You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Includes product update to be announced in the next stable release notes
What does this PR do?
snyk-linux and snyk-linux-arm64 binaries are now statically linked instead of dynamically linked.
This PR promotes the statically linked binaries for Linux amd64/arm64 that were previously available on the experimental distribution channel.
Where should the reviewer start?
See related linuxstatic epic
How should this be manually tested?
Validating the binary is statically linked
Download the snyk-linux and snyk-linux-arm64 binaries from the feat/linuxstatic-e2e branch
Rename them snyk-linuxstatic and snyk-linuxstatic-arm64 respectively
Download the latest snyk-linux and snyk-linux-arm64 binaries from downloads.snyk.io
Make the binaries executable via chmod +x
Move the binaries into a folder snyk
docker pull ubuntu:18.04 to get a Linux image with an unsupported glibc library
Run your docker image and mount the binaries: docker run --rm -it -v ./snyk/.:/mnt/. -w /mnt ubuntu:18.04 bash
For each binary in the container, run snyk-[OS]-[ARCH] -v
Additional testing
mount the CLI project into the docker container
Run the acceptance testing: TEST_SNYK_COMMAND=./snyk-linuxstatic npx jest test/jest/acceptance
Expected output:
What's the product update that needs to be communicated to CLI users?
Linux binaries are now statically linked
Risk assessment - Medium?
To reduce risk, a slow rollout has been ongoing, and currently ~30-35% of Linux users are already using the statically linked binaries. This PR rolls it out to 100% of users.
j-luong
changed the title
feat: Linux ARM64 and AMD64 binaries are now statically linked
feat: Linux ARM64 and Linux AMD64 binaries are now statically linked
May 12, 2026
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review
Possible path mismatch 🟡 [minor]
The Makefile now forces V1_BINARY_SUBFOLDER to experimental/ whenever STATIC_NODE_BINARY is true. If this PR intends to promote static binaries to the primary distribution channel (as stated in the description), hardcoding them to the 'experimental/' subfolder in the build logic may result in artifacts being placed in the wrong directory during the final packaging phase, potentially conflicting with the StaticFiles list in upload-artifacts.sh which expects them at the root of the release folder.
The logic introduced to set V1_BINARY_SUBFOLDER = experimental/ when STATIC_NODE_BINARY is true will cause the main Linux binaries (which are being promoted to static in this PR) to be placed in the experimental sub-directory. This contradicts the PR's goal of promoting these to the main distribution. Downstream jobs like acceptance-tests linux amd64 expect the binary at the root (./binary-releases/snyk-linux), and the upload-artifacts.sh script (see cross-file context) will fail to include the new static binaries in the primary release bundle as it also looks in the root directory.
Line 98 appears to use a leading tab for the variable assignment V1_BINARY_SUBFOLDER = experimental/. In a Makefile, a leading tab at the start of a line is reserved for recipe commands. Since this assignment is located at the top level and not part of a target rule, it will likely cause a 'commands commence before first target' error, preventing the build from running.
V1_BINARY_SUBFOLDER = experimental/
📚 Repository Context Analyzed
This review considered 5 relevant code sections from 4 files (average relevance: 0.79)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
j-luong
changed the title
PeterSchafer
force-pushed
the
feat/cli-1440_defaultToLinuxStatic
branch
from
Pull Request Submission Checklist
are release-note ready, emphasizing
what was changed, not how.
What does this PR do?
snyk-linuxandsnyk-linux-arm64binaries are now statically linked instead of dynamically linked.This PR promotes the statically linked binaries for Linux amd64/arm64 that were previously available on the
experimentaldistribution channel.Where should the reviewer start?
See related linuxstatic epic
How should this be manually tested?
Validating the binary is statically linked
snyk-linuxandsnyk-linux-arm64binaries from thefeat/linuxstatic-e2ebranchsnyk-linuxstaticandsnyk-linuxstatic-arm64respectivelysnyk-linuxandsnyk-linux-arm64binaries fromdownloads.snyk.iochmod +xsnykdocker pull ubuntu:18.04to get a Linux image with an unsupportedglibclibrarydocker run --rm -it -v ./snyk/.:/mnt/. -w /mnt ubuntu:18.04 bashsnyk-[OS]-[ARCH] -vAdditional testing
TEST_SNYK_COMMAND=./snyk-linuxstatic npx jest test/jest/acceptanceExpected output:
What's the product update that needs to be communicated to CLI users?
Linux binaries are now statically linked
Risk assessment - Medium?
To reduce risk, a slow rollout has been ongoing, and currently ~30-35% of Linux users are already using the statically linked binaries. This PR rolls it out to 100% of users.