How Snyk incorporates generative AI into the platform
Snyk’s AI Trust Platform uses generative AI to enhance automation, efficiency, and innovation for developers and security teams. Snyk uses a mix of solutions, including proprietary, self-hosted models and third-party large language models (LLMs).
This document explains what generative AI technologies Snyk uses and how data flows through our systems. It also describes the measures we take to protect your data. The field of AI is changing quickly. As a result, the AI technologies we use may change when we introduce new features or update existing ones.
Core principles
Snyk places the utmost importance on data security and integrity.
No training on customer code: Snyk does not use customer proprietary software code to train, optimize, fine-tune or otherwise improve any of its AI models, and does not use or incorporate any third-party AI model into the platform unless its provider makes the same commitment.
Contractual protection: all of the AI functionality described in this document forms part of Snyk’s services. Your use of this functionality is governed by your existing agreements with Snyk and benefits from the same contractual protections. No separate in-service terms, addenda, or amendments to your existing agreements with Snyk are required.
AI models
Snyk uses multiple AI deployment strategies to balance performance, security, and data protection:
Proprietary / self-hosted models: Snyk's core generative AI model is proprietary and maintained entirely within our controlled environment. It runs on dedicated infrastructure and powers the platform's core functions: identifying issues and proposing fixes for them.
Hybrid models: For certain products or features, Snyk combines its proprietary self-hosted model with one or more open-source models. These open-source models are also hosted and maintained entirely within our controlled environment; they are not accessed through an external provider.
Third-party LLMs: For certain products or features, Snyk uses LLMs from established AI providers, including OpenAI and Anthropic, accessed through secure API connections and through cloud services such as Amazon Bedrock (AWS) and Vertex AI (Google Cloud).
Product-specific AI implementations
Agent Fix & Explain
Purpose: help developers fix their code faster by suggesting fixes for vulnerabilities identified by Snyk Code, and better understand Snyk's findings and suggestions through detailed explanations provided on demand.
AI models / deployment: a combination of Snyk's proprietary DeepCode AI engine and open-source models that may be fine-tuned on Snyk's existing datasets (which do not include any customer proprietary software code). All of these models are hosted and maintained entirely within Snyk's controlled environment.
Data processed: code snippets limited to the scope relevant to the vulnerability being fixed or explained.
Data retention: these models are hosted entirely within Snyk's controlled environment; no customer proprietary software code is sent to a third-party model provider or retained by the models.
Additional information: see the Agent Fix documentation for more information.
Snyk Assist for Snyk Learn
Purpose: an AI-powered chat assistant that helps developers and Snyk users obtain contextually relevant assistance when navigating the information and resources available within Snyk Learn, and get immediate, customized answers to specific application security, secure coding and Snyk product usage questions.
AI models / deployment: OpenAI's GPT-4o model, accessed via secure API connections.
Data processed: user input, in the form of chat-based questions submitted by developers and Snyk users.
Safeguards: Snyk has implemented technical safeguards that check user input for code; if code is detected, it is neither sent to the AI model nor stored by Snyk. Snyk has also implemented measures to handle inappropriate user input, for your safety and that of Snyk.
Data retention: anonymized user inputs are retained by Snyk for a reasonable period for monitoring and managing service performance, after which they are permanently deleted.
Training: in addition to the training restriction described above, the content of Snyk Assist prompts is not used to train OpenAI's models.
Additional information: see the Snyk Assist documentation for more information.
Snyk API & Web: false positive reduction (FPR)
Purpose: classifies findings to reduce false positives and the manual review they require.
AI models / deployment: Anthropic's Claude models, accessed through Amazon Bedrock.
Data processed: parts of HTTP requests and responses, that is, the components of web communications that Snyk API & Web analyzes to detect and classify vulnerabilities.
Data retention: the HTTP request and response fragments described above are processed by the third-party model through Amazon Bedrock; customer proprietary software code is not passed to, or retained by, the provider of these AI models.
Additional information: see the Snyk API & Web documentation for more information.
Additional AI safeguards and controls
Snyk takes a proactive approach to AI governance, with policies, procedures and technical controls that address AI-specific considerations. In addition to these internal policies and controls, Snyk maintains an overarching AI Governance Program managed by a cross-functional AI Advisory Board.
Snyk does not develop general-purpose AI models. Our proprietary AI is purpose-built to support the same functionality as the underlying platform: identifying vulnerabilities in code, proposing fixes for those vulnerabilities, and promoting security within the software development lifecycle. Our AI governance also incorporates key principles of emerging AI regulations, including validating our training datasets for quality and copyright compliance and ongoing testing of output quality. Snyk's AI capabilities are designed to help customers assess AI-related risks and vulnerabilities, including through governance mechanisms, transparency measures, and security controls.
How Snyk handles data generally
See "How Snyk handles your data" for more general information about Snyk's data management practices.