Product Updates

We are excited to announce the general availability of Broken Object Level Authorization (BOLA) detection for OpenAPI targets, starting today. This feature uses artificial intelligence (AI), particularly large language models (LLMs), to identify unauthorized data access risks. You can now test for these vulnerabilities using the built-in API Normal or API Full scanning profiles.

BOLA is ranked as the primary risk in the OWASP API Top 10. By automating the detection of this complex vulnerability, we help you move beyond manual security reviews and reduce the risk of data leaks. Our goal is to provide proactive protection for your APIs by identifying authorization flaws before they can be exploited.

To use this feature, you must configure API target authentication for two separate users. The second user acts as the attacker and should have the same or lower privileges than the first user, and should not have access to the first user's resources. Once configured, our scanning engines will automatically attempt to detect if the second user can inadvertently access data belonging to the first, providing clear visibility into potential authorization gaps.

To learn more, visit How to set up your target for testing BOLA vulnerabilities? in our user documentation.

We're excited to introduce the first automatic solution for correlating static application security testing (SAST) and dynamic application security testing (DAST) findings. By connecting Snyk Code issues with Snyk API & Web results, we can now pinpoint the exact line of code responsible for a DAST vulnerability, helping you understand exactly where your code needs to be fixed and speed up your remediation process.

Vulnerabilities discovered during DAST can often be difficult and time-consuming for developers to locate within the source code. This update automates that manual search process. By using artificial intelligence to map runtime findings back to static code analysis, we're helping your teams reduce the mean time to remediate and focus on fixing issues rather than finding them.

In order to use our SAST/DAST correlation, you just need to link your Snyk API & Web targets to your Snyk Code projects and scan your API & Web targets the way you're used to. We'll do all the heavy lifting for you, and show you the corresponding SAST issue that matches our DAST finding, with the context and link directly to the code that needs to be fixed to mitigate the vulnerability.

Learn more about it here

We’re expanding our analytics capabilities by making the analytics page available at the Group and Organization (Org) levels. Previously, this customizable view was only accessible at the tenant level. We've renamed the Reports page in the left navigation to Analytics at both the Group and Org levels. To access all reports, navigate to Analytics and select the Reports tab, which will display the Reports Catalog. We've also updated the URL path to use "analytics" instead of "reporting."

We want to provide Group and Org admins with a top-down, customizable view into their specific security data. By bringing the analytics page to every level of the hierarchy, we’re making it easier for you to gain insights without needing tenant-level access. This update allows you to build and customize dashboards that hone in on the specific metrics you care about, such as filtering by specific Orgs within a Group or tracking high-priority vulnerability trends across your immediate business units. This flexibility ensures you can focus on the risk data most relevant to your specific area of responsibility.

You can now build and view analytics dashboards tailored to your specific Group or Org. While we’ve removed the report selector dropdown, we’ve put redirects in place so your saved views and favorited pages continue to work. Under our current permission model, Group admins can view analytics for their specific group and all associated Orgs, while Org admins can focus on their individual Org data.

To learn more, visit Snyk Analytics in our user documentation.

We’ve activated direct links to Snyk Learn lessons within the findings details pages of Snyk API & Web. When you are reviewing a vulnerability, you can now find educational content under the Description tab. Snyk Learn provides hands-on lessons to help you understand, prevent, and fix security issues in your code.

We want to bridge the gap between identifying a security risk and knowing how to remediate it. By embedding these lessons directly where you work, we're making it easier for you to build security knowledge without leaving the platform.

You can now quickly access expert-guided security training for specific vulnerabilities you encounter. This helps you not only resolve the current issue but also acquire the skills to prevent similar vulnerabilities in the future, ultimately enhancing your overall security posture.

To learn more, visit Snyk Learn.

We added support for mutual TLS (mTLS) configuration for Web, OpenAPI, and Postman targets in Snyk API & Web. This allows you to extend your security testing to cover even your most strictly secured and authenticated endpoints.

We implemented this feature to support organizations that required higher levels of security or mutual trust between client and server. This allows our crawler and scanner to authenticate successfully with services that enforce strict mTLS requirements, ensuring comprehensive security coverage for your protected targets.

In the authentication tab for your Web and API targets, you will see a new CLIENT AUTHENTICATION CERTIFICATE module under your target Settings. You can use this to upload the necessary certificates for authentication. This change allows you to scan targets that were previously inaccessible due to mutual TLS requirements.

To enable this feature, please contact the Sales team.

To learn more, visit How To Configure Mutual TLS Authentication in our user documentation.

Experience greater flexibility in authenticating your scans with the new Signature capabilities for API targets. With Snyk API & Web, you can now configure signed requests using your own algorithms.

We added this feature to support complex authentication requirements that require signed requests. By providing a dedicated space to manage these signatures, we're making it easier for you to run automated security scans against protected API endpoints that verify message integrity and authenticity.

If you have the message signature feature enabled, you can now navigate to your API target settings to set up signing methods. This ensures your scans can successfully authenticate with APIs that require cryptographic signatures for every request.

To enable this feature, please contact the Sales team.

To learn more, visit How to configure Signed Requests for API Targets in our user documentation.

Customize your dashboard with the new analytics experience. We’re launching the general availability of the redesigned Snyk Analytics experience. You now have access to a customizable tenant-level landing page featuring a widget inventory, allowing you to arrange widgets for a personalized dashboard. This update also includes Saved views, a centralized Report catalog for discovering reports, and enhanced drill-down capabilities for issues and assets.

We want to provide a more flexible way to visualize your security posture. These changes ensure you can surface the metrics most relevant to your organization and access critical data faster through a centralized view.

You can create a dashboard tailored to your specific monitoring needs by selecting widgets from the inventory. The new experience simplifies how you find pre-built reports and allows you to investigate specific security topics directly from your customized view.

To learn more, check out our Redesigned Analytics docs.

We are pleased to announce the General Availability (GA) of the Severity Condition in Group-Level Policies.

This new capability empowers you to create more granular policies for taking action (such as ignoring or changing severity) on findings based on their severity. The condition is available for both Code and OS Security group-level policies within the UI.

To learn more about setting up group-level policies, visit our Snyk User Documentation.

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example: class). We're introducing new, structured (key:value) asset tagging capability that will be called tags.

This update provides a significant enhancement by providing a flexible way to enrich asset data. The new functionality enables you to add specific, structured context to your assets for powerful filtering and integration with your internal systems aligning with industry best practices. We are introducing a new PATCH endpoint to address the need to programmatically modify asset attributes.

The update introduces an enhancement to the Assets API , to provide a more powerful way to categorize assets using structured key-value pairs, and allowing to update Class , free-form labels, and the new key:value tags attributes via API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refer to the new, structured key:value pairs

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

• Expiration Date: The date when the risk acceptance expires.

• Approver Name: The individual who authorized the risk acceptance.

• Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

• For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

• For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.