Product Updates

Assess secure-at-inception effectiveness with the Prevention report (Early Access)

Early access

We are thrilled to announce that the Prevention Report is now available in Early Access!

Measuring the true impact of "shifting left" has traditionally been a challenge. We designed the Prevention report to give you clear, actionable visibility into the effectiveness of security adoption directly within your development lifecycle.

This new report tracks the vulnerabilities developers proactively remediate at the point of creation in Snyk Code and Secrets—long before those issues ever reach a pull request or production environment. Data is seamlessly captured in the background as your team works across our developer surfaces, including Snyk Studio (MCP), IDE plugins and extensions, and the CLI.

The Prevention report enables you to:

  • Measure proactive security: Track the total number of raw fixes and monitor your fix rate over time using our new prevention key performance indicators (KPIs).

  • Analyze developer workflows: Break down fixes by surface area to understand exactly where your team prefers to resolve issues (MCP, IDE, or CLI).

  • Identify trends and champions: Leverage the Fix-by-Developer leaderboard and detailed vulnerability breakdowns to see which types of vulnerabilities developers squash immediately, and which ones are detected but left unfixed.

  • Enrich your Analytics Overview: Enable fix-by-surface KPIs and a new fix trends chart directly within your primary Analytics Overview dashboard for a comprehensive view of your security posture.

You can now directly measure the effectiveness of your IDE or MCP-based security efforts. By tracking vulnerabilities remediated early in the development lifecycle, you gain the data needed to prove the success of your security programs and validate your application security strategy.

To learn more, visit our Snyk User Documentation.


Sara Meadzinger | Staff Product Manager

Snyk Code: June Update

Improved

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection: Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including when they are enabled as part of a bitwise flag combination.

Broader Insecure Cipher coverage for .NET (CWE-327)

Generalised cipher detection for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD-5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), and HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across Base, Windows, and Linux .NET types. Third-party support was added for DH, DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class (single level: caller → wrapper → mysql_query).

Important details to note

  • You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.

  • RC2 is reclassified from TooSmallKeySize to InsecureCipher, so customers with ignores or policies tied to specific rule keys should review them. This applies to .NET (C# and VB) only.

  • A small number of CryptoServiceProvider false positives related to read-only KeySize properties will no longer fire; these were never actionable. This applies to .NET (C# and VB) only.

  • PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

To learn more, visit our Snyk User Documentation.

Nina Kanti | Senior Product Manager

Snyk Code - Early May 2026 Update

Improved

Starting May 5, 2026, we're updating Snyk Code to improve scanning precision and reduce noise across all supported languages.

Improvements to scanning precision

All languages — Path Traversal severity tuning (CWE-22)
Path Traversal findings are now tiered by source risk. Findings from lower-risk sources are automatically reclassified from High/Medium to Low severity, reducing noise while keeping high-risk vectors prominent.

Java, Kotlin, Groovy — Apache Camel framework coverage (CWE-89 / CWE-22 / CWE-611)
Apache Camel Exchange HTTP sources are now tracked as taint origins. Applications using Apache Camel will see new findings where HTTP body and header values flow into SQL injection, path traversal, or XXE sinks. Customers using Apache Camel may see an increase in findings.

All languages — Improved .snyk exclude precision
.snyk exclude patterns now use full .gitignore-style glob semantics for more expressive and consistent scan scope control. Customers relying on .snyk exclude rules may see changes in scan scope.

Python — Reduced false positives on archive extraction (CWE-22 / CWE-73)
Python TarSlip detection is now scoped to genuine archive operations. Previously, any .extract() method call was flagged regardless of context, causing false positives in document parsers, ML pipelines, and custom extraction classes.
Findings now fire only when the receiver is a tarfile.open() or zipfile.ZipFile() object. ZipSlip detection via zipfile.ZipFile is also improved. Customers may see a reduction in Python TarSlip findings and new ZipSlip findings where archive contents are extracted without path sanitisation.
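The containment check that separates a safe tarfile extraction from the TarSlip pattern described above, as an added Python example that is not Snyk's code: it builds a constructed in-memory archive with one member that climbs out of the destination, lists the members a blind extractall() would write outside it, and extracts only when every member passes. All function names are this example's own.

```python
import io
import os
import tarfile
import tempfile

def build_sample_tar(include_traversal: bool) -> bytes:
    """Constructed in-memory tar: one benign member, optionally one TarSlip member."""
    members = [("docs/readme.txt", b"ok")]
    if include_traversal:
        members.append(("../../outside.conf", b"escaped"))  # climbs out of dest
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_within(base: str, target: str) -> bool:
    """True when target resolves inside base after '..' and symlinks are resolved."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def traversal_members(archive: bytes, dest: str) -> list:
    """Names of members that a blind extractall() would write outside dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers()
                if not is_within(dest, os.path.join(dest, m.name))]

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only if every member passes the containment check; otherwise raise."""
    bad = traversal_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal in members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        # Where available (Python 3.12+ and backports), the "data" filter repeats this check natively.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]

def run_demo() -> tuple:
    """Flagged names, whether the hostile archive was refused, and what the clean one yielded."""
    dest = tempfile.mkdtemp()
    flagged = traversal_members(build_sample_tar(True), dest)
    try:
        safe_extract(build_sample_tar(True), dest)
        refused = False
    except ValueError:
        refused = True
    return flagged, refused, safe_extract(build_sample_tar(False), dest)
```

The same check applies to zipfile members: join each ZipInfo.filename to the destination and reject it when the resolved path leaves that directory.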

Important details to note

All percentage improvements are based on Snyk's curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for Path Traversal as findings move to Low based on source risk tier. Total finding counts remain stable. Customers using Apache Camel may see an increase in findings as new data flows are detected. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.


Sebastian Roth | Senior Product Manager


Announcing Repo Monitor Configuration

Early access

We are excited to be launching Repo Monitor Configuration, which allows for management of repository coverage and monitoring configurations centrally across your entire Snyk Group from the Group-level Inventory page. This means you can monitor and manage repositories without navigating between individual Snyk Organizations.

Repo Monitor Configuration provides the following capabilities:

  • Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view.

  • Bulk import: import repositories directly from the Group Inventory page into specific Snyk Organizations.

  • On-demand retesting: trigger a retest for specific repositories directly from Inventory.

  • Actionable error resolution: clear guidance is available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically.

Nathan Hart | Senior Product Manager

Snyk Code - Ruby Interfile GA

Improved

Snyk Code expands Ruby analysis with interfile data flow support

Starting April 7, 2026, Snyk Code includes interfile data flow analysis for all Ruby Projects. This update moves beyond single-file analysis to detect vulnerabilities that span multiple files, providing a more accurate assessment of your code.

Improve Ruby on Rails security

Ruby on Rails applications often distribute logic across models, views, and controllers. By analyzing data flows across the entire codebase rather than individual files, Snyk Code identifies complex vulnerabilities that were previously difficult to detect. We've also refreshed the Ruby on Rails ruleset to provide better coverage for modern development patterns.

Key enhancements

  • Interfile analysis:

    You can now trace data flows across multiple files in all Ruby Projects scanned by Snyk Code.

  • Updated ruleset:

    We've improved the Ruby on Rails rules to ensure more comprehensive vulnerability detection.

  • Zero configuration:

    This feature is active by default for all customers on April 7, 2026, and requires no manual setup.

Support for security teams

These improvements help security teams perform more effective risk assessments on large Ruby codebases. By closing the gap on interfile support, Snyk Code provides the same depth of analysis for Ruby as it does for other major languages.

Because analysis quality is enhanced, you may notice a change in your scan results, including new true positives and the removal of previous false positives.

For more information, you can review the current Ruby and rules documentation at https://docs.snyk.io.


Sebastian Roth | Senior Product Manager


Snyk Code - COBOL support now available in Snyk Preview

New

You can now scan COBOL codebases for security vulnerabilities using Snyk Code. This update helps large Organizations, particularly in retail and financial services, include legacy mainframe applications in their security programs and meet compliance or audit requirements.

Many Organizations manage significant COBOL codebases that previously lacked automated security scanning support. By adding COBOL support to Snyk Code, you can identify risks earlier in the development process and maintain a consistent security posture across your entire application portfolio.

Supported features

This release provides security coverage for standard COBOL, including CICS constructs.

Key features include:

  • Support for .cbl, .ccp, .cob, and .cpy file extensions.

  • 15 security rules across cryptography, injection, secrets, and error handling.

  • Integration with the Snyk web UI for vulnerability management.

How to get started

You can access this feature through Snyk Preview.

Learn more about Snyk Code's COBOL support in the documentation.


Sebastian Roth | Senior Product Manager


Snyk Code - March Update

Improved

Starting March 30, 2026, we’ve updated Snyk Code to provide more accurate results and reduce developer friction. These improvements help you focus on exploitable production code by reducing false positives and automatically deprioritizing issues found in test environments.

By refining our detection logic across several languages, we've lowered noise and increased the catch rate for critical vulnerabilities.

Improvements to scanning precision

We've focused on three key areas to improve your triage experience:

  • Reduced noise: We've significantly lowered the number of false positives for .NET CSRF and JVM-based certificate validation.

  • Risk-based triage: JavaScript vulnerabilities located in test classes now appear as Low severity. This change allows you to spend more time on production code rather than test mocks.

  • Higher confidence: We've increased the true positive catch rate for hardcoded passwords in PHP and CSRF vulnerabilities in Kotlin.

Language-specific updates

You can see these improvements reflected in the following areas:

  • .NET (C#): Enhanced CSRF detection with an 18% reduction in false positives.

  • JavaScript: Automated detection of test classes to reclassify issues as Low severity.

  • Java/Kotlin: Improved support for detecting disabled CSRF protection in Spring Apps and refined SQLi precision.

  • JVM (Java, Groovy, Kotlin, Scala): Improved logic for CWE-295 (Improper Certificate Validation).

  • PHP: Expanded patterns for hardcoded password detection.

Important details to note

All percentage improvements are based on Snyk’s curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for JavaScript as issues move to Low based on their file location. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.


Sebastian Roth | Senior Product Manager


Snyk Code - March Ruby Update

Improved

Snyk Code updates for Ruby include Sinatra support and RSpec noise reduction

Starting March 23, 2026, we've updated Snyk Code to provide broader coverage and more precise results for Ruby developers. These improvements expand support to the Sinatra framework and general Ruby applications while helping you manage alert noise in test files.

Expanding Ruby support beyond Rails

You can now use Snyk Code to secure applications built with Sinatra or vanilla Ruby. We've added new sources, sinks, and sanitizers to our knowledge base to ensure your microservices and monoliths receive accurate security analysis regardless of the framework you choose.

Reducing noise in RSpec test suites

To prevent non-production vulnerabilities from cluttering your results, Snyk Code now automatically identifies RSpec files. The engine regrades security issues found in these files to Low Severity. This change acknowledges the lower risk profile of test code and helps ensure your PR Checks remain focused on production-ready code.

Higher precision for object-oriented code

We've enhanced how Snyk Code tracks data flow through Ruby classes. The engine now better understands custom getters, setters, and direct field accesses. This improvement leads to more accurate detection and reduces both false positives and false negatives in complex codebases. Organizations making extensive use of custom fields can expect more reliable results that reflect how their data actually moves through the application.

To learn more, visit our Snyk User Documentation.

To learn more, visit Snyk Code language and framework support.


Sebastian Roth | Senior Product Manager


Announcing Snyk CLI v1.1303.1

Fix

We have released a new CLI hotfix (v1.1303.1) to address the following:

  • IDE plugins: Fixes an issue where customers using our most recent IDE plugins release may encounter scans not triggering when Snyk Code is enabled in their IDE settings.

  • UI: Fixes an issue where JSON output was rendered twice, to disk and to standard output.

  • MCP: Fixes an issue where Snyk rules were not written locally.

Release notes can be found here.

If you have any questions, please don’t hesitate to reach out to the Snyk support team.
Snyk Code - Ruby 4 Support

General availability

Starting February 24, 2026, Snyk Code will begin a phased rollout of support for Ruby 4.0. This initial update focuses on foundational parser improvements and enhanced support for Ruby modules to accommodate the latest language features.

  • Ruby 4.0 Parser: Support for new syntax and language features introduced in the Ruby 4.0 specification.

  • Module Analysis: Improved understanding of Ruby module structures for more accurate pathing and taint flow.

Impact on Results: Because this update provides a more precise interpretation of Ruby codebases, customers may see an increase in findings as the engine identifies issues that were previously outside the parser's scope.

This release is the first in a series of planned enhancements to our Ruby analysis engine scheduled for the first half of 2026. We will continue to announce significant updates and further improvements in this area as they are rolled out.

This update will be automatically available to all customers using Snyk Code for Ruby.


Sebastian Roth | Senior Product Manager
