🌳 Extended Custom Fix in IDE for vulnerable dependencies: In our VS Code extension, from the Custom Fix panel, you have two types of update suggestions for third-party software packages to address vulnerabilities identified by our SCA:

• Safe update: Implements the next available version of the package that fixes the reported vulnerability without introducing new ones.
• Complete fix: Implements the next available version of the package with no known vulnerabilities.

📡 Percentage of attack surface coverage: At the top of your organization’s groups section on our platform, you can see what percentage of your repositories are being covered in our assessments, how many are out of scope, and a summary of vulnerabilities reported across all your groups.

🗃️ Improvements to the Lines table: The Lines table in the Inventory section now includes two new columns: “Supported” and “Tested.” The former lets you know whether Fluid Attacks supports the language of the file in question, and the latter indicates whether that file has already passed any of our automated tests.

🔙 Two rolled-back deprecations: We had previously announced that Docker image scanning and CSPM testing for all cloud providers would be deprecated. However, we ultimately decided not to proceed with the former and to keep CSPM available only for AWS. Therefore, you can resubmit these types of assets for our security assessment.

❌ Redundancy elimination in VS Code: Our VS Code and Cursor plugins automatically detect the active repository, so they do not display a pop-up window asking you to select the repository to scan.

🌱 New documentation site: All Fluid Attacks documentation is now available in one place: docs.fluidattacks.com.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer onboarding and adoption support for new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember, your review can also be in Spanish.

Implemented

🔧 Smarter package update recommendations: We used to show you a single fix per package. Now you get three options so you can pick the right trade-off for your situation:

• Minimal fix: Patches the reported vulnerable part but may introduce new vulnerabilities.
• Safe update: Patches the vulnerable part without introducing new ones.
• Complete fix: Is the closest version that is entirely free of known vulnerabilities.

This works for both direct and transitive dependencies. For the latter, we show you which direct package pulls in the vulnerable dependency, along with the three remediation versions regarding the transitive dependency, so all you need to do is verify parent compatibility or bump it to the minimum supported version.

Need help understanding this and other features we're bringing? Meet with our Education Specialists for guidance.

✨ Already enjoying AI SAST? Our AI-powered scanner is already finding critical vulnerabilities in groups subscribed to the Advanced plan, with over 90% precision. It does multi-file analysis and works for all our supported languages. Now is the time to update to this plan and start getting those reports!

🤖 Remember to use our Peer Reviewer Assistant: Get it now to comment on GitLab or Azure DevOps merge/pull requests, right on the lines that need attention. This way your team can quickly understand how secure your contribution is. Also, if your team requires all comments to be resolved before merging, it becomes a security gate. 

📦 New package managers supported: We added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec).

🧭 CI Gate setup moved to DevSecOps: The CI Gate token management and installation guide have been relocated from Scope to DevSecOps.

📱 MAST technique in the platform: Findings in mobile apps that were previously marked as 'DAST' are now reported as 'MAST'.

🎨 Severity icons in IntelliJ sidebar (IDE plugin): The IntelliJ plugin sidebar now shows severity icons next to the name of reported weaknesses, so you can compare them more easily.

🔐 More login options for docs and DB: You can now sign in to these websites with Google, Microsoft, LinkedIn, and Bitbucket.

Upcoming

🛠️ New package update options in your IDE: The three fix options we just shipped on the platform will soon be available directly from your IDE.

📚 Embedded library excluded: Our SCA scans depend on libraries being versioned through package managers. If a library's source code is embedded directly in your codebase (i.e., copy-pasted rather than installed as a dependency), it falls outside SCA's detection scope. We'll be reaching out to affected clients to coordinate the necessary adjustments.

Upcoming deprecations

🐳 Docker image scanning: Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

☁️ CSPM (AWS, Azure, GCP): Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

📱 Move now from APK to MAST image: Read the rationale here.

Key info:

• Final deprecation date: April 30
• Use MAST image instead of APK image.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Catching vulnerabilities after a merge is no fun. We have developed a new way to prevent you from injecting them in the first place. Fluid Attacks' Peer Reviewer Assistant spots vulnerabilities during code review and posts SAST and SCA findings as inline comments on your MR/PR, right on the lines that need attention. Reviewers see exactly what vulnerabilities a change would inject, so they can approve or reject with full context. Our Assistant won't block merges on its own, but if your team requires all comments be resolved before merging, it effectively becomes a security gate.

Comments show the security vulnerabilities with a link to our docs, which include recommendations. No separate dashboard to check: The alerts land where you're already at.

What it catches and how:

• SAST scans the changed files for vulnerabilities in your own code.
• SCA checks your dependencies in the same diff.
• Each finding tells you where (file path), what (suggested weakness title), and which line, so reviewers can make informed calls on whether the code should be merged.
• Want to exclude paths? Read our docs to learn how.

Setup takes a minute:

1. Go to the Integrations section on the Fluid Attacks platform.
2. Scroll to the Peer Reviewer Assistant cards.
3. Click Use integration on either the Azure DevOps or GitLab card.

For GitLab, you'll need a Project Access Token per request. For Azure DevOps, it uses OAuth2 Client Credentials (tenant ID + client ID/secret). 

The Peer Reviewer Assistant is a complementary feature, exclusively included in the Advanced plan. Currently available for Azure DevOps and GitLab integrations.

Security feedback, right where code gets reviewed. Set it up now.

Implemented

🤖 Peer Reviewer Assistant: We're bringing tighter security before you go live! This complementary feature adds comments directly to your pull requests with alerts and actionable recommendations, having scanned your would-be contribution with SAST and SCA. This way, it helps reviewers to assess risk before code is merged.

Currently available for Azure DevOps and GitLab integrations. Advanced plan exclusive.

📚 New documentation site is live: All Knowledge Base articles have been migrated to docs.fluidattacks.com. The new website gives us more configuration options that result in a more comfortable browsing experience.

☑️ Prevent accidental rejection of access invitations: We added an extra confirmation step to the platform's invitation flow. This avoids accidental rejections caused by automated email link scanning.

⚠️ Cost warning when changing branches: When you modify branches from a repository in the Scope section, you'll now see a warning and checkboxes clarifying that this action can impact the cost of the service.

Upcoming deprecations

🐳 Docker image scanning: Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

☁️ CSPM (AWS, Azure, GCP): Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

📱 Move now from APK to MAST image: Our mobile app testing image was named "apk," but it also tests .ipa files. Of course, this confused you. We renamed it to MAST (meaning mobile application security testing), in line with industry terminology. Start using the new image from here, as the old one will be deprecated.

Key info:

• Final deprecation date: April 30
• Use MAST image instead of APK image.

Additional information

🤝 New sub-processors: As part of our commitment to transparency in customer data management, we want to inform you that we have engaged new sub-processors. We added Rudol and Logfire, and removed Langchain. For a full picture, visit our Trust Center.

🍪 Cookie policy update: We've expanded our cookie policy. Check it out and reach out to help@fluidattacks.com if you have questions.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Your review would take only 10-15 minutes✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Implemented

✨ AI SAST: Advanced plan clients, this one's for you: Our biggest detection upgrade in a while. The new AI-powered scanner is already finding critical vulnerabilities across your code, such as SQL injections and XSS. Multi-file analysis, all supported languages, 90% precision. It's already in your reports, look for the AI SAST technique. More details here.

🔍 Scanner in the MCP: Our MCP already let you query vulnerability info and our Knowledge Base from tools like VS Code, Cursor, and Claude. Now it also runs our SAST and SCA scanners locally. Devs can ask the MCP to scan and fix their code before committing—catching vulnerabilities instantly without switching tools. Prevent issues before they hit your repo and stay in your flow.

📦 Dependency risk mitigation info in our Database: Vulnerabilities found by our SCA now display patch impact details, letting you know when updates might introduce new issues or breaking changes.

🌳 Dependency paths visualization: Sometimes we report vulnerabilities in packages you didn't install directly. The reason is these security issues are inherited automatically by packages you did install. Now we show you the full chain from your direct dependency down to the vulnerable one. Go to the Packages section and try it.

🗑️ All roles can delete files in Design Map: Users, Group Managers, and Vulnerability Managers can now delete threat model files.

🗃️ Filters for Environments and Files: These sections in Scope now have filters for faster search. Additionally, today you can hide and reorder columns of the Environments table.

Upcoming deprecations

🐳 Docker image scanning: We're retiring Docker image scanning from our solution. In practice, it generated high alert volumes with limited remediation options. As you may know, mitigating risk posed by third-party images usually requires replacing the entire image.

Key info:

• Final deprecation date: March 31
• No action required.

☁️ CSPM (AWS, Azure, GCP): We're deprecating the CSPM technique. Many CSPM findings overlap with misconfigurations detected through IaC analysis, leading to duplicated alerts and noise. This simplifies results so teams can focus on what matters.

Key info:

• Final deprecation date: March 31
• No action required.

Additional information

📜 Privacy policy update: We've expanded our privacy policy. Check it out and reach out to help@fluidattacks.com if you have questions.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Big news for Advanced plan clients: AI SAST is now live.

We built an AI-powered vulnerability scanner that does a lot of what was previously only possible through manual analysis—and does it fast.

Before this, finding SQL injections, XSS, and other critical flaws without false positives typically required human review. Now, AI SAST delivers over 90% precision at automation speed.

How it works:

• Automation speed, expert precision
• Multi-file analysis that understands your entire app
• Works across all our supported languages
• Only real vulnerabilities; no noise

It's already in production. Head to your reports to see the AI SAST technique in action.

Implemented

📱 Smoother mobile app uploads are here: We keep improving the flow to manage your mobile apps! As you may know, we need two versions of your app: one with RASP controls on, one without. Now we remind you of this during upload, and you can specify right there which is which.

📄 Prettier, easier-to-read Executive reports: Executive summary reports just didn't feel like 'Fluid Attacks'. We changed this for a sharper look and readability.

🧩 Reattacks from IntelliJ: We know you have been waiting for this, and we've delivered. You can go and request reattacks from your IDE now! Don't have the plugin yet? Get it.

Upcoming

📦 More detailed dependency update suggestions: Soon, when you open How to fix for a vulnerable dependency, you'll be shown details like how many vulnerabilities are fixed in newer versions, what update options you have, and their impact.

🤖 Dependency Autofix and Custom Fix in your IDE: We know you want to update your dependencies without switching tools. We're developing these features for VS Code, Cursor, and IntelliJ IDEA.

🗃️ Filters for Environments and Files: These subsections in Scope would benefit from some filters. We're on it.

🧩 Autofix on IntelliJ: Thank you for your patience as we work on bringing our AI-powered Autofix to this IDE.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Your review would take only 10-15 minutes✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Implemented

🗃️ More filters for vulnerability prioritization: In the weaknesses table, you now have a filter to immediately see the Top 20 vulnerabilities to be remediated according to your prioritization algorithm settings. Additionally, we offer filters for Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV), and reachability, among others.

🩺 Vulnerability treatments record: For all vulnerabilities that your team has already remediated, you can see the label "Treated" in the Treatment column. Those that appear as "Untreated" are those that have yet to be defined as either accepted or remediated, which you can also see in one of the pie charts in the Analytics section.

📱 Better asset management experience: To evaluate your mobile applications, in addition to uploading binary files (.ipa or .apk), you can give us access to the applications through TestFlight, Firebase, App Store Connect, or Google Play Store. This new option means you don't have to manually modify binaries on the platform every time there is an update; we will always be checking and testing the latest versions.

📉 New condition for plan downgrade: Now, when you switch from the Advanced to the Essential plan, not only will you no longer be able to reattack vulnerabilities that we detected manually (i.e., through PTaaS, secure code review, or reverse engineering), but those vulnerabilities will also automatically disappear from your records on our platform.

Deprecations

• We removed CVSS 3.1 from our API.
• We removed our scanners' old Docker images.

Upcoming

🗄️ Improvements to the asset management: We will continue to enhance the usability of the Scope section of our platform.

🧩 Enhancements to our IDE integrations: Soon, you will be able to use general Autofix and reattacks from IntelliJ. In addition, for both this extension and the VS Code plugin, you will be able to use Autofix for vulnerabilities detected through SCA.

⚠️Fluid Attacks call notice⚠️

Recently, our sales team may have called your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

💯 New priority score: We have defined a new version of our vulnerability prioritization model. It is still based on CVSS and CVSSF scores, but now you can easily customize which of the following criteria have greater weight than others: fixing cost, dependency usage (in build or run), transitivity, EPSS, and KEV.

The Priority column in the weaknesses and vulnerabilities tables shows values in percentiles: the higher the percentile, the higher the remediation priority. For more details, check out these articles on prioritization policy management and vulnerability reporting in our Knowledge Base.

🪾 Safe dependency version: Now, in addition to reporting every vulnerable third-party software component you are using in your application, we show you which of its closest versions is free of known vulnerabilities. Soon, you will also be able to use Autofix from compatible IDEs to apply patches and minor fixes to your dependencies.

🌿 Enhancements to our IntelliJ plugin: We have already enabled Custom Fix—one of our GenAI-based vulnerability remediation support channels—for those who use our extension in IntelliJ IDEA. Soon, we will facilitate Autofix and reattacks features for the same IDE.

⛓️ Identify your vulnerable packages more easily: We continue to improve the user experience in the Inventory section of our platform so that you can make a more intuitive connection between the packages used in your application and their vulnerabilities. Remember that you can also get to know the dependency trees and map component licenses right there.

🏛️ Criteria has been moved: We now have the Fluid Attacks Database site, where you can access all our technical documentation (formerly known as “Criteria” in our Knowledge Base) related to security vulnerabilities, requirements, standards, and fixes. There, you can also stay up to date with all the advisories we collect and disclose.

Upcoming

🔝 Top 20 vulnerabilities: Coming soon, from the Vulnerabilities section on our platform, you will be able to quickly filter the top 20 vulnerabilities to be remediated according to their priority in the group.

⚠️Fluid Attacks call notice⚠️

A few months ago, our sales team may have been calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

🤖 Added "Fix with AI" filter: Now you can prioritize the assignment and remediation of vulnerabilities based on the availability of AI-generated fixes. Within the Vulnerabilities table for each of your groups, in the filter menu, we have included the option “Fix with AI.” This allows you to list the vulnerabilities for which we can help you reduce remediation efforts with our GenAI-powered solutions.

🏗️ Redesigning the Surface section: We have started restructuring the Surface section, now renamed "Inventory" (a concept more aligned with our industry terminology). This section is now divided into two tabs:

• Packages: It shows open-source software components or third-party dependencies and Docker images in use within your repositories, as well as licenses and vulnerabilities associated with them. Here you can also generate SBOMs in a couple of clicks.
• Surface: It provides a technical overview of the target, including languages, lines, inputs, and ports.

Upcoming

🪸 Autofix for SCA results: We will start allowing this automatic remediation option for vulnerabilities found through SCA. Specifically, for those security issues that, in line with Semantic Versioning (SemVer), represent only "minor" changes.

📐 New priority score: We identified some errors to fix in the current mathematical model of our priority score. The new version of the priority model will be based on CVSS, but will incorporate additional criteria such as CVSSF, fixing cost, dependency usage (in build or runtime), transitivity, EPSS, KEV, and reachability. We will remove criteria related to the importance of the repository, detection technique, attack vector, and location impact.

🔩 Enhancements to our IntelliJ integration: Pending modifications for this IDE plugin include integrating it with our Autofix and Custom Fix remediation support, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

Deprecations

📈 "Severity" tab at the weakness level: For years, we have calculated severity for vulnerabilities (weaknesses in specific locations) and not just for general weaknesses (ignoring their location in the software under evaluation). The latter calculation is now obsolete and inaccurate, so we have decided to remove the Severity section from the weakness level and keep it only for the vulnerability level. This will take effect on October 1.

Additional information

💬 On our subprocessors: For Fluid Attacks, transparency is a fundamental principle of security. That is why, in the area of customer data management, we would like to inform you that we have now subscribed to the cloud monitoring subprocessor DataDog and are no longer using Coralogix and Mixpanel. For more information about our subprocessors, please visit our Trust Center.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish: