
How Snyk incorporates generative AI into the platform

Snyk’s AI Security Platform uses generative AI to enhance automation, efficiency, and innovation for developers and security teams. Snyk’s generative AI features are powered by third-party large language models (LLMs) from established AI providers.

This document explains what generative AI technologies Snyk uses and how data flows through our systems. It also describes the measures we take to protect your data. The field of AI is changing quickly. As a result, the AI technologies we use may change when we introduce new features or update existing ones.

Core principles

Snyk places the utmost importance on data security and integrity.

  • No training on customer code: Snyk does not use customer proprietary software code to train, optimize, fine-tune, or improve any AI models, and does not use or incorporate any third-party AI models into the platform unless they make the same commitments.

  • Contractual protection: All of the AI functionality described in this document forms part of Snyk’s services. Your use of this functionality is governed by your existing agreements with Snyk and benefits from the same contractual protections. No separate in-service terms, addenda, or amendments to your existing agreements with Snyk are required.

AI models

Snyk uses LLMs from established AI providers, including OpenAI and Anthropic, through API connections and cloud services like AWS Bedrock and GCP Vertex.

Product-specific AI implementations

Agent Fix & Explain

Attribute
Details

Purpose

Designed to help developers:

  • Fix their code faster by suggesting fixes to vulnerabilities identified by Snyk Code; and

  • Better understand findings and suggestions returned by Snyk by providing detailed explanations on demand.

AI models / deployment

Anthropic’s Claude models through AWS Bedrock or GCP Vertex.

Data processed

Code snippets containing only the relevant scope of the vulnerability.

Data retention

Customer proprietary software code is not retained by the provider of these AI models.

Additional information

More information about Agent Fix is available here.
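The "Data processed" row above says only the relevant scope of a finding is sent to the model rather than the whole file. The block below is an added illustration of that minimization step for Python source; it is not Snyk's implementation and does not claim to match how Agent Fix selects its snippet. The sample file, the finding line number, and the fallback window size are constructed assumptions.

```python
"""Added illustration: scope a snippet to the enclosing definition before it
is sent to a model.  Not Snyk's code; the sample file and finding location
below are constructed for the example."""
import ast


def enclosing_scope(source: str, line: int, context: int = 3) -> str:
    """Return the source of the innermost def/class that contains 1-based `line`.

    A finding at module level (no enclosing definition) falls back to a small
    window of `context` lines on either side, so the caller still gets something
    to work with but never the whole file.
    """
    tree = ast.parse(source)
    best = None
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)) \
                and node.lineno <= line <= node.end_lineno:
            # Prefer the smallest span, i.e. the innermost enclosing definition.
            if best is None or node.end_lineno - node.lineno < best.end_lineno - best.lineno:
                best = node
    lines = source.splitlines()
    if best is None:
        lo, hi = max(1, line - context), min(len(lines), line + context)
    else:
        lo, hi = best.lineno, best.end_lineno
    return "\n".join(lines[lo - 1:hi])


# Constructed sample file.  Line 10 carries the (hypothetical) finding; the
# module-level constant on line 3 and the unrelated function must not be sent.
SAMPLE = '''\
import sqlite3

API_KEY = "example-not-a-real-secret"  # module-level; must not be sent

def unrelated(x):
    return x * 2

def find_user(conn, name):
    # Finding reported on the next line: SQL built by string concatenation
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()
'''
FINDING_LINE = 10


if __name__ == "__main__":
    print(enclosing_scope(SAMPLE, FINDING_LINE))
```

For a finding inside `find_user` the returned text is the four lines of that function only; a finding on the module-level constant itself takes the fallback window, which is the one case where neighbouring top-level code is still included.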

Snyk Assist for Snyk Learn

Attribute
Details

Purpose

AI powered chat assistant designed to help developers and Snyk users:

  • Obtain contextually relevant assistance when navigating the information and resources available within Snyk Learn; and

  • Get immediate customized answers to specific application security, secure coding and Snyk product usage questions.

AI models / deployment

Anthropic's Claude models through GCP Vertex.

Data processed

User input, in the form of chat-based questions submitted by developers and Snyk users.

Safeguards

Snyk has implemented:

  • Technical safeguards designed to check for code in user input — if found, code is not sent to the AI model or stored by Snyk.

  • Measures designed to handle inappropriate user input, for your safety and that of Snyk.

Data retention

Anonymized user inputs are retained by Snyk for a reasonable period for monitoring and managing service performance, after which they are permanently deleted.

Additional information

More information about Snyk Assist for Learn is available here.
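The "Safeguards" row above describes a check for source code in chat input, with matching input withheld from the model and not stored. The block below is an added example of such a pre-send gate; it is not Snyk's implementation, and the regular expressions, the scoring threshold, and the sample inputs are constructed assumptions. The point it makes beyond the text is the shape of the audit record: a blocked message leaves behind a score and a reason, never the text itself.

```python
"""Added illustration: a heuristic pre-send gate that keeps source code out of
a chat prompt.  Not Snyk's implementation; patterns and threshold are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Signals that are common in code and rare in a natural-language question.
# Keywords are matched case-sensitively so that "select a project from the
# list" or "Delete the token" in plain English do not count.
CODE_PATTERNS = [
    re.compile(r"^\s*(def|class|import|from|function|const|let|var|public|private|return)\b", re.M),
    re.compile(r"[{};]\s*$", re.M),                        # line ends in a brace or semicolon
    re.compile(r"\b\w+\([^)]*\)\s*[{:]"),                   # call/def header followed by a block opener
    re.compile(r"</?[A-Za-z][^>]*>"),                       # HTML/XML tag
    re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|SET|WHERE)\b"),  # SQL statement
    re.compile(r"^\s*(//|#!|/\*)", re.M),                   # comment or shebang markers
    re.compile(r"```"),                                     # fenced code
]


def code_score(text: str) -> int:
    """Count independent code signals; several together mean it is almost certainly code."""
    score = sum(len(p.findall(text)) for p in CODE_PATTERNS)
    lines = [l for l in text.splitlines() if l.strip()]
    indented = sum(1 for l in lines if l.startswith(("    ", "\t")))
    if len(lines) >= 3 and indented * 2 >= len(lines):     # half or more of the lines indented
        score += 3
    return score


@dataclass(frozen=True)
class GateResult:
    allowed: bool
    score: int
    reason: str


def gate_prompt(user_text: str, threshold: int = 2) -> GateResult:
    """Decide whether the text may be forwarded.  The threshold is an assumption."""
    score = code_score(user_text)
    if score >= threshold:
        return GateResult(False, score, "input looks like source code; withheld from the model")
    return GateResult(True, score, "ok")


def build_model_request(user_text: str) -> tuple[dict | None, dict]:
    """Return (payload, audit).  payload is None when the text is withheld.

    The audit record deliberately carries no user text, so a blocked message is
    neither forwarded to the model nor written to Snyk-side storage.
    """
    result = gate_prompt(user_text)
    audit = {"forwarded": result.allowed, "code_score": result.score, "reason": result.reason}
    if not result.allowed:
        return None, audit
    return {"messages": [{"role": "user", "content": user_text}]}, audit


# Constructed sample inputs: a plain question and a pasted function.
QUESTION = "What is the difference between SQL injection and stored XSS?"
CODE_PASTE = (
    "def login(user, pw):\n"
    "    query = \"SELECT * FROM users WHERE name = '\" + user + \"'\"\n"
    "    return db.execute(query)\n"
)


if __name__ == "__main__":
    for text in (QUESTION, CODE_PASTE):
        payload, audit = build_model_request(text)
        print(audit, "payload sent" if payload else "payload withheld")
```

Any single regular expression above can misfire on English text, which is why the decision is a score over several independent signals rather than one match; the pasted function trips the keyword, block-opener, SQL, and indentation signals at once while the question trips none.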

Snyk Assist for Support

Attribute
Details

Purpose

AI-powered assistant designed to help users obtain support through the enterprise search and virtual agent capabilities within the Snyk support portal.

AI models / deployment

OpenAI, accessed through secure API connections, for question moderation only; Anthropic's models through GCP Vertex for answer generation.

Data processed

  • For question moderation: User input in the form of chat-based questions (i.e. question text only); and

  • For answer generation: User input in the form of chat-based questions, and limited user context including user email, account name, account type, and group name.

Data retention

  • OpenAI: Snyk has enabled OpenAI’s Zero Data Retention control;

  • GCP Vertex: Data may be cached in-memory for up to 24 hours to reduce latency; no data is stored at rest. Prompts may be logged for up to 30 days where automated safety classifiers detect suspicious activity requiring investigation into potential policy violations.

Additional information

Snyk Assist for Support is available here.

Snyk API & Web: False Positive Reduction (FPR)

Attribute
Details

Purpose

Designed to help classify findings to reduce manual review and improve efficiency.

AI models / deployment

Anthropic’s Claude models through AWS Bedrock.

Data processed

Parts of HTTP requests and responses (i.e. components of web communications that are analyzed to detect and classify vulnerabilities).

Data retention

Customer proprietary software code is not passed to or retained by the provider of these AI models.

Additional information

More information about Snyk API & Web is available here.

Snyk API & Web - Broken Object Level Authorization for APIs

Attribute
Details

Purpose

Designed to help identify authorization vulnerabilities in APIs, including Broken Object Level Authorization.

AI models / deployment

Anthropic’s Claude models through AWS Bedrock.

Data processed

Parts of HTTP requests and responses (i.e. components of web communications that are analyzed to detect vulnerabilities and classify content).

Data retention

HTTP requests and responses are not retained by the provider of these AI models.

Additional information

More information about Snyk API & Web is available here.

Snyk SAST / DAST Correlation

Attribute
Details

Purpose

Designed to correlate Snyk Code and Snyk API & Web findings by highlighting the source code that triggered a given API & Web vulnerability.

AI models / deployment

Google’s Gemini models through GCP Vertex, and Anthropic’s Claude models through AWS Bedrock and GCP Vertex.

Data processed

Customer source code; DAST scan information (for example, vulnerability types, endpoints, and parameters); and SAST scan information (for example, vulnerability types, file names, and code locations), to help correlate source code with runtime vulnerabilities.

Data retention

Customer proprietary software code is not retained by the provider of these AI models.

Additional information

More information about Snyk API & Web is available here.

AI-SPM

Evo Chat Agent

Attribute
Details

Purpose

AI-powered security assistant designed to help users explore the data available to them as part of AI-SPM (e.g. understanding AI assets, reviewing policy results, creating and updating policies, and generating basic reports).

AI models / deployment

Google’s Gemini models through GCP Vertex, and Anthropic’s Claude models through GCP Vertex or AWS Bedrock (depending on the deployment region).

Data processed

  • User context (user ID, tenant ID, and authentication token) used to scope requests and authorise downstream API calls.

  • User chat messages and agent responses within a session.

  • AI asset metadata (e.g. model name, type, vendor, repository, organisation), asset relationships, security policies, and policy violation issues.

Data retention

  • AWS Bedrock: Prompts and completions are not retained;

  • GCP Vertex: Data may be cached in-memory for up to 24 hours to reduce latency; no data is stored at rest. Prompts may be logged for up to 30 days where automated safety classifiers detect suspicious activity requiring investigation into potential policy violations.

Additional information

More information about Evo Chat Agent is available via the Customer portal.

Evo AI-BOM Pattern Detection

Attribute
Details

Purpose

Allows the Evo AI-BOM to detect customer-specific AI assets, such as fine-tuned models.

AI models / deployment

Anthropic’s Claude models through GCP Vertex or AWS Bedrock.

Data processed

Code snippets used to label whether patterns are AI assets.

Data retention

Customer proprietary software code is not retained by the provider of these AI models.

Additional information

More information about Evo AI-BOM Pattern Detection is available via the Customer portal.

Additional AI safeguards and controls

Snyk has taken a proactive approach to AI governance by implementing robust policies, procedures, and technical controls to encompass AI-specific considerations. In addition to Snyk's internal policies and controls, we maintain an overarching AI Governance Program managed by our cross-functional AI Advisory Board.

Snyk’s AI capabilities are specifically designed to support the same functionality as our underlying platform: identifying vulnerabilities in code, proposing fixes to those vulnerabilities, and promoting security within the software development lifecycle. Our AI governance incorporates key principles of emerging AI regulations. This includes validating our deterministic training datasets for quality and copyright compliance, and ongoing testing of output quality. Snyk's AI capabilities are designed to enable our customers to assess AI-related risks and vulnerabilities, including governance mechanisms, transparency measures, and security controls.

How Snyk handles data generally

View How Snyk handles your data for more general information about Snyk’s data management practices.
