Product Updates

We have released a new CLI hotfix (v1.1301.1) to address bugs and improve the overall user experience:

• Reachability

  • Fixed an issue in test, when using reachability, that caused the fix advice to display incorrectly on certain occasions

  • Resolved a monitor bug with double-dashed arguments when using reachability

• General improvements

  • Improved scanning speed when running test/monitor with reachability

  • Improved SCA scanning through MCP with fewer I/O operations

  • Fixed multiple issues to make Snyk work more smoothly in your code editor

  • Updated dependencies to improve stability and security

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk Support team.

We are excited to share that Reachability for Python will gradually enter General Availability (GA) across all Snyk environments during the period of December 11th, 2025 to January 12th, 2026.

What is Reachability?

If enabled for your Group or Org, Reachability works by scanning your source code and determining whether the code (e.g. a specific function) that makes a vulnerability exploitable is actually reachable, either directly or transitively.

This contextual risk factor can help you prioritize which issues to prevent or fix first, based on the exploitability risk they pose to your applications.

What's changing with this release?

With the GA release of Reachability for Python, Snyk will automatically detect the reachability of issues across all pip, pipenv, and poetry projects.

If you use Reachability today but have not opted into the Snyk Preview of Reachability for Python, you may notice changes in the Risk Score for issues in these projects due to the inclusion of the reachability risk factor.

You can also expect ongoing Reachability improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

How do I get started?

Not using Reachability yet at all? You can read our User Docs to learn more about how to get started.

We’re introducing Objective C support in preview to help you secure your iOS and macOS applications. This update allows you to identify vulnerabilities across industry-standard libraries like AFNetworking and Realm, as well as native frameworks including Core Data and Security. You can now enable this feature directly in your settings to start scanning your code immediately.

We built this to ensure you have comprehensive coverage for your Apple ecosystem development, particularly for critical use cases like encrypted offline-first storage and hardened credential management. By supporting common libraries such as OpenSSL and Couchbase Lite alongside native frameworks, we help you secure legacy and active projects against complex risks.

This update affects developers and security teams managing Objective C codebases. If you use libraries like SQLite, RNCryptor, or Foundation, you can now detect security issues within your existing workflows. To benefit from this new capability, you must manually enable Objective C support within Snyk Preview.

To learn more, visit our Snyk User Documentation.

We’re improving Snyk Code analysis for the Java, Kotlin, and .NET ecosystems. These updates include support for the Netty framework and ASPX inline code expression blocks, arriving with our GA support for these languages on December 15.

We built these improvements to increase the accuracy of your scan results. By refining our analysis engines and expanding coverage to frameworks like Netty, we can help you identify more real issues while reducing distracting false positives.

You may notice changes in your vulnerability results after December 15. These improvements are designed to surface more true positive findings and remove false positives, specifically improving accuracy for Java, Kotlin, and .NET projects.

To learn more, visit our Snyk User Documentation.

We are pleased to announce the General Availability (GA) of the Severity Condition in Group-Level Policies.

This new capability empowers you to create more granular policies for taking action (such as ignoring or changing severity) on findings based on their severity. The condition is available for both Code and OS Security group-level policies within the UI.

To learn more about setting up group-level policies, visit our Snyk User Documentation.

On November 24th, 2025, we detected a new supply chain attack, SHA1-Hulud, impacting the npm ecosystem. We suspect this to be a second wave of the Shai-Hulud attack which took place in September 2025.

As communicated on our Trust Center, Snyk will continue to monitor this active incident through resolution. As of now, we believe over 700 packages have been compromised.

To help you better understand whether or not you have been impacted, we have released a new Featured Zero Day Report named SHA1-Hulud npm Supply Chain Attack - Nov 2025.

As new advisories are added and projects are re-tested, this Report will be populated with issues if Snyk detects the usage of any compromised packages.

We're excited to announce support for .NET 10 for Open Source, which was released on November 11. This update ensures you can securely build and scan your newest .NET applications. We’ve added this support for scans using both our command line interface (CLI) and integrations with source code management (SCM) systems. This feature is now generally available (GA) and supported within our "Improved .NET scanning" capability.

The .NET ecosystem is a top priority for many developers and for us. We are committed to providing quick support for all new major releases, and this update continues that commitment. This allows you to adopt new technology without sacrificing security visibility.

All developers using .NET 10 can immediately begin scanning their projects using the Snyk CLI or their integrated SCM tools—no manual configuration or action is required to enable this feature. Please be aware that simply changing your .NET target framework does not automatically update the associated project dependencies.

Note that RestoreEnablePackagePruning flag introduced in .NET 10 prunes unused system packages from the project. Those dependencies can be including again by setting the RestoreEnablePackagePruning property to false in your project file or Directory.Build.props file.

To learn more, visit our Snyk User Documentation and for more information about see updating the projects, see this help article.

We are pleased to announce the release of new stable versions for our IDE plugins. The new versions are:

• Visual Studio Code v2.27.0

• JetBrains v2.18.0

• Eclipse v3.6.0

• Visual Studio v2.6.0

This release is focused on enhancing stability and reliability, with key updates including:

• Automated Org Selection (Early Access): When enabled, Snyk will automatically select the most appropriate organization for your project using context found in your repository and your authentication. If an organization is configured manually, this feature will be overridden. If an appropriate organization cannot be identified automatically, the preferred organization defined in your web account settings will be used as a fallback.

Note: For Visual Studio Code, new Settings will only appear after the application has been restarted.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.

We’re pleased to announce that Reachability for Snyk CLI and CI/CD integrations is now available in Early Access for all Snyk Open Source customers.

As a refresher, Snyk’s Reachability analysis works by scanning your source code and determining whether the code that makes a vulnerability exploitable is reachable, either directly or transitively.

Starting today, you can now use Reachability with the latest Snyk CLI and CI/CD integrations to prevent these contextually relevant and higher risk issues from reaching production.

For more information on how to get started, please take a look our our User Docs.

We are pleased to announce the latest stable Snyk CLI release, v1.1301.0.

We are introducing the following key improvements in this version. To learn more about bug fixes and additional enhancements beyond what is highlighted below, please reference the full release notes.

This update includes the following:

• Snyk Container: Container scanning now supports both Ubuntu Chisel images and zstd-compressed layers, as well as usr/lib JAR files via the `--include-system-jars` parameter.

• Snyk Open Source: Initial support for Maven 4 is available for Open Source's test, monitor and SBOM commands.

• Snyk Open Source: Reachability for Snyk CLI and CI/CD integrations is now available in Early Access for all Snyk Open Source customers.

• Snyk SBOM: A new experimental flag, `--include-provenance`, for Maven projects that includes verification checksums in SBOMs.

• Snyk Studio: Snyk Studio now supports writing scan output into a file, and Service Account support.

• Stability, security, and performance: This release also includes numerous bug fixes and enhancements to improve the overall stability, security, and performance of the CLI.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version to take advantage of these new features and improvements.