Skip to Content
logo
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • December
  • Release 52
  • Release 51
  • Release 50
  • Release 49
  • November
  • Release 48
  • Release 47
  • Release 46
  • Release 45
  • October
  • Release 44
  • Release 43
  • Release 42
  • Release 41
  • September
  • Release 40
  • Release 39
  • Release 38
  • Release 37
  • August
  • Release 36
  • Release 35
  • Release 34
  • Release 33
  • Release 32
  • July
  • Release 31
  • Release 30
  • Release 29
  • Release 28
  • Release 27
  • June
  • Release 26
  • Release 25
  • Release 24
  • Release 23
  • May
  • Release 22
  • Release 21
  • Release 20
  • Release 19
  • April
  • Release 18
  • Release 17
  • Release 16
  • Release 15
  • Release 14
  • March
  • Release 13
  • Release 12
  • Release 11
  • Release 10
  • February
  • Release 9
  • Release 8
  • Release 7
  • Release 6
  • January
  • Release 5
  • Release 4
  • Release 3
  • Release 2
  • Release 1
Find and fixSupport informationChangelog2023

2023

December

Release 52

  • (SCA) Improved clarity of the Skims SCA output logs, including CVE details and safer versions.
  • (SCA) Integrated OSV vulnerability database as a new source for SCA.

Release 51

(CSPM) Updated CSPM configuration to comply with AWS cross-account role requirements.

Release 50

  • (ASPM) Improved snippet processing for reports.
  • (CSPM) New rules:
    • AWS RDS cluster not inside a DB subnet group
    • AWS RDS has a public cluster

Release 49

No features were delivered during this iteration.

November

Release 48

No features were delivered during this iteration.

Release 47

No features were delivered during this iteration.

Release 46

(SCA) New rule: Npm missing package lock

Release 45

(SAST) New rule: Java accepts any mimetype obj

October

Release 44

  • (SCA) SCA support was expanded to report malware cases.
  • (SAST) New rule: Go insecure query

Release 43

Implemented exclusion of vulnerabilities for Skims using NOFLUID directives.

Release 42

(CSPM) New rule: AWS EC2 has a modify attribute

Release 41

  • (SCA) Added SCA support for .NET exe.config files.
  • (ASPM) Improved Skims usability by allowing execution without mandatory configuration.
  • (SCA) New rule: Net framework config
  • (SAST) New rules:
    • Cfn s3 buckets allow unauthorized public access
    • Tfm public buckets acl
    • TFM S3 buckets allow unauthorized public access

September

Release 40

  • (ASPM) Updated Boto3 for AWS CSPM module in Skims.
  • (ASPM) Introduced handling for disputed SCA advisories in Skims.

Release 39

  • (ASPM) Ensured Skims compliance with the SARIF 2.1 format.
  • (ASPM) Optimized CSPM module processing of ARN, URI, and ID values.
  • (SAST) New rules:
    • Cs stored password
    • Swift HC secret JWT

Release 38

  • (CSPM) New rules:
    • AWS CloudTrail is not logging
    • Azure storage account not enforcing latest tls
    • Azure storage account not enforcing https
    • Azure storage account geo replication disabled
    • Azure storage account allows public traffic
  • (DAST) New rules:
    • Http x backend server header leaked
    • Http x aspnet mvc version header leaked
    • Http x aspnet version header leaked
    • Http permissions policy header not present
  • (SAST) New rule: Dotnetconfig asp version enabled

Release 37

  • (CSPM) New rules:
    • AWS s3 private buckets not blocking public acls
    • GCP storage object versioning is not enabled
    • GCP storage uniform bucket level access is disabled
    • GCP storage retention policy is not configured
    • GCP storage logging is not enabled on storage bucket
    • AWS apigateway allows anonymous access
  • (DAST) New rules:
    • HTTP access control allow methods insecure
    • HTTP x powered by header leaked
  • (SAST) New rules:
    • Cs override auth modifier
    • Cs has public cache header

August

Release 36

  • (CSPM) Standardized cloud security checks across CloudFormation, Terraform, and DAST AWS methods.
  • (CSPM) Enhanced readability of CSPM DAST method reports.
  • (SAST) Optimized Skims by ignoring node_modules during scans of Node.js projects.
  • (CSPM) New rules:
    • AWS iam policies attached to users
    • AWS ec2 vpc without flowlog
    • AWS iam admin policy attached
    • AWS s3 public buckets
    • Azure blob containers are public
    • Gcp storage public buckets
    • AWS iam allows priv escalation by attach policy
    • AWS cloudfront insecure protocols
    • AWS ec2 anyone admin ports
    • AWS ec2 unrestricted cidrs
    • AWS ec2 unrestricted ip protocols
    • AWS ec2 sec groups rfc1918
    • AWS ec2 unrestricted dns access
    • AWS ec2 unrestricted ftp access
    • AWS ec2 open all ports to the public
    • AWS ec2 default all traffic
    • AWS ec2 insecure port range
    • AWS ec2 acl allow egress traffic
    • AWS ec2 acl allow all ingress traffic
    • AWS ec2 vpc endpoints exposed
    • AWS iam group with inline policy
    • AWS iam user with inline policy
    • AWS iam open passrole
    • AWS iam has permissive role policy
    • AWS iam full access ssm
    • AWS iam negative statement
    • AWS elb2 insecure security policy
    • AWS rds has public instances
    • AWS s3 bucket policy encryption disable
    • AWS rds not inside a db subnet group
    • AWS iam user with multiple access keys
    • AWS ec2 has default security groups in use
    • AWS ec2 default security group
    • AWS s3 acl public buckets
    • AWS iam permissive policy
    • AWS iam min password len unsafe
    • AWS cloudtrail is trail bucket logging disabled
  • (DAST) New rules:
    • Http server header leaked
    • Http x xss protection enabled
  • (SAST) New rules:
    • Dotnetconfig anon auth enabled
    • Kt hc secret alg instance
    • Tfm redshift has encryption disabled
    • Cfn redshift has encryption disabled
    • Go hardcoded symmetric key
  • (SCA) New rules:
    • Poetry lock deps
    • Maven gradle kts

Release 35

  • (SCA) Added support for Erlang and Swift package managers in Skims SCA.
  • (CSPM) Implemented a unified workflow for adding GCP accounts.
  • (SCA) Added SCA vulnerability reporting for dependencies in GitHub Actions YAML files.
  • (SCA) Introduced support for Rust’s Cargo package manager in Skims.
  • (SAST) New rules:
    • Python insecure jwt key
    • Cfn sqs has encryption disabled
    • Tfm sqs has encryption disabled
    • Tfm sns has server-side encryption disabled
    • Cfn SNS has server-side encryption disabled
    • Cs hardcoded symmetric key
  • (SCA) New rules:
    • Swift packages dev
    • Erlang mix deps dev
    • GitHub actions deps
    • Erlang mix lock deps
    • Erlang mix deps
    • Cargo toml deps dev

Release 34

  • (SCA) Added support for pnpm-lock.yaml in dependency analysis.
  • (SAST) New rules:
    • Cfn redshift has user activity log disabled
    • Tfm redshift has user activity log disabled
    • Tfm elasticache transit encryption disabled
    • Cfn elasticache transit encryption disabled
    • Tfm elasticache uses default port
    • Cfn aws elb listener on http
    • Cfn elasticache uses default port
    • Cfn redshift not requires ssl
    • Tfm redshift not requires ssl
    • Tfm redshift has public clusters
    • Cfn redshift has public clusters
    • Tfm aws elb listener on http
    • Tfm rds not uses IAM authentication
    • Cfn rds not uses IAM authentication
    • Tfm eks has endpoints publicly accessible
    • Cfn Eks has endpoints publicly accessible
  • (SCA) New rules:
    • Cargo lock deps
    • Cargo toml deps
    • HTML script dependencies
    • Pnpm package lock dev
    • Pnpm package lock

Release 33

  • (CSPM) Defined the foundational structure for GCP DAST checks.
  • (SAST) New rules:
    • Cfn redshift has audit logs disabled
    • Tfm redshift has audit logs disabled
    • Java JWT unsafe decode
    • Java JWT without proper sign
    • Tfm cognito has mfa disabled
    • Cfn cognito has mfa disabled
    • Cfn sqs is public
    • Python insecure cipher mode
    • Tfm sqs is public
    • Java hostname verification off
    • Java insecure cipher mode
    • Kt insecure cipher mode
    • JS regex injection
    • TS regex injection
    • Python regex injection
    • Cfn allows priv escalation by attach policy

Release 32

(SAST) New rules:

  • Cfn allows priv escalation by policies versions
  • Tfm allows priv escalation by policies versions
  • Tfm allows priv escalation by attach policy

July

Release 31

No features were delivered during this iteration.

Release 30

(SAST) New rule: Python exposed auth token

Release 29

(SAST) New rules:

  • Kubernetes uses HTTP server
  • Kubernetes uses HTTP
  • K8s check host pid
  • K8s check if sys admin exists
  • Python insecure authentication

Release 28

(SAST) New rule: K8s check if capability exists

Release 27

(SAST) New rules:

  • Cfn aws sec group using tcp
  • Tfm s3 versioning disabled
  • Tfm iam trust policy wildcard action

June

Release 26

  • (SCA) Added support for Conan.
  • (SAST) New rules:
    • Tfm iam policy apply to users
    • Cfn iam policy apply to users
    • Tfm iam permissions policy not resource
    • Tfm iam permissions policy not action
    • Tfm iam trust policy not principal
    • Tfm iam trust policy not action
    • Tfm policy server encryp disabled
    • Tfm rds pub accessible
    • Tfm api all HTTP methods enabled
    • Cfn http methods enabled
    • Tfm http methods enabled
    • Cfn iam excessive role policy
  • (SCA) New methods:
    • Conan lock dev
    • Conan lock

Release 25

No features were delivered during this iteration.

Release 24

No features were delivered during this iteration.

Release 23

  • (ASPM) Implemented severity and CWE reporting at the location level.
  • (SCA) Added support for SCA in Go.

May

Release 22

No features were delivered during this iteration.

Release 21

(SAST) New rule: Tfm aws sec group using tcp

Release 20

No features were delivered during this iteration.

Release 19

  • (ASPM) Implemented exit codes in CLI to indicate vulnerability detection status.
  • (ASPM) Added CVSS 3.1 Exploit Code Maturity metric to vulnerability reports.
  • (ASPM) Started documentation for scanner (Skims) output to clarify results interpretation.

April

Release 18

No features were delivered during this iteration.

Release 17

  • (ASPM) Integrated documentation URLs in vulnerability reports for better understanding.
  • (ASPM) Updated standalone scanner configuration file syntax for better usability.

Release 16

  • (ASPM) Created official Skims documentation to explain usage as a SAST scanner.
  • (SAST) New rule: XML header allows dangerous methods
  • (CSPM) New rule: AWS SNS can anyone subscribe

Release 15

  • (CSPM) New rules:
    • AWS SNS can anyone publish
    • AWS sqs is public
    • AWS sqs has encryption disabled
    • AWS SNS has server-side encryption disabled
  • (SAST) New rules:
    • Cfn server SSL disabled
    • Java insec sign algorithm
    • Python insec hash library
    • Kotlin accepts any mime type

Release 14

  • (SAST) Enhanced Dart’s SAST flow to enable more sophisticated logic analysis.
  • (SAST) New rules:
    • Container disabled SSL
    • Go accepts any mime type
    • Java basic authentication
    • Cfn insecure certificate
  • (CSPM) New rules:
    • AWS Elasticache rest encryption disabled
    • AWS Elasticache transit encryption disabled

March

Release 13

  • (SAST) Enhanced infrastructure files analysis (HCL and YAML).
  • (CSPM) New rules:
    • AWS Redshift not requires ssl
    • AWS Redshift has audit logs disabled
    • AWS Redshift has user activity log disabled
    • AWS Redshift has encryption disabled
    • AWS Elasticache uses default port
    • AWS dynamodb not del protec
  • (SAST) New rules:
    • Kotlin vuln regex
    • Dotnetconfig excessive auth privileges
    • Kt xml parser
    • Python accepts any mime
    • Python http only cookie
    • JS debugger enabled
    • TS debugger enabled
    • Python secure cookie

Release 12

  • (SAST) Extended secret detection to analyze more configuration files.
  • (SAST) New rules:
    • Kotlin secure cookie
    • Kt default http client deprecated
    • C Sharp plain text keys
    • Cs insecure authentication
    • Kt remote command execution
    • Kt anonymous ldap
  • (CSPM) New rules:
    • AWS secrets has automatic rotation disabled
    • AWS Redshift has public clusters

Release 11

  • (SAST) New rules:
    • Kotlin http only cookie
    • Tfm dynamo not del protec
    • JavaScript accepts any mime default
    • Typescript accepts any mime default
    • Java secure cookie
    • Python unsafe certificate validation
    • Java HTTP only cookie
    • Python unsafe ssl hostname
    • Kt insecure encryption key
    • JavaScript accepts any mime method
    • Typescript accepts any mime method
    • Kt insecure key pair gen
  • (CSPM) New rules:
    • AWS RDS unrestricted db security groups
    • AWS RDS not uses iam authentication
    • AWS RDS has public snapshots

Release 10

(SAST) New rules:

  • Kt insecure parameter spec
  • Cfn dynamo not del protec
  • Kt insecure key gen
  • Kt insecure certificate validation
  • Kt insecure host verification
  • C Sharp accepts any mimetype
  • Kt insecure init vector

February

Release 9

  • (SCA) Enhanced support for Pub (Dart) and Packagist (PHP) package managers.
  • (SAST) New rules:
    • Java accepts any mimetype chain
    • Python unsafe cipher
    • Java xml parser
    • Python regex dos
    • Python LDAP conn auth
    • Java HTTP req accepts any mimetype
    • Python unsafe temp file
    • Kt weak random
    • Python remote command execution
    • Swift insecure cryptor
    • Swift insecure cipher
  • (CSPM) New rule: AWS EKS has endpoints publicly accessible

Release 8

  • (SAST) Added support for analyzing Python files in Skims.
  • (SAST) New rules:
    • Python io path traversal
    • Python session fixation
    • JS JWT insec sign algo async
    • TS jwt insec sign algo async
    • JS insec msg auth mechanism
    • TS insec msg auth mechanism
    • Cs cert validation disabled
    • Python ldap injection
    • Python deserialization injection
  • (CSPM) New rules:
    • AWS ELBv2 insecure SSL cipher
    • AWS DynamoDB encrypted with AWS master keys

Release 7

  • (SAST) Improved Symbolic Evaluation logic for better accuracy in detecting vulnerabilities.
  • (SAST) New rules:
    • JS salt is hardcoded
    • TS salt is hardcoded
    • Java salt is hardcoded
    • Kotlin salt is hardcoded
    • Go salt is hardcoded
    • Dart salt is hardcoded
    • XML allows all domains
    • JS jwt insec sign algorithm
    • TS jwt insec sign algorithm
    • Yml serverless cors
    • Dart insecure logging
    • Python xml parser
  • (CSPM) New rules:
    • AWS elbv2 insecure protocols
    • AWS cognito has mfa disabled
  • (SCA) New rules:
    • Conan conanfile py dev
    • Conan conanfile txt dev

Release 6

(SAST) New rules:

  • JSx lack of validation event listener
  • JS local storage sens data assignment
  • TS local storage sens data assignment
  • XML header allow all methods

January

Release 5

  • (CSPM) New rules:
    • AWS IAM users with password and access keys
    • AWS IAM MFA disabled for users with console passwd
  • (SCA) New rules:
    • Conan conanfile py
    • Conan conanfile txt

Release 4

  • Improved support for Go and Kotlin.
  • (CSPM) New rules:
    • AWS IAM has root active signing certificates
    • AWS IAM has old ssh public keys
    • AWS has publicly shared AMIs
    • AWS IAM allows privilege escalation by policy versions
  • (SAST) New rules:
    • TSx lack of validation event listener
    • JS JSON parse unvalidated data
    • TS json parse unvalidated data

Release 3

  • (CSPM) New rules:
    • AWS IAM has old creds enabled
    • AWS IAM has old access keys
    • AWS IAM root has access keys
  • (SAST) New rules:
    • JS local storage with sensitive data
    • TS local storage with sensitive data

Release 2

  • (ASPM) Use colors to identify vulnerabilities’ criticality : Add colored markers based on the severity of the vulnerability to facilitate identification.
  • (ASPM) Add risk exposure (CVSSF) to our platform : Add a new column called ”% Risk Exposure” that ranges from 0% to 100% in the findings and vulnerabilities tables.
  • (ASPM) Update of the statuses in ARM reports : Update the technical report’s status column by changing the words “open” and “closed” to “safe” and “vulnerable”.
  • (ASPM) Update treatment status : Replace the treatment status “New” with “Untreated” to improve clarity for users.
  • (ASPM) Organize vulnerabilities by risk exposure (CVSSF) : Organize vulnerabilities by default according to CVSSF and status “vulnerable”.
  • (CSPM) New rule: AWS IAM root has mfa disabled
  • (SAST) New rules:
    • Cfn iam permissions policy not resource
    • Cfn iam permissions policy not action
    • Cfn iam trust policy not principal
    • Cfn iam trust policy not action
    • Cfn iam permissions policy wildcard resources
    • Cfn iam permissions policy wildcard actions
    • Cfn iam trust policy wildcard action
    • JS insecure compression algorithm
    • TS insecure compression algorithm
  • (SCA) New rules:
    • Pub pubspec yaml dev
    • Pub pubspec yaml

Release 1

  • (ASPM) Delete inactive users after 90 days : Automatically delete users from our platform after 90 days of inactivity.
  • (ASPM) Talk to a Hacker modal improvements : Add a new field named “ARM Group Name” with autofill to request only unknown information from users.
  • (ASPM) Congratulations message in compliance report : Add a congratulatory message in the compliance report if the group does not have unfulfilled standards.
  • (CSPM) New rules:
    • AWS IAM has mfa disabled
    • AWS IAM does not require uppercase
    • AWS IAM does not require lowercase
    • AWS IAM does not require symbols
    • AWS IAM does not require numbers
    • AWS IAM password reuse unsafe
    • AWS IAM password expiration unsafe
  • (SCA) New rules:
    • Composer lock dev
    • Composer lock
    • Composer JSON dev
  • (SAST) New rule: Tfm admin managed policies
Tip

Free trial: Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial  and discover the benefits of the Continuous Hacking  Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .

Last updated on February 13, 2026
Changelog2024
Fluid Attacks 2026. All rights reserved.