Fix SCA issues at scale in your terminal with Snyk Remediation Agent in the CLI
May 29, 2026
Detection has raced ahead of remediation
Snyk is now detecting six vulnerabilities for every one remediated. NIST reported a 33% increase in CVE submissions in Q1 2026. According to Gartner, the average time to patch a high/critical vulnerability is 55 days (Gartner, "How to Respond to the 2026-2027 Threat Landscape," 28 May 2026).
Fixes have to move faster because security backlogs are being hit from three directions at once:
Frontier models can chain together previously-ignorable, low-severity findings into working, novel zero-day exploits. Issues your team could safely accept as risk six months ago are no longer safe to ignore.
AI coding assistants are landing more code, faster: 65–70% of production code is now generated by AI, and nearly half of it contains exploitable vulnerabilities. The pace of new issue introduction is breakneck, and security teams can no longer manually triage.
AI-powered detection is surfacing unique issues at a volume that security and development teams are not equipped to remediate efficiently.
The risk landscape is growing on the attack, supply, and detection sides simultaneously, which means detection isn’t the bottleneck. Security teams don’t need another tool to find risk; they need tools that act on what’s been found, and burn the backlog down.
The obvious shortcut, piping scan results straight into a coding assistant and asking it to “fix the vulnerabilities”, turns out to be a trap. AI models can see what’s wrong, but they don’t know which version to upgrade to, whether it will break the build, whether the vulnerable code path is actually reachable, or if the package being upgraded to is still maintained. So you get fixes that compile but may not resolve the CVE, upgrades that break tests, or PRs that introduce more issues than they solve. “Autonomous” workflows that were supposed to save time are now costing developers even more time as they babysit AI’s every move.
That’s the gap Snyk’s Remediation Agent is being built to close. By pairing the reasoning ability of frontier models with Snyk’s security intelligence, developers can fix more issues with higher confidence across more assessment types and with fewer tokens. Benchmarking shows a ~14% improvement in fix rates for SAST issues and a ~94% improvement in fix rates for SCA issues when embedding Snyk expertise into a frontier model’s context.
Today, we’re releasing a new experimental CLI experience for the Snyk Remediation Agent for design partners. It’s our first step towards launching fully autonomous, intelligence-guided remediation at scale.

Remediating with Snyk
Snyk pioneered developer-first security, and the Snyk Remediation Agent will be the next step of the journey.
We started with Fix PRs. These are deterministic, rule-based suggestions to help developers fix supply chain issues by upgrading off of vulnerable versions. Millions of fixes are shipped this way each year, and they are not going away. But these do not keep pace in an era of AI and agentic development.
Then Snyk Agent Fix brought AI-powered, validated SAST fixes to the IDE and PR. We recently upgraded Snyk Agent Fix’s architecture to improve the fix rate. On its own, Claude Sonnet 4.6 scores ~72% in terms of its ability to deliver SAST remediations that are both secure and functional. The same model with Agent Fix providing Snyk context delivers ~82% “merge-ready” fixes for developers.
Launched earlier this month to design partners, the /snyk-fix command took the next step: an intelligence-guided remediation loop you can run from inside any Agentic Development Environment like Cursor, Claude Code, or Windsurf. Snyk scans and injects the right context into your LLM, which uses the proprietary data to produce a targeted fix. A developer reviews and merges. This human-in-the-loop approach allows for seamless, synchronous fixing. It also allows us to validate the efficacy of our fix guidance before building something that requires greater developer trust.
Today’s CLI release extends that remediation loop to your terminal. Snyk’s new Remediation Agent is available to run locally, using frontier or locally hosted models, to remediate issues en masse. Your agent is empowered by Snyk security intelligence and guidance, fixing more issues, more reliably and efficiently.

What’s next:
An asynchronous Remediation Agent that runs without a developer prompt, against a backlog filter, and produces fully validated, mergeable PRs.
An AppSec user experience for security teams to trigger remediation campaigns without putting tickets on the developer’s plate.
How Snyk customers are leveling up:
Our most successful customers have embraced a phased approach to burning down the backlog. They start with manual triage, move to AI-assisted with a human in the loop, and then lean into full async automation. This CLI release is intentionally in the middle. You stay in the loop and approve every change. As your development teams become more comfortable leveraging Snyk and LLMs to remediate, we’ll grow and adapt with you.
That’s why we believe this step is important to both our customers and us: we're using this phase to get the intelligence layer right before we ask anyone to trust an autonomous agent with a merge.
What’s in the CLI today
When you run the experimental CLI against a repo, here's what happens under the hood:
Snyk scans the project and produces a set of findings.
The intelligence layer is invoked. This is the layer that sits between the raw scan results and the LLM, and it's where most of Snyk's security data appears. For each finding, it provides:
The exact fixedIn target — which direct dependency to bump, to which version, across the manifest
Breakability analysis — how likely the upgrade is to break your build, and how to address it
Reachability — whether the vulnerable code path is actually called
Package health — is the target version maintained, adopted, trustworthy, or should you switch packages
Pre-scan context from security.snyk.io
Changelog deltas for the upgrade range
… structured for LLM reasoning, not as raw JSON dumps
Your LLM does the work. The agent runs an iterative loop — propose a fix, scan again, refine — with you reviewing each change. The current experience is LLM-agnostic, so you can bring your own model, although performance varies by model.
Snyk verifies. A fix only counts as a fix when a re-scan confirms the vulnerability is resolved.
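The four steps above modelled as a toy loop, added here as an illustration rather than Snyk's own code. The intelligence table, manifest, stub scanner and both proposer functions are constructed; the point it shows is that a change counts as a fix only when the re-scan no longer reports the package, and how a context-guided proposer reaches that gate in fewer attempts than a naive one.

```python
# Toy model of the propose -> re-scan -> verify loop. Constructed illustration,
# not Snyk's code: INTEL, MANIFEST, the proposers and scan() are all made up.

def vtuple(v):
    """Turn "4.17.21" into (4, 17, 21) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

# Stand-in for the intelligence layer: fixedIn target plus breakability/reachability.
INTEL = {
    "lodash":   {"fixedIn": "4.17.21", "severity": "high",   "reachable": True,  "breakability": "low"},
    "minimist": {"fixedIn": "1.2.6",   "severity": "medium", "reachable": False, "breakability": "low"},
    "oldlib":   {"fixedIn": "2.0.0",   "severity": "high",   "reachable": True,  "breakability": "high"},
}
# Constructed sample manifest (package -> pinned version).
MANIFEST = {"lodash": "4.17.15", "minimist": "1.2.5", "oldlib": "1.9.0"}

def scan(manifest):
    """Stub scanner: report every package pinned below its known fixedIn."""
    return {p for p, v in manifest.items()
            if p in INTEL and vtuple(v) < vtuple(INTEL[p]["fixedIn"])}

def guided_proposer(pkg, current):
    """Proposer with intelligence context: go straight to the fixedIn target."""
    return INTEL[pkg]["fixedIn"]

def naive_proposer(pkg, current):
    """Proposer without context: bump the patch number and hope it clears the issue."""
    major, minor, patch = vtuple(current)
    return f"{major}.{minor}.{patch + 1}"

def remediate(manifest, proposer, approve=lambda pkg, intel: True, max_rounds=3):
    """Per finding: propose, re-scan, refine. A change is kept only when the re-scan
    no longer reports the package. Returns (manifest, verified, unverified, proposals)."""
    manifest, verified, unverified, proposals = dict(manifest), set(), set(), 0
    for pkg in sorted(scan(manifest)):
        if not approve(pkg, INTEL[pkg]):          # human-in-the-loop gate
            unverified.add(pkg)
            continue
        candidate = dict(manifest)
        for _ in range(max_rounds):               # propose -> re-scan -> refine
            candidate[pkg] = proposer(pkg, candidate[pkg])
            proposals += 1
            if pkg not in scan(candidate):
                break
        if pkg in scan(candidate):                # never confirmed: discard it
            unverified.add(pkg)
        else:
            manifest, verified = candidate, verified | {pkg}
    return manifest, verified, unverified, proposals
```

Pass an `approve` callback that rejects findings with high breakability to see the reviewer gate hold a risky upgrade back for manual handling.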
What the benchmarks show
We ran a controlled benchmark across public open source repos and found that adding Snyk tools and an intelligence layer to claude-haiku-4-5:
Approximately doubled the fix rate (from ~23% to ~45% on average across ecosystems)
Improved critical/high/medium severity fix rates, rising from ~44% to ~91%
Reduced token cost per fix by around 61%
With Snyk intelligence, the agent doesn’t need to discover the vulnerabilities or determine fix paths, and it is guided on which upgrades entail breaking changes.
A more complete write-up with methodology, per-ecosystem charts, the latest models, and the underlying data will be published soon.
What “experimental” actually means
We want to be honest about where Snyk’s Remediation Agent is today.
It works. We've run it against internal Snyk repos and the early design partner cohort, and the results have been strong enough that we're confident in putting it in your hands. But it's also early. The UI will change, and we’re still adding signals to our intelligence layer. Today's release covers SCA; SAST, Container, and IaC are in active development. Some ecosystems are sharper than others, and the asynchronous, PR-producing version isn't here yet.
We're calling it experimental because we'd rather you know that than discover it. And we're running this phase as a design partnership program specifically because the things we most want to fix next, like the UX, signal prioritization, ecosystem coverage, and the right LLM defaults, are things we want to get from real teams running it on real repos. It’s our commitment to iterate quickly and adapt as the industry and demands evolve.
Get involved
If you've got a backlog you'd like to put a dent in, and you're up for a recurring conversation about what's working and what isn't, reach out to your Snyk account team to be considered for the Remediation Agent design partnership program. There is no paid feature gate; you just need to be willing to try the CLI on your own code, give us honest feedback, and shape where this goes next.
The full remediation arc, from intelligence-guided fixes today to fully autonomous, mergeable PRs tomorrow, is going to be built with our design partners. We'd love to have you in the room.
Start securing AI-generated code
Create your free Snyk account to start securing AI-generated code in minutes. Or book an expert demo to see how Snyk can fit your developer security use cases.
