v1.1304.0

1.1304.0 (2026-04-09)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• aibom: Introduces the snyk aibom test command. (2978044)
• test, monitor, sbom: Introduce --maven-skip-wrapper flag to force the use of a globally installed mvn command. (0ee90ca, ff31066)
• general: Introduce explicit configuration for network retry max-attempts. (1fbdf38)
• container: Add deprecation warnings for -shaded-jars-depth and non-numeric values for --nested-jars-depth. (321b6f5)
• container: Extend support for java runtime binary scanning (b60473a)
• mcp: Improves auto-enable behavior for Snyk Code, promotes package health checks to stable. (5f5898f)
• redteam: Adds a vulnerability summary to scanned output. (52eaf5a)
• redteam: Add --json flag support for list commands, exhaustive and eager modes. (e962c4d)

Bug Fixes

• general: Fix printing JSON output on stdout when only --json-file-output is specified. (32f65f0)
• test: Fixes an issue where no files were uploaded when using --skip-unresolved. (71ca761)
• test: Prevents scan failures when Maven builds succeed with non-fatal errors. (b30db97)
• test: Fixes Go PackageURL generation and import path normalization for projects using replace directives. (7c7a366, ee7d72b)
• test: Improves SDK detection when host and SDK versions differ. (96d0817)
• test: Ensures project names are populated when scanning NuGet projects from repository root. (c043553)
• container: Snyk Container scans of tar files on Windows should now report vulnerabilities for Python application package files. (9b86790)
• container: Override packages with inaccurate pom.properties files (b60473a)
• test: Ensure Yarn workspace pacakges matches are actual members defined in the root package.json. (0dd6581)
• test: Fix increased scan times when testing Golang projects. (f2f5ba2)
• code: Snyk Code scans now return clearer error message and exit codes when testing unsupported projects (6f5b4e3)
• test: Fix a bug where aliased packages were being resolved with the target name insted of the alias for yarn projects. (dcbec6f)
• test: Fix a bug where Python packages with . characters in their name were incorrectly parsed to include - characters. (9a2a36e)
• deps: Updates dependencies to fix vulnerabilities:
  • CVE-2026-26996 (8e7873f)
  • CVE-2026-29786 (1a08533)
  • CVE-2026-31802 (1321575)
  • CVE-2025-69873 (8ff6aad)
  • CVE-2026-33186 (e98d9ef)
  • CVE-2026-32283 (d26e83f)
  • CVE-2026-29181 (f5418b6)

v1.1303.2

1.1303.2 (2026-03-23)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• redteam: Introducing Snyk Agent Red Teaming with attack profiles (fast, security, safety) via the new --profile flag, allowing users to select pre-configured sets of attack goals. (99e2953)
• redteam: New terminology for goals, strategies, and attacks to better describe Agent Red Teaming workflows. (99e2953)
• redteam: Tenant-based authentication using --tenant-id for routing Agent Red Teaming commands. (99e2953)
• redteam: Interactive wizard to guide users through Agent Red Teaming configuration and setup. (99e2953)
• container: Add Go stdlib vulnerability detection to container scans (aacdc53)

Bug Fixes

• test: Fixes a bug where the CLI repeatedly evaluated user privileges (feature flags) when scanning multiple Go projects.(d348cb7)
• test: Fixes a bug where scanning Go projects (with a replace directive pointing at a relative path) would fail due to badly formatted PackageURLs.(4c6b663)
• container: upgrade minimatch dependency to 3.1.3 (aacdc53)
• dependencies: Fix CVE-2026-33186 (f8a0602)
• dependencies: Fix CVE-2025-69873 (d240fcf)
• container: Fixes an issue where container scans of OCI archive images (including hybrid-format archives produced by Docker Desktop's containerd image store) could silently fail, returning exit code 0 with no vulnerability results. (4ad137f)

v1.1303.1

1.1303.1 (2026-03-04)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• ui: Fixed an issue where JSON output was incorrectly printed to stdout when only --json-file-output was specified. (d6d465d)
• language-server: Fixed an issue where scans would not trigger when Snyk Code was enabled in IDE settings. (7567881)
• mcp: Fixed an issue where Snyk rules were not written locally. (7567881)

v1.1303.0

1.1303.0 (2026-02-26)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• iac: users can now exclude specific files and directories from IaC scans using the --exclude parameter (3acbc6b)
• test, sbom: --json output of snyk test and snyk sbom test should now contain fields which were previously missing (isDisputed, proprietary, severityBasedOn, alternativeIds, mavenModuleName) (9996b27)
• sbom: sbom generated output will contain maven/npm scope information for those organizations with the show-maven-build-scope/show-npm-scope feature flag enabled (89d26f0)
• aibom: users can now pass the --upload and --repo flag to the experimental aibom command to persist their AI BOM into their Snyk organisation (e1fdae7)
• redteam: users can now retrieve red team scan results using snyk redteam --experimental get --id=<scan-id>. The scan command also now shows progress during execution. (fba40cc)
• redteam: users can now return an HTML report via --html or --html-file-output flags (aa76c04)
• mcp: users can now use snyk_package_health to validate package health (2b0edd2)
• mcp: users can now use profiles to select which tools are registered based on their use case, profiles can be configured via CLI flag (--profile=<lite|full|experimental>) or environment variable (SNYK_MCP_PROFILE). (2b0edd2)
• mcp: users will now have their Secure At Inception rules written at the global level. (495a2e0)
• container: snyk container sbom users can now use --username and --password to generate SBOMs for images in private registries (a7015a7)
• container: snyk container sbom users can now use --exclude-node-modules to exclude node_modules directories from the SBOM (a7015a7)
• container: snyk container sbom users can now use --nested-jars-depth to control the depth of nested JAR unpacking (a7015a7)
• container: snyk container sbom users can now pass docker-archive:, oci-archive:, kaniko-archive: prefixed paths or bare .tar file paths as the image argument (a7015a7)
• dependencies: updated minimum go version to v1.25.7 (5927337)

Bug Fixes

• test correctly scan NuGet package names case-insensitively (44bf86b)
• test handle absolute target file paths for poetry (d902590)
• test: improved maven version detection for versions greater than 3.6.3 (87853a8)
• test: fixes an issue where the runAutomationDetails field in sarif output is not unique (07dd36f)
• test: the automationDetails field is now rendered correctly when using the --sarif flag (3191e4d)
• test: improve error reporting when using --all-projects (6e3b5d5)
• ignores: ignores created via the snyk ignore command are now correctly applied if an expiry is set or if using an absolute filepath (a61589c)
• container use correct projectName value in container monitor JSON output (0e8feca)
• container: the --target-reference option is now correctly applied to application scan results in container tests, not just the OS scan results (70db44f)
• container: reverts previously introduced stricter validation that was a breaking change (rejecting true as a valid numeric argument) (70db44f)
• network: fix a possible panic when TLS config is nil (f601681)
• language-server: fixes an issue around API URL construction (35800c1)
• ui: improve the readability of error messages (763ac26)
• ui: some SNYK-CLI-0000 errors are now correctly categorised and displayed (3d02788)
• dependencies: update dependencies to fix SNYK-JS-AXIOS-15252993 (1e80d74)
• dependencies: update dependencies to fix SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758 [IAC-3497] (4b3d826)
• dependencies: update dependencies to fix SNYK-JS-TAR-15307072 (fbc5cb4)
• dependencies: update dependencies to fix SNYK-JS-MINIMATCH-15309438 (8e7873f)
• dependencies: update dependencies to fix SNYK-GOLANG-GOLANGORGXCRYPTOSSH-14059803 and SNYK-GOLANG-GITHUBCOMULIKUNITZXZLZMA-12230262 [IAC-3478] (1d2d723)

v1.1302.1

1.1302.1 (2026-01-21)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• code: Resolves FedRAMP URI construction in the IDE (35800c1)
• test: PackageURL validation failed with go.mod replace directive (SNYK-CLI-0000) for snyk test (7eb2978)
• sbom: PackageURL validation failed with go.mod replace directive (SNYK-CLI-0000) for snyk sbom (fda61e0)

v1.1302.0

1.1302.0 (2026-01-14)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• aibom: Improved Exit Code handling (d8fed82)
• container: Added support for OCI images with manifests missing platform fields (dae56aa)
• container: Added container scan support for cgo and stripped Go binaries (9b2ee6e)
• container: Added pnpm lockfile support (47db111)
• mcp-scan: Added experimental mcp-scan command (54b8376)
• sbom: Improved PackageURLs in SBOM documents for go.mod projects (c145efc)
• sbom test: Added support for deb, apk and rpm (9fd6f84)
• test: Added PackageURL information to go.mod dependency graphs (d90b54e)
• test: Added support for poetry development dependencies (6977004)

Bug Fixes

• container: Resolves false positive vulnerabilities for RHEL 10 container images (d4afe60)
• general: Upgraded multiple dependencies (e185c92)
• general: Fixed Exit Code handling when using incompatible glibc versions (66fbb50)
• general: Improved file filtering support with .gitignore (a16b853)
• mcp: Added rule file to .gitignore if not previously ignored (cc78694)
• test: Improved upload speed when using --reachability (da21315)
• test: Fixed npm v2 dependency resolution when using shadowing aliases (237a4f5)
• test: Fixed --exclude support for pnpm workspaces (293d9b1)
• test: Fixed SARIF output for Gradle projects to include the complete path in artifactLocation (ec1262e)

v1.1301.2

1.1301.2 (2025-12-16)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• mcp: Fix MCP compliance issue (51d3f8d)

v1.1301.1

1.1301.1 (2025-12-08)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• test: Rendering of fix advice for multiple dependency paths when using the reachability flag (eaf50bb)
• monitor: snyk monitor --reachability=true command should now work even if double dashed arguments are provided (e8bdac6)
• test, monitor: Code upload speed will be improved when running snyk test --reachability/snyk monitor --reachability (d0bdba1)
• language-server: Multiple Snyk Language Server related fixes (485ae55)
• dependencies: Upgrade dependencies to address multiple issues. (e185c92)

v1.1301.0

1.1301.0 (2025-11-12)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• container: The Snyk CLI now supports scanning Ubuntu Chisel images for vulnerabilities (9328757)
• container: The Snyk CLI now supports scanning container images with zstd-compressed layers (5080e42)
• container: Added a new parameter, --include-system-jars, to support scanning of usr/lib JARs (57078b6)
• test(maven): Initial maven 4 support, testing against the most recent release candidate (88cf47e)
• test(maven): A new experimental flag --include-provenance that will produce DepGraphs containing purls with checksum qualifiers for each package. Primarily to be used via --print-graph, not yet used in the main testing flow (5b8fe0a)
• sbom(maven): A new experimental flag --include-provenance that will produce an SBOM with checksum qualifiers in each purl (5b8fe0a)
• language-server: Automatic selection of the organization for IDEs based on workspace folder (EA). (2cc554e)
• language-server: Analytics for configuration and folder trust (2cc554e)
• mcp: Support for writing scan output into a file (2cc554e)
• mcp: Service Account support (2cc554e)

Bug Fixes

• general: Fix incorrect error mapping for varying status codes (5829500)
• general: Some invalid flag combinations are now correctly handled (ca5903b)
• test: The Snyk CLI now correctly handles optional dependencies without separate package entries
  (bfcbda7)
• test: The Snyk CLI now correctly handles aliased packages with nested dependencies (bfcbda7)
• test: The Snyk CLI now correctly handles bundled dependencies with non-hoisted bundle owners (bfcbda7)
• test: Fixes issue where sub packages were getting grouped incorrectly, leading to deps getting marked as missing. (b904e8c)
• test, sbom: Stops misclassifying NX Build project.json as a NuGet project (ff6860f)
• test(npm): Improve npm alias support (cb37da7)
• test(npm): The Snyk CLI now correctly handles npm packages with bundled dependencies (7d93b86)
• test(python): Scanning projects using Python 2.7 will no longer fail with a string formatting error (4effc7f)
• test(python): Fixed JSON parsing error for Python projects with missing packages (4effc7f)
• test(maven): Underlying maven commands adjusted slightly to make aggregate projects that encounter issues when rebuilding more likely to succeed (3b72d86)
• test(dotnet): Fix an issue with NuGet v3 scanner where the netstandard and netcoreapp TargetFrameworks were treated as .netx.x (227b50c)
• test(dotnet): Fix an issue with NuGet v3 scanner where the pinned dependencies were not discovered (0d9b0c4)
• container: Fixed a bug where scanning docker images with very large files would result in the CLI crashing with no message (57078b6)
• container: Fix rare crash when scanning large Docker images (195ed78)
• container: Fix issue where go binaries in Linux images with complex paths were not properly detected as go binaries when scanning on Windows (be8098b)
• code: Add missing explicit error handling (755d01f)
• unmanaged: Ignored vulnerabilities in unmanaged (C/C++) projects are now properly excluded from JSON output when using .snyk policy files. This ensures that snyk-to-html and other tools that consume JSON output will correctly respect vulnerability ignores. (fa808c1)
• dependencies: Fix CVE-2025-58058 and CVE-2025-11065 (d7e87e2)
• dependencies: Upgrade golang to 1.24.10 to fix vulnerabilities (c039f99)
• dependencies: Upgrade to golang 1.24.8 (4dcf97a)
• dependencies: Upgrade xcode to avoid flaky signing (bdcb991)
• dependencies: Fix CVE-2025-47913 (a00b0dc)
• language-server: Various Language Server related fixes (2cc554e)

v1.1300.2

1.1300.2 (2025-10-28)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades dependencies to address CVE-2025-47913 (d7e87e2)
• general: Improved error messaging (5d16466)