chore: Update release candidate

.circleci/Dockerfile

@@ -34,6 +34,7 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
     binutils-gold \
     cmake \
     composer \
+    docker.io \
     elixir \
     faketime \
     g++ \
@@ -64,6 +65,7 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
     tzdata \
     uuid-dev \
     vim \
+    xdg-utils \
     zip \
     && apt-get auto-remove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 RUN node -v
@@ -108,6 +110,10 @@ ENV TEMP=/tmp
 ENV TMP=$TEMP
 ENV TMPDIR=$TEMP
 
+# install uv (Python package manager)
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+ENV PATH=/home/circleci/.local/bin:$PATH
+
 # install rust and convco
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 RUN ~/.cargo/bin/cargo install convco

.circleci/config.yml

@@ -19,7 +19,7 @@ parameters:
   go_version:
     type: string
     # https://go.dev/doc/devel/release
-    default: '1.25.10'
+    default: '1.26.3'
   aws_version:
     type: string
     # https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst
@@ -63,31 +63,31 @@ executors:
     resource_class: medium
   docker-amd64:
     docker:
-      - image: snyklabs/cli-build-private:20260219-152627
+      - image: snyklabs/cli-build-private:20260506-072205
         auth:
           username: $DOCKER_CLI_BUILD_USERNAME
           password: $DOCKER_CLI_BUILD_PASSWORD
     # working_directory: /mnt/ramdisk/snyk
     resource_class: large
   docker-amd64-xl:
     docker:
-      - image: snyklabs/cli-build-private:20260219-152627
+      - image: snyklabs/cli-build-private:20260506-072205
         auth:
           username: $DOCKER_CLI_BUILD_USERNAME
           password: $DOCKER_CLI_BUILD_PASSWORD
     # working_directory: /mnt/ramdisk/snyk
     resource_class: xlarge
   docker-arm64:
     docker:
-      - image: snyklabs/cli-build-private-arm64:20260219-152627
+      - image: snyklabs/cli-build-private-arm64:20260506-072205
         auth:
           username: $DOCKER_CLI_BUILD_USERNAME
           password: $DOCKER_CLI_BUILD_PASSWORD
     # working_directory: /mnt/ramdisk/snyk
     resource_class: arm.large
   docker-arm64-xl:
     docker:
-      - image: snyklabs/cli-build-private-arm64:20260219-152627
+      - image: snyklabs/cli-build-private-arm64:20260506-072205
         auth:
           username: $DOCKER_CLI_BUILD_USERNAME
           password: $DOCKER_CLI_BUILD_PASSWORD
@@ -276,7 +276,7 @@ commands:
       - restore_cache:
           name: Restoring Windows tools cache
           keys:
-            - windows-tools-cache-v2-{{ arch }}
+            - windows-tools-cache-v4-{{ arch }}-{{ checksum ".nvmrc" }}
       - run:
           name: Install Node.js (native)
           shell: powershell
@@ -315,9 +315,10 @@ commands:
             .\scripts\windows\ensure-python-uv.ps1
       - save_cache:
           name: Saving Windows tools cache
-          key: windows-tools-cache-v2-{{ arch }}
+          key: windows-tools-cache-v4-{{ arch }}-{{ checksum ".nvmrc" }}
           paths:
             - << pipeline.parameters.windows_cache_dir >>
+            - C:\ProgramData\nvm
 
   install-deps-windows-native-full-signing:
     steps:
@@ -378,17 +379,6 @@ commands:
           name: No dependencies to install
           command: echo all done!
 
-  # this can be removed if we install the xdg-utils package in the docker image
-  install-deps-linux-acceptance-tests:
-    steps:
-      - run:
-          name: Installing linux acceptance tests dependencies
-          command: |
-            sudo apt-get update
-            sudo apt-get install xdg-utils docker.io -y
-            curl -LsSf https://astral.sh/uv/install.sh | sh
-            echo 'export PATH="$HOME/.local/bin:$PATH"' >> $BASH_ENV
-
   install-deps-python:
     parameters:
       os:
@@ -612,7 +602,7 @@ workflows:
           go_target_os: linux
           go_os: linux
           go_arch: amd64
-          static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release
+          static_binary: true
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: docker-amd64-xl
           requires:
@@ -655,7 +645,7 @@ workflows:
           go_target_os: linux
           go_os: linux
           go_arch: arm64
-          static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release
+          static_binary: true
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: docker-arm64-xl
           requires:
@@ -778,7 +768,6 @@ workflows:
               ignore:
                 - main
                 - '/release.*/'
-          install_deps_extension: linux-acceptance-tests
           pre_test_cmds: export BROWSER="curl -L"
           requires:
             - build linux static arm64
@@ -801,7 +790,6 @@ workflows:
               ignore:
                 - main
                 - '/release.*/'
-          install_deps_extension: linux-acceptance-tests
           pre_test_cmds: export BROWSER="curl -L"
           requires:
             - build linux amd64
@@ -824,7 +812,6 @@ workflows:
               ignore:
                 - main
                 - '/release.*/'
-          install_deps_extension: linux-acceptance-tests
           pre_test_cmds: export BROWSER="curl -L"
           requires:
             - build linux arm64
@@ -850,7 +837,6 @@ workflows:
               ignore:
                 - main
                 - '/release.*/'
-          install_deps_extension: linux-acceptance-tests
           pre_test_cmds: export BROWSER="curl -L"
           requires:
             - build linux fips arm64
@@ -1158,6 +1144,20 @@ workflows:
                 - '/release.*/'
                 - '/.*e2e.*/'
 
+      - test-release-static:
+          name: e2e snyk-linux tests (scratch-container-amd64)
+          context:
+            - team_hammerhead-cli
+          requires:
+            - upload version
+          cli_download_base_url: << pipeline.parameters.cli_download_base_url >>
+          filters:
+            branches:
+              only:
+                - main
+                - '/release.*/'
+                - '/.*e2e.*/'
+
       - noop:
           name: Start Deployments
           requires:
@@ -1180,6 +1180,7 @@ workflows:
             - e2e fips tests (win-server2022-amd64)
             - e2e experimental tests (linux-static-amd64)
             - e2e experimental tests (scratch-container-amd64)
+            - e2e snyk-linux tests (scratch-container-amd64)
           filters:
             branches:
               only:

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # CLI
-* @snyk/cli @snyk/productinfra_cli
+* @snyk/cli @snyk/productinfra_cli @snyk/developer-experience_cli
 
 # Unify
-src/lib/plugins/uv/ @snyk/codesec_unify @snyk/productinfra_cli
+src/lib/plugins/uv/ @snyk/codesec_unify @snyk/open-source_unify @snyk/productinfra_cli @snyk/developer-experience_cli

.github/workflows/check-dependencies.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v4
         with:
-          node-version: '16.16.0'
+          node-version-file: '.nvmrc'
           cache: 'npm'
       - run: npm ci
       - run: npx ts-node ./scripts/check-dependencies.ts

.github/workflows/danger-zone.yml

@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v4
         with:
-          node-version: '18.19.1'
+          node-version-file: '.nvmrc'
           cache: 'npm'
       - run: npm ci
       - run: npx danger ci

.github/workflows/snyk-protect-production-smoke-tests.yml

@@ -14,7 +14,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu, macos, windows]
-        node_version: [16, 18, 20]
+        node_version: [16, 18, 20, 22]
     runs-on: ${{ matrix.os }}-latest
     steps:
       # Avoid modifying line endings in fixtures.

.nvmrc

@@ -1 +1 @@
-20.11.1
+22.22.2

Makefile

@@ -230,6 +230,11 @@ test-binary-wrapper: build-binary-wrapper
 	@echo "-- Testing binary wrapper"
 	@cd $(BINARY_WRAPPER_DIR); npm run test
 
+.PHONY: test-release-scripts
+test-release-scripts:
+	@echo "-- Testing release scripts"
+	@cd release-scripts; go test ./...
+
 
 # targets responsible for the complete CLI build
 .PHONY: pre-build

README.md

@@ -1,16 +1,14 @@
 # Getting started with the Snyk CLI
 
-## Introduction to Snyk and the Snyk CLI
+## Introduction to the Snyk CLI
 
-[Snyk](https://snyk.io/) is a developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:
+Snyk is a developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:
 
 - [Snyk Open Source](https://docs.snyk.io/scan-with-snyk/snyk-open-source): Find and automatically fix open-source vulnerabilities
 - [Snyk Code](https://docs.snyk.io/scan-with-snyk/snyk-code): Find and fix vulnerabilities in your application code in real time
 - [Snyk Container](https://docs.snyk.io/scan-with-snyk/snyk-container): Find and fix vulnerabilities in container images and Kubernetes applications
 - [Snyk IaC](https://docs.snyk.io/scan-with-snyk/snyk-iac): Find and fix insecure configurations in Terraform and Kubernetes code
 
-[Learn more about what Snyk can do and sign up for a free account](https://snyk.io/).
-
 The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally from the command line or in an IDE. You can also run the CLI in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.
 
 <figure><img src="../https://github.com/snyk/user-docs/raw/HEAD/docs/.gitbook/assets/snyk-cli-screenshot.png" alt=""><figcaption><p>Snyk CLI test command output example</p></figcaption></figure>
@@ -27,7 +25,9 @@ This page explains how to install, authenticate, and start scanning using the CL
 
 To use the CLI, you must install it and authenticate your machine. See [Install or update the Snyk CLI](https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli) and [Authenticate the CLI with your account](authenticate-to-use-the-cli.md). You can refer to the [release notes](https://github.com/snyk/cli/releases) for a summary of changes in each release. Before scanning your code, review the [Code execution warning for Snyk CLI](https://docs.snyk.io/snyk-cli/code-execution-warning-for-snyk-cli).
 
-**Note:** Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the `PATH`.
+{% hint style="info" %}
+Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the `PATH`.
+{% endhint %}
 
 You can also install the CLI in your IDE or CI/CD environment. For details, see the [IDE and CI/CD documentation](https://docs.snyk.io/scm-ide-and-ci-cd-integrations) for instructions for each integration.
 
@@ -41,17 +41,17 @@ Look at the `test` command report in your terminal. The report shows the vulnera
 
 ## Scan your development Project
 
-**Note:** Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must **build your Project**. For details, see [Open Source Projects that must be built before testing](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-open-source/open-source-projects-that-must-be-built-before-testing-with-the-snyk-cli).
+Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see [Open Source Projects that must be built before testing](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-open-source/open-source-projects-that-must-be-built-before-testing-with-the-snyk-cli).
 
-In addition, depending on the language of your open-source Project, you may need to **set up your language environment** before using the Snyk CLI. For details, refer to [Supported languages, package managers, and frameworks](https://docs.snyk.io/supported-languages-package-managers-and-frameworks).
+In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to [Supported languages, package managers, and frameworks](https://docs.snyk.io/supported-languages-package-managers-and-frameworks).
 
 After you have installed the CLI and authenticated your machine, to **scan an open-source Project**, use `cd /my/project/` to change the current directory to a folder containing a supported package manifest file, such as `package.json`, `pom.xml`, or `composer.lock`. Then run `snyk test`. All vulnerabilities identified are listed, including their path and fix guidance.
 
-To scan your **source code,** run `snyk code test`.
+To scan your source code, run `snyk code test`.
 
-You can **scan a Docker image** by its tag running, for example: `snyk container test ubuntu:18.04`.
+You can scan a Docker image by its tag running, for example: `snyk container test ubuntu:18.04`.
 
-To scan a **Kubernetes (K8s) file,** run the following:\
+To scan a Kubernetes (K8s) file, run the following:\
 `snyk iac test /path/to/kubernetes_file.yaml`
 
 For details about using the Snyk CLI to scan each content type, see the following:
@@ -87,13 +87,13 @@ For more information, see [Monitor your Projects at regular intervals](https://d
 
 ## Running out of tests
 
-Snyk allows unlimited tests for public repositories. If you are on the Free plan, you have a limited number of tests per month. Paid plans have unlimited tests on private and public repositories. If you are on the Free plan and notice that your test count is quickly being used, even with public repositories, you can remedy this by telling Snyk the public URL of the repository that is being scanned by the Snyk CLI. This ensures that Snyk does not count a public repository towards the test limits.
+Test limits do not apply to public repositories. If you notice that the test limits related to your private repositories (where applicable) are being used by tests on public repositories, you can remedy this by telling Snyk the public URL of the repository that is being scanned by the Snyk CLI. This ensures that Snyk does not count a public repository towards the test limits.
 
 If you run out of tests on an open-source Project, follow these steps:
 
 - Run `snyk monitor`.
-- Open the Snyk UI and navigate to the **settings** of the Project.
-- Enter the URL of your open-source repository in **Git remote URL**.
+- In the Snyk Web UI, navigate to the **Settings** of the Project.
+- Enter the URL of your open-source repository under **Git remote URL**.
 
 ## Additional information about the Snyk CLI
 

binary-releases/RELEASE_NOTES.md

@@ -1,12 +1,20 @@
-## [1.1304.3](https://github.com/snyk/snyk/compare/v1.1304.2...v1.1304.3) (2026-05-13)
-
+## [1.1305.0](https://github.com/snyk/snyk/compare/v1.1304.3...v1.1305.0) (2026-05-20)
 
 The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see [this documentation](https://docs.snyk.io/snyk-cli/releases-and-channels-for-the-snyk-cli)
 
+### Features
+
+* **sbom**: Introduces the `--allow-incomplete-sbom` flag for `snyk sbom`, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results. ([29ba128](https://github.com/snyk/snyk/commit/29ba128c55afd9f41cfd0ffabe667c013b10a544))
+* **container**: Speed up `snyk container monitor` by sending dependency requests in parallel, configurable via the `SNYK_REQUEST_CONCURRENCY` environment variable. ([186c5fb](https://github.com/snyk/snyk/commit/186c5fb6b7c074d94bb9e5d4094f1909671c6f88), [6764f65](https://github.com/snyk/snyk/commit/6764f65247bb3c1c82ad5d8d3d331ba21f7c4a97))
+* **general**: Linux ARM64 and AMD64 binaries are now statically linked by default. ([f02b850](https://github.com/snyk/snyk/commit/f02b850ac8a4b6f527448874d5408ab1cfffeaab))
+* **mcp**: Adds an experimental breakability evaluation tool to the Snyk MCP Server. ([69806f5](https://github.com/snyk/snyk/commit/69806f5634b06551d46debb070553e454cf9ed54))
+
+
 ### Bug Fixes
 
-* **dependencies**: Updates dependencies to fix vulnerabilities:
-  - CVE-2026-45022 ([aa226a9](https://github.com/snyk/cli/commit/aa226a97b87572d87e81b6080dd2d291af8cfbfb))
-  - CVE-2026-33814 ([1691c3b](https://github.com/snyk/cli/commit/1691c3be1b2f681767bfeac5d9b694992e122a20))
-  - CVE-2026-33811 ([1691c3b](https://github.com/snyk/cli/commit/1691c3be1b2f681767bfeac5d9b694992e122a20))
-  - CVE-2026-39836 ([1691c3b](https://github.com/snyk/cli/commit/1691c3be1b2f681767bfeac5d9b694992e122a20))
+* **test**: Fixes resolution of aliased npm packages so the alias from the lockfile is used instead of the target package name. ([9b0e4d9](https://github.com/snyk/snyk/commit/9b0e4d913af096aa1c5a8ce46e3ed1bd5d211e8f))
+* **test**: Fixes parsing of Python `.whl` files when scanning projects with `--all-projects`. ([12ac0db](https://github.com/snyk/snyk/commit/12ac0dbb46b64526c584a13892317c80111a1d1a))
+* **deps**: Updates dependencies to fix vulnerabilities:
+  - CVE-2026-34165 ([1eec8f8](https://github.com/snyk/snyk/commit/1eec8f81e4738985a92dd8e9823e1ab846713fe7))
+  - CVE-2026-33762 ([1eec8f8](https://github.com/snyk/snyk/commit/1eec8f81e4738985a92dd8e9823e1ab846713fe7))
+  - CVE-2025-62718 ([0c4bdcc](https://github.com/snyk/snyk/commit/0c4bdcc0936bf3ba05e985895d7b44e9a1fcc962))