snyk.io updates

Announcing Repo Monitor Configuration

Nathan Hart, Senior Product Manager — Wed, 15 Apr 2026 05:00:00 GMT

We are excited to be launching Repo Monitor Configuration, which allows for management of repository coverage and monitoring configurations centrally across your entire Snyk Group from the Group-level Inventory page. This means you can monitor and manage repositories without navigating between individual Snyk Organizations.

Repo Monitor Configuration provides the following capabilities:

Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view.
Bulk import: import repositories directly from the Group Inventory page into specific Snyk Organizations.
On-demand retesting: trigger a retest for specific repositories directly from Inventory.
Actionable error resolution: clear guidance ia available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically.

Repo Content Sync in Early Access

Nathan Hart, Senior Product Manager — Mon, 13 Apr 2026 23:00:00 GMT

We are excited to be launching Repository Content Sync (Early Access), an enhancement to how Snyk manages your imported repositories, ensuring your security posture always reflects your current codebase. This will be available to all Enterprise customers via Snyk Preview during the week of April 13th, 2026.

This new feature provides native, automated synchronization between your Source Code Management (SCM) tool and Snyk, eliminating the need for manual re-imports or external synchronization tools. It ensures: New Files are Detected: Snyk automatically creates new projects and monitors manifest, Docker, or configuration files as they are added to your SCM. Deletions are Reflected: Projects associated with manifest files deleted in your SCM are automatically deactivated in Snyk. This functionality is available across all Snyk-supported SCMs.

Please note: Because this feature enables Snyk to automatically detect and potentially create projects from newly added files, customers who enable the feature are likely to see an increase in issues.

Announcing new versions of Snyk IDE plugins

Matt Dolan, Senior Product Manager — Sun, 12 Apr 2026 23:00:00 GMT

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

This release is focused on enhancing stability and reliability, with key updates including:

Fixed download URL fallback when the CLI is not found
Fixed race conditions in authentication flows
Added support for JetBrains 2026.1

Along with additional bug fixes, security updates, and improvements.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

Native GraphQL Scanning for Snyk API & Web

Natalia Yurchenko, Senior Product Manager — Fri, 10 Apr 2026 08:00:00 GMT

We’ve expanded our DAST capabilities by adding GraphQL as a supported API target type in Snyk API & Web. This enables security tests specifically designed for GraphQL operations, including queries and mutations. In addition to schema ingestion via URL or file upload, you can now fetch your schema directly from an introspection endpoint to ensure tests stay up to date. To support these scans, we've also updated our authentication settings to include dedicated options for GraphQL targets.

Test target configuration for smoother scans with Snyk API & Web

Ana Pascoal, Product Manager — Thu, 09 Apr 2026 14:00:00 GMT

We added a new Test configuration option to the Scan dropdown menu and the Target Settings page. This allows you to verify that your target is accessible and correctly configured before starting a full dynamic application security testing (DAST) scan. When you click this button, a side panel opens in your target settings to provide real-time feedback on connectivity, authentication, web application firewall (WAF) interference, schema validity, and any detected extra hosts.

Announcing native uv support for the Snyk CLI

Johann Sutherland, undefined — Thu, 09 Apr 2026 12:30:00 GMT

Python is at the heart of the modern AI revolution but for many developers the packaging ecosystem has felt like a bottleneck: burdened by slow installs and fragmented tooling. The emergence of uv has changed that, offering a high-performance alternative that has quickly become the industry standard.

Today, we are excited to announce that Snyk is bringing native support for uv to the Snyk CLI, IDE, and GitHub Actions. This integration ensures that teams can embrace the speed of uv without ever having to trade off on security.

With this update, Snyk enables you to seamlessly integrate uv security scanning directly into your existing Snyk workflows, wherever you are using the CLI.

Announcing Snyk CLI v1.1304.0

Matt Dolan, Senior Product Manager — Wed, 08 Apr 2026 23:00:00 GMT

We are pleased to announce the latest stable Snyk CLI release, v1.1304.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

Snyk Evo
- Accelerate AI Governance and Security: Generate an AI-BOM and instantly validate it against your tenant's Evo policies using the new snyk aibom test command.
- Enhanced Red Teaming insights: Agent Red Teaming scanned output now includes a vulnerability summary for quicker triage. Also improved JSON support and new exhaustive and eager modes.
MCP
- Faster setup: Improved auto-enable behavior for Snyk Code.
- Ensure Reliable Package Quality: Package health checks are now fully promoted to the stable release channel, providing consistent and reliable risk information.
Container
- Extended support for Java runtime binary scanning.
Additional Reliability and Performance Improvements
- Increased stability with explicit network retry configuration, option to force global Maven usage, faster Golang scans, improved dependency resolution for Go, Yarn, and Python, and enhanced resilience against non-fatal Maven build errors.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.

snyk_package_health_check for Snyk Studio is now available in Full profile

Noa Yaffe-Ermoza, Product Manager — Tue, 07 Apr 2026 21:00:00 GMT

Following our previous announcement, snyk_package_health_check is now available in the Full (default) profile for Snyk MCP.

This capability brings Secure at Inception protection to dependency selection in agentic development workflows, enabling AI agents to evaluate open-source packages before they are added to a project using insights from Snyk’s Security Database.

snyk_package_health_check is now generally available and enabled by default for supported ecosystems: npm, PyPI, Maven, NuGet, and Golang.

What’s new

Now included in the Full (default) profile - snyk_package_health_check is enabled by default for Snyk-supported MCP workflows.
Package health checks across four dimensions: Security, Maintenance, Community, and Popularity.
Clear guidance outcomes to help manage agent behavior, including Healthy, Review recommended, Not recommended, and Unknown/insufficient data.

Why this matters

Available by default - snyk_package_health_check is now included in the Full profile, so customers get dependency health checks in MCP workflows without additional setup.
Ready for production use - With this move to the Full profile, customers can confidently integrate Secure at Inception into their standard development workflows.

If you have any questions, please reach out to the Snyk Support team. To learn more about snyk_package_health_check, visit the Snyk documentation.

PR check report is now generally available

undefined, undefined — Tue, 07 Apr 2026 04:00:00 GMT

We’ve moved the pull request (PR) check report to general availability (GA). This update includes several enhancements to help you track how your teams adopt security scanning within their workflows. We added Snyk Code errors to the error PR checks, fixed historical calculation discrepancies in adoption metrics, and optimized the underlying tables so that all reporting components load and filter much faster. Additionally, we updated the display of source code manager (SCM) icons to better organize the PR scanning adoption by organization table, and we added PR check data to the Export application programming interface (API), enabling you to programmatically export this information.

Introducing Unified Navigation: A Faster Way to Secure Your Application Stack

Maor Kuriel, Director of Product — Mon, 06 Apr 2026 21:00:00 GMT

Key Capabilities of Unified Navigation

1. A Single Source of Truth The new navigation bar consolidates all Snyk products—Code, Container, IaC, and Cloud—into one sidebar. You can now access the global search to find any project or issue across your entire organization instantly.

2. Context-Aware Shortcuts Snyk now recognizes what you are working on and provides intelligent shortcuts. This reduces the steps for common workflows from 8 clicks down to just 2 or 3, allowing you to move at the speed of development.

3. Developer-First Interface We’ve redesigned the experience to match how developers actually work. This includes Persistent Views; the platform now remembers your filters and workspace settings, so you don't have to rebuild them every time you log in.

4. Simplified Project Management Setting up new scans is now more intuitive. With a visual policy builder and templates, you can configure security rules without editing complex YAML files.

Automatically Close Obsolete Fix Open Source PRs with Help from Snyk

Ryan McMorrow, Product Lead, Remediation — Mon, 06 Apr 2026 04:00:00 GMT

Nobody likes a cluttered PR backlog. That's why Snyk now automatically closes Open Source Fix PRs if the vulnerabilities they target are no longer present in your project.

Whether a developer manually applied a fix, removed the dependency, or a transitive update resolved the issue, Snyk will catch it during your next recurring test and close the outdated PR. We will also drop a comment on the PR explaining exactly which issues were resolved, ensuring your team always has the right context without the extra noise.

How it works:

Snyk checks your open Fix PRs during your regular recurring tests.
If the targeted issues are gone—whether the dependency was removed, updated transitively, or fixed manually—the PR is automatically closed.
Snyk leaves a comment on the PR listing the resolved issues so your team knows exactly why it was closed.

This update gives you a cleaner, more actionable PR pipeline with zero extra effort.

Get Started Today This feature is going live as an opt-in starting today. Just navigate to the Snyk Preview panel to get started, and we'll begin closing up to five obsolete PRs from your backlog per day. As we move towards General Availability, we'll be bringing you the ability to configure that daily limit to best suit your team's workflow.

Please note that this feature is opt-in for Early Access, but once we move to General Availability, it will move to opt-out. This feature is tentatively scheduled to move to General Availability on June 15, 2026.

And stay tuned—there is a lot more to come in our ongoing efforts to revolutionize the Snyk PR experience!

Active Security Incident Assessment

Sara Meadzinger, Staff Product Manager — Fri, 03 Apr 2026 04:00:00 GMT

We’ve launched an Active security incident assessment banner to help you manage major zero-day events. When our Security team identifies a high-severity zero-day vulnerability in a widely used package, we’ll trigger a dedicated banner at the top of the Zero Day report. This assessment provides a look at your exposure, including the total number of assets needing triage, assets cleared, and the specific open-source (OSS) packages involved.

Snyk Learn lesson roundup: what’s new in April

Alex Ley, Director, Snyk Learn — Wed, 01 Apr 2026 15:00:00 GMT

We’ve added new secure coding content, Snyk platform training, and expanded Snyk Learn coverage to help your security engineers and developers stay ahead of the latest risks.

We’ve included direct links to every new and updated lesson so you can easily share them with your team. You can also assign them directly through the Snyk Learning Management Add-On.

Security lessons

We are creating lessons for the new OWASP Top 10 for Agentic Applications, with the first 4 lessons available.
- [New] Agentic 01 - Agent goal hijack
- [New] Agentic 02 - Agent tool misuse
- [New] Agentic 03 - Identity and privilege abuse
- [New] Agentic 04 - Agentic supply chain vulnerabilities
[New] Cross-origin resource sharing

Snyk platform lessons

[New] Snyk Billing and Credit Usage - a new lesson on how credits function within the Snyk platform and how to track and manage them in the Billing module.
We have refreshed the following lessons to ensure all content reflects our current platform and products, also providing a streamlined learning experience:
- [Updated] Prioritizing issues with Snyk
- [Updated] Integrations for asset management and discovery
- [Updated] Reviewing Inventory for asset management and discovery
- [Updated] Asset Dashboard report for asset management and discovery
- [Updated] Policies for asset management and discovery
- [Updated] Overview of Snyk for asset management and discovery
- [Updated] Snyk terminology for asset management and discovery
- [Updated] Snyk Platform using Snyk Analytics
- [Updated] Application context with ServiceNow® CMDB
- [Updated] Application context with Backstage software catalog

Expanded framework & language coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

We have added support to almost 50 lessons for Ruby
We have added support to 30 lessons for Rust

Enhanced issue filtering for the export API

Sara Meadzinger, Staff Product Manager — Tue, 31 Mar 2026 04:00:00 GMT

We're updating the stable Export API (version 2024-10-15) to include more granular filtering for the issues dataset. You can now filter your export request payloads using additional parameters, including issue status, issue type, and project origin. We've also added support for advanced filters such as common vulnerabilities and exposures (CVE) ID, reachability, and National Vulnerability Database (NVD) severity to help you refine your reporting.

Track your monitored projects with a new analytics widget

Sara Meadzinger, Staff Product Manager — Tue, 31 Mar 2026 04:00:00 GMT

We’re adding an analytics overview widget that tracks the total number of Snyk projects being monitored. This key performance indicator (KPI) is available in the Widget selector, allowing you to add it to your saved dashboards. This update helps you visualize the total count of projects being continuously monitored for open-source vulnerabilities and license issues, after you use the snyk monitor command.

Updates to finding management permissions at Snyk API & Web

Ana Pascoal, Product Manager — Mon, 30 Mar 2026 10:15:00 GMT

We're introducing a new permission called Change Finding State to give you more granular control over how your teams manage security findings. Previously, the Change Finding permission covered several actions: changing a finding's state, review status, assignee, labels, and adding notes. We've separated these capabilities so that Change Finding State now specifically handles changing a finding's state and review status, and the existing Change Finding permission now focuses on managing assignees, labels, and notes. To prevent any workflow interruptions, all built-in and existing custom roles that currently have the Change Finding permission will automatically receive the new Change Finding State permission.

Export table data to CSV with Snyk API & Web

Ana Pascoal, Product Manager — Mon, 30 Mar 2026 10:15:00 GMT

We’re introducing a new Download CSV feature to help you export your data directly from the interface. Starting today, you can download a comma-separated values (CSV) file that matches your current table view, including any active filters or hidden columns. We'll follow this implementation soon after, with an enhanced version that gives you even more flexibility, by allowing you to choose from a wider range of fields, which ones to include in your CSV file.

SPDX License List Updated to v3.28

Noa Yaffe-Ermoza, Product Manager — Sun, 29 Mar 2026 21:00:00 GMT

We’ve updated Snyk Open Source license detection to use the latest SPDX license list (v3.28), upgrading from the previously supported version (v3.20).

This update improves license recognition across dependencies and reduces the number of licenses previously categorized as “Unknown”. With this change, Snyk can now recognize and surface additional standard SPDX licenses, enabling more accurate license compliance insights and allowing customers to define policies for these licenses directly.

What’s changed

Updated SPDX License List support to the latest version, v3.28 (previously v3.20).
Snyk Open Source license detection now recognizes additional SPDX licenses included in the latest version.
Newly recognized licenses can now be managed in License Policies, reducing cases where licenses appear as “Unknown.”

Who’s affected

This update applies to all customers using Snyk Open Source license scanning.
Newly supported licenses will appear after the next dependency scan or project re-test.

Why this matters

Previously, some dependencies using valid SPDX licenses were categorized as “Unknown” because they were not yet supported by Snyk.

By expanding SPDX license coverage, this update helps teams:

Improve the accuracy of license detection in dependency scans.
Define policies for a broader set of open source licenses.
Reduce manual investigation when licenses appear as “Unknown”.

If you have any questions about this update, please reach out to the Snyk Support team.

To learn more about licenses, visit the Snyk documentation.

Improved License Policy Behavior for Newly Added Licenses

Noa Yaffe-Ermoza, Product Manager — Sun, 29 Mar 2026 21:00:00 GMT

We’ve updated how newly supported licenses behave in Snyk Open Source license policies.

When Snyk adds support for new licenses, they will now default to a severity of None and will not inherit the severity configured for the Unknown license type.

As a result, newly supported licenses will not generate findings unless a severity is explicitly configured in your License Policy.

What’s changed

Newly added licenses now default to severity = None.
Newly added licenses do not inherit the severity configured for the Unknown license type.
These licenses will only generate findings if a severity is explicitly configured in your License Policy. These licenses will still be detected and visible in SBOMs and in your Project’s dependency data.
You can review and configure severity levels for newly supported licenses directly in your License Policies.

Why this matters

This change makes license policy behavior more predictable and gives you full control over how newly supported licenses are classified.
Previously, newly added licenses could inherit the severity configured for the Unknown license type, leading to unexpected findings when new licenses were introduced.

Recommended action

If you rely on license policies to flag licenses in scan results, we recommend periodically reviewing your License Policies and assigning severity levels to newly supported licenses that are relevant to your organization.

If you have any questions about this change, please reach out to the Snyk Support team.

To learn more about licenses, visit the Snyk documentation.

Snyk Code - COBOL support now available in Snyk Preview

Sebastian Roth, Senior Product Manager — Thu, 26 Mar 2026 09:00:00 GMT

You can now scan COBOL codebases for security vulnerabilities using Snyk Code. This update helps large Organizations, particularly in retail and financial services, include legacy mainframe applications in their security programs and meet compliance or audit requirements.

Many Organizations manage significant COBOL codebases that previously lacked automated security scanning support. By adding COBOL support to Snyk Code, you can identify risks earlier in the development process and maintain a consistent security posture across your entire application portfolio.

Supported features

This release provides security coverage for standard COBOL, including CICS constructs.

Key features include:

Support for .cbl, .ccp, .cob, and .cpy file extensions.
15 security rules across cryptography, injection, secrets, and error handling.
Integration with the Snyk web UI for vulnerability management.

How to get started

You can access this feature through Snyk Preview.

Snyk Code - Ruby Interfile GA

Sebastian Roth, Senior Product Manager — Thu, 26 Mar 2026 09:00:00 GMT

Snyk Code expands Ruby analysis with interfile data flow support

Starting April 7, 2026, Snyk Code includes interfile data flow analysis for all Ruby Projects. This update moves beyond single-file analysis to detect vulnerabilities that span multiple files, providing a more accurate assessment of your code.

Improve Ruby on Rails security

Ruby on Rails applications often distribute logic across models, views, and controllers. By analyzing data flows across the entire codebase rather than individual files, Snyk Code identifies complex vulnerabilities that were previously difficult to detect. We've also refreshed the Ruby on Rails ruleset to provide better coverage for modern development patterns.

Key enhancements

Interfile analysis:
You can now trace data flows across multiple files in all Ruby Projects scanned by Snyk Code.
Updated ruleset:
We've improved the Ruby on Rails rules to ensure more comprehensive vulnerability detection.
Zero configuration:
This feature is active by default for all customers on April 7, 2026, and requires no manual setup.

Support for security teams

These improvements help security teams perform more effective risk assessments on large Ruby codebases. By closing the gap on interfile support, Snyk Code provides the same depth of analysis for Ruby as it does for other major languages.

Because analysis quality is enhanced, you may notice a change in your scan results, including new true positives and the removal of previous false positives.

For more information, you can review the current Ruby and rules documentation at https://docs.snyk.io.

Snyk API & Web MCP Server

Ricardo Alves, Director, Product Management — Tue, 24 Mar 2026 12:00:00 GMT

Snyk API & Web MCP Server brings even more security to your IDE You can use the Snyk API & Web MCP server to bring Snyk security capabilities directly into your AI-native development environment. By using the Model Context Protocol (MCP), you can use natural language to onboard targets, configure DAST authentication, scan targets, and triage vulnerabilities without leaving your IDE.

Announcing Snyk CLI v1.1303.2

undefined, undefined — Mon, 23 Mar 2026 03:00:00 GMT

We have released a new CLI hotfix (v1.1303.2) to address the following:

Security Fixes
- We have implemented a fix for a vulnerability identified in our underlying gRPC library
Snyk Open Source
- Optimized Privilege Evaluation: Resolved a bug where the CLI repeatedly checked user feature flags when scanning multiple Go projects, resulting in smoother performance.
- Enhanced PackageURL Handling: Fixed an issue where Go projects using a replace directive with relative paths would encounter formatting errors.
Snyk Container
- Go Standard Library: This update introduces expanded support for the Go Standard Library within Snyk Container scans.
Snyk Evo (Agent Red Teaming)
- Attack Profiles: Users can now leverage the --profile flag to choose from pre-configured attack goals, including fast, security, and safety profiles.
- Improved Terminology: We have updated our internal naming conventions for goals, strategies, and attacks to provide a more intuitive user experience.
- Improved Onboarding: Interactive wizard to guide users through Agent Red Teaming configuration and setup.

Release notes can be found here.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Snyk Code - March Update

Sebastian Roth, Senior Product Manager — Thu, 12 Mar 2026 10:00:00 GMT

Starting March 30, 2026, we’ve updated Snyk Code to provide more accurate results and reduce developer friction. These improvements help you focus on exploitable production code by reducing false positives and automatically deprioritizing issues found in test environments.

By refining our detection logic across several languages, we've lowered noise and increased the catch rate for critical vulnerabilities.

Improvements to scanning precision

We've focused on three key areas to improve your triage experience:

Reduced noise: We've significantly lowered the number of false positives for .NET CSRF and JVM-based certificate validation.
Risk-based triage: JavaScript vulnerabilities located in test classes now appear as Low severity. This change allows you to spend more time on production code rather than test mocks.
Higher confidence: We've increased the true positive catch rate for hardcoded passwords in PHP and CSRF vulnerabilities in Kotlin.

Language-specific updates

You can see these improvements reflected in the following areas:

.NET (C#): Enhanced CSRF detection with an 18% reduction in false positives.
JavaScript: Automated detection of test classes to reclassify issues as Low severity.
Java/Kotlin: Improved support for detecting disabled CSRF protection in Spring Apps and refined SQLi precision.
JVM (Java, Groovy, Kotlin, Scala): Improved logic for CWE-295 (Improper Certificate Validation).
PHP: Expanded patterns for hardcoded password detection.

Important details to note

All percentage improvements are based on Snyk’s curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for JavaScript as issues move to Low based on their file location. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.

Snyk Code - March Ruby Update

Sebastian Roth, Senior Product Manager — Thu, 12 Mar 2026 00:00:00 GMT

Snyk Code updates for Ruby include Sinatra support and RSpec noise reduction

Starting March 23, 2026, we've updated Snyk Code to provide broader coverage and more precise results for Ruby developers. These improvements expand support to the Sinatra framework and general Ruby applications while helping you manage alert noise in test files.

Expanding Ruby support beyond Rails

You can now use Snyk Code to secure applications built with Sinatra or vanilla Ruby. We've added new sources, sinks, and sanitizers to our knowledge base to ensure your microservices and monoliths receive accurate security analysis regardless of the framework you choose.

Reducing noise in RSpec test suites

To prevent non-production vulnerabilities from cluttering your results, Snyk Code now automatically identifies RSpec files. The engine regrades security issues found in these files to Low Severity. This change acknowledges the lower risk profile of test code and helps ensure your PR Checks remain focused on production-ready code.

Higher precision for object-oriented code

We've enhanced how Snyk Code tracks data flow through Ruby classes. The engine now better understands custom getters, setters, and direct field accesses. This improvement leads to more accurate detection and reduces both false positives and false negatives in complex codebases. Organizations making extensive use of custom fields can expect more reliable results that reflect how their data actually moves through the application.

To learn more, visit our Snyk User Documentation.

To learn more, visit Snyk Code language and framework support.