
Product Updates


OWASP Top 10:2025 Support in Snyk API & Web

Improved

Snyk API & Web now supports the OWASP Top 10:2025 standard for compliance reporting. Users can generate compliance reports against either OWASP 2025 or OWASP 2021 — both versions remain available.

The OWASP Top 10 is the most widely referenced application security framework globally. It's used by enterprises for compliance programs, audit preparation, security training, and vulnerability prioritization.

The OWASP Top 10:2025 was officially published in November 2025 and is being adopted by enterprises, auditors, and compliance programs now. Organizations need their security tools to support the current standard for audit-ready compliance reports.

Without 2025 support, compliance teams face manual workarounds — exporting findings to spreadsheets and cross-referencing against the new standard — a time-consuming and error-prone process.


What changed in OWASP Top 10 2025:

  • Two new categories: A03 (Software Supply Chain Failures) and A10 (Mishandling of Exceptional Conditions)

  • Re-ranked categories: Security Misconfiguration moved from #5 to #2; Injection dropped from #3 to #5; Cryptographic Failures dropped from #2 to #4

  • SSRF reclassification: Server-Side Request Forgery is now classified under A01 (Broken Access Control) instead of having its own category

You can now generate compliance reports against either OWASP 2025 or OWASP 2021 directly from the Snyk API & Web interface — both versions remain available.

How to use:

  1. From the Scan Activity list or from your Scan details, click on the Reports button to expand it

  2. Select the OWASP version you need:

    • OWASP Top 10 2025 — for audits, compliance programs, or reporting against the current standard

    • OWASP Top 10 2021 — for historical comparisons or programs that haven't migrated to the 2025 edition yet

  3. Generate your report — all findings are automatically mapped to the selected standard

What you'll see:

  • Compliance reports are clearly labeled with the selected OWASP version

  • Versioned compliance labels throughout the product (target details, scan details, finding details) show which standard a finding is failing to comply with (e.g., OWASP 2025, OWASP 2021)

To learn more, visit Types of scan reports you can generate with Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager

More flexibility when exporting table data to CSV with Snyk API & Web

Improved

We've improved the recently introduced Download CSV feature to offer greater flexibility when exporting data directly from the Snyk API & Web interface.

We understand that analyzing security data often happens outside of our platform. The original Download CSV functionality was added to save you time and streamline custom reporting and internal data manipulation. This expansion provides even more power and flexibility by allowing you to select from a comprehensive range of fields, ensuring you get exactly the data you need for your external analysis.

This feature is available to all users across all account plans. If you have access to a table, you can download its data.

To learn more, visit How to export table data to CSV in our user documentation.

Ana Pascoal | Product Manager

Native GraphQL Scanning for Snyk API & Web

New

We’ve expanded our DAST capabilities by adding GraphQL as a supported API target type in Snyk API & Web. This enables security tests specifically designed for GraphQL operations, including queries and mutations. In addition to schema ingestion via URL or file upload, you can now fetch your schema directly from an introspection endpoint to ensure tests stay up to date. To support these scans, we've also updated our authentication settings to include dedicated options for GraphQL targets.

To learn more, visit How to configure and scan an API and How to set target authentication: GraphQL in our user documentation.

Natalia Yurchenko | Senior Product Manager

Test target configuration for smoother scans with Snyk API & Web

Improved

We added a new Test configuration option to the Scan dropdown menu and the Target Settings page. This allows you to verify that your target is accessible and correctly configured before starting a full dynamic application security testing (DAST) scan. When you click this button, a side panel opens in your target settings to provide real-time feedback on connectivity, authentication, web application firewall (WAF) interference, schema validity, and any detected extra hosts.

We want to simplify your onboarding experience and prevent failed scans caused by misconfigured settings. By validating your setup upfront, we help you identify and fix issues immediately, reducing the need for troubleshooting or technical support later in the process.

You can now proactively test your target configuration. To use this feature, ensure you have the view_target, change_target_settings, and start_scan permissions.

To learn more, visit How to test target configuration in our user documentation.

Ana Pascoal | Product Manager

Export table data to CSV with Snyk API & Web

New

We’re introducing a new Download CSV feature to help you export your data directly from the interface. Starting today, you can download a comma-separated values (CSV) file that matches your current table view, including any active filters or hidden columns. We'll follow this soon with an enhanced version that gives you even more flexibility by letting you choose, from a wider range of fields, which ones to include in your CSV file.

We recognize that managing security data often requires analysis outside of our platform. Previously, moving table data into other tools required manual effort or copy-pasting. We're adding this functionality to save you time and provide a powerful way to leverage your data for custom reporting and internal manipulation without the manual overhead.

This feature is available to all users across all account plans. If you have access to a table, you can now download its data.

To learn more, visit How to export table data to CSV in our user documentation.

Ana Pascoal | Product Manager

Updates to finding management permissions at Snyk API & Web

Improved

We're introducing a new permission called Change Finding State to give you more granular control over how your teams manage security findings. Previously, the Change Finding permission covered several actions: changing a finding's state, review status, assignee, labels, and adding notes. We've separated these capabilities so that Change Finding State now specifically handles changing a finding's state and review status, and the existing Change Finding permission now focuses on managing assignees, labels, and notes. To prevent any workflow interruptions, all built-in and existing custom roles that currently have the Change Finding permission will automatically receive the new Change Finding State permission.

We made this change to help you better implement the principle of least privilege within your security programs. We heard that many organizations need to allow team members to contribute to the triage process — such as by adding notes or labels — without granting them the authority to officially ignore a finding or accept a risk. By decoupling these actions, we provide the flexibility to define more specific roles for your developers and security analysts.

You can now create custom roles that allow users to add context to findings without giving them the ability to change the security posture of an application. For example, if you want a user to be able to add notes to a finding, you can assign them the View Target and Change Finding permissions, but if you want a user to be able to ignore or accept findings, they will now require the Change Finding State permission. While this update does not change current access for existing users, we recommend reviewing your custom roles to see if you can further restrict permissions.

To learn more, visit Understanding Permissions at Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager

Snyk API & Web MCP Server

New

Snyk API & Web MCP Server brings even more security to your IDE

You can use the Snyk API & Web MCP server to bring Snyk security capabilities directly into your AI-native development environment. By using the Model Context Protocol (MCP), you can use natural language to onboard targets, configure DAST authentication, scan targets, and triage vulnerabilities without leaving your IDE.

Security workflows often require manual effort and constant context switching. We built the Snyk API & Web MCP server to eliminate this friction. Previously, setting up and onboarding new targets required significant manual work. This integration simplifies these processes and removes the need for security plumbing between tools.

This release benefits AppSec and Dev Teams using MCP-enabled tools like Claude Desktop, Cursor, or Windsurf.

  • From UI-heavy to chat-native: Instead of navigating menus to set up a scan, you can tell your assistant to automatically onboard and configure a new Snyk API & Web target.

  • Automated authentication: Use AI to help generate and implement the authentication scripts required for deep web scans.

Learn more about these capabilities in the Snyk API & Web MCP Server documentation.

Ricardo Alves | Director, Product Management

Enhanced header controls for testing Postman Collections with Snyk API & Web

General availability

We’ve added a new Custom Headers module to the Scanner tab within Postman target settings. Much like our existing functionality for Web and OpenAPI targets, you can now configure specific headers and determine whether they should be included in the test surface or not. By default, we treat these headers as static prerequisites — such as authentication tokens — that are sent with every request to satisfy API requirements without being actively tested. If you select the checkbox to test a header, the scanner treats that header value as a testable attack surface and runs full security checks against it.

We’re introducing this update to give you more flexibility and precision when scanning Postman targets. Many APIs require specific headers to function, but not all of those headers need to be subjected to security testing. By allowing you to define which headers are static prerequisites and which should be actively tested, we’re ensuring your scans are both compatible with your API requirements and focused on the right attack surfaces.

You can now manage your Postman targets’ scan configurations more effectively by adding custom headers directly in the UI. When you view your results, the Scan results page for Postman targets now includes a Custom Headers entry in the USED SETTINGS module. This clearly indicates whether custom headers were Enabled or Disabled for that specific scan, providing better auditability for your security testing.

To learn more, visit Understanding Custom Headers in Snyk API & Web in our user documentation.

Ana Pascoal | Product Manager

Manage DAST authentication with the new Credentials Manager

New

Starting on March 6, 2026, we’re introducing Credentials Manager to help you store and manage sensitive authentication data separately from your target configurations. This update simplifies secrets management and allows teams to share authentication setups without exposing actual credentials.

The Credentials Manager replaces the Secret Obfuscation feature, which is now discontinued.

Running dynamic application security testing (DAST) scans requires sensitive information like logins, passwords, and tokens. Previously, these were stored directly within each Target. This made it difficult to manage authentication across multiple targets and made regular password rotation time-consuming. We built this to provide a centralized way to manage these secrets more efficiently.

The Credentials Manager introduces several changes to how you handle sensitive data:

  • Centralized storage: You store credentials in a dedicated place, keeping them separate from your Target configuration.

  • Write-only secrets: Some credentials are write-only. You can use these in authentication settings, but the values remain hidden after you save them.

  • Flexible configuration: You can still create credentials for a single Target if you do not want to save them to the central Credentials Manager.

To learn more, visit How to manage target authentication credentials in Snyk API & Web.

Natalia Yurchenko | Senior Product Manager

Secure your OpenAPI targets against BOLA vulnerabilities with Snyk API & Web

General availability

We are excited to announce the general availability of Broken Object Level Authorization (BOLA) detection for OpenAPI targets, starting today. This feature uses artificial intelligence (AI), particularly large language models (LLMs), to identify unauthorized data access risks. You can now test for these vulnerabilities using the built-in API Normal or API Full scanning profiles.

BOLA is ranked as the primary risk in the OWASP API Top 10. By automating the detection of this complex vulnerability, we help you move beyond manual security reviews and reduce the risk of data leaks. Our goal is to provide proactive protection for your APIs by identifying authorization flaws before they can be exploited.

To use this feature, you must configure API target authentication for two separate users. The second user acts as the attacker and should have the same or lower privileges than the first user, and should not have access to the first user's resources. Once configured, our scanning engines will automatically attempt to detect if the second user can inadvertently access data belonging to the first, providing clear visibility into potential authorization gaps.
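The two-user check described above, as an added illustration that is not Snyk's scanner code: objects the first (victim) user can read are replayed with the second (attacker) user's credentials, and any success is a BOLA finding. The mock API, its tokens and its single planted ownership flaw are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample data: which user owns each object path.
OWNERS = {"orders/1001": "alice", "orders/1002": "alice", "orders/2001": "bob"}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}


@dataclass
class MockApi:
    """Stand-in for the target API. Ownership is enforced everywhere except
    for the paths in broken_ids, which is the planted BOLA defect."""
    broken_ids: set = field(default_factory=lambda: {"orders/1002"})

    def get(self, path: str, token: str) -> int:
        user = TOKENS.get(token)
        if user is None:
            return 401
        if path not in OWNERS:
            return 404
        if OWNERS[path] == user or path in self.broken_ids:
            return 200
        return 403


def discover_objects(api: MockApi, token: str, candidates: list) -> list:
    """Objects the victim user can legitimately read with their own token."""
    return [p for p in candidates if api.get(p, token) == 200]


def bola_check(api: MockApi, victim_token: str, attacker_token: str, candidates: list) -> list:
    """Differential authorization test: the attacker (same or lower privilege,
    no share in the victim's data) requests each of the victim's objects.
    A 2xx response for an object the victim owns is reported as a finding."""
    findings = []
    for path in discover_objects(api, victim_token, candidates):
        status = api.get(path, attacker_token)
        if 200 <= status < 300:
            findings.append({"object": path, "attacker_status": status})
    return findings


if __name__ == "__main__":
    for f in bola_check(MockApi(), "token-alice", "token-bob", list(OWNERS)):
        print(f"BOLA: {f['object']} readable by second user (HTTP {f['attacker_status']})")
```

If the attacker gets a success on every victim object, check the setup first: the two accounts must not share data, or the test cannot distinguish a defect from legitimate shared access.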

To learn more, visit How to set up your target for testing BOLA vulnerabilities? in our user documentation.

Ana Pascoal | Product Manager