Product Updates

Customize your dashboard with the new analytics experience. We’re launching the general availability of the redesigned Snyk Analytics experience. You now have access to a customizable tenant-level landing page featuring a widget inventory, allowing you to arrange widgets for a personalized dashboard. This update also includes Saved views, a centralized Report catalog for discovering reports, and enhanced drill-down capabilities for issues and assets.

We want to provide a more flexible way to visualize your security posture. These changes ensure you can surface the metrics most relevant to your organization and access critical data faster through a centralized view.

You can create a dashboard tailored to your specific monitoring needs by selecting widgets from the inventory. The new experience simplifies how you find pre-built reports and allows you to investigate specific security topics directly from your customized view.

To learn more, check out our Redesigned Analytics docs.

We are pleased to announce the General Availability (GA) of the Severity Condition in Group-Level Policies.

This new capability empowers you to create more granular policies for taking action (such as ignoring or changing severity) on findings based on their severity. The condition is available for both Code and OS Security group-level policies within the UI.

To learn more about setting up group-level policies, visit our Snyk User Documentation.

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example: class). We're introducing new, structured (key:value) asset tagging capability that will be called tags.

This update provides a significant enhancement by providing a flexible way to enrich asset data. The new functionality enables you to add specific, structured context to your assets for powerful filtering and integration with your internal systems aligning with industry best practices. We are introducing a new PATCH endpoint to address the need to programmatically modify asset attributes.

The update introduces an enhancement to the Assets API , to provide a more powerful way to categorize assets using structured key-value pairs, and allowing to update Class , free-form labels, and the new key:value tags attributes via API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refer to the new, structured key:value pairs

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

• Expiration Date: The date when the risk acceptance expires.

• Approver Name: The individual who authorized the risk acceptance.

• Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

• For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

• For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

• As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

• As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

• In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

• We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

We are enhancing how secrets and sensitive data are managed in Snyk API & Web. Effective today, you can designate specific fields as sensitive within your target settings, ensuring their values are automatically masked. Furthermore, Account Owners now have a new level of control with the ability to make sensitive information permanently non-retrievable after it is saved.

This enhancement is designed to significantly reduce the risk of accidental information disclosure and prevent unauthorized access to your sensitive data. By giving you granular control to define and mask specific fields, we are moving beyond a reliance on simplistic patterns and heuristics. The option to make secrets non-retrievable adds a critical layer of security, ensuring that once a secret is stored, it cannot be exposed again through the application.

This update introduces two key changes:

• For Account Owners: A new module is available on the Settings > Authentication page. This allows Account Owners to enforce that all designated sensitive information becomes non-retrievable for everyone in the account once saved.

• For all users: When configuring a target, you will now see a 'Mark as sensitive' checkbox for relevant fields. Selecting this option will automatically mask the field's value after it is saved. This applies to configurations such as:

  • API authentication payload

  • Login form

  • Login sequence

  • Basic authentication credentials

  • Custom headers and authentication headers

  • Custom cookies and authentication cookies

  • API Parameter Custom Values

  • Postman Environment Values

To learn more, visit How to manage secrets and sensitive data in Snyk API & Web in our user documentation.

We’ve introduced a new is not filter option for Snyk reports, which lets you exclude unwanted items directly within the platform. This feature is now available across a wide range of filters, including groups, organizations, Common Vulnerabilities and Exposures (CVEs), package names, collections, tags, asset names, and owners.

Previously, you had to export Snyk report data and manually filter out unwanted items, which was time-consuming and inefficient. We've improved this by allowing you to exclude items within Snyk, giving you a focused view, and eliminating the need for manual data manipulation outside the platform.

You can now get to the insights you need faster and more efficiently. For example, you can exclude known, low-priority issues to focus on high-severity vulnerabilities, quickly find unassigned assets by filtering for is not, or exclude environments to only see issues related to production. To use the new feature, simply select the desired filter and choose the is not option before entering the value you wish to filter out.

To learn more, visit our user documentation.

We’ve expanded the Featured Zero-Day Report to include the Shai-Hulud npm supply chain attack, one of the largest compromises in the npm ecosystem to date.

This update enables Enterprise users to:

• Identify exposure to compromised npm packages such as ngx-bootstrap and @ctrl/tinycolor.

• Prioritize remediation and monitor progress directly in the Featured Zero-Day Report.

• Improve visibility and accountability in zero-day response.

This addition strengthens visibility into high-impact zero-day events within Snyk Reports. By integrating the Shai-Hulud supply chain incident, customers can rapidly assess exposure, track remediation, and improve governance during ongoing threat response.

No manual action is required - data updates automatically as new advisories are published. However, running a new scan is recommended to ensure the latest results are reflected.

To learn more, visit the Featured Zero-Day Report documentation or read our blog post, Zero-day extensive NPM package compromise Shai Hulud Supply Chain Attack.

We heard your feedback that it can be hard to keep up with all the changes, so we've introduced new ways to help you find the information that's most relevant to you.

You now see a Subscribe to RSS feed link if you prefer to be notified about every new product update as they are announced. On the left, you can filter product updates using tags like Open Source CLI or MCP to find exactly what you're looking for. We are looking to provide an email subscription service in the new year too.

We know how important it is for you to be aware of new features and changes that impact your work. Our goal is to give you more control and a better way to get the right information at the right time. We also want to ensure our communications are consistent with our Snyk brand for you to enjoy.

The product updates link in the Snyk user interface now takes you directly to this website The red notification dot on the bell icon, in the user interface, will be paused for approximately one week from today, before returning to its usual function of alerting you to new updates. We plan to introduce a search feature for this website in a later phase and we're assessing how best to surface product updates directly in our platform.