
2023

December

Release 52

  • (SCA) Improved clarity of the Skims SCA output logs, including CVE details and safer versions.
  • (SCA) Integrated OSV vulnerability database as a new source for SCA.

Release 51

(CSPM) Updated CSPM configuration to comply with AWS cross-account role requirements.

Release 50

  • (ASPM) Improved snippet processing for reports.
  • (CSPM) New methods:
    • AWS RDS cluster not inside a DB subnet group
    • AWS RDS has a public cluster

Release 49

No features were delivered during this iteration.

November

Release 48

No features were delivered during this iteration.

Release 47

No features were delivered during this iteration.

Release 46

(SCA) New method: Npm missing package lock

Release 45

(SAST) New method: Java accepts any mimetype obj

October

Release 44

  • (SCA) SCA support was expanded to report malware cases.
  • (SAST) New method: Go insecure query

Release 43

Implemented exclusion of vulnerabilities for Skims using NOFLUID directives.
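
The mechanics of a directive-based exclusion like the one announced above, as an added example written for this page rather than code from Fluid Attacks or Skims. It assumes the directive is a comment on the reported line containing the token NOFLUID, optionally followed by a reason; the exact syntax the scanner honours should be taken from its own documentation. The source file, the findings and the method names attached to them are constructed for the demonstration. The example goes one step beyond the changelog entry: it refuses to suppress a finding whose directive carries no justification, so every exclusion remains reviewable in the audit trail it returns.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed directive syntax for this example: a comment on the reported line
# containing the token NOFLUID, optionally followed by a reason. Confirm the
# exact form the scanner honours against its own documentation.
NOFLUID_RE = re.compile(
    r"(?:#|//|/\*|--|<!--)\s*NOFLUID\b(?P<reason>.*?)\s*(?:\*/|-->)?\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    method: str


def suppressed_lines(source: str) -> Dict[int, str]:
    """Map 1-based line numbers carrying a NOFLUID directive to their reason ('' if none)."""
    out: Dict[int, str] = {}
    for number, text in enumerate(source.splitlines(), start=1):
        match = NOFLUID_RE.search(text)
        if match:
            out[number] = match.group("reason").strip()
    return out


def filter_findings(
    findings: List[Finding], sources: Dict[str, str], require_reason: bool = True
) -> Tuple[List[Finding], List[Tuple[Finding, str]]]:
    """Split findings into kept ones and (finding, reason) pairs excluded by a directive.

    require_reason is this example's policy: a bare NOFLUID with no justification
    does not suppress anything, so every exclusion stays reviewable.
    """
    directives = {path: suppressed_lines(text) for path, text in sources.items()}
    kept: List[Finding] = []
    excluded: List[Tuple[Finding, str]] = []
    for finding in findings:
        reason = directives.get(finding.path, {}).get(finding.line)
        if reason is None or (require_reason and not reason):
            kept.append(finding)
        else:
            excluded.append((finding, reason))
    return kept, excluded


# Constructed source file and findings; none of the values are real secrets.
SAMPLE_SOURCES = {
    "app/settings.py": "\n".join([
        "import os",
        "SECRET_KEY = os.environ['SECRET_KEY']",
        "TEST_TOKEN = 'fixture-token'  # NOFLUID fixture value used only in unit tests",
        "JWT_KEY = 'abc'  # NOFLUID",
        "API_TOKEN = 'constructed-example-token'",
    ]),
}
SAMPLE_FINDINGS = [
    Finding("app/settings.py", 3, "Python exposed auth token"),
    Finding("app/settings.py", 4, "Python insecure jwt key"),
    Finding("app/settings.py", 5, "Python exposed auth token"),
]

if __name__ == "__main__":
    kept, excluded = filter_findings(SAMPLE_FINDINGS, SAMPLE_SOURCES)
    for finding, reason in excluded:
        print(f"excluded {finding.path}:{finding.line} ({finding.method}): {reason}")
    for finding in kept:
        print(f"reported {finding.path}:{finding.line}: {finding.method}")
```

Running it reports lines 4 and 5 and excludes only line 3: the bare directive on line 4 is ignored because it gives no reason. Passing `require_reason=False` reproduces the permissive behaviour where any NOFLUID comment suppresses the finding on its line.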

Release 42

(CSPM) New method: AWS EC2 has a modify attribute

Release 41

  • (SCA) Added SCA support for .NET exe.config files.
  • (ASPM) Improved Skims usability by allowing execution without mandatory configuration.
  • (SCA) New method: Net framework config
  • (SAST) New methods:
    • Cfn s3 buckets allow unauthorized public access
    • Tfm public buckets acl
    • TFM S3 buckets allow unauthorized public access

September

Release 40

  • (ASPM) Updated Boto3 for AWS CSPM module in Skims.
  • (ASPM) Introduced handling for disputed SCA advisories in Skims.

Release 39

  • (ASPM) Ensured Skims compliance with the SARIF 2.1 format.
  • (ASPM) Optimized CSPM module processing of ARN, URI, and ID values.
  • (SAST) New methods:
    • Cs stored password
    • Swift HC secret JWT

Release 38

  • (CSPM) New methods:
    • AWS CloudTrail is not logging
    • Azure storage account not enforcing latest tls
    • Azure storage account not enforcing https
    • Azure storage account geo replication disabled
    • Azure storage account allows public traffic
  • (DAST) New methods:
    • Http x backend server header leaked
    • Http x aspnet mvc version header leaked
    • Http x aspnet version header leaked
    • Http permissions policy header not present
  • (SAST) New method: Dotnetconfig asp version enabled

Release 37

  • (CSPM) New methods:
    • AWS s3 private buckets not blocking public acls
    • GCP storage object versioning is not enabled
    • GCP storage uniform bucket level access is disabled
    • GCP storage retention policy is not configured
    • GCP storage logging is not enabled on storage bucket
    • AWS apigateway allows anonymous access
  • (DAST) New methods:
    • HTTP access control allow methods insecure
    • HTTP x powered by header leaked
  • (SAST) New methods:
    • Cs override auth modifier
    • Cs has public cache header

August

Release 36

  • (CSPM) Standardized cloud security checks across CloudFormation, Terraform, and DAST AWS methods.
  • (CSPM) Enhanced readability of CSPM DAST method reports.
  • (SAST) Optimized Skims by ignoring node_modules during scans of Node.js projects.
  • (CSPM) New methods:
    • AWS iam policies attached to users
    • AWS ec2 vpc without flowlog
    • AWS iam admin policy attached
    • AWS s3 public buckets
    • Azure blob containers are public
    • Gcp storage public buckets
    • AWS iam allows priv escalation by attach policy
    • AWS cloudfront insecure protocols
    • AWS ec2 anyone admin ports
    • AWS ec2 unrestricted cidrs
    • AWS ec2 unrestricted ip protocols
    • AWS ec2 sec groups rfc1918
    • AWS ec2 unrestricted dns access
    • AWS ec2 unrestricted ftp access
    • AWS ec2 open all ports to the public
    • AWS ec2 default all traffic
    • AWS ec2 insecure port range
    • AWS ec2 acl allow egress traffic
    • AWS ec2 acl allow all ingress traffic
    • AWS ec2 vpc endpoints exposed
    • AWS iam group with inline policy
    • AWS iam user with inline policy
    • AWS iam open passrole
    • AWS iam has permissive role policy
    • AWS iam full access ssm
    • AWS iam negative statement
    • AWS elb2 insecure security policy
    • AWS rds has public instances
    • AWS s3 bucket policy encryption disable
    • AWS rds not inside a db subnet group
    • AWS iam user with multiple access keys
    • AWS ec2 has default security groups in use
    • AWS ec2 default security group
    • AWS s3 acl public buckets
    • AWS iam permissive policy
    • AWS iam min password len unsafe
    • AWS cloudtrail is trail bucket logging disabled
  • (DAST) New methods:
    • Http server header leaked
    • Http x xss protection enabled
  • (SAST) New methods:
    • Dotnetconfig anon auth enabled
    • Kt hc secret alg instance
    • Tfm redshift has encryption disabled
    • Cfn redshift has encryption disabled
    • Go hardcoded symmetric key
  • (SCA) New methods:
    • Poetry lock deps
    • Maven gradle kts
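
The response-header checks behind the DAST methods listed in Releases 38, 37 and 36 (leaked Server, X-Powered-By, X-Backend-Server and ASP.NET version headers, a missing Permissions-Policy, an enabled X-XSS-Protection, and an over-broad Access-Control-Allow-Methods), as an added example written for this page; it is not Skims code and its thresholds, such as which CORS methods count as risky, are this example's own. Both HTTP responses are constructed, not captured from any real host.

```python
from typing import Dict, List

# Response headers whose presence discloses server or framework details.
LEAKY_HEADERS = {
    "server": "Http server header leaked",
    "x-powered-by": "HTTP x powered by header leaked",
    "x-backend-server": "Http x backend server header leaked",
    "x-aspnet-version": "Http x aspnet version header leaked",
    "x-aspnetmvc-version": "Http x aspnet mvc version header leaked",
}
# CORS methods that should not be advertised to arbitrary origins (this
# example's threshold, not the scanner's).
RISKY_CORS_METHODS = {"PUT", "DELETE", "PATCH", "TRACE", "CONNECT"}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP/1.1 response into a lower-cased header map (last value wins)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: Dict[str, str]) -> List[str]:
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, label in LEAKY_HEADERS.items():
        if name in h:
            findings.append(f"{label}: {name}: {h[name]}")
    # Absence is the finding here: without Permissions-Policy the browser keeps
    # every powerful feature (camera, geolocation, ...) enabled by default.
    if "permissions-policy" not in h:
        findings.append("Http permissions policy header not present")
    # The legacy XSS auditor is itself abusable; current guidance is to send
    # '0' (or omit the header) and rely on Content-Security-Policy instead.
    xss = h.get("x-xss-protection", "")
    if xss and not xss.startswith("0"):
        findings.append(f"Http x xss protection enabled: {xss}")
    acam = h.get("access-control-allow-methods")
    if acam is not None:
        methods = {m.strip().upper() for m in acam.split(",")}
        if "*" in methods or methods & RISKY_CORS_METHODS:
            findings.append(f"HTTP access control allow methods insecure: {acam}")
    return findings


# Constructed responses, not captures from any real host.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Access-Control-Allow-Methods: GET, POST, PUT, DELETE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "X-XSS-Protection: 0\r\n"
    "Access-Control-Allow-Methods: GET, POST\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in check_headers(parse_response_headers(LEAKY_RESPONSE)):
        print(finding)
```

The leaky response yields five findings; the hardened one yields none. Note the two checks that fire on the opposite condition from the rest: Permissions-Policy is flagged when absent, while X-XSS-Protection is flagged when present with a non-zero value.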

Release 35

  • (SCA) Added support for Erlang and Swift package managers in Skims SCA.
  • (CSPM) Implemented a unified workflow for adding GCP accounts.
  • (SCA) Added SCA vulnerability reporting for dependencies in GitHub Actions YAML files.
  • (SCA) Introduced support for Rust’s Cargo package manager in Skims.
  • (SAST) New methods:
    • Python insecure jwt key
    • Cfn sqs has encryption disabled
    • Tfm sqs has encryption disabled
    • Tfm sns has server-side encryption disabled
    • Cfn SNS has server-side encryption disabled
    • Cs hardcoded symmetric key
  • (SCA) New methods:
    • Swift packages dev
    • Erlang mix deps dev
    • GitHub actions deps
    • Erlang mix lock deps
    • Erlang mix deps
    • Cargo toml deps dev

Release 34

  • (SCA) Added support for pnpm-lock.yaml in dependency analysis.
  • (SAST) New methods:
    • Cfn redshift has user activity log disabled
    • Tfm redshift has user activity log disabled
    • Tfm elasticache transit encryption disabled
    • Cfn elasticache transit encryption disabled
    • Tfm elasticache uses default port
    • Cfn aws elb listener on http
    • Cfn elasticache uses default port
    • Cfn redshift not requires ssl
    • Tfm redshift not requires ssl
    • Tfm redshift has public clusters
    • Cfn redshift has public clusters
    • Tfm aws elb listener on http
    • Tfm rds not uses IAM authentication
    • Cfn rds not uses IAM authentication
    • Tfm eks has endpoints publicly accessible
    • Cfn Eks has endpoints publicly accessible
  • (SCA) New methods:
    • Cargo lock deps
    • Cargo toml deps
    • HTML script dependencies
    • Pnpm package lock dev
    • Pnpm package lock

Release 33

  • (CSPM) Defined the foundational structure for GCP DAST checks.
  • (SAST) New methods:
    • Cfn redshift has audit logs disabled
    • Tfm redshift has audit logs disabled
    • Java JWT unsafe decode
    • Java JWT without proper sign
    • Tfm cognito has mfa disabled
    • Cfn cognito has mfa disabled
    • Cfn sqs is public
    • Python insecure cipher mode
    • Tfm sqs is public
    • Java hostname verification off
    • Java insecure cipher mode
    • Kt insecure cipher mode
    • JS regex injection
    • TS regex injection
    • Python regex injection
    • Cfn allows priv escalation by attach policy
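
The JWT defects behind "Java JWT unsafe decode" and "Java JWT without proper sign" above, together with "Python insecure jwt key" (Release 35) and "Swift HC secret JWT" (Release 39), as an added example in Python using only the standard library; it is not Skims code and does not reproduce the scanner's detection logic. It puts the unsafe decode next to a hardened HS256 verifier and shows, with a constructed key and claims, how an `alg: none` forgery and a payload swap are accepted by the former and rejected by the latter. The 32-byte minimum key length is from RFC 7518 section 3.2; the attacker-side helpers and sample values are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# RFC 7518 s3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_HS256_KEY_BYTES = 32


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_segment(obj: Dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("insecure jwt key: HS256 needs at least 32 bytes")
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsafe_decode(token: str) -> Dict[str, Any]:
    """The anti-pattern: claims are read and trusted without checking the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Hardened verifier: pinned algorithm, constant-time MAC comparison, exp check."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("insecure jwt key: HS256 needs at least 32 bytes")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # The verifier, not the token, decides the algorithm; this closes both
    # 'alg: none' and RS256-to-HS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(parts[1]))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def forge_alg_none(token: str, changes: Dict[str, Any]) -> str:
    """Attacker-side: edit the claims, declare 'none' and drop the signature."""
    claims = unsafe_decode(token)
    claims.update(changes)
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(claims)}."


def tamper_payload(token: str, changes: Dict[str, Any]) -> str:
    """Attacker-side: edit the claims but keep the original signature."""
    header, _payload, sig = token.split(".")
    claims = unsafe_decode(token)
    claims.update(changes)
    return f"{header}.{_json_segment(claims)}.{sig}"


# Constructed sample key and claims; not real credentials.
SAMPLE_KEY = b"constructed-example-key-with-at-least-32-bytes"
SAMPLE_CLAIMS = {"sub": "alice", "role": "user", "exp": 2_000_000_000}

if __name__ == "__main__":
    token = sign_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)
    forged = forge_alg_none(token, {"role": "admin"})
    print("unsafe decode trusts:", unsafe_decode(forged)["role"])
    print("verifier accepts forgery:", is_valid(forged, SAMPLE_KEY))
```

The unsafe decoder happily returns `role: admin` from the forged token; the verifier rejects it on the algorithm check before the signature is even compared, rejects the payload swap on the MAC comparison, and refuses short keys outright.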

Release 32

(SAST) New methods:

  • Cfn allows priv escalation by policies versions
  • Tfm allows priv escalation by policies versions
  • Tfm allows priv escalation by attach policy
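
The policy-document checks that the privilege-escalation methods in Releases 32 and 33 (CloudFormation and Terraform) and the IAM methods in Release 36 (open PassRole, admin and permissive policies, negative statements, privilege escalation through policy attachment and policy versions) have in common, as an added example written for this page; it is not Skims code and does not reproduce the scanner's own rules. The same JSON document is what IAM stores, what a CloudFormation `PolicyDocument` embeds and what a Terraform `aws_iam_policy` carries, so one evaluator covers all three. The action sets, the rule that a check only fires on `Resource: "*"`, and both policy documents are this example's own constructions; the account id is a placeholder.

```python
import fnmatch
import json
from typing import Any, Dict, List

# Actions through which a principal can grant itself more permissions. These
# sets are this example's starting point, not the scanner's own catalogue.
ATTACH_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
}
VERSION_ACTIONS = {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"}


def _as_list(value: Any) -> List[Any]:
    """Statement, Action and Resource may each be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(patterns: List[str], action: str) -> bool:
    """IAM action patterns are case-insensitive globs: '*', 'iam:*', 'iam:Pass*'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_policy(policy: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        # Allow + NotAction/NotResource grants everything except the listed
        # items, which is almost always broader than the author intended.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("AWS iam negative statement")
        if "*" not in resources:
            continue  # the remaining checks only fire on an unscoped Resource
        if "*" in actions:
            findings.append("AWS iam admin policy attached")
        elif any("*" in a for a in actions):
            findings.append("AWS iam permissive policy")
        # PassRole on '*' lets the principal hand any role, including an
        # administrative one, to a service it controls (EC2, Lambda, ECS, ...).
        if _allows(actions, "iam:PassRole"):
            findings.append("AWS iam open passrole")
        if any(_allows(actions, a) for a in ATTACH_ACTIONS):
            findings.append("AWS iam allows priv escalation by attach policy")
        if any(_allows(actions, a) for a in VERSION_ACTIONS):
            findings.append("AWS iam allows priv escalation by policies versions")
    return findings


def check_policy_json(text: str) -> List[str]:
    """Entry point for a policy document as stored in IAM, CloudFormation or Terraform."""
    return check_policy(json.loads(text))


# Constructed policy documents; the account id is a placeholder.
RISKY_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:AttachUserPolicy"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}
  ]
}"""
SCOPED_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}"""

if __name__ == "__main__":
    for finding in check_policy_json(RISKY_POLICY_JSON):
        print(finding)
```

Because action patterns are matched as globs, an `Action: "*"` statement trips every check at once, which is the correct reading of an admin policy. The scoped document shows the remediation shape for PassRole: a concrete role ARN plus an `iam:PassedToService` condition, which the evaluator leaves alone.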

July

Release 31

No features were delivered during this iteration.

Release 30

(SAST) New method: Python exposed auth token

Release 29

(SAST) New methods:

  • Kubernetes uses HTTP server
  • Kubernetes uses HTTP
  • K8s check host pid
  • K8s check if sys admin exists
  • Python insecure authentication

Release 28

(SAST) New method: K8s check if capability exists

Release 27

(SAST) New methods:

  • Cfn aws sec group using tcp
  • Tfm s3 versioning disabled
  • Tfm iam trust policy wildcard action

June

Release 26

  • (SCA) Added support for Conan.
  • (SAST) New methods:
    • Tfm iam policy apply to users
    • Cfn iam policy apply to users
    • Tfm iam permissions policy not resource
    • Tfm iam permissions policy not action
    • Tfm iam trust policy not principal
    • Tfm iam trust policy not action
    • Tfm policy server encryp disabled
    • Tfm rds pub accessible
    • Tfm api all HTTP methods enabled
    • Cfn http methods enabled
    • Tfm http methods enabled
    • Cfn iam excessive role policy
  • (SCA) New methods:
    • Conan lock dev
    • Conan lock

Release 25

No features were delivered during this iteration.

Release 24

No features were delivered during this iteration.

Release 23

  • (ASPM) Implemented severity and CWE reporting at the location level.
  • (SCA) Added support for SCA in Go.

May

Release 22

No features were delivered during this iteration.

Release 21

(SAST) New method: Tfm aws sec group using tcp

Release 20

No features were delivered during this iteration.

Release 19

  • (ASPM) Implemented exit codes in CLI to indicate vulnerability detection status.
  • (ASPM) Added CVSS 3.1 Exploit Code Maturity metric to vulnerability reports.
  • (ASPM) Started documentation for scanner (Skims) output to clarify results interpretation.

April

Release 18

No features were delivered during this iteration.

Release 17

  • (ASPM) Integrated documentation URLs in vulnerability reports for better understanding.
  • (ASPM) Updated standalone scanner configuration file syntax for better usability.

Release 16

  • (ASPM) Created official Skims documentation to explain usage as a SAST scanner.
  • (SAST) New method: XML header allows dangerous methods
  • (CSPM) New method: AWS SNS can anyone subscribe

Release 15

  • (CSPM) New methods:
    • AWS SNS can anyone publish
    • AWS sqs is public
    • AWS sqs has encryption disabled
    • AWS SNS has server-side encryption disabled
  • (SAST) New methods:
    • Cfn server SSL disabled
    • Java insec sign algorithm
    • Python insec hash library
    • Kotlin accepts any mime type

Release 14

  • (SAST) Enhanced Dart’s SAST flow to enable more sophisticated logic analysis.
  • (SAST) New methods:
    • Container disabled SSL
    • Go accepts any mime type
    • Java basic authentication
    • Cfn insecure certificate
  • (CSPM) New methods:
    • AWS Elasticache rest encryption disabled
    • AWS Elasticache transit encryption disabled

March

Release 13

  • (SAST) Enhanced infrastructure files analysis (HCL and YAML).
  • (CSPM) New methods:
    • AWS Redshift not requires ssl
    • AWS Redshift has audit logs disabled
    • AWS Redshift has user activity log disabled
    • AWS Redshift has encryption disabled
    • AWS Elasticache uses default port
    • AWS dynamodb not del protec
  • (SAST) New methods:
    • Kotlin vuln regex
    • Dotnetconfig excessive auth privileges
    • Kt xml parser
    • Python accepts any mime
    • Python http only cookie
    • JS debugger enabled
    • TS debugger enabled
    • Python secure cookie

Release 12

  • (SAST) Extended secret detection to analyze more configuration files.
  • (SAST) New methods:
    • Kotlin secure cookie
    • Kt default http client deprecated
    • C Sharp plain text keys
    • Cs insecure authentication
    • Kt remote command execution
    • Kt anonymous ldap
  • (CSPM) New methods:
    • AWS secrets has automatic rotation disabled
    • AWS Redshift has public clusters

Release 11

  • (SAST) New methods:
    • Kotlin http only cookie
    • Tfm dynamo not del protec
    • JavaScript accepts any mime default
    • Typescript accepts any mime default
    • Java secure cookie
    • Python unsafe certificate validation
    • Java HTTP only cookie
    • Python unsafe ssl hostname
    • Kt insecure encryption key
    • JavaScript accepts any mime method
    • Typescript accepts any mime method
    • Kt insecure key pair gen
  • (CSPM) New methods:
    • AWS RDS unrestricted db security groups
    • AWS RDS not uses iam authentication
    • AWS RDS has public snapshots

Release 10

(SAST) New methods:

  • Kt insecure parameter spec
  • Cfn dynamo not del protec
  • Kt insecure key gen
  • Kt insecure certificate validation
  • Kt insecure host verification
  • C Sharp accepts any mimetype
  • Kt insecure init vector

February

Release 9

  • (SCA) Enhanced support for Pub (Dart) and Packagist (PHP) package managers.
  • (SAST) New methods:
    • Java accepts any mimetype chain
    • Python unsafe cipher
    • Java xml parser
    • Python regex dos
    • Python LDAP conn auth
    • Java HTTP req accepts any mimetype
    • Python unsafe temp file
    • Kt weak random
    • Python remote command execution
    • Swift insecure cryptor
    • Swift insecure cipher
  • (CSPM) New method: AWS EKS has endpoints publicly accessible

Release 8

  • (SAST) Added support for analyzing Python files in Skims.
  • (SAST) New methods:
    • Python io path traversal
    • Python session fixation
    • JS JWT insec sign algo async
    • TS jwt insec sign algo async
    • JS insec msg auth mechanism
    • TS insec msg auth mechanism
    • Cs cert validation disabled
    • Python ldap injection
    • Python deserialization injection
  • (CSPM) New methods:
    • AWS ELBv2 insecure SSL cipher
    • AWS DynamoDB encrypted with AWS master keys

Release 7

  • (SAST) Improved Symbolic Evaluation logic for better accuracy in detecting vulnerabilities.
  • (SAST) New methods:
    • JS salt is hardcoded
    • TS salt is hardcoded
    • Java salt is hardcoded
    • Kotlin salt is hardcoded
    • Go salt is hardcoded
    • Dart salt is hardcoded
    • XML allows all domains
    • JS jwt insec sign algorithm
    • TS jwt insec sign algorithm
    • Yml serverless cors
    • Dart insecure logging
    • Python xml parser
  • (CSPM) New methods:
    • AWS elbv2 insecure protocols
    • AWS cognito has mfa disabled
  • (SCA) New methods:
    • Conan conanfile py dev
    • Conan conanfile txt dev

Release 6

(SAST) New methods:

  • JSx lack of validation event listener
  • JS local storage sens data assignment
  • TS local storage sens data assignment
  • XML header allow all methods

January

Release 5

  • (CSPM) New methods:
    • AWS IAM users with password and access keys
    • AWS IAM MFA disabled for users with console passwd
  • (SCA) New methods:
    • Conan conanfile py
    • Conan conanfile txt

Release 4

  • Improved support for Go and Kotlin.
  • (CSPM) New methods:
    • AWS IAM has root active signing certificates
    • AWS IAM has old ssh public keys
    • AWS has publicly shared AMIs
    • AWS IAM allows privilege escalation by policy versions
  • (SAST) New methods:
    • TSx lack of validation event listener
    • JS JSON parse unvalidated data
    • TS json parse unvalidated data

Release 3

  • (CSPM) New methods:
    • AWS IAM has old creds enabled
    • AWS IAM has old access keys
    • AWS IAM root has access keys
  • (SAST) New methods:
    • JS local storage with sensitive data
    • TS local storage with sensitive data

Release 2

  • (ASPM) Use colors to identify vulnerabilities’ criticality: Add colored markers based on the severity of the vulnerability to facilitate identification.
  • (ASPM) Add risk exposure (CVSSF) to our platform: Add a new column called “% Risk Exposure” that ranges from 0% to 100% in the findings and vulnerabilities tables.
  • (ASPM) Update of the statuses in ARM reports: Update the technical report’s status column by changing “open” to “vulnerable” and “closed” to “safe”.
  • (ASPM) Update treatment status: Replace the treatment status “New” with “Untreated” to improve clarity for users.
  • (ASPM) Organize vulnerabilities by risk exposure (CVSSF): Sort vulnerabilities by default according to CVSSF and status “vulnerable”.
  • (CSPM) New method: AWS IAM root has mfa disabled
  • (SAST) New methods:
    • Cfn iam permissions policy not resource
    • Cfn iam permissions policy not action
    • Cfn iam trust policy not principal
    • Cfn iam trust policy not action
    • Cfn iam permissions policy wildcard resources
    • Cfn iam permissions policy wildcard actions
    • Cfn iam trust policy wildcard action
    • JS insecure compression algorithm
    • TS insecure compression algorithm
  • (SCA) New methods:
    • Pub pubspec yaml dev
    • Pub pubspec yaml
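The Cfn IAM methods listed for Release 2 above (wildcard actions and resources, NotAction/NotResource in permissions policies, NotPrincipal/NotAction and wildcard action in trust policies), together with the Cfn/Tfm IAM methods of Releases 26, 27 and 32 (policies applied to users, trust-policy wildcard action), all look for the same handful of IAM anti-patterns. The following linter is an added example written for this page, not Fluid Attacks' scanner code. It handles CloudFormation templates in JSON form only (the Tfm variants target Terraform HCL, which it does not parse); the sample template, the resource types it inspects and the rule that "*" or "service:*" counts as a wildcard are assumptions of the example.

```python
"""Illustrative IAM policy linter over a CloudFormation JSON template.
Added example; not the page's or the project's own code."""
import json

# Constructed sample template (not from the page).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"AWS": "*"},    # anyone may assume
                                   "Action": "sts:*"}],          # wildcard action
                },
                "Policies": [{
                    "PolicyName": "too-broad",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {"Effect": "Allow", "Action": "*", "Resource": "*"},
                            {"Effect": "Allow", "NotAction": ["iam:*"],
                             "Resource": "arn:aws:s3:::bucket/*"},
                        ],
                    },
                }],
            },
        },
        "DevPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "dev-read",
                "Users": ["alice"],  # attached directly to a user
                "PolicyDocument": {"Statement": [{"Effect": "Allow",
                                                  "Action": "s3:GetObject",
                                                  "Resource": "arn:aws:s3:::bucket/dev/*"}]},
            },
        },
        "TightRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [
                    {"Effect": "Allow",
                     "Principal": {"Service": "lambda.amazonaws.com"},
                     "Action": "sts:AssumeRole"}]},
            },
        },
    }
})


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(value):
    # Assumption: "*" and "service:*" are wildcards; narrower globs like
    # "s3:Get*" are tolerated by this example.
    return any(v == "*" or v.endswith(":*") for v in _as_list(value))


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_permissions_policy(doc, where):
    """Findings for an identity/permissions policy document. Deny statements are skipped."""
    findings = []
    for idx, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        loc = f"{where}/Statement[{idx}]"
        if "NotAction" in st:
            findings.append((loc, "permissions policy uses NotAction"))
        if "NotResource" in st:
            findings.append((loc, "permissions policy uses NotResource"))
        if _is_wildcard(st.get("Action")):
            findings.append((loc, "permissions policy allows wildcard actions"))
        if _is_wildcard(st.get("Resource")):
            findings.append((loc, "permissions policy applies to wildcard resources"))
    return findings


def check_trust_policy(doc, where):
    """Findings for a role's AssumeRolePolicyDocument."""
    findings = []
    for idx, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        loc = f"{where}/Statement[{idx}]"
        if "NotPrincipal" in st:
            findings.append((loc, "trust policy uses NotPrincipal"))
        if "NotAction" in st:
            findings.append((loc, "trust policy uses NotAction"))
        if _principal_is_wildcard(st.get("Principal")):
            findings.append((loc, "trust policy allows any principal"))
        if _is_wildcard(st.get("Action")):
            findings.append((loc, "trust policy allows wildcard action"))
    return findings


def scan_template(template_json):
    """Walk the IAM resources of a CloudFormation JSON template."""
    template = json.loads(template_json)
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::IAM::Role" and props.get("AssumeRolePolicyDocument"):
            findings += check_trust_policy(props["AssumeRolePolicyDocument"],
                                           f"{name}/AssumeRolePolicyDocument")
        if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for pol in _as_list(props.get("Policies")):
                findings += check_permissions_policy(
                    pol["PolicyDocument"], f"{name}/Policies/{pol.get('PolicyName', '?')}")
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            if props.get("Users"):
                findings.append((name, "policy attached directly to users"))
            findings += check_permissions_policy(props["PolicyDocument"], f"{name}/PolicyDocument")
    return findings


if __name__ == "__main__":
    for loc, msg in scan_template(SAMPLE_TEMPLATE):
        print(f"{loc}: {msg}")
```

Deny statements are deliberately ignored: a wildcard inside a Deny narrows rather than widens access, and flagging it would be noise. A resource ARN ending in "/*" (a prefix inside one bucket) is not treated as a wildcard resource here; "*" and "arn:aws:s3:::*" are.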

Release 1

  • (ASPM) Delete inactive users after 90 days: Automatically delete users from our platform after 90 days of inactivity.
  • (ASPM) Talk to a Hacker modal improvements: Add a new field named “ARM Group Name” with autofill, so that users are asked only for information the platform does not already know.
  • (ASPM) Congratulations message in compliance report: Add a congratulatory message to the compliance report when the group has no unfulfilled standards.
  • (CSPM) New methods:
    • AWS IAM has mfa disabled
    • AWS IAM does not require uppercase
    • AWS IAM does not require lowercase
    • AWS IAM does not require symbols
    • AWS IAM does not require numbers
    • AWS IAM password reuse unsafe
    • AWS IAM password expiration unsafe
  • (SCA) New methods:
    • Composer lock dev
    • Composer lock
    • Composer JSON dev
  • (SAST) New method: Tfm admin managed policies
Last updated on February 14, 2026