2026

Last updated: Mar 28, 2026

---

March

Release 13

• (IDE Plugins) Remove redundant repository selection pop-up when project is already open in IDE: Now our VSCode and Cursor extensions auto-detect the active repository when a project is already open, eliminating the repository selection pop-up.
• (ASPM) Standardize file input experience in Add File modal: Processing is now indicated via the Upload button loading state, with the modal closing on completion and feedback shown through global notifications.
• (ASPM) Minimum privilege for organizations and groups: Introduced per-organization and group activity tracking to replace the global last-activity check, enforcing least privilege by revoking access only for inactive orgs/groups while preserving access where the user remains active.
• (ASPM) Restrict environment and repository exclusion to privileged roles only: Restricted scope exclusion permissions to group managers only, preventing users and vulnerability managers from excluding environments or repositories and reinforcing least-privilege governance.
• (DB) Improve detail panel structure to show Base vs Adjusted CVSS + vectors: Scope now shows both Base (source) and Adjusted CVSS (Fluid) with vectors, clearly differentiating them to improve traceability and clarity.
• (SAST) New rules:
  • Dart Get Storage Insecure Data Storage
  • Php Hardcoded Cryptographic Key
  • Scala Hardcoded Salt In Hash
  • Scala Hash Without Salt
  • Php Hardcoded Salt In Hash
  • Php Weak Encryption Size
  • Python Httpx Cleartext Sensitive Information
  • Dart Insecure Storage Of Sensitive Data
  • Go Path Traversal Open File
  • Php Hardcoded Cryptographic Iv
  • Dart File Storage Of Sensitive Data
  • Php Insufficiently Protected Credentials
  • Python Aiohttp Cleartext Sensitive Information
  • Python Urllib3 Cleartext Sensitive Information

Release 12

• (ASPM) Add supported and tested columns to Lines table: Added language support and Machine testing status columns to the Lines table for file-level visibility.
• (ASPM) Improve Groups filters: Updated Groups section filters to be functional and aligned with the target registration flow improvements.
• (ASPM) Add Cursor to Integrations: Added Cursor as an available option in the platform Integrations section.
• (ASPM) Restrict environment exclusion toggle to authorized roles: Limited the environment URL exclusion toggle to authorized roles, preventing unauthorized scope changes and vulnerability closures.
• (CI Gate) Show EPSS and reachability in SCA execution logs: Added EPSS score and reachability status to execution logs for SCA vulnerabilities.
• (SAST) New rules:
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In External Storage
  • Swift Sensitive Data In Keyboard Logging
  • C Sharp User Input Generate Improper Output
  • C Sharp User Input In Content
  • Python Unencrypted Ftp Connection
  • Scala Redos With Untrusted Input
  • Scala Spring Session Fixation
  • Php Unlink Path Traversal
  • Python Insecure Snmp Connection
  • Python Unencrypted Telnet Connection
  • Scala Hardcoded Password In Connection
  • Scala Unsafe Parameter Tampering
  • Php Sensitive Information In Jwt
  • Php Syslog Log Injection
  • Php Use Of Hardcoded Password
  • Php User Input Storage Sensitive Data
  • Python Requests Cleartext Sensitive Information

Release 11

• (MCP) SCA remediation with AI agents: Added repository context configuration to the MCP server, enabling autonomous SCA vulnerability remediation via AI agents.
• (ASPM) Display 'No fix available' guidance: Added actionable guidance when vulnerabilities have no remediation path (EOL packages, abandonware, pending fixes).
• (ASPM) Improve Location filter with selector and search options: Replaced free-text Location filter with a selector supporting nickname, base URL, prefix matching, and full-text search.
• (ASPM) Improve 'New Group' modal for target registration: Added target type and target evaluation stage fields to the New Group creation flow.
• (DB) Dynamic filter options: Filter options are now generated dynamically based on available results, preventing empty result combinations.
• (IDE plugin) IDE SCA remediation options: Added multiple SCA remediation options to GenAI-powered fixes in the VSCode extension.
• (Docs) Add fix guide for transitive dependency vulnerabilities: Added guide covering lockfile refresh, overrides, and shrinkwrap removal strategies.
• (Docs) Add SAST and SCA GitHub Actions to CLI docs: Documented the new SAST and SCA GitHub Actions with auto-detected scan modes.
• (SAST) New rules:
  • Scala Ssl Hostname Verification Bypass
  • Scala Unsafe Xquery Injection
  • Scala Unsafe Xpath Injection
  • Scala Insecure Random Key Generation
  • Scala Cookie Missing Httponly
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In Keyboard Logging
  • Swift Sensitive Data In External Storage

Release 10

(SAST) New rules:

• Python Django Open Redirect
• Python Fastapi Open Redirect
• Python Starlette Open Redirect
• Scala Use Unvalidated Forwards
• Swift User Input In Regular Expression
• Swift Information Exposure In Query String
• Python Fastapi Uncontrolled Format String
• Python Starlette Uncontrolled Format String
• Python Fastapi Sensitive Data Logging
• Python Starlette Sensitive Data Logging
• Scala Spring Unsafe Open Redirect
• Scala Spring Use Unvalidated Forwards
• Python Logging Config Insecure Listen
• Scala Secure Flag Not Set
• Swift Webview Xss Injection
• Javascript Unsafe Input Resource Injection
• Typescript Unsafe Input Resource Injection

February

Release 9

• (SCA) Add support for new package managers: Added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec) package managers.
• (SCA) Add SCA remediation options to vulnerability details: Added remediation options (closest min fix, safe fix, complete fix) for direct and transitive dependencies.
• (Docs & DB) Standardize central layout and sidebar widths: Constrained main content and sidebar widths on large screens to improve readability and layout consistency.
• (ASPM) Update Groups table to match new group modal: Updated the Groups section structure to align with the new group creation flow and target registration improvements.
• (ASPM) Allow editing environment authentication field: Enabled editing of the "Requires Authentication" field on existing environment records.
• (ASPM) Relocate CI Gate token and installation guide: Moved CI Gate token management and installation guide from Scope to DevSecOps section.
• (SAST) New rules:
  • Dart Unsafe Input Path Traversal Relative
  • Ruby Insufficiently Protected Credentials
  • Javascript Weak Password Encoding Base64
  • Python Boto3 Ssl Verification Bypass
  • Python Ssl Certificate Verification Bypass
  • Typescript Weak Password Encoding Base64
  • Python Aiohttp Ssl Verification Bypass
  • Python Websocket Ssl Verification Bypass
  • Ruby Hardcoded Session Secret Token
  • Scala Hardcoded Initialization Vector
  • Swift Hardcoded Password In Urlcredentials
  • Config Files Misconfiguration In Impersonation
  • Config Files Disabled Session Id Regeneration
  • Ruby Short Session Key
  • Scala Play Plaintext Storage Sensitive Data
  • Dart Tempfile Unencrypted Sensitive Information
  • Dart Native Language Cmd Injection
  • Scala Spring Plaintext Storage Sensitive Data
  • Scala Unsafe Open Redirect

Release 8

(SAST) New rules:

• Python Http Uncontrolled Cors Origin
• Python Wsgiref Uncontrolled Cors Origin
• C Sharp Sensitive Information In Logs
• C Sharp Jwt Sensitive Information Exposure
• Python Django Sensitive Data Logging
• Ruby Ssl Certificate Verification Bypass
• Scala Jwt Sensitive Information Exposure
• C Sharp CSRF Protection Disabled
• Python Django Uncontrolled Cors Origin
• Ruby Unsafe Open Redirect
• Config Files Insecure Cookieless Configuration
• Python Urllib3 Ssl Verification Bypass
• Python Hardcoded Password In Connection
• Ruby Sensitive Cookie Without Httponly
• C Sharp Hardcoded Credentials In Directory
• C Sharp Parameter Tampering In Email
• Python Httpx Ssl Verification Bypass

Release 7

• (DAST) Update scanner technique to MAST: Update APK scanner to replace DAST with MAST across the entire flow, including Docker image (mast scan config.yaml).
• (DB) Make general search bar index vulnerabilities: Extend the main search bar indexing to include vulnerabilities (e.g., CVE identifiers) for direct discovery and navigation.
• (DB) Add "View JSON" link to vulnerability's detail page: Add a "View JSON" link to vulnerability detail pages, pointing to the data.json endpoint and opening in a new tab.
• (DB) Improve Log in: Rename "Get started" to "Try for free" and add a clear ghost "Log in" button in the top bar. Align flow with design system, including avatar dropdown with user info and ghost "Log out."
• (DB) Scalable filter UX for Database: Group multiple vulnerability filters under the default Filter dropdown and remove highlighted filters. Reserve the highlighted filter for a single dominant case to ensure scalability and a clean hierarchy.
• (DB) LLMs.txt: Add an llms.txt endpoint to improve consumption of DB pages by LLMs.
• (IDE plugin) Enhance IntelliJ sidebar: Add severity icons to the IntelliJ plugin sidebar, categorized by typology, to improve visual context and prioritization of weaknesses.
• (MCP) Add output file configuration to MCP scanner tool prompts: Add a default output section to YAML examples in MCP scanner tools to generate Fluid-Attacks-Results.csv instead of stdout-only results.
• (SAST) New rules:
  • C Sharp Session Cookie Injection
  • C Sharp Api Use Hardcoded Password
  • Ruby Sensitive Information Weak Sha1
  • Ruby Sensitive Information Weak Md5
  • Ruby Hardcoded Encryption Key
  • Ruby Weak Cipher Encryption
  • Ruby Weak Cipher Encryption Blowfish
  • Ruby Hardcoded Password In Connection
  • Ruby Unsafe Hardcoded Password
  • Python Flask Sensitive Data Logging
  • C Sharp Hardcoded Cryptographic Key

Release 6

• (Docs & DB) Add multiple authentication methods: Added Google, Microsoft, LinkedIn, Bitbucket, and internal login as authentication options.
• (DB) Add detection status to vulnerabilities: Added a flag indicating whether each vulnerability has been detected at least once.
• (ASPM) Add KEV and EPSS metrics to Package Details: Added KEV and EPSS metrics to the Package Details view to provide better vulnerability context for clients.
• (SAST) New rules:
  • JavaScript Dom Open Redirect
  • JavaScript Express Open Redirect
  • Typescript Dom Open Redirect
  • Typescript Express Open Redirect
  • Java Insufficiently Protected Credentials
  • Python Flask Uncontrolled Cors Origin
  • Java User Input Xquery Injection
  • Java Unsafe Parameter Tampering

January

Release 5

• (ASPM) Azure integration now supports Bug as a work item type: Our integration can create work items of type 'Bug', which is useful for users or clients whose projects do not have the 'Issue' type available.
• (SAST) New rules:
  • Java Uncontrolled Memory Allocation
  • JavaScript Kony Hardcoded Encryption Key
  • JavaScript Hardcoded Password In Connection
  • Typescript Kony Hardcoded Encryption Key
  • Typescript Hardcoded Password In Connection
  • Java Intent Sensitive Communication
  • JavaScript React Native Missing Masking
  • Typescript React Native Missing Masking
  • Python Django Uncontrolled Format String
  • Python Flask Uncontrolled Format String
  • Python Tornado Uncontrolled Format String
  • JavaScript Cordova Open Redirect
  • JavaScript Kony Url Injection
  • JavaScript SSL Verification Bypass
  • Typescript Cordova Open Redirect
  • Typescript Kony Url Injection
  • Typescript Ssl Verification Bypass
  • Java Unsafe Object Binding
  • Java Insecure Storage Sensitive Information
  • JavaScript Cordova File Manipulation
  • Typescript Cordova File Manipulation

Release 4

• (ASPM) Prevent accidental rejection of access invitations: An extra confirmation step was added to the platform's invitation flow to avoid accidental rejections caused by automated email link scanning.
• (SAST) New rules:
  • Go Insecure Temp File Creation
  • Java Unrestricted File Upload Spring
  • Java Ognl Expression Injection
  • Java Observable Time Discrepancy
  • Java Denial Of Service By Sleep
  • JavaScript Httponly Flag Not Set
  • JavaScript Insecure Samesite Cookie Attribute
  • Typescript Httponly Flag Not Set
  • Typescript Insecure Samesite Cookie Attribute
  • Java One Way Hash Without Salt
  • JavaScript Sensitive Information Weak Sha1
  • JavaScript Sensitive Information Weak Md5
  • Typescript Sensitive Information Weak Sha1
  • Typescript Sensitive Information Weak Md5
  • Java Cookie Without Validation

Release 3

• (ASPM) Warn users about potential additional costs when changing branches: A warning and checkboxes were added when users modify branches from a repository under the scope section to clarify that this action can impact the cost of the service.
• (SAST) New rules:
  • Go Unencrypted Ftp Connection
  • Go Unencrypted Telnet Connection
  • Java Use Of Hardcoded Password
  • JavaScript Insecure Sce Configuration
  • Java Spring Session Fixation
  • Java Empty Password Connection
  • JavaScript Client CSS Injection
  • Typescript Client CSS Injection
  • Go Zip Slip Path Traversal
  • Java Unvalidated Forwards Use
  • JavaScript Email Headers Forgery
  • Typescript Email Headers Forgery

Release 2

• (ASPM) Mark AI-detected vulnerabilities (AI SAST): Added a visual AI indicator to AI SAST findings to highlight the new technique.
• (SAST) New rules:
  • Js Dom Stored Xss
  • Ts Dom Stored Xss
  • Js Client Dom Xss
  • Ts Client Dom Xss
  • Js Unsafe Deserialization Untrusted Data
  • Js Unsafe Module Inclusion
  • Js Unsafe Require Module Inclusion
  • Ts Unsafe Deserialization Untrusted Data
  • Ts Unsafe Module Inclusion
  • Ts Unsafe Require Module Inclusion
  • Go Insecure Http Server
  • Go Cleartext Sensitive Information

Release 1

(SAST) New rules:

• F064 Java session id not regenerated
• F014 Dart mirrors unsafe reflection