Catching vulnerabilities after a merge is no fun. We have developed a new way to prevent you from injecting them in the first place. Fluid Attacks' Peer Reviewer Assistant spots vulnerabilities during code review and posts SAST and SCA findings as inline comments on your MR/PR, right on the lines that need attention. Reviewers see exactly what vulnerabilities a change would inject, so they can approve or reject with full context. Our Assistant won't block merges on its own, but if your team requires all comments be resolved before merging, it effectively becomes a security gate.

Comments show the security vulnerabilities with a link to our docs, which include recommendations. No separate dashboard to check: The alerts land where you're already at.

What it catches and how:

• SAST scans the changed files for vulnerabilities in your own code.
• SCA checks your dependencies in the same diff.
• Each finding tells you where (file path), what (suggested weakness title), and which line, so reviewers can make informed calls on whether the code should be merged.
• Want to exclude paths? Read our docs to learn how.

Setup takes a minute:

1. Go to the Integrations section on the Fluid Attacks platform.
2. Scroll to the Peer Reviewer Assistant cards.
3. Click Use integration on either the Azure DevOps or GitLab card.

For GitLab, you'll need a Project Access Token per request. For Azure DevOps, it uses OAuth2 Client Credentials (tenant ID + client ID/secret). 

The Peer Reviewer Assistant is a complementary feature, exclusively included in the Advanced plan. Currently available for Azure DevOps and GitLab integrations.

Security feedback, right where code gets reviewed. Set it up now.

Implemented

🤖 Peer Reviewer Assistant: We're bringing tighter security before you go live! This complementary feature adds comments directly to your pull requests with alerts and actionable recommendations, having scanned your would-be contribution with SAST and SCA. This way, it helps reviewers to assess risk before code is merged.

Currently available for Azure DevOps and GitLab integrations. Advanced plan exclusive.

📚 New documentation site is live: All Knowledge Base articles have been migrated to docs.fluidattacks.com. The new website gives us more configuration options that result in a more comfortable browsing experience.

☑️ Prevent accidental rejection of access invitations: We added an extra confirmation step to the platform's invitation flow. This avoids accidental rejections caused by automated email link scanning.

⚠️ Cost warning when changing branches: When you modify branches from a repository in the Scope section, you'll now see a warning and checkboxes clarifying that this action can impact the cost of the service.

Upcoming deprecations

🐳 Docker image scanning: Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

☁️ CSPM (AWS, Azure, GCP): Read the rationale here.

Key info:

• Final deprecation date: March 31
• No action required.

📱 Move now from APK to MAST image: Our mobile app testing image was named "apk," but it also tests .ipa files. Of course, this confused you. We renamed it to MAST (meaning mobile application security testing), in line with industry terminology. Start using the new image from here, as the old one will be deprecated.

Key info:

• Final deprecation date: April 30
• Use MAST image instead of APK image.

Additional information

🤝 New sub-processors: As part of our commitment to transparency in customer data management, we want to inform you that we have engaged new sub-processors. We added Rudol and Logfire, and removed Langchain. For a full picture, visit our Trust Center.

🍪 Cookie policy update: We've expanded our cookie policy. Check it out and reach out to help@fluidattacks.com if you have questions.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Your review would take only 10-15 minutes✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Implemented

✨ AI SAST: Advanced plan clients, this one's for you: Our biggest detection upgrade in a while. The new AI-powered scanner is already finding critical vulnerabilities across your code, such as SQL injections and XSS. Multi-file analysis, all supported languages, 90% precision. It's already in your reports, look for the AI SAST technique. More details here.

🔍 Scanner in the MCP: Our MCP already let you query vulnerability info and our Knowledge Base from tools like VS Code, Cursor, and Claude. Now it also runs our SAST and SCA scanners locally. Devs can ask the MCP to scan and fix their code before committing—catching vulnerabilities instantly without switching tools. Prevent issues before they hit your repo and stay in your flow.

📦 Dependency risk mitigation info in our Database: Vulnerabilities found by our SCA now display patch impact details, letting you know when updates might introduce new issues or breaking changes.

🌳 Dependency paths visualization: Sometimes we report vulnerabilities in packages you didn't install directly. The reason is these security issues are inherited automatically by packages you did install. Now we show you the full chain from your direct dependency down to the vulnerable one. Go to the Packages section and try it.

🗑️ All roles can delete files in Design Map: Users, Group Managers, and Vulnerability Managers can now delete threat model files.

🗃️ Filters for Environments and Files: These sections in Scope now have filters for faster search. Additionally, today you can hide and reorder columns of the Environments table.

Upcoming deprecations

🐳 Docker image scanning: We're retiring Docker image scanning from our solution. In practice, it generated high alert volumes with limited remediation options. As you may know, mitigating risk posed by third-party images usually requires replacing the entire image.

Key info:

• Final deprecation date: March 31
• No action required.

☁️ CSPM (AWS, Azure, GCP): We're deprecating the CSPM technique. Many CSPM findings overlap with misconfigurations detected through IaC analysis, leading to duplicated alerts and noise. This simplifies results so teams can focus on what matters.

Key info:

• Final deprecation date: March 31
• No action required.

Additional information

📜 Privacy policy update: We've expanded our privacy policy. Check it out and reach out to help@fluidattacks.com if you have questions.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Big news for Advanced plan clients: AI SAST is now live.

We built an AI-powered vulnerability scanner that does a lot of what was previously only possible through manual analysis—and does it fast.

Before this, finding SQL injections, XSS, and other critical flaws without false positives typically required human review. Now, AI SAST delivers over 90% precision at automation speed.

How it works:

• Automation speed, expert precision
• Multi-file analysis that understands your entire app
• Works across all our supported languages
• Only real vulnerabilities; no noise

It's already in production. Head to your reports to see the AI SAST technique in action.

Implemented

📱 Smoother mobile app uploads are here: We keep improving the flow to manage your mobile apps! As you may know, we need two versions of your app: one with RASP controls on, one without. Now we remind you of this during upload, and you can specify right there which is which.

📄 Prettier, easier-to-read Executive reports: Executive summary reports just didn't feel like 'Fluid Attacks'. We changed this for a sharper look and readability.

🧩 Reattacks from IntelliJ: We know you have been waiting for this, and we've delivered. You can go and request reattacks from your IDE now! Don't have the plugin yet? Get it.

Upcoming

📦 More detailed dependency update suggestions: Soon, when you open How to fix for a vulnerable dependency, you'll be shown details like how many vulnerabilities are fixed in newer versions, what update options you have, and their impact.

🤖 Dependency Autofix and Custom Fix in your IDE: We know you want to update your dependencies without switching tools. We're developing these features for VS Code, Cursor, and IntelliJ IDEA.

🗃️ Filters for Environments and Files: These subsections in Scope would benefit from some filters. We're on it.

🧩 Autofix on IntelliJ: Thank you for your patience as we work on bringing our AI-powered Autofix to this IDE.

⚠️Fluid Attacks call notice⚠️

Our sales team may be calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Your review would take only 10-15 minutes✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Remember your review can also be in Spanish.

Implemented

🗃️ More filters for vulnerability prioritization: In the weaknesses table, you now have a filter to immediately see the Top 20 vulnerabilities to be remediated according to your prioritization algorithm settings. Additionally, we offer filters for Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV), and reachability, among others.

🩺 Vulnerability treatments record: For all vulnerabilities that your team has already remediated, you can see the label "Treated" in the Treatment column. Those that appear as "Untreated" are those that have yet to be defined as either accepted or remediated, which you can also see in one of the pie charts in the Analytics section.

📱 Better asset management experience: To evaluate your mobile applications, in addition to uploading binary files (.ipa or .apk), you can give us access to the applications through TestFlight, Firebase, App Store Connect, or Google Play Store. This new option means you don't have to manually modify binaries on the platform every time there is an update; we will always be checking and testing the latest versions.

📉 New condition for plan downgrade: Now, when you switch from the Advanced to the Essential plan, not only will you no longer be able to reattack vulnerabilities that we detected manually (i.e., through PTaaS, secure code review, or reverse engineering), but those vulnerabilities will also automatically disappear from your records on our platform.

Deprecations

• We removed CVSS 3.1 from our API.
• We removed our scanners' old Docker images.

Upcoming

🗄️ Improvements to the asset management: We will continue to enhance the usability of the Scope section of our platform.

🧩 Enhancements to our IDE integrations: Soon, you will be able to use general Autofix and reattacks from IntelliJ. In addition, for both this extension and the VS Code plugin, you will be able to use Autofix for vulnerabilities detected through SCA.

⚠️Fluid Attacks call notice⚠️

Recently, our sales team may have called your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

💯 New priority score: We have defined a new version of our vulnerability prioritization model. It is still based on CVSS and CVSSF scores, but now you can easily customize which of the following criteria have greater weight than others: fixing cost, dependency usage (in build or run), transitivity, EPSS, and KEV.

The Priority column in the weaknesses and vulnerabilities tables shows values in percentiles: the higher the percentile, the higher the remediation priority. For more details, check out these articles on prioritization policy management and vulnerability reporting in our Knowledge Base.

🪾 Safe dependency version: Now, in addition to reporting every vulnerable third-party software component you are using in your application, we show you which of its closest versions is free of known vulnerabilities. Soon, you will also be able to use Autofix from compatible IDEs to apply patches and minor fixes to your dependencies.

🌿 Enhancements to our IntelliJ plugin: We have already enabled Custom Fix—one of our GenAI-based vulnerability remediation support channels—for those who use our extension in IntelliJ IDEA. Soon, we will facilitate Autofix and reattacks features for the same IDE.

⛓️ Identify your vulnerable packages more easily: We continue to improve the user experience in the Inventory section of our platform so that you can make a more intuitive connection between the packages used in your application and their vulnerabilities. Remember that you can also get to know the dependency trees and map component licenses right there.

🏛️ Criteria has been moved: We now have the Fluid Attacks Database site, where you can access all our technical documentation (formerly known as “Criteria” in our Knowledge Base) related to security vulnerabilities, requirements, standards, and fixes. There, you can also stay up to date with all the advisories we collect and disclose.

Upcoming

🔝 Top 20 vulnerabilities: Coming soon, from the Vulnerabilities section on our platform, you will be able to quickly filter the top 20 vulnerabilities to be remediated according to their priority in the group.

⚠️Fluid Attacks call notice⚠️

A few months ago, our sales team may have been calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure in which we will never seek to discuss your software's vulnerabilities. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

🤖 Added "Fix with AI" filter: Now you can prioritize the assignment and remediation of vulnerabilities based on the availability of AI-generated fixes. Within the Vulnerabilities table for each of your groups, in the filter menu, we have included the option “Fix with AI.” This allows you to list the vulnerabilities for which we can help you reduce remediation efforts with our GenAI-powered solutions.

🏗️ Redesigning the Surface section: We have started restructuring the Surface section, now renamed "Inventory" (a concept more aligned with our industry terminology). This section is now divided into two tabs:

• Packages: It shows open-source software components or third-party dependencies and Docker images in use within your repositories, as well as licenses and vulnerabilities associated with them. Here you can also generate SBOMs in a couple of clicks.
• Surface: It provides a technical overview of the target, including languages, lines, inputs, and ports.

Upcoming

🪸 Autofix for SCA results: We will start allowing this automatic remediation option for vulnerabilities found through SCA. Specifically, for those security issues that, in line with Semantic Versioning (SemVer), represent only "minor" changes.

📐 New priority score: We identified some errors to fix in the current mathematical model of our priority score. The new version of the priority model will be based on CVSS, but will incorporate additional criteria such as CVSSF, fixing cost, dependency usage (in build or runtime), transitivity, EPSS, KEV, and reachability. We will remove criteria related to the importance of the repository, detection technique, attack vector, and location impact.

🔩 Enhancements to our IntelliJ integration: Pending modifications for this IDE plugin include integrating it with our Autofix and Custom Fix remediation support, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

Deprecations

📈 "Severity" tab at the weakness level: For years, we have calculated severity for vulnerabilities (weaknesses in specific locations) and not just for general weaknesses (ignoring their location in the software under evaluation). The latter calculation is now obsolete and inaccurate, so we have decided to remove the Severity section from the weakness level and keep it only for the vulnerability level. This will take effect on October 1.

Additional information

💬 On our subprocessors: For Fluid Attacks, transparency is a fundamental principle of security. That is why, in the area of customer data management, we would like to inform you that we have now subscribed to the cloud monitoring subprocessor DataDog and are no longer using Coralogix and Mixpanel. For more information about our subprocessors, please visit our Trust Center.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

↔️ One image for each technique: To optimize the speed of our scans, both locally and in CI/CD pipelines, we decided to separate our tools, that is, to create a Docker image for each of our techniques. Each new image now displays CVSS 4.0 scores, and the SCA image provides details about the packages being evaluated, including the EPSS, the type of dependency, and the package version. On November 1, we will deprecate the current Docker image; therefore, we recommend that you initiate the transition soon.

⚠️ Improvements to the table of vulnerabilities: Above the table of vulnerabilities, you can now see a summary for each of your groups, including the number of weaknesses and vulnerabilities we have identified, how many of them you have already remediated, how many you can fix with the help of our GenAI, and how much risk exposure that group poses to your organization, among other things. Additionally, after right-clicking on each weakness in the table, you can open a new tab that will show all the vulnerabilities associated with it.

👩🏽‍🔧 Fixing support for all prioritized languages: Our GenAI features, Autofix and Custom Fix, now can work for all our prioritized supported languages.

🔧 Enhancements to Custom Fix from the platform: We have optimized the way we offer and present these AI-based vulnerability remediation guides to make your experience easier and more enjoyable.

🌳 Renewed IDE extension: Fluid Attacks' plugin for IntelliJ now supports the new version of this IDE.

❌ Zero risk notification: We introduced a new webhook event that notifies you when a vulnerability in your reports is marked as a true false positive (aka “true zero risk”).

Squashed bugs

✔️ Custom Fix broken: The Get Custom Fix button in our Visual Studio Code extension for generating vulnerability remediation guides was not working correctly.

✔️ Faulty root filter: The search bar in the Git Roots table did not filter when URL elements were entered into it.

✔️ Blank screen: In some cases, the platform ended up loading a blank screen instead of the expected content.

Promised but not implemented yet / Upcoming

🌿 Enhancements to our IntelliJ integration: Pending improvements for this IDE plugin include integrating it with our Autofix and Custom Fix remediation support, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

💯 New priority score: Several errors were identified that need to be corrected in the current mathematical model for this score. The new version of the priority model will be based on CVSS, but will incorporate additional criteria such as CVSSF, fixing cost, dependency usage (in build or runtime), transitivity, EPSS, KEV, and reachability. We will remove criteria related to the importance of the repository, detection technique, attack vector, and location impact.

🪾 Autofix for SCA results: We will begin enabling this automatic remediation option for vulnerabilities found through SCA. Specifically, for those flaws that, in line with Semantic Versioning (SemVer), represent only "minor" changes or updates.

🤖 Autofix filter: In the table of vulnerabilities, you will be able to easily filter security issues that have the automated remediation option provided by GenAI available.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

🔝 OWASP Top 10 for LLM applications report: We have included this relatively recent OWASP list as security criteria in our security testing. While several of the vulnerabilities that LLM applications and GenAI may have were already reported by us, we introduce these new types to our radar:

• 452. Prompt injection
• 453. Data and model poisoning
• 454. Improper output handling
• 455. Excessive LLM agency
• 456. AI misinformation

It is worth mentioning that the detection of some of these types of vulnerabilities depends on the tests performed by our pentesters, offered only in our Advanced plan.

🤖 MCP answers based on the KB: Our newly implemented Model Context Protocol (MCP) server is now able to answer your questions by resorting to information we have stored within our Knowledge Base.

Squashed bugs

✔️ Faulty group filter: When trying to find a group in the table through the search engine, it was not taking into account the characters that were part of the description of each group to deliver results.

✔️ Invalid compliance metrics: At least one of the standards within the Compliance list was showing an incorrect percentage value, so a general readjustment was made.

Promised but not implemented yet / Upcoming

👩🏽‍🔧 Fixing support for all prioritized languages: At Fluid Attacks, we currently have a list of prioritized supported languages. What we are looking to achieve is for the GenAI features Autofix and Custom Fix to work for all of these languages (our Knowledge Base already has many more examples of vulnerability remediation).

🌳 Enhancements to our IntelliJ integration: Pending improvements for this IDE plugin include integrating it with our Autofix and Custom fix remediation support, making it compatible with newer versions, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish: