by allowing you to choose from a wider range of fields, which ones to include in your CSV file. 

We recognize that managing security data often requires analysis outside of our platform. Previously, moving table data into other tools required manual effort or copy-pasting. We're adding this functionality to save you time and provide a powerful way to leverage your data for custom reporting and internal manipulation without the manual overhead.

This feature is available to all users across all account plans. If you have access to a table, you can now download its data.

To learn more, visit How to export table data to CSV in our user documentation.

We're introducing a new permission called Change Finding State to give you more granular control over how your teams manage security findings. Previously, the Change Finding permission covered several actions: changing a finding's state, review status, assignee, labels, and adding notes. We've separated these capabilities so that Change Finding State now specifically handles changing a finding's state and review status, and the existing Change Finding permission now focuses on managing assignees, labels, and notes. To prevent any workflow interruptions, all built-in and existing custom roles that currently have the Change Finding permission will automatically receive the new Change Finding State permission.

We made this change to help you better implement the principle of least privilege within your security programs. We heard that many organizations need to allow team members to contribute to the triage process — such as by adding notes or labels — without granting them the authority to officially ignore a finding or accept a risk. By decoupling these actions, we provide the flexibility to define more specific roles for your developers and security analysts.

You can now create custom roles that allow users to add context to findings without giving them the ability to change the security posture of an application. For example, if you want a user to be able to add notes to a finding, you can assign them the View Target and Change Finding permissions, but if you want a user to be able to ignore or accept findings, they will now require the Change Finding State permission. While this update does not change current access for existing users, we recommend reviewing your custom roles to see if you can further restrict permissions.

To learn more, visit Understanding Permissions at Snyk API & Web in our user documentation.

We’ve added a new Custom Headers module to the Scanner tab within Postman target settings. Much like our existing functionality for Web and OpenAPI targets, you can now configure specific headers and determine whether they should be included in the test surface or not. By default, we treat these headers as static prerequisites — such as authentication tokens — that are sent with every request to satisfy API requirements without being actively tested. If you select the checkbox to test a header, the scanner treats that header value as a testable attack surface and runs full security checks against it.

We’re introducing this update to give you more flexibility and precision when scanning Postman targets. Many APIs require specific headers to function, but not all of those headers need to be subjected to security testing. By allowing you to define which headers are static prerequisites and which should be actively tested, we’re ensuring your scans are both compatible with your API requirements and focused on the right attack surfaces.

You can now manage your Postman targets’ scan configurations more effectively by adding custom headers directly in the UI. When you view your results, the Scan results page for Postman targets now includes a Custom Headers entry in the USED SETTINGS module. This clearly indicates whether custom headers were Enabled or Disabled for that specific scan, providing better auditability for your security testing.

To learn more, visit Understanding Custom Headers in Snyk API & Web in our user documentation.

Starting on March 6, 2026, we’re introducing Credentials Manager to help you store and manage sensitive authentication data separately from your target configurations. This update simplifies secrets management and allows teams to share authentication setups without exposing actual credentials.

The Credentials Manager replaces the Secret Obfuscation feature, which is now discontinued.

Running dynamic application security testing (DAST) scans requires sensitive information like logins, passwords, and tokens. Previously, these were stored directly within each Target. This made it difficult to manage authentication across multiple targets and made regular password rotation time-consuming. We built this to provide a centralized way to manage these secrets more efficiently.

The Credentials Manager introduces several changes to how you handle sensitive data:

• Centralized storage: You store credentials in a dedicated place, keeping them separate from your Target configuration.

• Write-only secrets: Some credentials are write-only. You can use these in authentication settings, but the values remain hidden after you save them.

• Flexible configuration: You can still create credentials for a single Target if you do not want to save them to the central Credentials Manager.

To learn more, visit How to manage target authentication credentials in Snyk API & Web.

We’ve added new analytics functionality to the Risk Exposure report to help you better understand and manage your security posture. We’re introducing clickable objects within the Risk Breakdown table that allow you to drill down into specific issues and assets directly from the report. To provide more context, we’ve also added tooltips for categories such as Baseline Issue, Non Preventable Issue, Preventable Issue, and Other New Issue. Additionally, the Risk Exposure Trend now includes new viewing options, allowing you to filter open issues by Snyk product, exploit maturity, and top organizations (Orgs).

We’re moving this report from early access to general availability (GA) to provide a more comprehensive view of your application security (AppSec) risk. By aligning widget filters and adding trend data for specific products and exploit maturity levels, we're making it easier for you to pinpoint exactly where risk is originating and how it's evolving over time.

You can now interact with the Risk Breakdown table and trend lines to open detailed drawers for specific issues and impacted assets. This makes it faster to investigate why a trend has changed without leaving the report. The new tooltips clearly define how we categorize different issue types, ensuring your team has a shared understanding of risk definitions. If you manage multiple organizations, the new "Top Orgs" view helps you quickly identify which areas of your business require the most attention based on open issue counts.

We are excited to announce the general availability of Broken Object Level Authorization (BOLA) detection for OpenAPI targets, starting today. This feature uses artificial intelligence (AI), particularly large language models (LLMs), to identify unauthorized data access risks. You can now test for these vulnerabilities using the built-in API Normal or API Full scanning profiles.

BOLA is ranked as the primary risk in the OWASP API Top 10. By automating the detection of this complex vulnerability, we help you move beyond manual security reviews and reduce the risk of data leaks. Our goal is to provide proactive protection for your APIs by identifying authorization flaws before they can be exploited.

To use this feature, you must configure API target authentication for two separate users. The second user acts as the attacker and should have the same or lower privileges than the first user, and should not have access to the first user's resources. Once configured, our scanning engines will automatically attempt to detect if the second user can inadvertently access data belonging to the first, providing clear visibility into potential authorization gaps.

To learn more, visit How to set up your target for testing BOLA vulnerabilities? in our user documentation.

We're excited to introduce the first automatic solution for correlating static application security testing (SAST) and dynamic application security testing (DAST) findings. By connecting Snyk Code issues with Snyk API & Web results, we can now pinpoint the exact line of code responsible for a DAST vulnerability, helping you understand exactly where your code needs to be fixed and speed up your remediation process.

Vulnerabilities discovered during DAST can often be difficult and time-consuming for developers to locate within the source code. This update automates that manual search process. By using artificial intelligence to map runtime findings back to static code analysis, we're helping your teams reduce the mean time to remediate and focus on fixing issues rather than finding them.

In order to use our SAST/DAST correlation, you just need to link your Snyk API & Web targets to your Snyk Code projects and scan your API & Web targets the way you're used to. We'll do all the heavy lifting for you, and show you the corresponding SAST issue that matches our DAST finding, with the context and link directly to the code that needs to be fixed to mitigate the vulnerability.

Learn more about it here

We’re expanding our analytics capabilities by making the analytics page available at the Group and Organization (Org) levels. Previously, this customizable view was only accessible at the tenant level. We've renamed the Reports page in the left navigation to Analytics at both the Group and Org levels. To access all reports, navigate to Analytics and select the Reports tab, which will display the Reports Catalog. We've also updated the URL path to use "analytics" instead of "reporting."

We want to provide Group and Org admins with a top-down, customizable view into their specific security data. By bringing the analytics page to every level of the hierarchy, we’re making it easier for you to gain insights without needing tenant-level access. This update allows you to build and customize dashboards that hone in on the specific metrics you care about, such as filtering by specific Orgs within a Group or tracking high-priority vulnerability trends across your immediate business units. This flexibility ensures you can focus on the risk data most relevant to your specific area of responsibility.

You can now build and view analytics dashboards tailored to your specific Group or Org. While we’ve removed the report selector dropdown, we’ve put redirects in place so your saved views and favorited pages continue to work. Under our current permission model, Group admins can view analytics for their specific group and all associated Orgs, while Org admins can focus on their individual Org data.

To learn more, visit Snyk Analytics in our user documentation.

We’re replacing the OWASP Top 10 (2021) report with the newly updated OWASP Top 10 (2025) report. This update ensures that your security reporting reflects the latest industry standards for web application risks. We’ve also resolved a bug where filters were not correctly applied when navigating from the report to the issue details page.

The Open Web Application Security Project (OWASP) updated their list of the ten most critical web application security risks in 2025. To help you maintain compliance and stay ahead of evolving threats, we’ve updated our reporting to map security issues to these current controls rather than the previous 2021 versions.

You can now view and filter security issues based on the frequency and severity cited in the 2025 OWASP rankings. To access this, navigate to Reports > OWASP Top 10 (2025). While the 2021 version of the report is no longer available in the dropdown menu, you can temporarily still access it via its direct URL if needed.

To learn more, visit OWASP Top 10 report in our user documentation.