2026

Last updated: Mar 16, 2026

March

Release 11

• (MCP) SCA remediation with AI agents : Added repository context configuration to the MCP server, enabling autonomous SCA vulnerability remediation via AI agents.
• (ASPM) Display ‘No fix available’ guidance : Added actionable guidance when vulnerabilities have no remediation path (EOL packages, abandonware, pending fixes).
• (ASPM) Improve Location filter with selector and search options : Replaced free-text Location filter with a selector supporting nickname, base URL, prefix matching, and full-text search.
• (ASPM) Improve ‘New Group’ modal for target registration : Added target type and target evaluation stage fields to the New Group creation flow.
• (DB) Dynamic filter options : Filter options are now generated dynamically based on available results, preventing empty result combinations.
• (IDE plugin) IDE SCA remediation options : Added multiple SCA remediation options to GenAI-powered fixes in the VSCode extension.
• (Docs) Add fix guide for transitive dependency vulnerabilities : Added guide covering lockfile refresh, overrides, and shrinkwrap removal strategies.
• (Docs) Add SAST and SCA GitHub Actions to CLI docs : Documented the new SAST and SCA GitHub Actions with auto-detected scan modes.
• (SAST) New rules:
  • Scala Ssl Hostname Verification Bypass 
  • Scala Unsafe Xquery Injection 
  • Scala Unsafe Xpath Injection 
  • Scala Insecure Random Key Generation 
  • Scala Cookie Missing Httponly 
  • Scala Logging Of Sensitive Data 
  • Swift Sensitive Data In Keyboard Logging 
  • Swift Sensitive Data In External Storage 

Release 10

(SAST) New rules:

• Python Django Open Redirect 
• Python Fastapi Open Redirect 
• Python Starlette Open Redirect 
• Scala Use Unvalidated Forwards 
• Swift User Input In Regular Expression 
• Swift Information Exposure In Query String 
• Python Fastapi Uncontrolled Format String 
• Python Starlette Uncontrolled Format String 
• Python Fastapi Sensitive Data Logging 
• Python Starlette Sensitive Data Logging 
• Scala Spring Unsafe Open Redirect 
• Scala Spring Use Unvalidated Forwards 
• Python Logging Config Insecure Listen 
• Scala Secure Flag Not Set 
• Swift Webview Xss Injection 
• Javascript Unsafe Input Resource Injection 
• Typescript Unsafe Input Resource Injection 

February

Release 9

• (SCA) Add support for new package managers : Added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec) package managers.
• (SCA) Add SCA remediation options to vulnerability details : Added remediation options (closest min fix, safe fix, complete fix) for direct and transitive dependencies.
• (Docs & DB) Standardize central layout and sidebar widths : Constrained main content and sidebar widths on large screens to improve readability and layout consistency.
• (ASPM) Update Groups table to match new group modal : Updated the Groups section structure to align with the new group creation flow and target registration improvements.
• (ASPM) Allow editing environment authentication field : Enabled editing of the “Requires Authentication” field on existing environment records.
• (ASPM) Relocate CI Gate token and installation guide : Moved CI Gate token management and installation guide from Scope to DevSecOps section.
• (SAST) New rules:
  • Dart Unsafe Input Path Traversal Relative 
  • Ruby Insufficiently Protected Credentials 
  • Javascript Weak Password Encoding Base64 
  • Python Boto3 Ssl Verification Bypass 
  • Python Ssl Certificate Verification Bypass 
  • Typescript Weak Password Encoding Base64 
  • Python Aiohttp Ssl Verification Bypass 
  • Python Websocket Ssl Verification Bypass 
  • Ruby Hardcoded Session Secret Token 
  • Scala Hardcoded Initialization Vector 
  • Swift Hardcoded Password In Urlcredentials 
  • Config Files Misconfiguration In Impersonation 
  • Config Files Disabled Session Id Regeneration 
  • Ruby Short Session Key 
  • Scala Play Plaintext Storage Sensitive Data 
  • Dart Tempfile Unencrypted Sensitive Information 
  • Dart Native Language Cmd Injection 
  • Scala Spring Plaintext Storage Sensitive Data 
  • Scala Unsafe Open Redirect 

Release 8

(SAST) New rules:

• Python Http Uncontrolled Cors Origin 
• Python Wsgiref Uncontrolled Cors Origin 
• C Sharp Sensitive Information In Logs 
• C Sharp Jwt Sensitive Information Exposure 
• Python Django Sensitive Data Logging 
• Ruby Ssl Certificate Verification Bypass 
• Scala Jwt Sensitive Information Exposure 
• C Sharp CSRF Protection Disabled 
• Python Django Uncontrolled Cors Origin 
• Ruby Unsafe Open Redirect 
• Config Files Insecure Cookieless Configuration 
• Python Urllib3 Ssl Verification Bypass 
• Python Hardcoded Password In Connection 
• Ruby Sensitive Cookie Without Httponly 
• C Sharp Hardcoded Credentials In Directory 
• C Sharp Parameter Tampering In Email 
• Python Httpx Ssl Verification Bypass 

Release 7

• (DAST) Update scanner technique to MAST : Update APK scanner to replace DAST with MAST across the entire flow, including Docker image (mast scan config.yaml).
• (DB) Make general search bar index vulnerabilities : Extend the main search bar indexing to include vulnerabilities (e.g., CVE identifiers) for direct discovery and navigation.
• (DB) Add “View JSON” link to vulnerability’s detail page : Add a “View JSON” link to vulnerability detail pages, pointing to the data.json endpoint and opening in a new tab.
• (DB) Improve Log in : Rename “Get started” to “Try for free” and add a clear ghost “Log in” button in the top bar. Align flow with design system, including avatar dropdown with user info and ghost “Log out.”
• (DB) Scalable filter UX for Database : Group multiple vulnerability filters under the default Filter dropdown and remove highlighted filters. Reserve the highlighted filter for a single dominant case to ensure scalability and a clean hierarchy.
• (DB) LLMs.txt : Add an llms.txt endpoint to improve consumption of DB pages by LLMs.
• (IDE plugin) Enhance IntelliJ sidebar : Add severity icons to the IntelliJ plugin sidebar, categorized by typology, to improve visual context and prioritization of weaknesses.
• (MCP) Add output file configuration to MCP scanner tool prompts : Add a default output section to YAML examples in MCP scanner tools to generate Fluid-Attacks-Results.csv instead of stdout-only results.
• (SAST) New rules:
  • C Sharp Session Cookie Injection 
  • C Sharp Api Use Hardcoded Password 
  • Ruby Sensitive Information Weak Sha1 
  • Ruby Sensitive Information Weak Md5 
  • Ruby Hardcoded Encryption Key 
  • Ruby Weak Cipher Encryption 
  • Ruby Weak Cipher Encryption Blowfish 
  • Ruby Hardcoded Password In Connection 
  • Ruby Unsafe Hardcoded Password 
  • Python Flask Sensitive Data Logging 
  • C Sharp Hardcoded Cryptographic Key 

Release 6

• (Docs & DB) Add multiple authentication methods : Added Google, Microsoft, LinkedIn, Bitbucket, and internal login as authentication options.
• (DB) Add detection status to vulnerabilities : Added a flag indicating whether each vulnerability has been detected at least once.
• (ASPM) Add KEV and EPSS metrics to Package Details : Added KEV and EPSS metrics to the Package Details view to provide better vulnerability context for clients.
• (SAST) New rules:
  • JavaScript Dom Open Redirect 
  • JavaScript Express Open Redirect 
  • Typescript Dom Open Redirect 
  • Typescript Express Open Redirect 
  • Java Insufficiently Protected Credentials 
  • Python Flask Uncontrolled Cors Origin 
  • Java User Input Xquery Injection 
  • Java Unsafe Parameter Tampering 

January

Release 5

• (ASPM) Azure integration now supports Bug as a work item type : Our integration can create work items of type ‘Bug’, which is useful for users or clients whose projects do not have the ‘Issue’ type available.
• (SAST) New rules:
  • Java Uncontrolled Memory Allocation 
  • JavaScript Kony Hardcoded Encryption Key 
  • JavaScript Hardcoded Password In Connection 
  • Typescript Kony Hardcoded Encryption Key 
  • Typescript Hardcoded Password In Connection 
  • Java Intent Sensitive Communication 
  • JavaScript React Native Missing Masking 
  • Typescript React Native Missing Masking 
  • Python Django Uncontrolled Format String 
  • Python Flask Uncontrolled Format String 
  • Python Tornado Uncontrolled Format String 
  • JavaScript Cordova Open Redirect 
  • JavaScript Kony Url Injection 
  • JavaScript SSL Verification Bypass 
  • Typescript Cordova Open Redirect 
  • Typescript Kony Url Injection 
  • Typescript Ssl Verification Bypass 
  • Java Unsafe Object Binding 
  • Java Insecure Storage Sensitive Information 
  • JavaScript Cordova File Manipulation 
  • Typescript Cordova File Manipulation 

Release 4

• (ASPM) Prevent accidental rejection of access invitations : An extra confirmation step was added to the platform’s invitation flow to avoid accidental rejections caused by automated email link scanning.
• (SAST) New rules:
  • Go Insecure Temp File Creation 
  • Java Unrestricted File Upload Spring 
  • Java Ognl Expression Injection 
  • Java Observable Time Discrepancy 
  • Java Denial Of Service By Sleep 
  • JavaScript Httponly Flag Not Set 
  • JavaScript Insecure Samesite Cookie Attribute 
  • Typescript Httponly Flag Not Set 
  • Typescript Insecure Samesite Cookie Attribute 
  • Java One Way Hash Without Salt 
  • JavaScript Sensitive Information Weak Sha1 
  • JavaScript Sensitive Information Weak Md5 
  • Typescript Sensitive Information Weak Sha1 
  • Typescript Sensitive Information Weak Md5 
  • Java Cookie Without Validation 

Release 3

• (ASPM) Warn users about potential additional costs when changing branches : A warning and checkboxes were added when users modify branches from a repository under the scope section to clarify that this action can impact the cost of the service.
• (SAST) New rules:
  • Go Unencrypted Ftp Connection 
  • Go Unencrypted Telnet Connection 
  • Java Use Of Hardcoded Password 
  • JavaScript Insecure Sce Configuration 
  • Java Spring Session Fixation 
  • Java Empty Password Connection 
  • JavaScript Client CSS Injection 
  • Typescript Client CSS Injection 
  • Go Zip Slip Path Traversal 
  • Java Unvalidated Forwards Use 
  • JavaScript Email Headers Forgery 
  • Typescript Email Headers Forgery 

Release 2

• (ASPM) Mark AI-detected vulnerabilities (AI SAST) : Added a visual AI indicator to AI SAST findings to highlight the new technique.
• (SAST) New rules:
  • Js Dom Stored Xss 
  • Ts Dom Stored Xss 
  • Js Client Dom Xss 
  • Ts Client Dom Xss 
  • Js Unsafe Deserialization Untrusted Data 
  • Js Unsafe Module Inclusion 
  • Js Unsafe Require Module Inclusion 
  • Ts Unsafe Deserialization Untrusted Data 
  • Ts Unsafe Module Inclusion 
  • Ts Unsafe Require Module Inclusion 
  • Go Insecure Http Server 
  • Go Cleartext Sensitive Information 

Release 1

(SAST) New rules:

• F064 Java session id not regenerated
• F014 Dart mirrors unsafe reflection