We implement a new way to query all the information through the API for the agent; using this improvement, we will get only the locations in a vulnerable state, omitting unnecessary information such as vulnerabilities that are in a safe state or with temporarily accepted, permanently accepted, or zero risk treatment. You will be able to get the same information that this field gives us by running the agent and getting faster reports. You will be able to see this from Monday, April 10th.

With the Report Technique, you can see all reported vulnerabilities; what is the percentage distribution of these according to the types of security tests (SAST, DAST, and SCA).

This chart will be helpful to see which type of security test has the highest vulnerability detection sensitivity. Write to us at help@fluidattacks.com if you have questions about this chart or the Analytics section.

In the Authors section of your groups, you can see the lists of authors who have contributed to your repositories. If you need to download any of them at any time, you must select the list and click on the Export button at the top right. It will immediately download to your system as a CSV (comma-separated values) file with all its contents. 

How often do you download this data? Do you find it helpful? Remember that you can give us your opinion in the comments. We invite you not to miss these updates by subscribing to our News channel.

We are pleased to announce the enhancement of the agent when executing the policy: "DevSecOps: Minimum CVSS 3.1 score of vulnerable spots for the agent to break the build in Strict Mode" where passing the CLI value as an argument in --breaking will take into account the minimum severity value for breaking the build. 

Thanks to this improvement, you can be sure that any value you stipulate will not be higher than the policy; it will be equal to or lower than it, so the agent breaks the build according to the metrics specified in your organization or group, avoiding vulnerabilities with a higher CVSS score from passing the check.

When you run the agent in the container, there are times when you need to remember the parameters that you can use. We invite you to use the following two commands: docker run --rm -ti fluidattacks/forces:new forces --help or docker run --rm -ti fluidattacks/forces:new forces, where you can view the list of parameters that you can use when you run the agent. Thanks to this help, you can quickly see the information you need in one place without entering the documentation. Also note that you will also have the link to the documentation and the email help@fluidattacks.com, in case you need more information or write us if you have any questions or concerns.

We are pleased to announce that we have implemented two new reasons when deleting a group in the ARM platform. These are PoC Over and Testing Request Cancelled, having more options when you want to delete a group being more explicit and clear.

You can enter here if you want to know more about it. Your opinion is important to us, so we invite you to comment on this post or write to us at help@fluidattacks.com, with your questions, comments, or suggestions.

We are pleased to announce a future improvement in the Forces verbosity parameter, which helps you have better control over the amount of information in the report when executing our agent. This parameter's allowed values will be reduced to -v and -vv. You will be able to use them to include in the report only vulnerabilities that break or could break the build (-v) or all open vulnerabilities (-vv). Such information is relevant and timely to learn which vulnerabilities would affect the release into production. Remember that the two values to be removed will be -vvv and -vvvv, whose function will be replaced by -vv.

As you know, on the ARM platform, your organization has an Analytics section, which, through charts and indicators, provides you with information related to all the groups belonging to it. 

Thanks to this data, you can be aware of the changes in your vulnerabilities and carry out comparisons that are useful for your decision-making. 

We are excited to announce the security standards we apply in Fluid Attacks. This standard is the Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. 

You can find this and other standards we apply at Fluid Attacks in the Compliance section of our Documentation. The version used in this section is CWE List v4.10.

Do you already know what the new Update credential owner notification is about? This notification will notify us when a credential has changed its owner because the one who created it is no longer an active user of the ARM platform since he left the platform for 90 days or no longer has access to the organization.