snyk.io updates

Announcing Snyk CLI v1.1305.1

Matt Dolan, Senior Product Manager — Tue, 02 Jun 2026 10:24:00 GMT

We are pleased to announce Snyk CLI release, v1.1305.1

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

Improved rate-limit handling: the CLI now respects the X-RateLimit-Reset header when it is rate limited by the API, so retries wait the correct amount of time. This improves the reliability of scans in high-volume and CI/CD environments.
Fixed vulnerabilities:
- CVE-2026-39827
- CVE-2026-39831
- CVE-2026-33186 (IaC extensions)

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Announcing a new Snyk User Docs site structure!

Natasha Ellingford, Senior Technical Writer — Thu, 28 May 2026 17:00:00 GMT

We are excited to announce a redesign of the Snyk User Docs site, introducing a new structure built around site sections.

What's changed?

The docs are now reorganized into six clearly defined site sections:

Discover Snyk: An introduction to the platform, capabilities, and supported languages.
Platform administration: Settings, user management, Org configuration, and more.
Scan, fix, and prevent: Snyk core security scanning, fixing and prevention workflows
Developer tools: CLI, IDE integrations, related tooling, and more
Agent security: Agentic and AI-powered security features.
Snyk data and governance: Data handling, compliance, and policies.

In addition, there are dedicated sections for Getting started guides and Implementation guides to support onboarding and deployment workflows.

Snyk Code: June Update

Nina Kanti, Senior Product Manager — Thu, 28 May 2026 04:00:00 GMT

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection, Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including bitwise flag combinations.

Broader Insecure Cipher coverage for .NET (CWE-327)

Generalised cipher detection for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD-5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), and HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across Base, Windows, and Linux .NET types. Third-party support was added for DH, DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class (single level: caller → wrapper → mysql_query)

Important details to note

You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.
RC2 is reclassified from TooSmallKeySize to InsecureCipher. Customers with ignores or policies tied to specific rule keys should be aware (Scope is .NET (C# and VB) only).
A small number of CryptoServiceProviders false positives related to read-only KeySize properties will no longer fire. These were never actionable in the first place (Scope is .NET (C# and VB) only).
PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

Announcing Agent Fix: New Agentic Workflow & Model Upgrade

David Alessi, Staff Product Manager — Thu, 28 May 2026 03:00:00 GMT

New Model & New Architecture

We're happy to announce we're upgrading Agent Fix to use the Claude family of models enhanced by Snyk's tooling and intelligence. This move delivers the following major improvements:

Security & Functional Enhancements

Agentic Retries: Our new workflow now detects where code suggestions deviate from security best practices. Instead of discarding the result, the system analyzes the failure and injects tailored guidance into the agent's subsequent attempts.
Dynamic Few-Shot Prompting: We now use the same training set used to fine-tune our internal model to dynamically provide secure fix examples for the new model to follow.

Expanded Support

Full Language Coverage: We will enable support for all Snyk Code languages on Day 1, removing previous limitations on language availability.
Comprehensive Rule Support: AI-powered fixes are now available for all supported rules and vulnerability types across the platform.

Measurable Impact

Golden Test Benchmark: Both Sonnet 4.6 and Opus 4.6 saw improved performance against Snyk’s Golden Test benchmark (72.4% to 82.5% and 74.6% to 85.4% respectively) with this new architecture vs. the models on their own.

Check out the blog for more details. This update started rolling out on May 26th and will reach 100% by end of day on May 28th.

OWASP Top 10:2025 Support in Snyk API & Web

Ana Pascoal, Product Manager — Thu, 21 May 2026 08:00:00 GMT

Snyk API & Web now supports the OWASP Top 10:2025 standard for compliance reporting. Users can generate compliance reports against either OWASP 2025 or OWASP 2021 — both versions remain available.

Announcing Snyk CLI v1.1305.0

Matt Dolan, Senior Product Manager — Wed, 20 May 2026 14:15:00 GMT

We are pleased to announce the latest stable Snyk CLI release, v1.1305.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

SBOM
- Introduces the --allow-incomplete-sbom flag for snyk sbom, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results.
Container
- Speed up snyk container monitor by sending dependency requests in parallel, configurable via the SNYK_REQUEST_CONCURRENCY environment variable.
MCP
- Adds an experimental breakability evaluation tool to the Snyk MCP Server.
Static CLI binaries for Linux
- Linux ARM64 and AMD64 binaries are now statically linked by default.
Additional Reliability and Performance Improvements
- npm package aliases from lockfile now appropriately used in test command.
- Fixes parsing of Python .whl files when scanning projects with --all-projects.
- Updates dependencies to fix vulnerabilities

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

More flexibility when exporting table data to CSV with Snyk API & Web

Ana Pascoal, Product Manager — Wed, 20 May 2026 12:00:00 GMT

We've improved the recently introduced Download CSV feature to offer greater flexibility when exporting data directly from the Snyk API & Web interface.

Snyk Learn lesson roundup: what’s new in May

undefined, undefined — Mon, 11 May 2026 16:25:00 GMT

This month on Snyk Learn, there are brand new lessons for Evo by Snyk, along with a refreshed "Snyk in an IDE" lesson set. We are also excited to launch the new AI Secure Development learning path, where you will learn to build any app securely using AI while mastering foundational AI-powered security topics such as prompt injection and MCP.

Try the new "Feedback" button on learn.snyk.io (login required) to share feedback and topic suggestions.

Security lessons

[New] Learning Path - AI Secure Development
[New] Getting started with AI development
[New] Prompt engineering
[New] AI app development
[New] Securing your AI app
[New] AI in the Software Development Life Cycle (SDLC)
[New] AI Agents: Securing Autonomous Workflows

Snyk platform lessons

[New] Navigating the Evo Interface - a new lesson to familiarize yourself with the unified agentic interface in Evo by Snyk.
[New] AI Security Posture Management (AI-SPM) - a new lesson that enables users to detect AI assets via AI-BOM scans and enforce governance through Natural Language Policies as well as traditional menu items. We have refreshed the following lessons to ensure all content reflects our current platform and products, also providing a streamlined, role-based learning experience:
[Updated] Using Snyk in an IDE - updated to reflect the Developer’s workflow, including installing the plugin, authenticating, and using real-time scanning to find and fix vulnerabilities without leaving your IDE.
[Updated] Administrating Snyk in an IDE - formerly part of the “Using Snyk in an IDE” course, this lesson now focuses on the Administrator’s workflow, including advanced configuration and governance.

Expanded framework and coding languages coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

New/expanded language support:
- Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10 learning path.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Snyk Studio: Introducing Asynchronous, Hooks-Based Guardrails for AI Agents

Sam Broadaway, Senior Product Manager — Mon, 11 May 2026 16:00:00 GMT

Introducing Hooks-Based Guardrails

Snyk Studio is evolving our agentic guardrails to enable deeper trust in agent-generated code. We are debuting a new asynchronous, hooks-based approach to replace traditional rules-based guardrails, ensuring that security remains deterministic and efficient without slowing down the developer loop.

As agentic development has matured, initial friction points in rules-based models have become apparent. By transitioning to a hooks-based architecture, Snyk Studio resolves these key challenges with the traditional rules-based approach:

Determinism: While agents may occasionally ignore traditional rules, hooks are deterministic, ensuring that defined security scans are executed every time.
Zero Latency: Unlike rules-based models that add visible friction to the developer experience, hooks leverage background scans to provide a low-latency workflow.
Context Window Efficiency: The rules-based approach injected Snyk scan results into the agent's context window, consuming limited token space. Hooks decouple scan execution and results, keeping the context window focused on coding tasks.

Support for Leading ADEs

We have targeted support for the hook-based approach to cover popular Agentic Development Environments (ADEs) across both Windows and macOS. You can now leverage Snyk Studio guardrails in:

Claude Code
Cursor
Gemini CLI
Codex CLI (coming soon)

We also support automatic configuration of the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill for:

Kiro
Windsurf
Copilot CLI
Copilot VS Code Extension

Scaling for the Enterprise

To simplify adoption, we have released an installation script to automate configuration and deployment. The install script:

Supports Windows and Mac
Can be used via MDM to support distribution at scale
Installs the /snyk-fix command, /snyk-batch-fix command, MCP server, and secure dependency health check skill on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon), Kiro, Windsurf, Copilot CLI, and the Copilot VS Code Extension
Installs hooks on: Claude Code, Cursor, Gemini CLI, Codex CLI (coming soon)

Getting Started

See our revamped documentation to get hooks configured and installed in your favorite ADE.

What’s Next

We will continue to expand support for additional ADEs and are working to integrate Snyk Studio distribution directly with Agent Scan and Agent Guard.

New Analytics Overview Widgets

Sara Meadzinger, Staff Product Manager — Fri, 08 May 2026 04:00:00 GMT

We've added several new widgets to the analytics overview to provide better visibility into your security program. These updates include key performance indicators (KPIs) from the Snyk Studio and pull request (PR) check reports directly into your main dashboard.

Announcing Snyk CLI v1.1304.2

Matt Dolan, Senior Product Manager — Wed, 06 May 2026 12:30:00 GMT

We are pleased to announce Snyk CLI release, v1.1304.2

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

Fixed vulnerabilities:
- SNYK-GOLANG-GITHUBCOMAWSAWSSDKGOV2AWSPROTOCOLEVENTSTREAM-16316402
- SNYK-GOLANG-GITHUBCOMAWSAWSSDKGOV2SERVICES3-16316411
- CVE-2026-39892
- CVE-2026-33750
Snyk Studio: Adding missing tools annotations to MCP server

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Improved zero-day report filtering and visibility

Sara Meadzinger, Staff Product Manager — Tue, 05 May 2026 04:00:00 GMT

We’re improving the usability of our zero-day reports to help you manage multiple security incidents more effectively. We expanded the filter bar for selected zero-day events to provide better context when you view data from several incidents at once. Additionally, the Accumulative Issues Backlog trend chart now breaks out each selected incident individually, and we added a new filter to the open issues side panel that allows you to toggle between open and resolved issues.

Expanded Container JVM Support

undefined, undefined — Thu, 30 Apr 2026 20:00:00 GMT

We are pleased to announce expanded JVM support for Snyk Container vulnerability scanning. Previously, detection for unmanaged Java container software was limited to OpenJDK 8 binaries. With this update, customers can now identify vulnerabilities in their container images for Java versions beyond OpenJDK 8.

Announcing Snyk CLI v1.1304.1

Matt Dolan, Senior Product Manager — Mon, 27 Apr 2026 12:30:00 GMT

We are pleased to announce Snyk CLI release, v1.1304.1

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

Improved error handling to prioritize and surface the most relevant error and correct exit code when multiple errors occur during maintenance windows. Exit code behavior is documented here:
- https://docs.snyk.io/developer-tools/snyk-cli/debugging-the-snyk-cli#exit-codes
- https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-0099
Snyk Agent Scan: Improved CI flexibility with an issues ignore option, and added support for Windows x86 and macOS x86 architectures.
Fixed vulnerabilities:
- CVE-2026-4660
- CVE-2026-39883

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Snyk Code - Early May 2026 Update

Sebastian Roth, Senior Product Manager — Thu, 23 Apr 2026 08:00:00 GMT

Starting May 5, 2026, we're updating Snyk Code to improve scanning precision and reduce noise across all supported languages.

Improvements to scanning precision

All languages — Path Traversal severity tuning (CWE-22) Path Traversal findings are now tiered by source risk. Findings from lower-risk sources are automatically reclassified from High/Medium to Low severity, reducing noise while keeping high-risk vectors prominent.

Java, Kotlin, Groovy — Apache Camel framework coverage (CWE-89 / CWE-22 / CWE-611) Apache Camel Exchange HTTP sources are now tracked as taint origins. Applications using Apache Camel will see new findings where HTTP body and header values flow into SQL injection, path traversal, or XXE sinks. Customers using Apache Camel may see an increase in findings.

All languages — Improved .snyk exclude precision .snyk exclude patterns now use full .gitignore-style glob semantics for more expressive and consistent scan scope control. Customers relying on .snyk exclude rules may see changes in scan scope.

Python — Reduced false positives on archive extraction (CWE-22 / CWE-73) Python TarSlip detection is now scoped to genuine archive operations. Previously, any .extract() method call was flagged regardless of context - causing false positives in document parsers, ML pipelines, and custom extraction classes. Findings now only fire when the receiver is a tarfile.open() or zipfile.ZipFile() object. ZipSlip detection via zipfile.ZipFile is also improved. Customers may see a reduction in Python TarSlip findings and new ZipSlip findings where archive contents are extracted without path sanitisation.

Important details to note

All percentage improvements are based on Snyk's curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for Path Traversal as findings move to Low based on source risk tier. Total finding counts remain stable. Customers using Apache Camel may see an increase in findings as new data flows are detected. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Identify CISA KEV vulnerabilities for compliance

Sara Meadzinger, Staff Product Manager — Wed, 22 Apr 2026 04:00:00 GMT

We added a new Known Exploited Vulnerabilities (KEV) filter to help you identify risks that the Cybersecurity and Infrastructure Security Agency (CISA) tracks as already exploited in the wild. While we already allow you to filter vulnerabilities and Common Vulnerabilities and Exposures (CVE) by their exploit maturity level, this update specifically targets the CISA KEV catalog. You can find this filter on any page where issue filters are available to help you manage your security backlog.

Announcing Repo Monitor Configuration

Nathan Hart, Senior Product Manager — Wed, 15 Apr 2026 05:00:00 GMT

We are excited to be launching Repo Monitor Configuration, which allows for management of repository coverage and monitoring configurations centrally across your entire Snyk Group from the Group-level Inventory page. This means you can monitor and manage repositories without navigating between individual Snyk Organizations.

Repo Monitor Configuration provides the following capabilities:

Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view.
Bulk import: import repositories directly from the Group Inventory page into specific Snyk Organizations.
On-demand retesting: trigger a retest for specific repositories directly from Inventory.
Actionable error resolution: clear guidance ia available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically.

Repo Content Sync in Early Access

Nathan Hart, Senior Product Manager — Mon, 13 Apr 2026 23:00:00 GMT

We are excited to be launching Repository Content Sync (Early Access), an enhancement to how Snyk manages your imported repositories, ensuring your security posture always reflects your current codebase. This will be available to all Enterprise customers via Snyk Preview during the week of April 13th, 2026.

This new feature provides native, automated synchronization between your Source Code Management (SCM) tool and Snyk, eliminating the need for manual re-imports or external synchronization tools. It ensures: New Files are Detected: Snyk automatically creates new projects and monitors manifest, Docker, or configuration files as they are added to your SCM. Deletions are Reflected: Projects associated with manifest files deleted in your SCM are automatically deactivated in Snyk. This functionality is available across all Snyk-supported SCMs.

Please note: Because this feature enables Snyk to automatically detect and potentially create projects from newly added files, customers who enable the feature are likely to see an increase in issues.

Announcing new versions of Snyk IDE plugins

Matt Dolan, Senior Product Manager — Sun, 12 Apr 2026 23:00:00 GMT

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

This release is focused on enhancing stability and reliability, with key updates including:

Fixed download URL fallback when the CLI is not found
Fixed race conditions in authentication flows
Added support for JetBrains 2026.1

Along with additional bug fixes, security updates, and improvements.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

Native GraphQL Scanning for Snyk API & Web

Natalia Yurchenko, Senior Product Manager — Fri, 10 Apr 2026 08:00:00 GMT

We’ve expanded our DAST capabilities by adding GraphQL as a supported API target type in Snyk API & Web. This enables security tests specifically designed for GraphQL operations, including queries and mutations. In addition to schema ingestion via URL or file upload, you can now fetch your schema directly from an introspection endpoint to ensure tests stay up to date. To support these scans, we've also updated our authentication settings to include dedicated options for GraphQL targets.

Test target configuration for smoother scans with Snyk API & Web

Ana Pascoal, Product Manager — Thu, 09 Apr 2026 14:00:00 GMT

We added a new Test configuration option to the Scan dropdown menu and the Target Settings page. This allows you to verify that your target is accessible and correctly configured before starting a full dynamic application security testing (DAST) scan. When you click this button, a side panel opens in your target settings to provide real-time feedback on connectivity, authentication, web application firewall (WAF) interference, schema validity, and any detected extra hosts.

Announcing native uv support for the Snyk CLI

Johann Sutherland, undefined — Thu, 09 Apr 2026 12:30:00 GMT

Python is at the heart of the modern AI revolution but for many developers the packaging ecosystem has felt like a bottleneck: burdened by slow installs and fragmented tooling. The emergence of uv has changed that, offering a high-performance alternative that has quickly become the industry standard.

Today, we are excited to announce that Snyk is bringing native support for uv to the Snyk CLI, IDE, and GitHub Actions. This integration ensures that teams can embrace the speed of uv without ever having to trade off on security.

With this update, Snyk enables you to seamlessly integrate uv security scanning directly into your existing Snyk workflows, wherever you are using the CLI.

Announcing Snyk CLI v1.1304.0

Matt Dolan, Senior Product Manager — Wed, 08 Apr 2026 23:00:00 GMT

We are pleased to announce the latest stable Snyk CLI release, v1.1304.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

Snyk Evo
- Accelerate AI Governance and Security: Generate an AI-BOM and instantly validate it against your tenant's Evo policies using the new snyk aibom test command.
- Enhanced Red Teaming insights: Agent Red Teaming scanned output now includes a vulnerability summary for quicker triage. Also improved JSON support and new exhaustive and eager modes.
MCP
- Faster setup: Improved auto-enable behavior for Snyk Code.
- Ensure Reliable Package Quality: Package health checks are now fully promoted to the stable release channel, providing consistent and reliable risk information.
Container
- Extended support for Java runtime binary scanning.
Additional Reliability and Performance Improvements
- Increased stability with explicit network retry configuration, option to force global Maven usage, faster Golang scans, improved dependency resolution for Go, Yarn, and Python, and enhanced resilience against non-fatal Maven build errors.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

snyk_package_health_check for Snyk Studio is now available in Full profile

Noa Yaffe-Ermoza, Product Manager — Tue, 07 Apr 2026 21:00:00 GMT

Following our previous announcement, snyk_package_health_check is now available in the Full (default) profile for Snyk MCP.

This capability brings Secure at Inception protection to dependency selection in agentic development workflows, enabling AI agents to evaluate open-source packages before they are added to a project using insights from Snyk’s Security Database.

snyk_package_health_check is now generally available and enabled by default for supported ecosystems: npm, PyPI, Maven, NuGet, and Golang.

What’s new

Now included in the Full (default) profile - snyk_package_health_check is enabled by default for Snyk-supported MCP workflows.
Package health checks across four dimensions: Security, Maintenance, Community, and Popularity.
Clear guidance outcomes to help manage agent behavior, including Healthy, Review recommended, Not recommended, and Unknown/insufficient data.

Why this matters

Available by default - snyk_package_health_check is now included in the Full profile, so customers get dependency health checks in MCP workflows without additional setup.
Ready for production use - With this move to the Full profile, customers can confidently integrate Secure at Inception into their standard development workflows.

If you have any questions, please reach out to the Snyk Support team. To learn more about snyk_package_health_check, visit the Snyk documentation.

PR check report is now generally available

Sara Meadzinger, Staff Product Manager — Tue, 07 Apr 2026 04:00:00 GMT

We’ve moved the pull request (PR) check report to general availability (GA). This update includes several enhancements to help you track how your teams adopt security scanning within their workflows. We added Snyk Code errors to the error PR checks, fixed historical calculation discrepancies in adoption metrics, and optimized the underlying tables so that all reporting components load and filter much faster. Additionally, we updated the display of source code manager (SCM) icons to better organize the PR scanning adoption by organization table, and we added PR check data to the Export application programming interface (API), enabling you to programmatically export this information.