- SAST: On-demand investigation allows deeper AI re-evaluation of findings, available from the issue detail view, in bulk, and via the API and MCP server.
- SAST: Each confirmed finding now includes step-by-step exploitation instructions, and every exploitable vulnerability must carry a data flow path.
- SAST: A secondary AI validation pass reviews all true-positive findings before they are recorded, filtering out non-exploitable results and correcting inaccurate details.
- SAST: Three-tier regression detection pipeline uses deterministic fast-path, structured diff review, and deep-agent escalation for faster and more accurate rescans.
- SAST: Smart rescans now resolve issues by exact line range per file, preventing incorrect resolution of findings that are still present.
- SAST: Findings where exploitability cannot be determined are now categorized as “Informational” instead of “Non-Exploitable.”
- SAST: AL (Business Central) added to supported languages.
- SCA: Reachability analysis determines whether vulnerable code paths are actually called in your application, with per-package reachability status and filtering. Reachability defaults to “unknown” until analysis completes, preventing false “reachable” statuses.
- SCA: Findings now link back to the original manifest file and line number where a dependency was declared, rather than the lockfile.
- SCA: Compiled asset scanning detects packages embedded in JARs, WARs, Python wheels, and other binary artifacts.
- SCA: Haskell (Hackage) and R (CRAN) ecosystems added; CocoaPods removed.
- SCA: New filters for ecosystem, package reachability, source type (manifest vs. compiled), and info severity level.
- SCA: Multi-hop transitive dependency resolution walks up to 5 hops to find the nearest upgradable direct dependency.
- SCA: Remediation instructions provided for unpatchable findings when no safe version exists.
- SCA: Gradle version catalog support with line-level tracking in build files, PEP 621 pyproject.toml, and Poetry 1.2+ group dependencies now parsed.
- SCA: SBOM generation no longer requires a prior SCA scan.
- Secrets: Multi-engine secrets detection with automatic cross-engine deduplication for broader coverage.
- IaC: GitHub Actions workflow security scanning for CI/CD pipeline misconfigurations.
- Platform: Integrations settings page redesigned with a master-detail sidebar layout.
- Platform: Differential scanning mode uses AI-powered analysis for small code changes instead of re-running the full pipeline.
- Platform: Identical-commit carry-forward skips re-scanning when the commit and settings are unchanged.
- Platform: PR scans can now auto-resolve previously reported issues determined to be false positives.
- Platform: The PR comment visibility threshold setting has been renamed and is now shown only when PR comments are enabled.
- Platform: History cutoff setting allows a clean baseline by ignoring scan history before a configured date. Now also applies during dependency analysis and deduplication.
- Platform: Issue statuses like Reviewing and Backlog are now preserved across scan refreshes instead of being reset.
- Platform: Custom rules only mode is now available at the repository level in addition to organization and tag levels.
- Platform: Scans now surface specific error messages instead of generic failures, and partial results are cleaned up on retry to prevent duplicates.
- Platform: SCA fix PRs now automatically resolve merge conflicts by regenerating lock files on the latest base.
- Platform: Team repository selector now supports search and pagination for large organizations.
- Platform: Unmatched contributors can be searched and linked individually.
- Platform: Report history auto-refreshes while reports are processing.
- Platform: Automatic GitHub repository sync for rename, transfer, archive, and delete events.
- Integrations: Jira and Linear now support bulk export of multiple findings at once.
- Integrations: Linear custom templates with title, description, labels, and priority fields for auto-ticketing.
- Integrations: Linear integration can now be connected at the organization level.
- Integrations: Slack notification management moved inline to the new detail panel.
- API: New Code Inspection API endpoints for searching, reading, and listing files in connected repositories.
- API: New investigation API endpoints for requesting and tracking on-demand finding re-evaluation.
- API: New INFORMATIONAL issue status and CICD detection type added across v1 and v2 APIs.
- API: VULNERABILITY_PATCHED webhook now fires per-vulnerability for multi-fix PRs.
- Developer Tools: MCP server updated with code inspection tools and investigation tools.
- CLI: Scan polling now has a ~50-minute timeout to prevent CI/CD pipelines from hanging indefinitely.
- Bug Fixes: Improved error messages for scan failures, CLI upload errors, and SBOM generation issues with specific failure categories (artifact download failed, artifact missing, generation failed, timeout).
- Bug Fixes: IaC findings are now consistently categorized under the IaC finding type.
- Bug Fixes: Monorepo patch PRs now correctly update all linked vulnerabilities when merged.
- Bug Fixes: GitLab pipeline webhooks now handle pipelines not associated with a merge request.
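The multi-hop transitive resolution described in the SCA notes above (walk from the vulnerable package toward the manifest, stop at the nearest direct dependency, give up after 5 hops) is easy to get wrong in two ways: walking forward from the root instead of backward from the vulnerability, and forgetting the hop cap so a deep chain yields a direct dependency whose upgrade may not actually pull in the fix. The following is an added illustration written for this page, not the product's own implementation; the graph, the package names, the `upgradable` parameter and the `nearest_direct_dependency` function are all constructed for the example.

```python
"""Nearest upgradable direct dependency via a bounded reverse-graph walk.

Added illustration, not the vendor's implementation. The dependency graph,
package names and the `upgradable` parameter are constructed for this example.
Assumption: the graph is a mapping package -> packages it depends on, and the
root's own entry lists the direct dependencies declared in the manifest.
"""
from collections import deque

MAX_HOPS = 5  # the "up to 5 hops" limit described in the release notes

# Constructed sample graph. "app" declares a, b and c directly.
#   vuln  is 3 hops below direct dep "a"  (a -> x -> y -> vuln)
#   vuln2 is 6 hops below direct dep "b"  (b -> z -> w -> v -> u -> t -> vuln2)
SAMPLE_GRAPH = {
    "app": ["a", "b", "c"],
    "a": ["x"],
    "x": ["y"],
    "y": ["vuln"],
    "b": ["z"],
    "z": ["w"],
    "w": ["v"],
    "v": ["u"],
    "u": ["t"],
    "t": ["vuln2"],
    "c": [],
}


def reverse_edges(graph):
    """Build child -> [parents] so we can walk from a vulnerability upward."""
    rev = {}
    for parent, children in graph.items():
        for child in children:
            rev.setdefault(child, []).append(parent)
    return rev


def nearest_direct_dependency(graph, root, vulnerable, max_hops=MAX_HOPS,
                              upgradable=None):
    """Return (direct_dep, path) for the closest direct dependency of `root`
    that sits at most `max_hops` edges above `vulnerable`, or (None, None).

    BFS over reversed edges guarantees the first direct dependency found is
    the nearest one. `upgradable` (constructed parameter) optionally restricts
    the answer to direct dependencies that actually have a fixed version;
    None means any direct dependency qualifies.
    """
    rev = reverse_edges(graph)
    direct = set(graph.get(root, []))
    queue = deque([(vulnerable, [vulnerable])])
    seen = {vulnerable}
    while queue:
        pkg, path = queue.popleft()
        hops = len(path) - 1
        if pkg in direct and (upgradable is None or pkg in upgradable):
            return pkg, path
        if hops >= max_hops:
            continue  # hop cap reached: do not climb any further on this branch
        for parent in rev.get(pkg, []):
            if parent != root and parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return None, None


if __name__ == "__main__":
    print(nearest_direct_dependency(SAMPLE_GRAPH, "app", "vuln"))
    print(nearest_direct_dependency(SAMPLE_GRAPH, "app", "vuln2"))
    print(nearest_direct_dependency(SAMPLE_GRAPH, "app", "vuln2", max_hops=6))
```

For `vuln` the walk reaches `a` after three hops and stops there; for `vuln2` the chain is six hops long, so with the default cap the function returns `(None, None)` and the finding would fall into the "no upgradable direct dependency" case that the remediation-instructions item above covers. Raising `max_hops` to 6 makes `b` reachable, which is the trade-off the cap encodes: more hops find more candidates, but the confidence that bumping the direct dependency actually carries the patched transitive version drops with each hop.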
Join our Discord community to get notified about new releases and features, or subscribe to our RSS feed for automatic updates.