Product Updates

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

  • As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

  • As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

  • In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

  • We’ve made some tweaks to how we handle transitivity in first party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand. 

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Ryan Searle | Product Director

Snyk Code CLI Upload is Generally Available

General availability

Snyk Code CLI Upload is now Generally Available. This powerful capability bridges the gap between local CLI scanning and the centralized power of the Snyk Platform. By uploading your scan results directly from the CLI to the Snyk Web UI, you unlock the full range of Snyk features, helping your teams gain a comprehensive, centralized view of their security posture.

This means that projects scanned via the Snyk CLI are now seamlessly integrated into the platform, giving you unified management and visibility, including:

  • Centralized Reporting: View historical trends, metrics, and risk overviews for CLI-scanned projects alongside your SCM-integrated projects.

  • Full Platform Features: Access Organization and Group level views, enabling better governance, policy enforcement, and holistic security management across all your code, dependencies, and configurations.

  • Unified Issue Management: Manage, triage, and collaborate on issues found by the CLI directly in the Snyk Web UI.

For all users, the Snyk Code CLI Upload functionality is available by updating to the latest Snyk CLI version and using the appropriate upload command/flag. This functionality is enabled and ready for use by default.

For more detailed information on how Snyk Code CLI Upload works and how to implement it, visit our CLI Upload documentation.

Dolev Oz | Product Manager

You can now use pnpm across Snyk

General availability

We're excited to announce that our support for the pnpm package manager is now generally available (GA). This update applies across the command line interface (CLI) and all Snyk source code management (SCM) integrations. Any new pnpm projects you import will now be correctly identified and scanned.

This has been a top request from the JavaScript community. We listened to your feedback and are thrilled to deliver this improvement to better support your workflows.

There is no action required from you. Over the next month, we will automatically migrate any of your existing projects that were previously misidentified as npm projects. All project history and any ignores you have configured will be preserved during this migration.

To learn more, visit the Supported Languages List in our user documentation.

Johann Sutherland

Announcing Snyk CLI v1.1300.0

New

We are pleased to announce the latest stable Snyk CLI release, v1.1300.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Snyk Container: Support for scanning system JARs has been introduced behind a feature flag. Also, the TargetOS is now part of the container scan output.

  • Snyk Open Source: Maven projects relying on metaversions (RELEASE/LATEST) will now have those correctly resolved when executing snyk test commands. 

  • General: We have introduced runAutomationDetails ID to the SARIF outputs.

  • Stability, security, and performance: This release also includes numerous bug fixes and enhancements to improve the overall stability, security, and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to benefit from these new features and improvements!


Jeff Andersen | Director, Product Management

The new Universal Broker is here!

General availability

Universal Broker is now generally available, simplifying how you manage multiple broker connections. We know that many customers use the Snyk Broker to control access to their secured resources, and now you can run multiple integrations through a single client. This change not only reduces the complexity of your setup but also can result in meaningful savings on hosting costs.

We know that managing multiple broker connections can be a source of overhead and complexity. Universal Broker was built to address this specific pain point, allowing you to streamline your AppSec program.

Universal Broker could benefit all Snyk customers who use the Snyk Broker. While your existing broker clients will continue to work, we recommend that all new broker installs use Universal Broker. We also encourage existing customers who manage multiple broker clients to consider the benefits of migrating.

To learn more, visit our Universal Broker documentation.

Rob Trickey | Director, Product Management

Upcoming Snyk Code Improvements for Java and VB.NET Analysis

Improved

Starting October 13, 2025, we're rolling out several analysis improvements in Snyk Code for the Java and VB.NET ecosystems. For Java, we are improving taint flow analysis to correctly handle variadic method parameters and enhancing inter-file sanitization logic. For VB.NET, we are adding support for aliased namespace imports.

These enhancements are designed to improve the accuracy of our static application security testing (SAST) engine. By better understanding how data flows through your applications and recognizing more language features, we can provide more precise scan results.

You may notice an increase in true positive findings and a reduction of false positives in your projects. These updates will be applied automatically as part of our standard support for Java and VB.NET, with no action required from you.

To learn more, visit our Snyk User Documentation.

Sebastian Roth | Senior Product Manager

Redesigned summary comments for pull requests

Improved

We're excited to introduce a new design for PR summary comments, which will give developers and reviewers a clearer, more organized view of their PR check results.

  • Streamlined summaries: Results are now displayed in a simple table, with links to the full test report and the number of issues per scan type. This helps teams quickly see whether a PR includes open-source vulnerabilities, license issues, or code vulnerabilities, and then dive deeper into the details in Snyk.

  • Cleaner experience: The banner has been removed, making it easier to see PR check results at a glance, even if they're being consumed by other integrations (like Slack notifications).

The new design for summary comments is enabled by default, and is available across all supported SCMs.

Summary content table with columns for Status, Scanner, Critical, High, Medium, Low, and Total vulnerabilities

We're excited to see how this helps your teams streamline code reviews and address issues more efficiently!

Mayank Khera | Senior Product Manager

Snyk Agent Fix in PRs is now available for GitLab and Azure Repos

Early access

This feature eliminates the manual overhead of resolving vulnerabilities, helping developers merge secure PRs faster while integrating seamlessly into their existing workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

  • Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

  • View an explanation of the suggested fix alongside the code snippet.

  • Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

  • Generate multiple fix suggestions within the same PR, where applicable.

If you'd like to enable this feature for your organization, you can do so in the Pull Request Experience section in your SCM integration settings.

Check our user documentation for more details and connect with your account team to participate in feedback sessions to shape the future of your workflows with Snyk.

Mayank Khera | Senior Product Manager

Track your team's security education program progress with our new Snyk Learn engagement report

General availability

We are introducing a new Snyk Learn engagement report in Snyk Reporting at the group level, which gives you a deeper understanding of your security education and training program's performance. The report lets you track overall Snyk Learn lesson assignment progress, which is great for continuous education and compliance programs. You can also use the report to see which content is most popular with your teams, view a leaderboard for your users, and see how long people have spent learning, which helps you identify your future security champions!

This report provides valuable insights into user adoption of Snyk Learn, including the ability to track and report on assignment progress.

To access this report, you need to have the Snyk Learning Management Add-on, in addition to a Snyk Enterprise plan.

You can access the report by navigating to the Group > Reports menu in the Snyk App. Any user role that can view in-app reports at the Group level can access this feature.

To learn more about this new report, visit our documentation. To find out about our Learning Management Add-On, speak with your Snyk account team.

Alex Ley | Director, Snyk Learn

Faster feedback for broken navigation sequences in Snyk API & Web

Improved

We're giving you more control over how scans behave when a navigation sequence fails. In your Target Settings, you'll now find an option to immediately fail a scan if a navigation sequence cannot be completed. When enabled, the scan stops right away, allowing you to fix the issue sooner.

Previously, a failed navigation sequence would not stop a scan, potentially leading to incomplete results and wasted resources. This change allows you to get faster feedback on broken test sequences, saving time and preventing tedious manual reviews to identify why a scan may not have covered the intended user journeys.

Starting September 30, 2025, you will see a new checkbox in the Navigation Sequences module within your Target Settings: When a navigation sequence fails, fail the scan immediately and notify me. This option is disabled by default, so existing scans will continue to run as they do now. To enable this fail-fast behavior, you will need to edit your Target Settings. You can also configure new notifications for these failures in your Slack integration settings.

To learn more, visit How to set up Navigation Sequences and Slack integration in our user documentation.

Ana Pascoal | Product Manager