Product Updates


Connect DAST findings to Snyk Learn lessons

Improved

We’ve activated direct links to Snyk Learn lessons within the findings details pages of Snyk API & Web. When you are reviewing a vulnerability, you can now find educational content under the Description tab. Snyk Learn provides hands-on lessons to help you understand, prevent, and fix security issues in your code.

We want to bridge the gap between identifying a security risk and knowing how to remediate it. By embedding these lessons directly where you work, we're making it easier for you to build security knowledge without leaving the platform.

You can now quickly access expert-guided security training for specific vulnerabilities you encounter. This helps you not only resolve the current issue but also acquire the skills to prevent similar vulnerabilities in the future, ultimately enhancing your overall security posture.

To learn more, visit Snyk Learn.

Ana Pascoal | Product Manager

Configure signed requests for API targets in Snyk API & Web

New

Experience greater flexibility in authenticating your scans with the new Signature capabilities for API targets. With Snyk API & Web, you can now configure signed requests using your own algorithms.

We added this feature to support complex authentication requirements that require signed requests. By providing a dedicated space to manage these signatures, we're making it easier for you to run automated security scans against protected API endpoints that verify message integrity and authenticity.

If you have the message signature feature enabled, you can now navigate to your API target settings to set up signing methods. This ensures your scans can successfully authenticate with APIs that require cryptographic signatures for every request.

To enable this feature, please contact the Sales team.

To learn more, visit How to configure Signed Requests for API Targets in our user documentation.

Ana Pascoal | Product Manager

Configure mutual TLS for target authentication in Snyk API & Web

New

We added support for mutual TLS (mTLS) configuration for Web, OpenAPI, and Postman targets in Snyk API & Web. This allows you to extend your security testing to cover even your most strictly secured and authenticated endpoints.

We implemented this feature to support organizations that require higher levels of security or mutual trust between client and server. This allows our crawler and scanner to authenticate successfully with services that enforce strict mTLS requirements, ensuring comprehensive security coverage for your protected targets.

In the authentication tab for your Web and API targets, you will see a new CLIENT AUTHENTICATION CERTIFICATE module under your target Settings. You can use this to upload the necessary certificates for authentication. This change allows you to scan targets that were previously inaccessible due to mutual TLS requirements.

To enable this feature, please contact the Sales team.

To learn more, visit How To Configure Mutual TLS Authentication in our user documentation.


Redesigned Snyk Analytics Tenant-Level Experience is now GA

General availability

Customize your dashboard with the new analytics experience. We’re launching the general availability of the redesigned Snyk Analytics experience. You now have access to a customizable tenant-level landing page featuring a widget inventory, allowing you to arrange widgets for a personalized dashboard. This update also includes Saved views, a centralized Report catalog for discovering reports, and enhanced drill-down capabilities for issues and assets.

We want to provide a more flexible way to visualize your security posture. These changes ensure you can surface the metrics most relevant to your organization and access critical data faster through a centralized view.

You can create a dashboard tailored to your specific monitoring needs by selecting widgets from the inventory. The new experience simplifies how you find pre-built reports and allows you to investigate specific security topics directly from your customized view.

To learn more, check out our Redesigned Analytics docs.

Sara Meadzinger | Staff Product Manager

Severity Condition in Group-Level Policies (GA)

General availability

We are pleased to announce the General Availability (GA) of the Severity Condition in Group-Level Policies.

This new capability empowers you to create more granular policies for taking action (such as ignoring or changing severity) on findings based on their severity. The condition is available for both Code and OS Security group-level policies within the UI.

To learn more about setting up group-level policies, visit our Snyk User Documentation.

Itay Maor | Senior Manager, Product


Update assets via API and introduction of a new tagging capability

Early access

We're updating the Assets API with a new PATCH endpoint that lets you modify asset attributes (for example, class). We're also introducing a new, structured (key:value) asset tagging capability called tags.

This update gives you a flexible way to enrich asset data. You can add specific, structured context to your assets for powerful filtering and for integration with your internal systems, in line with industry best practices. The new PATCH endpoint addresses the need to modify asset attributes programmatically.

The update enhances the Assets API with a more powerful way to categorize assets using structured key-value pairs, and lets you update Class, free-form labels, and the new key:value tags attributes via the API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refers to the new, structured key:value pairs.

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

Customize risk acceptance in Snyk API & Web

Improved

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

  • Expiration Date: The date when the risk acceptance expires.

  • Approver Name: The individual who authorized the risk acceptance.

  • Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

  • For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

  • For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

Ana Pascoal | Product Manager

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

  • As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

  • As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

  • In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

  • We’ve made some tweaks to how we handle transitivity in first-party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand.

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Ryan Searle | Product Director

Faster feedback for broken navigation sequences in Snyk API & Web

Improved

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

Ana Pascoal | Product Manager

Improved secrets management in Snyk API & Web

General availability

We are enhancing how secrets and sensitive data are managed in Snyk API & Web. Effective today, you can designate specific fields as sensitive within your target settings, ensuring their values are automatically masked. Furthermore, Account Owners now have a new level of control with the ability to make sensitive information permanently non-retrievable after it is saved.

This enhancement is designed to significantly reduce the risk of accidental information disclosure and prevent unauthorized access to your sensitive data. By giving you granular control to define and mask specific fields, we are moving beyond a reliance on simplistic patterns and heuristics. The option to make secrets non-retrievable adds a critical layer of security, ensuring that once a secret is stored, it cannot be exposed again through the application.

This update introduces two key changes:

  • For Account Owners: A new module is available on the Settings > Authentication page. This allows Account Owners to enforce that all designated sensitive information becomes non-retrievable for everyone in the account once saved.

  • For all users: When configuring a target, you will now see a 'Mark as sensitive' checkbox for relevant fields. Selecting this option will automatically mask the field's value after it is saved. This applies to configurations such as:

    • API authentication payload

    • Login form

    • Login sequence

    • Basic authentication credentials

    • Custom headers and authentication headers

    • Custom cookies and authentication cookies

    • API Parameter Custom Values

    • Postman Environment Values

To learn more, visit How to manage secrets and sensitive data in Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager