Product Updates

Update assets via API and introduction of a new tagging capability

Early access

We're updating the Assets API to introduce a new PATCH endpoint that allows you to modify asset attributes (for example: class). We're also introducing a new, structured (key:value) asset tagging capability that will be called tags.

This update provides a flexible way to enrich asset data. The new functionality enables you to add specific, structured context to your assets for powerful filtering and integration with your internal systems, aligning with industry best practices. We are introducing a new PATCH endpoint to address the need to programmatically modify asset attributes.

The update enhances the Assets API to provide a more powerful way to categorize assets using structured key-value pairs, and allows you to update Class, free-form labels, and the new key:value tags attributes via API.

Terminology Alignment: We are renaming the existing, simple text-based tags attribute to Labels, whereas Tags now refer to the new, structured key:value pairs.

To learn more, visit Update asset attributes (Early Access) and Manage assets in our user documentation.

Customize risk acceptance in Snyk API & Web

Improved

We are introducing a more robust and customizable risk acceptance workflow. While providing a Reason for acceptance remains a mandatory requirement for all users, account owners can now also mandate the following fields:

  • Expiration Date: The date when the risk acceptance expires.

  • Approver Name: The individual who authorized the risk acceptance.

  • Approval Date: The date of the approval.

Once an acceptance period expires, the finding's status will automatically revert from Accepted Risk to Not Fixed, ensuring it is reviewed again. All acceptance details are captured in the finding's log to provide a complete audit trail.

We understand that manually tracking accepted risks is inefficient and can lead to overlooked vulnerabilities. This update automates the lifecycle of accepted risks, creating a clear, auditable, and enforceable process that ensures expired risks are never forgotten.

  • For account owners: A new configuration module is available in Settings > Scan Settings where you can define the new mandatory fields for your risk acceptance process.

  • For all users: The Accept Risk modal will continue to require a Reason and will now also display any additional fields required by the account owner. Any risk accepted with an expiration date will automatically re-enter the workflow as Not Fixed upon expiration, prompting a timely review.

To learn more, visit Configure the risk acceptance workflow in our user documentation.

Ana Pascoal | Product Manager

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

  • As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

  • As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

  • In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

  • We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Ryan Searle | Product Director

Faster feedback for broken navigation sequences in Snyk API & Web

Improved

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

Ana Pascoal | Product Manager

Improved secrets management in Snyk API & Web

General availability

We are enhancing how secrets and sensitive data are managed in Snyk API & Web. Effective today, you can designate specific fields as sensitive within your target settings, ensuring their values are automatically masked. Furthermore, Account Owners now have a new level of control with the ability to make sensitive information permanently non-retrievable after it is saved.

This enhancement is designed to significantly reduce the risk of accidental information disclosure and prevent unauthorized access to your sensitive data. By giving you granular control to define and mask specific fields, we are moving beyond a reliance on simplistic patterns and heuristics. The option to make secrets non-retrievable adds a critical layer of security, ensuring that once a secret is stored, it cannot be exposed again through the application.

This update introduces two key changes:

  • For Account Owners: A new module is available on the Settings > Authentication page. This allows Account Owners to enforce that all designated sensitive information becomes non-retrievable for everyone in the account once saved.

  • For all users: When configuring a target, you will now see a 'Mark as sensitive' checkbox for relevant fields. Selecting this option will automatically mask the field's value after it is saved. This applies to configurations such as:

    • API authentication payload

    • Login form

    • Login sequence

    • Basic authentication credentials

    • Custom headers and authentication headers

    • Custom cookies and authentication cookies

    • API Parameter Custom Values

    • Postman Environment Values

To learn more, visit How to manage secrets and sensitive data in Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager

Find what matters by filtering out what doesn't

New

We’ve introduced a new is not filter option for Snyk reports, which lets you exclude unwanted items directly within the platform. This feature is now available across a wide range of filters, including groups, organizations, Common Vulnerabilities and Exposures (CVEs), package names, collections, tags, asset names, and owners.

Previously, you had to export Snyk report data and manually filter out unwanted items, which was time-consuming and inefficient. We've improved this by allowing you to exclude items within Snyk, giving you a focused view, and eliminating the need for manual data manipulation outside the platform.

You can now get to the insights you need faster and more efficiently. For example, you can exclude known, low-priority issues to focus on high-severity vulnerabilities, quickly find unassigned assets by filtering for is not, or exclude environments to only see issues related to production. To use the new feature, simply select the desired filter and choose the is not option before entering the value you wish to filter out.

To learn more, visit our user documentation.

Sara Meadzinger | Staff Product Manager

Featured Zero-Day Report adds tracking for Shai-Hulud npm Supply Chain Attack - Sep 2025

Improved

We’ve expanded the Featured Zero-Day Report to include the Shai-Hulud npm supply chain attack, one of the largest compromises in the npm ecosystem to date.

This update enables Enterprise users to:

  • Identify exposure to compromised npm packages such as ngx-bootstrap and @ctrl/tinycolor.

  • Prioritize remediation and monitor progress directly in the Featured Zero-Day Report.

  • Improve visibility and accountability in zero-day response.

This addition strengthens visibility into high-impact zero-day events within Snyk Reports. By integrating the Shai-Hulud supply chain incident, customers can rapidly assess exposure, track remediation, and improve governance during ongoing threat response.

No manual action is required - data updates automatically as new advisories are published. However, running a new scan is recommended to ensure the latest results are reflected.

To learn more, visit the Featured Zero-Day Report documentation or read our blog post, Zero-day extensive NPM package compromise Shai Hulud Supply Chain Attack.

Noa Yaffe-Ermoza | Product Manager

Welcome to your new product update experience!

Improved

We heard your feedback that it can be hard to keep up with all the changes, so we've introduced new ways to help you find the information that's most relevant to you.

You now see a Subscribe via email link to set your email preferences directly and sign up to an occasional email about product updates. There's also a Subscribe to RSS feed link if you prefer to be notified about every new product update as they are announced. On the left, you can filter product updates using tags like Open Source CLI or MCP to find exactly what you're looking for.

We know how important it is for you to be aware of new features and changes that impact your work. Our goal is to give you more control and a better way to get the right information at the right time. We also want to ensure our communications are consistent with our Snyk brand for you to enjoy.

The product updates link in the Snyk user interface now takes you directly to this website. The red notification dot on the bell icon, in the user interface, will be paused for approximately one week from today, before returning to its usual function of alerting you to new updates. We plan to introduce a search feature for this website in a later phase and we're assessing how best to surface product updates directly in our platform.

Simon McEvoy | UX Content

Enhancing the Export API with Test Usage Data!

New

We know that AppSec teams need to track and report on how Snyk is being used throughout your development lifecycle. Understanding where and how often Snyk tests are run helps you promote early testing, prevent more vulnerabilities, and see the value you're getting from Snyk. We're excited to announce the availability of the Test Usage Data in the Export API!

What's New?

Currently, detailed pre-deployment CLI test data is only available through Snowflake data share or limited CSV exports. The new dataset will provide a more direct and flexible way to access this critical information.

The Test Usage Dataset will give you programmatic access to comprehensive data on your Snyk test activities, including details like:

  • When and where tests are run: See timestamps and the environment (e.g., IDE, CLI, CI/CD).

  • Test outcomes: Understand interaction statuses and exit codes.

  • User and organization details: Identify which users and organizations are performing tests.

  • Product usage: See which Snyk products (Open Source, Container, IaC, Code) are being used for tests.

How Does It Help You?

This new Test Usage Dataset unlocks crucial data that was previously harder to access, allowing you to:

  • Boost Pre-Deployment Testing: By easily monitoring CLI test adoption, you can identify opportunities to encourage developers to test earlier and more often, leading to better vulnerability prevention.

  • Measure Snyk's ROI: Gain clearer insights into how Snyk is being utilized across your teams, helping you demonstrate the value and justify your security investments.

  • Integrate Data Easily: Pull test usage data directly into your internal dashboards, reporting tools, or custom analytics solutions without manual exports or Snowflake integration.

Prisca Aeby | Senior Engineering Manager

Inventory Empty State Clarification - Snyk Essentials

Improved

We are excited to announce a UI enhancement that gives Inventory a clearer empty state! This clarifies why the enrichments might be empty. Main highlights include:

  • Ensure that no cell is empty without a reason; this change removes all guesswork.

  • To provide clarity on why the fields are missing, the Inventory page will display a defined empty state, including informative tooltips to guide users.

This update is scheduled to be rolled out across all Snyk environments on September 3rd. No actions are needed to enable these changes.

Noa Moshe | Product Manager