Skip to Content
logo
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • December
  • Release 52
  • Release 51
  • Release 50
  • Release 49
  • November
  • Release 48
  • Release 47
  • Release 46
  • Release 45
  • October
  • Release 44
  • Release 43
  • Release 42
  • Release 41
  • September
  • Release 40
  • Release 39
  • Release 38
  • Release 37
  • August
  • Release 36
  • Release 35
  • Release 34
  • Release 33
  • Release 32
  • July
  • Release 31
  • Release 30
  • Release 29
  • Release 28
  • Release 27
  • June
  • Release 26
  • Release 25
  • Release 24
  • Release 23
  • May
  • Release 22
  • Release 21
  • Release 20
  • Release 19
  • April
  • Release 18
  • Release 17
  • Release 16
  • Release 15
  • Release 14
  • March
  • Release 13
  • Release 12
  • Release 11
  • Release 10
  • February
  • Release 9
  • Release 8
  • Release 7
  • Release 6
  • January
  • Release 5
  • Release 4
  • Release 3
  • Release 2
  • Release 1
Find and fixSupport informationChangelog2024

2024

December

Release 52

(SAST) New rules:

  • F359 Java MongoDB Hardcoded Secret
  • F359 Java MySQL Hardcoded Secret
  • F359 Java OkHttp Hardcoded Secret

Release 51

  • (SCA) Malware packages tagged : Packages in Supply chain with detected malware are tagged.
  • (SCA) Split environment dependencies : Identify whether dependencies are related to production or development environments.
  • (SCA) SBOM export : Include Docker packages in SBOM export file.
  • (ASPM) Environments migration : Migration modal has the option to look up the required root
  • (ASPM) Rename : change ‘Vulnerabilities’ to ‘Injected’ and ‘Supply chain’ to ‘Inherited’ for added clarity.

Release 50

  • (Integrations) Jira Security module : All the vulnerabilities are presented in the Security feature of Jira.
  • (SAST) New rules:
    • F332 Java Unsafe TLS Renegotiation
    • F151 Java Telnet Request
    • F372 Java Insecure HTTP Open Connection
    • F007 Java CSRF Unrestricted Request Mapping
    • F372 Java Insecure HTTP Request
    • F372 Java Insecure HTTP Components
  • (ASPM) Component improvements : Ghost buttons, section header, and tabs.
  • (SCA) Docker packages in SBOM : Docker packages are included in the SBOM file.
  • (ASPM) Zero risk column : An indicator of requested ZR is available in the Locations table.
  • (ASPM) Scope table : Show what Roots and Environments have active events.

Release 49

  • (ASPM) Improved table export names : Exported CSV files now have meaningful names, including organization or group name and timestamp.
  • (ASPM) Country is deprecated : The Country field is not required anymore to create an organization.
  • (SAST) New rules:
    • F016 Java Unsafe SSL/TLS Protocol
    • F148 Java Insecure FTP Client
    • F372 Java Insecure Spring HTTP Request
    • F007 Java Insecure FTP Session Factory

November

Release 48

  • (ASPM) Centralized report download : Access all your downloadable files through the new Downloads button in the platform header. This includes executive and technical vulnerability reports, with plans to add SBOMs and other resources soon. Track download progress and redownload files effortlessly.
  • (ASPM) Improved CSV repos import : Add connection method and priority in the CSV file, and get an example CSV file. Improved error messages.
  • (ASPM) Custom priority : Use reachability attribute as a prioritization criterion.
  • (Reachability) New rule: CSharp CVE-2021-43045 
  • (SAST) New rules:
    • Java insecure channel
    • Java null cipher
    • Python hc aes key
    • Java anonymous ldap bind

Release 47

  • (ASPM/CSPM) Status validation for cloud environments : A new Status column in the Environments table shows open events for AWS, Azure, or GCP environments, helping you address misconfigurations promptly.
  • (ASPM/SBOM) Updated labels for vulnerable components : The label ‘Issues identified’ in Supply chain has been updated to ‘Vulnerable’ to clarify the presence of security risks. Vulnerabilities will display the ‘Reachable’ label.
  • (SAST) New rule: Java unsafe default HTTP client.

Release 46

  • (SBOM/SAST) Reachability analysis : A feature is available that examines direct dependencies in the Supply chain section to identify exploitable vulnerabilities. This helps prioritize remediation efforts for dependency issues.
  • (ASPM) Custom vulnerability prioritization : Use the Priority feature in the Policies section to rank vulnerabilities by impact, exploitability, and more, tailored to your organization’s needs
  • (ASPM) Enhanced event reporting : Events now specify affected environments and feature improved root and environment tables for better prioritization.
  • (CSPM) New rules:
    • AWS Document DB Cluster TLS Disabled
    • AWS EKS Unrestricted CIDR
    • AWS DAX Cluster Without Encryption at Rest
    • AWS Unencrypted ECR Repository
    • AWS RDS Unencrypted DB Cluster Snapshot
    • AWS RDS Unencrypted DB Snapshot
    • AWS ALB Does Not Drop Invalid Header Fields
    • AWS Public Accessible DMS Replication
    • AWS CloudFront Distribution Viewer Policy Allows HTTP
    • AWS ALB HTTP Not Redirected to HTTPS
    • AWS Document DB Without Audit Logs
    • AWS RDS DB Cluster Logs Disabled
    • AWS RDS DB Instance Logs Disabled
    • AWS Global Accelerator Flow Logs Disabled
    • AWS Neptune DB Instance Logs Disabled
    • AWS MSK Cluster Logging Disabled
    • AWS Workspaces Has Volume Encryption Disabled
    • AWS Route53 Transfer Lock Disabled
    • AWS SageMaker Training Job Intercontainer Encryption
    • AWS SageMaker Notebook Instance Encryption
    • AWS Athena Workgroup Query Results Not Encrypted
  • (SAST) New rules:
    • Python flask log injection
    • JS express SSRF
    • TS express SSRF
    • Python insecure redirect
    • Python AWS hardcoded credentials
    • CSharp SQL conn hardcoded secret
    • CSharp insecure x509 cert 2
    • CSharp hardcoded credentials
    • Python flask hardcoded secret key
  • (Reachability) New rule: Java CVE-2021-37573 

Release 45

  • (SCA) Docker image scanning : Scan Docker images from any standard registry, generating detailed SBOMs with associated security issues in the Supply chain section
  • (ASPM) Vulnerability closing reasons : View detailed reasons for closed vulnerabilities in the Tracking and Analytics sections.
  • (ASPM) Expanded permissions for Events tab : User Managers and Vulnerability Managers now have access to the Events tab in the To do section, providing a comprehensive view of issues when managing multiple groups.
  • (ASPM) Automatic filename formatting : Upon file upload, filename is formatted to avoid issues and vulnerabilities in the platform.
  • (SAST) New rules:
    • CSharp insecure fspickler des
    • CSharp dir entry hardcoded secret

October

Release 44

  • (SCA) Improved SBOMs : CycloneDX and SPDX SBOM exports now include component details like location, latest version, and associated security issues.
  • (ASPM) New webhooks : Notifications added for closed events and vulnerabilities within groups.
  • (ASPM) From MPT to PTaaS : The former ‘MPT’ technique is clarified and changed to ‘PTaaS’.
  • (ASPM) Event tab in To do : Granted Events tab access for additional roles: User Managers and Vulnerability Managers.
  • (Reachability) New rules:
    • JS CVE-2020-8203 
    • TS CVE-2020-8203 
    • JS CVE-2019-10744 
    • TS CVE-2019-10744 
    • JS CVE-2018-16487 
    • JS CVE-2018-16487 
    • JS CVE-2017-18214 
    • TS CVE-2017-18214 
    • JS CVE-2023-42282 
    • TS CVE-2023-42282 
    • JS CVE-2021-26540 
    • TS CVE-2021-26540 
  • (SAST) New rules:
    • JS weak SSL/TLS protocol
    • TS weak SSL/TLS protocol
    • PHP insecure content policy
    • CSharp weak RSA encrypt padding
    • CSharp http listener wildcard
    • Java Spring concurrent sessions
    • PHP insecure referrer policy
    • CSharp insecure fastJSon des
    • CSharp memory marshal create span
    • JS express insec httponly
    • TS express insec httponly
    • JS express cookie secure
    • TS express cookie secure
    • Python Django insecure cors
    • Python fastapi insecure cors
    • Python Flask insecure cors
    • JS express debug mode enabled
    • Python Django debug mode enabled
    • Python fastapi starlette debug on
    • Python Flask debug mode enabled
    • TS express debug mode enabled
    • CSharp stacktrace disclosure
    • CSharp insecure ecb mode
    • Python Django SQL injection
    • Java hardcoded JWT secret
    • JS expressJS hardcoded sess secret
    • JS hardcoded JWT secret
    • Python Django hardcoded creds
    • TS express hardcoded sess secret
    • TS hardcoded JWT secret
    • CSharp hardcoded init vector

Release 43

  • (ASPM) Supply chain section : Separated affected and unaffected third-party dependencies from the Vulnerabilities section for easier prioritization. Users can filter components by repository under evaluation.
  • (ASPM) Temporary acceptance : Selected dates must comply with the established policies.
  • (ASPM) New events in webhooks : Events and vulnerabilities closed added to webhooks.
  • (CSPM) New rules:
    • AWS RDS Instance TLS Disabled
    • AWS RDS Cluster TLS Disabled
    • AWS OpenSearch Domain Insecure TLS Version
    • AWS MSK Client Broker TLS Disabled
    • AWS MSK Broker Broker TLS Disabled
    • AWS Unrestricted Access to MSK Brokers
    • AWS ECR Repository Exposed
    • AWS OpenSearch Domain Exposed
    • AWS RDS Instance Backup Retention Period
    • AWS RDS Cluster Backup Retention Period
    • AWS ElastiCache Replication Group WO Auto Backups
    • AWS ElastiCache Replication Backup Retention Period
    • RDS Unrestricted Cluster Groups
    • Backup Vault Policy Allow Delete Recovery Points
    • AWS Bedrock Guardrails No Sensitive Info Filter
    • AWS Event Bridge Default Event Bus Exposed
    • AWS Lambda URL Without Authentication
    • AWS Lambda Function Exposed
    • AWS Comprehend Analysis Without Encryption
    • AWS EBS Public Snapshot
    • AWS EKS Unencrypted Secrets
    • AWS EMR Has Not Config
    • AWS OpenSearch Without Encryption at Rest
    • AWS OpenSearch Domain Node to Node Encryption
    • AWS Glue Catalog Without Encryption at Rest
    • AWS Kinesis Stream Without Encryption at Rest
    • AWS MQ Broker Publicly Accessible
    • AWS MSK Cluster Is Publicly Accessible
    • AWS Neptune DB Instance Without Encryption at Rest
    • AWS CloudFront Traffic Allows HTTP
    • AWS OpenSearch Domain Allows HTTP
    • AWS CloudFront Is Not Protected With WAF
    • AWS Cloud Trail Delivery Failing
    • AWS Config Referencing Missing S3 Bucket
    • AWS EKS Cluster Logging Disabled
    • AWS Beanstalk Persistent Logs
    • AWS OpenSearch Without Audit Logs
    • AWS MQ Broker Logs Disabled
    • AWS Route53 DNS Query Logging Disabled.
  • (Reachability) New rules:
    • JS CVE-2021-23771 
    • TS CVE-2021-23771 
    • JS CVE-2021-23566 
    • TS CVE-2021-23566 
    • JS CVE-2019-10775 
    • TS CVE-2019-10775 
    • JS CVE-2019-1010266 
    • TS CVE-2019-1010266 
  • (SAST) New rules:
    • Apk unprotected exported receivers
    • Apk unprotected exported services
    • Docker insecure context directory

Release 42

  • (ASPM) Transition to CVSS v4.0 : CVSS v4.0 is now the default for Analytics data. A toggle is available for viewing data in CVSS v3.1.
  • (ASPM) Prevent file deletion : Restrictions prevent deleting application files linked to environments to maintain manageability.
  • (Reachability) New rules:
    • JS CVE-2018-3721 
    • TS CVE-2018-3721 
  • (SAST) New rule: CSharp CSRF.

Release 41

  • (IDE) IntelliJ IDEA extension : Developers can now identify reported vulnerabilities within IntelliJ IDEA, similar to existing support for VS Code
  • (ASPM) Improved unauthorized access message : Improved message, as users do not necessarily need to contact their administrator to access the platform.
  • (ASPM) Repositories deactivation : Included vulnerabilities of all techniques in repository deactivation notifications.
  • (Reachability) New rules:
    • JS CVE-2023-25813 
    • TS CVE-2023-25813 
    • JS CVE-2022-23540 
    • TS CVE-2022-23540 
    • JS CVE-2020-15084 
    • TS CVE-2020-15084 
    • JS CVE-2023-32314 
    • TS CVE-2023-32314 
    • JS CVE-2023-37466 
    • TS CVE-2023-37466 
    • JS CVE-2023-37903 
    • TS CVE-2023-37903 

September

Release 40

  • (ASPM) Branch and URL management : Update branches or URLs for repositories without losing existing findings, ensuring consistent reporting.
  • (ASPM) Vulnerabilities table : Added option to filter vulnerabilities by technique.
  • (Reachability) New rules:
    • JS CVE-2022-25881 
    • TS CVE-2022-25881 
    • JS CVE-2022-25887 
    • TS CVE-2022-25887 
    • JS CVE-2020-28500 
    • TS CVE-2020-28500 

Release 39

  • (IDE) Custom Fix and Autofix : Fluid Attacks’ GenAI-based vulnerability remediation now supports all languages scanned by the SAST tool.
  • (Reachability) New rules:
    • TS CVE-2017-16016 
    • JS CVE-2016-1000237 
    • TS CVE-2016-1000237 
    • JS CVE-2021-26539 
    • TS CVE-2021-26539 
    • JS CVE-2024-29415 
    • TS CVE-2024-29415 
    • JS CVE-2023-28155 
    • TS CVE-2023-28155 
  • (SAST) New rule: Docker debugging enabled.

Release 38

  • (ASPM) Mailmap management : Manage developer data directly within the platform to avoid billing issues.
  • (ASPM) Free trial restrictions : Users from existing client organizations can no longer initiate free trials to prevent confusion with reports.
  • (Reachability) New rule: Python CVE-2024-39303 
  • (SAST) New rule: Improper certificate validation default.

Release 37

  • (ASPM) Mobile environment updates : Update mobile environments  without losing dynamic findings from previous files, provided consistency validations are met.
  • (ASPM) Branch in technical report : Included repository branch names in technical reports.
  • (Reachability) New rules:
    • JS CVE-2021-3918 
    • TS CVE-2021-3918 
    • JS CVE-2021-23337 
    • TS CVE-2021-23337 
    • JS CVE-2022-31129 
    • TS CVE-2022-31129 
    • JS CVE-2017-16016 
  • (SAST) New rules:
    • TS express insecure rate limit
    • JS SQL injection in sequelize
    • TS SQL injection in sequelize
    • Docker hardcoded credentials
    • Docker downgrade protocol

August

Release 36

  • (ASPM) Free trial unavailable for clients : Unavailable free trial for current clients, preventing the creation of new groups and organizations.
  • (ASPM) Custom fix from the platform : Generate a custom fix inside the platform.
  • (ASPM) Enhanced reattack requests for multiple vulnerabilities : Improved the vulnerabilities verification request flow. This also includes some UX improvements .
  • (ASPM) Closing reasons : The reason why a vulnerability was closed is specified.
  • (ASPM) Show relevant files for mobile environments : Hide files not related to mobile type ones from the dropdown list on the Add environment screen.
  • (ASPM) Total types in Analytics : Enhanced information on total types of vulnerabilities in Analytics.
  • (ASPM) Onboarding notifications : Updated free trial enrollment and abandonment emails.
  • (ASPM) Mailmap management : Granted mailmap editing role to Customer Managers and view role to User Managers.
  • (SAST) New rule: TS XSS pug from file precompiled.

Release 35

  • (CSPM) New rules:
    • AWS API Gateway Insecure TLS Version
    • AWS ACM Certificate Expired
    • AWS API Gateway Cache Encryption Disabled
    • AWS App Mesh Virtual Gateway TLS Disabled
    • AWS App Mesh Virtual Gateway Access Logging Disabled
  • (SAST) New rules:
    • Java insecure cors web view
    • Java declare insecure trust manager
    • Java insecure biometric auth
    • TS sequelize injection
    • JS JWT secret insecure source
    • TS JWT secret insecure source
    • Docker weak SSL TLS
    • Docker insecure builder sandbox
    • Docker insecure cleartext protocol
    • Docker weak hash algorithm
    • Docker insecure network host

Release 34

  • (ASPM) First-letter search in dropdowns : Filter the available options of dropdown menus by typing the first letters of the name or identifier of the desired item.
  • (ASPM) Branch and URL change : Implemented branch and URL change in roots for specific cases.
  • (ASPM) Improved root moving notifications : Accurate messages to group members when roots are moved.
  • (ASPM) Enhanced mailmap management : Multiple enhancements to the mailmap to prevent errors and improve alias management.
  • (SAST) New rules:
    • TS XSS pug from file
    • TS unvalidated xml parsed in vm
    • TS file unauthorized access
    • CSharp XXE resolver
    • CSharp insecure cbc iv
    • Docker sensitive mount
    • Curl insecure certificates

Release 33

  • (ASPM) Compliance CSV export : New CSV report that shows the relationship between the unmet security requirement and the location where the non-compliance is occurring.
  • (SAST) New rules:
    • Android apk keyboard cache exposure
    • TS NoSQL injection ternary
    • JS NoSQL injection ternary
    • CSharp technical info leak
    • CSharp token validation checks
    • CSharp code injection

Release 32

(CSPM) New rule: Azure app service mutual TLS is disabled.

July

Release 31

  • (ASPM/SAST) Reattacking a machine vulnerability : Remove justification to request reattacks for automatically reported vulnerabilities.
  • (ASPM) Group consulting : Feature is deprecated.
  • (ASPM) Mobile environments : Preserve vulnerabilities for mobile apps, improving related environment(file) update.
  • (ASPM) Compliance report notifications : An alert is shown when the user does not have a mobile number registered.
  • (ASPM) SSH root cloning : Port configuration is required for non-standard ports.
  • (ASPM) Mailmap import : Add bulk import feature to mailmap.
  • (SAST) New rule: CSharp insec direct write.

Release 30

  • (ASPM) CVSS migration : Transition entirely to version 4.
  • (ASPM) AWS Marketplace : Enable integration in the AWS Marketplace.
  • (CSPM) New rules:
    • AWS S3 Log delivery write access
    • AWS EC2 Instance has multiple network interfaces
  • (SAST) New rules:
    • JS/TS cookie service sensitive info
    • CSharp log injection
    • CSharp insecure elliptic curve
    • PHP insecure elliptic curve

Release 29

  • (ASPM) CVSS Update : Transition from CVSS 3.1 to version 4 in policies.
  • (ASPM) Root removal option : Allow users to remove a new root without returning to the previous step.
  • (ASPM) Exposure column : Include “Exposure” in the Technical Report.
  • (ASPM) Branch flexibility : Allow the same repository with a different branch in a group if one is deactivated.
  • (CSPM) New rule: AWS EC2 Instance using IMDS V1.
  • (SAST) New rules:
    • PHP discloses server version
    • PHP insecure expiration time
    • PHP server leaks errors
    • PHP HTTP only disabled

Release 28

  • (ASPM) Access granted : Include the granted role in the notification.
  • (CSPM) New rules:
    • Azure SQL DB Transparent Encryption Is Disabled
    • Azure VM Scale Set Does Not Have Zonal Redundancy
  • (SAST) New rules:
    • TF K8s Host IPC Enabled
    • TF K8s Host Network Enabled
    • TF K8s HostPID Enabled
    • TF K8s Host Path Volumes
  • (DAST) New rule: X permitted cross-domain policies.

Release 27

  • (ASPM) Webhooks : Relocate to the Integrations Hub.
  • (ASPM) New ASPM : Launch the platform’s new design for external users.
  • (SAST) New rules:
    • TF K8s Container Without Context
    • TF K8s Host Process Enabled
  • (DAST) New rules:
    • Unsafe HTTP X-Frame options
    • CDN vulnerable element
    • Access control any origin
    • HTTP error in response

June

Release 26

  • (ASPM) Token management : Use SecretStorage to store tokens securely.
  • (CSPM) New rules:
    • Azure DB PSQL Flex Server Insecure TLS Version
    • Azure Redis Cache Allows Connections Without SSL
    • Azure DB PSQL Flex Server Firewall Allows Public Access
    • Azure DB PSQL Flex Server Connection Throttling Disabled
  • (SAST) New rules:
    • TF K8s Check Run as User
    • TF K8s Check Privileged Used
    • TF K8s Check If Sys Admin Exists
    • JS hardcoded key hmac
    • TS hardcoded key hmac
    • TF K8s host network enabled
    • TF K8s hostpid enabled
    • TF K8s host process enabled
    • TF K8s host path volumes
    • PHP insecure SSL/TLS stream
    • PHP sensitive HTTP sent
    • CSharp http only cookie

Release 25

(SAST) New rules:

  • TF K8s Check Add Capability
  • TF K8s Root Filesystem Read Only
  • TF K8s Check Seccomp Profile
  • TF K8s Check Drop Capability
  • TF K8s Check If Capability Exists
  • TF K8s SA Token Enabled
  • TF K8s SA Token Enabled
  • TF K8s Image Has Digest
  • TS NoSQL injection
  • JS NoSQL injection
  • PHP insecure SSL TLS HTTP

Release 24

  • (ASPM) Migrate authors : The authors’ data is available in the platform.
  • (ASPM) GitLab integration : Implement integration with GitLab.
  • (ASPM) Azure DevOps integration : Implement integration with Azure DevOps.
  • (CSPM) New rules:
    • Azure API Mgmt Uses the Triple DES Cipher Algorithm
    • Azure MongoDB NSG Allows Unrestricted Access
    • Azure MS SQL Server NSG Allows Unrestricted Access
    • Azure MySQL NSG Allows Unrestricted Access
    • Azure NetBIOS NSG Allows Unrestricted Access
    • Azure Oracle Database NSG Allows Unrestricted Access
    • Azure PostgreSQL DB NSG Allows Unrestricted Access
    • Azure VMs NSG Allows Unrestricted Access
    • Azure RPC NSG Allows Unrestricted Access
    • Azure SMTP NSG Allows Unrestricted Access
    • Azure SSH NSG Allows Unrestricted Access
    • Azure UDP Ports NSG Allows Unrestricted Access
  • (SAST) New rules:
    • TF K8s Allow Privilege Escalation Enabled
    • TF K8s Root Container
    • TF Kubernetes Insecure Port
  • (SCA) New rule: Poetry toml deps.
  • (DAST) New rules:
    • SSL certificate expired
    • SSL self-signed certificate
    • SSL wrong cn
    • SSL wildcard certificate

Release 23

  • (ASPM) Vulnerability remediation : Create a comprehensive guide for the remediation of vulnerabilities.
  • (ASPM) Token workflow : Update the process for creating and renewing DevSecOps tokens.
  • (CSPM) New rules:
    • Azure API Mgmt SVC Does Not Use a Managed Identity
    • Azure Key Vault Admin Permissions on Keys
    • Azure Search Service Public Network Access Is Enabled
  • (SAST) New rules:
    • PHP insecure mcrypt
    • PHP insecure OpenSSL

May

Release 22

  • (ASPM) Safe vulnerabilities tracking : Enable tracking for safe vulnerabilities and specify the cause of their closure.
  • (ASPM) VM permissions : Modify permissions assigned to vulnerability managers related to roots management.
  • (AGENT) Specific path argument : Add an argument to define and analyze specific paths within a repository.
  • (CSPM) New rules:
    • Azure DB PSQL Flexible Server SSL Disabled
    • Azure Data Lake Allows Access from Any Source
    • Azure Synapse Firewall Allows Public Access
    • Azure Cosmos DB Public Network Access Is Enabled
    • Azure DataFactory Public Network Access Is Enabled
    • Azure API Mgmt SVC Public Network Access Is Enabled
    • Azure Key Vault Public Network Access Is Enabled
  • (SAST) New rules:
    • C Sharp SQL injection request
    • PHP XML parser

Release 21

  • (ASPM) Table sorting : Enable sorting options for items listed in the Jira table.
  • (ASPM) Credentials table usage info : Indicate which credentials are currently in use within the credentials table.
  • (SAST) New rules:
    • PHP generates insecure token
    • PHP uses sha1 in query

Release 20

  • (ASPM) WhatsApp OTP : Enable OTP delivery via WhatsApp when users add or update their mobile number.
  • (CSPM) New rules:
    • Azure API Mgmt Front Insecure TLS Version
    • Azure Subscription Does Not Have a Locking Resource Manager
    • Azure App Service HTTP2 Is Disabled
    • Azure Subscription Has at Least Two Owners
    • Azure Search Service Does Not Use a Managed Identity
    • Azure Search Service Insufficient Replicas Configured
    • Azure Search Service Has Insufficient Replicas Configured
  • (SAST) New rules:
    • APK task hijacking
    • APK clear text traffic
    • PHP SQL leak errors
    • PHP insecure file upload
    • PHP unsafe path traversal
    • PHP excessive access mode
    • PHP technical info leak
    • PHP weak random
    • PHP insecure deserialization
  • (DAST) New rules:
    • Cont sec pol frame ancestors
    • Cont sec pol wild uri
    • Cont sec pol missing obj
    • Cont sec pol missing script
    • Cont sec pol unsafe line
    • Cont sec pol hosts jsonp
    • Missing referrer policy
    • Strict transport low max age
    • Strict transport includes subdomains
    • X content type options nosniff

Release 19

  • (ASPM) Expanded export columns : Add new columns to the DevSecOps view table and include them in the related CSV export.
  • (ASPM) Nickname edition : Allow customers to edit the nicknames of Git roots.
  • (ASPM) Vulnerability filters : Add filters to the API for sorting and categorizing vulnerabilities.
  • (ASPM) Grouped vulnerabilities : Show summary of vulnerabilities grouped by technique on result log.
  • (CSPM) New rule: Azure Dev Portal has Auth Methods Inactive.
  • (SAST) New rules:
    • JS hardcoded credentials in test
    • TS hardcoded credentials in test

April

Release 18

  • (SAST) CLI using parameters : Allow execution of the CLI using configurable parameters.
  • (SAST) New rules:
    • JS command injection serialize
    • JS exposed private key
    • TS exposed private key
    • JS sensitive info in endpoint
    • TS sensitive info in endpoint
    • TS xml parser inside context
    • PHP unsafe XSS content

Release 17

  • (ASPM/AGENT) Execution details : Include the final status indicating if the build was broken in the Execution details.
  • (ASPM) Secrets management : Allow permissions to be granted to other users for managing secrets in environment URLs.
  • (ASPM) Tables management : Add a marker to inform users when some columns are hidden.
  • (ASPM) Environments management : Automatically close vulnerabilities when the associated environment is deleted.
  • (CSPM) New rules:
    • Azure DB for MySQL Flex Servers Insecure TLS Version
    • Azure Role-Based Access Control on Key Vault Is Not Enabled
    • Azure Function App with Admin Privileges
    • Azure Role Actions Is a Wildcard
    • Azure App Service Allows HTTP Traffic
    • Azure API Not Enforce HTTPS
    • AZ Subscription Not Allowed Resource Types Policy
    • Azure App Service Does Not Use a Managed Identity
    • Azure Function App Logging Is Disabled
    • Azure Keys Expiration Date Is Not Enabled
    • Azure Secret Expiration Date Is Not Enabled
    • Azure App Service Always On Is Not Enabled
    • Azure Batch Jobs Runs in Admin Mode
    • Azure Function App Use Not Host Keys
    • Azure Publicly Exposed Funct App
  • (SAST) New rules:
    • TS express accepts any mime
    • JS express accepts any mime
    • JS insecure cors origin
    • TS insecure cors origin
    • GitHub actions without hash

Release 16

  • (ASPM) Warning message : Display a warning message indicating the existence of environments associated with a root when it is deactivated.
  • (CSPM) New rules:
    • Azure DB MySQL firewall allows public access
    • Azure DB MySQL SSL disabled
    • Storage lifecycle is not defined
    • Azure DB SQL insecure audit retention period
    • Azure DB SQL extended audit disabled
    • Azure DB SQL firewall allows public access
  • (SAST) New rules:
    • PHP hardcoded init vector
    • PHP hardcoded password
    • PHP insecure hash
    • TS local file inclusion
    • TS open redirect
    • JS hardcoded password
    • TS hardcoded password
    • TS sensitive info in params

Release 15

  • (IDE) Jira integration : Enable access to all vulnerability information directly within the IDE.
  • (ASPM) Require OTP for login : Implement a security measure to reduce associated risks.
  • (ASPM) Delete group : Send an email notification when a group is deleted.
  • (CSPM) New rules:
    • Azure DB PostgreSQL connection throttling disabled
    • Azure DB PostgreSQL SSL disabled
    • Azure DB PostgreSQL insecure TLS version
    • Azure DB PostgreSQL log settings disabled
    • Azure DB PostgreSQL log checkpoints disabled
    • Azure DB PostgreSQL firewall allows public access
    • Azure DB PostgreSQL insecure log retention
  • (SAST) New rules:
    • HTML uses innerhtml
    • JS file size limit missing
    • TS file size limit missing
    • JS directory listing
    • TS directory listing
    • JS error handler enabled
    • TS error handler enabled

Release 14

  • (ASPM) Simplify free trial : Reduce the steps required to start a free trial.
  • (ASPM) Notifications subjects : Update notification subjects for improved clarity.
  • (ASPM) Group created notifications : Add notifications to keep users updated on group creation events.
  • (SCA) SCA reports in lock files : Publish SBOMs for Fluid Attacks components.
  • (SCA) Fluid Attacks SBOMs : Publish SBOMs for Fluid Attacks components.
  • (CSPM) New rules:
    • Azure VM encryption at host disabled
    • Azure AKS has rbac disabled.
  • (SAST) New rules:
    • PHP insecure encrypt AES
    • PHP remote command execution
    • PHP has empty catch

March

Release 13

  • (ASPM/AGENT) Technical debt policy : Implement a grace period before the agent breaks the build due to new vulnerabilities.
  • (SAST) Analyze PHP code : Add support for analyzing PHP code with the scanner.
  • (CSPM) New rules:
    • Azure AKS API server allows public access
    • Azure AKS has kubernet network plugin
    • Azure storage not enabled infrastructure encryption
  • (SAST) New rule: PHP basic authentication.
  • (SCA) New rules:
    • Gradle wrapper properties
    • CycloneDX JSON deps
    • SPDX JSON deps

Release 12

  • (SCA) Standard format : Ensure compliance with Fluid SBOM format requirements.
  • (ASPM) Approve ZR : Address misuse of ZR requests by customers attempting to bypass build failures.
  • (CSPM) New rules:
    • Azure AKS has enable local accounts
    • Azure AKS is not using the latest version
    • Azure container registry is not using replication
  • (SAST) New rules:
    • PHP info leak errors
    • Java insecure engine cipher SSL
    • Docker compose ssh pass
  • (SCA) New rules:
    • Gemfile missing package lock
    • Erlang missing package lock
    • Cargo missing package lock
    • Conan missing package lock
    • Pipfile missing package lock
    • Composer missing package lock
    • Nuget missing package lock

Release 11

  • (ASPM) Plans’ names : Update and standardize the names of plans.
  • (ASPM) Videos on evidence : Add an additional field to upload video file evidence into findings.
  • (ASPM) Connector notifications : Send email alerts when a secure connector goes offline.
  • (ASPM) Environment secrets : Add an indicator to show the existence of secrets on the Environment URL.
  • (SCA) Lock files : Add support for lock files.
  • (SCA) Gradle wrapper : Enable SCA support for gradle-wrapper.properties.
  • (CSPM) New rules:
    • Azure blob soft deleted disabled
    • Azure network app gateway waf is disabled
    • Azure network watcher not enabled
    • Azure network flow log insecure retention period
    • Azure network group using port ranges
    • Azure firewall network rules unrestricted
    • Azure network firewall app rules unrestricted
    • Azure container registry admin user enabled
    • Azure network out of date OWASP rules
    • Azure insecure TLS version
    • Azure allows FTP deployments
    • Azure key vault soft delete retention
    • Azure remote debugging enabled
    • Azure authentication is not enabled.
  • (SAST) New rules:
    • PHP insecure cors
    • DB credentials exposed in code
    • Java credentials exposed in code
    • Swift credentials exposed in code
    • Python credentials exposed in code
  • (SCA) New rule: Nuget pkgs lock json.

Release 10

  • (ASPM) Org/group policy : Update policy to address temporary acceptance of vulnerabilities based on CVSS scores.
  • (ASPM) Vulnerabilities evidence : Increase the allowable size limit for supporting evidence submissions.
  • (ASPM) Events alert : Implement a color-coded circle indicator to flag groups with pending events.
  • (SCA) Vulnerabilities prioritization : Integrate EPSS scoring into SCA advisories and vulnerability assessments.
  • (CSPM) New rules:
    • TF allows priv escalation by policy versions
    • Azure network ftp ingress not restricted
    • Azure network dns ingress not restricted
    • Azure network cifs ingress not restricted
    • Azure network rdp ingress not restricted
    • Azure network ssh ingress not restricted
    • Azure network group allows public access
    • Azure network telnet ingress not restricted
    • Azure network icmp ingress not restricted
    • Azure network https ingress not restricted
    • Azure network http ingress not restricted
    • Azure disabled accidental purge
  • (SAST) New rule: PHP uses eval.
  • (SCA) New rules:
    • Pipfile lock
    • Pipfile deps

February

Release 9

  • (ASPM) Exclusions as Code : Enable EaC functionality for all SKIMS modules.
  • (ASPM) Organization analytics : Ensure downloaded CSV files from Analytics graphics include complete and relevant information for all groups within the organization.
  • (ASPM) Secrets modal : Replace the dropdown for “Secret Description” with a dedicated column inside the Secrets modal.
  • (ASPM) Reattacks overhaul : Implement checks to prevent reattack reviews on outdated locations or files.
  • (ASPM) Notifications : Update notification wording regarding resolved vulnerabilities for improved clarity.
  • (SAST) Multi-file scanning  for SAST rules.
  • (CSPM) New rules:
    • Azure storage account not enforcing latest TLS
    • Azure storage account allows public network access
    • Azure Redis public network access enabled
    • Azure Redis authnotrequired enable
    • Azure Redis insecure TLS version
    • Azure Redis insecure port
    • Azure storage account Microsoft bypass
    • Azure containers soft deleted disabled
    • Azure Redis firewall allows public access

Release 8

  • (ASPM) Closing date filter : Allow users to define a date range for closing dates when generating custom technical reports for groups.
  • (ASPM) Root nickname : Display the root nickname associated with a vulnerability.
  • (CSPM) New rules:
    • Azure blob containers are public
    • Azure storage account allows public blobs

Release 7

  • (ASPM) Webhooks : Enable integration with any application that supports the webhook standard.
  • (ASPM) Move roots in batch : Allow batch moving of roots to keep the ToE updated and organized.

Release 6

  • (ASPM) Vulnerabilities report : Ensure the vulnerabilities report is available 24/7.
  • (ASPM) AWS authentication for CodeCommit : Enable cloning of CodeCommit repositories using IAM credentials.
  • (ASPM) Import repositories : Allow importing multiple repositories into the platform using a CSV file.
  • (SAST/DAST/CSPM) Initialization time : Optimize CLI executions for improved speed.

January

Release 5

  • (IDE) Automatic extension restart : Automatically apply new changes without manual restarts.
  • (CSPM) GCP and Azure regions on CSPM module : Extend CSPM coverage to include more regions in GCP and Azure.
  • (ASPM) Display a cancel button when editing : Improve user experience by adding a cancel button when editing.
  • (ASPM) Organization column : Add an “Organization” column in the To Do and Events sections, including its export in the CSV file.
  • (CSPM) New rule: Azure VM SSH key authentication.

Release 4

  • (ASPM) New support platform : Implement a seamless process for customer support.
  • (ASPM) Checkly and Statuspage integration : Provide more detailed information about the Fluid Attacks service status.
  • (ASPM) Requirements descriptions : Add comprehensive descriptions for all requirements.
  • (ASPM) Improve Pop-ups : Display emergent messages for adding new API tokens and mobile numbers.
  • (CSPM) New rule: AWS report inspector lambda vulnerabilities.

Release 3

  • (ASPM) Implement new status page : Implement a live status page to monitor service availability.
  • (ASPM) Describe Help process : Describe and explain the support process in the documentation.
  • (ASPM) Update OWASP MASVS : Update to the latest OWASP MASVS standard version.
  • (ASPM) Add new standard compliance FISMA : Add FISMA as a new standard in the compliance documentation.
  • (ASPM) Replace field in events : Replace the “Client” field with “Root” (nickname) in Events.
  • (ASPM) Last requested reattack in technical reports : Display the last requested reattack date for each location in technical reports.
  • (ASPM) SBOM linking lines to vulnerabilities : Provide direct links to vulnerabilities for more detailed information.
  • (ASPM) Exposure management over time (%) : Add more decimal precision for improved understanding of percentages over time.
  • (CSPM) New rules:
    • AWS report inspector vulnerabilities
    • AWS report inspector ecr vulnerabilities

Release 2

  • (CSPM) Reducing F325 wildcards FP : Improve detection methods to reduce false positives for F325 wildcards.
  • (CSPM) AWS region in CSPM module : Run CSPM checks across all AWS regions.
  • (ASPM) Upgrade prices : Update and display the latest service prices on the platform.
  • (ASPM) Display secure connector logs : Make secure connector logs available for viewing on the platform.
  • (ASPM/SAST/DAST) Egress support : Add more connection methods to clone repositories and access environments.

Release 1

(ASPM) Add links to breadcrumbs : Add links to breadcrumbs for easier navigation within the documentation.

Tip

Free trial: Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial  and discover the benefits of the Continuous Hacking  Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .

Last updated on February 13, 2026
20232025
Fluid Attacks 2026. All rights reserved.