1.1305.1 (2026-06-02)

Bug Fixes

• general: Improve retry behavior when rate limited by respecting the X-RateLimit-Reset header. (2e690df)
• deps: Updates dependencies to fix vulnerabilities:
  • CVE-2026-39827 (e3816fc)
  • CVE-2026-39831 (e3816fc)
  • CVE-2026-33186 in IaC extensions (21b268b)

1.1305.0 (2026-05-20)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• sbom: Introduces the --allow-incomplete-sbom flag for snyk sbom, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results. (29ba128)
• container: Speed up snyk container monitor by sending dependency requests in parallel, configurable via the SNYK_REQUEST_CONCURRENCY environment variable. (186c5fb, 6764f65)
• general: Linux ARM64 and AMD64 binaries are now statically linked by default. (f02b850)
• mcp: Adds an experimental breakability evaluation tool to the Snyk MCP Server. (69806f5)

Bug Fixes

• test: Fixes resolution of aliased npm packages so the alias from the lockfile is used instead of the target package name. (9b0e4d9)
• test: Fixes parsing of Python .whl files when scanning projects with --all-projects. (12ac0db)
• deps: Updates dependencies to fix vulnerabilities:
  • CVE-2026-34165 (1eec8f8)
  • CVE-2026-33762 (1eec8f8)
  • CVE-2025-62718 (0c4bdcc)
  • CVE-2026-6321 (2670813)
  • CVE-2026-6322 (2670813)

1.1304.3 (2026-05-13)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• dependencies: Updates dependencies to fix vulnerabilities:
  • CVE-2026-45022 (aa226a9)
  • CVE-2026-33814 (1691c3b)
  • CVE-2026-33811 (1691c3b)
  • CVE-2026-39836 (1691c3b)

Known Issues

• container-image: Two vulnerabilities are reported in the snyk/snyk container images via the transitive github.com/gomarkdown/markdown dependency (SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNHTML-16066911, SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-8220052). We have assessed these vulnerabilities and confirmed they do not impact CLI users. A fix is scheduled for the stable release on 2026-05-20.

1.1304.2 (2026-05-06)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• mcp: Add missing tools annotations (700d640)
• dependencies: Updates dependencies to fix vulnerabilities:
  • SNYK-GOLANG-GITHUBCOMAWSAWSSDKGOV2AWSPROTOCOLEVENTSTREAM-16316402 (3706eda)
  • SNYK-GOLANG-GITHUBCOMAWSAWSSDKGOV2SERVICES3-16316411 (3706eda)
  • CVE-2026-39892 (7e03e4f)
  • CVE-2026-33750 (8b9bec7)

1.1304.1 (2026-04-27)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• general: Improved error handling to prioritize and surface the most relevant error and derive the correct exit code when multiple errors occur during CLI execution. (b505a96)
• deps: Updates dependencies to fix vulnerabilities for CVE-2026-4660 and CVE-2026-39883 (2a95d85)
• agent-scan: Improved CI flexibility with an issues ignore option, and added support for Windows x86 and macOS x86 architectures. (7d72bbf)

1.1304.0 (2026-04-09)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• aibom: Introduces the snyk aibom test command. (2978044)
• test, monitor, sbom: Introduce --maven-skip-wrapper flag to force the use of a globally installed mvn command. (0ee90ca, ff31066)
• general: Introduce explicit configuration for network retry max-attempts. (1fbdf38)
• container: Add deprecation warnings for -shaded-jars-depth and non-numeric values for --nested-jars-depth. (321b6f5)
• container: Extend support for java runtime binary scanning (b60473a)
• mcp: Improves auto-enable behavior for Snyk Code, promotes package health checks to stable. (5f5898f)
• redteam: Adds a vulnerability summary to scanned output. (52eaf5a)
• redteam: Add --json flag support for list commands, exhaustive and eager modes. (e962c4d)

Bug Fixes

• general: Fix printing JSON output on stdout when only --json-file-output is specified. (32f65f0)
• test: Fixes an issue where no files were uploaded when using --skip-unresolved. (71ca761)
• test: Prevents scan failures when Maven builds succeed with non-fatal errors. (b30db97)
• test: Fixes Go PackageURL generation and import path normalization for projects using replace directives. (7c7a366, ee7d72b)
• test: Improves SDK detection when host and SDK versions differ. (96d0817)
• test: Ensures project names are populated when scanning NuGet projects from repository root. (c043553)
• container: Snyk Container scans of tar files on Windows should now report vulnerabilities for Python application package files. (9b86790)
• container: Override packages with inaccurate pom.properties files (b60473a)
• test: Ensure Yarn workspace pacakges matches are actual members defined in the root package.json. (0dd6581)
• test: Fix increased scan times when testing Golang projects. (f2f5ba2)
• code: Snyk Code scans now return clearer error message and exit codes when testing unsupported projects (6f5b4e3)
• test: Fix a bug where aliased packages were being resolved with the target name insted of the alias for yarn projects. (dcbec6f)
• test: Fix a bug where Python packages with . characters in their name were incorrectly parsed to include - characters. (9a2a36e)
• deps: Updates dependencies to fix vulnerabilities:
  • CVE-2026-26996 (8e7873f)
  • CVE-2026-29786 (1a08533)
  • CVE-2026-31802 (1321575)
  • CVE-2025-69873 (8ff6aad)
  • CVE-2026-33186 (e98d9ef)
  • CVE-2026-32283 (d26e83f)
  • CVE-2026-29181 (f5418b6)

1.1303.2 (2026-03-23)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• redteam: Introducing Snyk Agent Red Teaming with attack profiles (fast, security, safety) via the new --profile flag, allowing users to select pre-configured sets of attack goals. (99e2953)
• redteam: New terminology for goals, strategies, and attacks to better describe Agent Red Teaming workflows. (99e2953)
• redteam: Tenant-based authentication using --tenant-id for routing Agent Red Teaming commands. (99e2953)
• redteam: Interactive wizard to guide users through Agent Red Teaming configuration and setup. (99e2953)
• container: Add Go stdlib vulnerability detection to container scans (aacdc53)

Bug Fixes

• test: Fixes a bug where the CLI repeatedly evaluated user privileges (feature flags) when scanning multiple Go projects.(d348cb7)
• test: Fixes a bug where scanning Go projects (with a replace directive pointing at a relative path) would fail due to badly formatted PackageURLs.(4c6b663)
• container: upgrade minimatch dependency to 3.1.3 (aacdc53)
• dependencies: Fix CVE-2026-33186 (f8a0602)
• dependencies: Fix CVE-2025-69873 (d240fcf)
• container: Fixes an issue where container scans of OCI archive images (including hybrid-format archives produced by Docker Desktop's containerd image store) could silently fail, returning exit code 0 with no vulnerability results. (4ad137f)

1.1303.1 (2026-03-04)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• ui: Fixed an issue where JSON output was incorrectly printed to stdout when only --json-file-output was specified. (d6d465d)
• language-server: Fixed an issue where scans would not trigger when Snyk Code was enabled in IDE settings. (7567881)
• mcp: Fixed an issue where Snyk rules were not written locally. (7567881)

1.1303.0 (2026-02-26)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• iac: users can now exclude specific files and directories from IaC scans using the --exclude parameter (3acbc6b)
• test, sbom: --json output of snyk test and snyk sbom test should now contain fields which were previously missing (isDisputed, proprietary, severityBasedOn, alternativeIds, mavenModuleName) (9996b27)
• sbom: sbom generated output will contain maven/npm scope information for those organizations with the show-maven-build-scope/show-npm-scope feature flag enabled (89d26f0)
• aibom: users can now pass the --upload and --repo flag to the experimental aibom command to persist their AI BOM into their Snyk organisation (e1fdae7)
• redteam: users can now retrieve red team scan results using snyk redteam --experimental get --id=<scan-id>. The scan command also now shows progress during execution. (fba40cc)
• redteam: users can now return an HTML report via --html or --html-file-output flags (aa76c04)
• mcp: users can now use snyk_package_health to validate package health (2b0edd2)
• mcp: users can now use profiles to select which tools are registered based on their use case, profiles can be configured via CLI flag (--profile=<lite|full|experimental>) or environment variable (SNYK_MCP_PROFILE). (2b0edd2)
• mcp: users will now have their Secure At Inception rules written at the global level. (495a2e0)
• container: snyk container sbom users can now use --username and --password to generate SBOMs for images in private registries (a7015a7)
• container: snyk container sbom users can now use --exclude-node-modules to exclude node_modules directories from the SBOM (a7015a7)
• container: snyk container sbom users can now use --nested-jars-depth to control the depth of nested JAR unpacking (a7015a7)
• container: snyk container sbom users can now pass docker-archive:, oci-archive:, kaniko-archive: prefixed paths or bare .tar file paths as the image argument (a7015a7)
• dependencies: updated minimum go version to v1.25.7 (5927337)

Bug Fixes

• test correctly scan NuGet package names case-insensitively (44bf86b)
• test handle absolute target file paths for poetry (d902590)
• test: improved maven version detection for versions greater than 3.6.3 (87853a8)
• test: fixes an issue where the runAutomationDetails field in sarif output is not unique (07dd36f)
• test: the automationDetails field is now rendered correctly when using the --sarif flag (3191e4d)
• test: improve error reporting when using --all-projects (6e3b5d5)
• ignores: ignores created via the snyk ignore command are now correctly applied if an expiry is set or if using an absolute filepath (a61589c)
• container use correct projectName value in container monitor JSON output (0e8feca)
• container: the --target-reference option is now correctly applied to application scan results in container tests, not just the OS scan results (70db44f)
• container: reverts previously introduced stricter validation that was a breaking change (rejecting true as a valid numeric argument) (70db44f)
• network: fix a possible panic when TLS config is nil (f601681)
• language-server: fixes an issue around API URL construction (35800c1)
• ui: improve the readability of error messages (763ac26)
• ui: some SNYK-CLI-0000 errors are now correctly categorised and displayed (3d02788)
• dependencies: update dependencies to fix SNYK-JS-AXIOS-15252993 (1e80d74)
• dependencies: update dependencies to fix SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758 [IAC-3497] (4b3d826)
• dependencies: update dependencies to fix SNYK-JS-TAR-15307072 (fbc5cb4)
• dependencies: update dependencies to fix SNYK-JS-MINIMATCH-15309438 (8e7873f)
• dependencies: update dependencies to fix SNYK-GOLANG-GOLANGORGXCRYPTOSSH-14059803 and SNYK-GOLANG-GITHUBCOMULIKUNITZXZLZMA-12230262 [IAC-3478] (1d2d723)

1.1302.1 (2026-01-21)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• code: Resolves FedRAMP URI construction in the IDE (35800c1)
• test: PackageURL validation failed with go.mod replace directive (SNYK-CLI-0000) for snyk test (7eb2978)
• sbom: PackageURL validation failed with go.mod replace directive (SNYK-CLI-0000) for snyk sbom (fda61e0)