We're pleased to announce a powerful new feature of our automated tool that becomes tangible in our platform's Supply chain section: Reachability.

The Supply chain section shows your application's affected and unaffected third-party dependencies. Now, you can more efficiently prioritize and address dependencies with security issues by knowing which ones have exploitable vulnerabilities.

Here's how it works:

• Focused analysis: Reachability, a feature working with SAST, analyzes your application's direct dependencies reported by our SCA to determine whether their known vulnerabilities are actually exploitable in your specific case.
• Clear prioritization: In the Supply Chain section, look for the "Reachable" tag in the Status column. If it's there, prioritize remediation efforts for those tagged dependencies.
• Detailed vulnerability insights: For each reachable security issue, you'll see the location of the vulnerability within your code and a link to the vulnerability table of the corresponding type. This will help you thoroughly understand the vulnerability and prioritize it effectively in relation to the other reported issues.
• Reduced noise: No more guessing games! Reachability cuts through the noise of potential vulnerabilities and highlights the ones that need immediate attention.

Currently supported languages:

• Javascript
• Typescript
• Python

Coming soon:

• Java
• C#

Start prioritizing your vulnerability remediation today!

Log in to our platform and explore the new Reachability feature in the Supply Chain section.

Implemented

⚠️ Date limit on calendar for vulnerability acceptance: Whenever you enter a date earlier than the current day or that exceeds the number of days allowed by your organization's temporary vulnerability acceptance policy, you will see a message reminding you of the permitted range.

📃 Improved downloadable SBOMs: The SBOMs you can export from our platform in CycloneDX and SPDX formats now have new information. Beyond the default fields, you can now see, for each third-party component: its location, the latest version, and the time since that release. In case of associated security issues, you can see: the affected version, CVEs, their severity, and EPSS.

✅ New webhooks: We have added a couple of webhooks that will notify you when an event or a vulnerability has been closed within one of your groups.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events.

Upcoming

📡 Reachability analysis: We'll add a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module will analyze the components and dependencies listed in the Supply chain section and determine if any reported vulnerabilities actually pose a risk to your application. Since vulnerabilities often only become a threat when specific functionalities are used in your code, this analysis will help you prioritize which issues need immediate attention.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in a cyberattack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain section: This section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

☁️ CSPM environment role status: We recently implemented alerts for those cases where users revoke or delete access roles in the cloud (e.g., STS in AWS), roles that allow us to request tokens to scan their infrastructure resources with CSPM. Not having these alerts could mean mostly incomplete or delayed vulnerability scans. Now, for each CSPM environment within the Scope section that presents this problem, you will see the message “Role status: Error”.

Upcoming

📡 Reachability analysis: We'll soon implement a reachability module in our automated tool. It will analyze the components and dependencies we currently report to you in the Supply chain section to confirm whether their vulnerabilities are putting your application at risk. This is because many times vulnerabilities only pose risks when specific functions of such components or dependencies are used in your code. Therefore, this feature will significantly contribute to your prioritization of vulnerability remediation in third-party software.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Implemented

🤖 PHP security scanning: Our SAST tool has leveled up! It can now scan codebases containing PHP to identify vulnerabilities specific to this language. This enhancement expands our testing scope to help you deploy even more secure applications.

🔬 Docker image scanning and SBOM: Now, our automated tool can scan your Docker images, which you can import from any registry that supports username and password authentication with no specific registry restrictions. You only need to provide the registry URL and credentials. Then, you can see in the Supply chain section of our platform a detailed listing (SBOM) of each package contained in the Docker image, including security issues associated with them.

⛓️ Supply chain section: You can see your application's affected and unaffected third-party components and dependencies in this section. We separated these elements and security issues from the rest of the findings because some may pose a risk to your company while others may not, making it easier to prioritize them for treatment. Nowadays, you can view such components and dependencies as a complete list or filter them by repository under assessment.

Upcoming

🧩 Enhanced IntelliJ plugin: We recently implemented our IntelliJ IDEA extension and are improving some of its features. Currently, we are establishing links so your development team can go from the IDE to the platform to see specific findings or receive descriptions of vulnerabilities and suggestions for fixing them in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Implemented

🔄 Legacy filters: We are currently adding legacy filters in the Vulnerabilities section to align with attributes from the Locations section. The filters already implemented correspond to vulnerability locations and techniques with which we detect them. So, for example, from the first section, if you select the DAST option in the Technique filter, you will see all types of vulnerabilities that have at least one case identified using DAST. Consequently, when you access one of these types, the Locations section will display only those vulnerabilities detected with DAST.

🚯 Prevent file deletion: We have implemented a restriction to prevent the deletion of application files linked to specific environments. This allows us to avoid these environments from running out of valid files and becoming unmanageable. In cases where you want to delete files, you must delete the entire environment.

⛓️ Supply chain section: This new section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

Upcoming

🔬 Docker image scanning: Very soon, our automated tool will be able to scan your Docker images. It will not only list the dependencies within the images but also notify the existing security issues, all in our new Supply chain section.

🧩 Enhanced IntelliJ extension: We recently implemented our IntelliJ IDEA plugin and are improving some of its features. Now, we are establishing links so developers can go from the IDE to the platform to view certain findings or receive descriptions of and remediation suggestions for vulnerabilities in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Implemented

🧩 IntelliJ IDEA extension: Our IntelliJ IDEA plugin is now available for your developers. Thanks to it, they will be able to identify affected lines of code or vulnerabilities we report to them without leaving their IDE.

📈 Priority option in the Policies section: This option allows you to select diverse criteria for ranking vulnerabilities on their potential impact on your company. You can customize the values of several variables, which will be reflected (along with estimates such as EPSS) in the figures displayed in the new "Priority" column for each identified vulnerability. This feature helps your teams quickly recognize and address the most critical risks.

⛓️ Supply chain section: This new section highlights security issues related to your applications' third-party components. Separating these problems from other vulnerabilities reduces noise in reports, allowing easier prioritization. There, you can view affected and unaffected components in two ways: as a full list or filtered by root or repository under assessment.

Upcoming

🔬 Docker image scanning: Soon, our automated tool will be able to analyze your Docker images (.tar files). It will not only list the dependencies within the image but also report the existing security vulnerabilities.

⏩ From CVSS 3.1 to CVSS 4.0: The toggle switch we have enabled to view your vulnerabilities based on CVSS v3.1 and CVSS 4.0 will soon disappear. Please keep in mind that we intend to complete this version transition across all of our platform resources in the near future.

Implemented improvements

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in an attack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain security section: In the Supply chain section, you can see all those security issues associated with third-party software components and dependencies in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it difficult to prioritize them. Currently, you have two ways to view these component listings: (a) the complete list and (b) the list where you can separate packages by root or repository under assessment.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is available for each of your groups within the platform (the latter is the default option). Remember that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in CVSS 4.0. We hope you become increasingly familiar with this transition, which we will try to finish soon.

Upcoming improvements

🧩  IntelliJ IDEA plugin: Very soon, you will have enabled our extension for IntelliJ IDEA, which will be available to all developers who use this IDE to manage vulnerabilities (including our GenAI support) reported by our tool and hacking team.

Implemented enhancements

🤖 Custom fix and Autofix support more and more languages: 100% of the programming languages that can be scanned with our SAST tool are currently supported by Custom fix and Autofix (our GenAI-based vulnerability remediation aids).

✅ Vulnerability filter by technique: In order to facilitate your vulnerability management, in the Locations section for each type of vulnerability, we have implemented a new option for you to filter the findings according to the detection techniques (e.g., SAST, SCA, SCR) that allowed us to report them to you.

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

Upcoming enhancements

📈 Improved vulnerability prioritization: The platform will soon enable you to set specific values for vulnerability prioritization criteria within the Policies section. This will result in more accurate figures for each vulnerability —which you will see in the "Priority" column— that better reflect your company's unique needs and principles than a standard CVSS score. This enhanced prioritization will help you make informed decisions on which security issues require immediate attention.

🧩 New IDE plugin: Thanks to our upcoming extension, IntelliJ IDEA users will soon be able to leverage the vulnerability management benefits we offer directly within their IDE, just like those currently enjoyed by VS Code users.

Implemented enhancements

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

In fact, you will soon see that the risk exposure charts in the Analytics sections will reflect substantial decreases because these types of vulnerabilities, we call "Use of software with known vulnerabilities" and "Use of software with known vulnerabilities in development," will be treated separately in the Supply chain section, which we hope you will get used to.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

📮 Mailmap management from the platform: Fluid Attacks' Git mailmap was a plain text file used to organize and unify the names and email accounts of contributing developers or "authors" in Continuous Hacking projects, which was managed within GitLab for billing. Now, the information that was there is part of the database of our platform, where there is already a Mailmap section for easier, faster, and more comfortable management. Today, only Customer Managers can edit the mailmap, while User Managers can view it. However, the latter will soon have the opportunity to manage it on their own, which will also help avoid billing issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tools reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🚫 Free trial account creation is unavailable for clients: Users from current client organizations are not allowed to start our free trial. This will avoid confusion with reports, new group creations, and extra work for both Fluid Attacks and clients. Furthermore, any attempt to do so will be reported to the organization's administrators.

Upcoming enhancements

🤖 Custom fix and Autofix increasingly support more languages: Currently, the GenAI-based vulnerability remediation support channel we offer (Custom fix and Autofix) supports about 70% of the programming languages that can be scanned by our SAST tool. We strive to reach 100% soon and assist you to the utmost possible extent through this valuable means, which you can enjoy in any of our Continuous Hacking plans.

📈 Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform. We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

We've introduced a new feature that allows you to update branches or URLs of repositories under evaluation without affecting existing reports.

Now, you can make necessary updates while preserving all previous findings, as long as the code base remains consistent.

This enhancement ensures smoother processes and uninterrupted insights for your projects.

At Fluid Attacks, we're constantly improving our platform so our clients can benefit more and more.