
Current Multi-Tenant Version | 3.44

New Features and Enhancements

New KPI in Analytics API: Full Vulnerability List with Severity Counters

A new KPI was added to the Analytics API to provide a full list of all vulnerabilities (queries) with counters broken down by severity. Unlike the existing mostCommonVulnerabilities KPI, which is limited to the top 100, this new KPI returns an exhaustive dataset.

Query Editor: Edit Overridden and New Queries

GA: August 24, 2025

The Query Editor now allows editing additional parameters for new and overridden queries. Previously, only the Severity field could be modified after creation. With this update, users can also edit:

  • Query name

  • Severity

  • Executable (Yes/No toggle)

  • CWE ID

  • Description ID

These changes can be made through the UI or via the API.

SCA

Improved Results for Package Usage and Exploitable Path

GA: August 24, 2025

  • In Package results, we now distinguish between packages for which no usage was detected (Not Used) as opposed to packages for which we were not able to calculate usage (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., unsupported language).

  • Similarly, in Risk results, we now distinguish between risks for which no Exploitable Path was detected (Not Found) as opposed to results for which we were not able to calculate whether or not there is an Exploitable Path (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., transitive dependencies are not supported).

Note

This info is shown in the scan results as well as in the Global Inventory.

This improvement prevents users from mistakenly assuming that their project is safe when, in fact, we do not have enough information to draw that conclusion.

IaC

Updated IaC Engine to version 2.1.12.

This version includes enhancements that resolve the following issues:

  • False Positives (FP)

    • ECS Cluster Not Encrypted At Rest (when using task definition ref).

    • Last User Is 'root'.

    • Trusted Microsoft Services Not Enabled.

    • API Gateway Method Does Not Contain an API Key.

    • Web App Not Using Latest TLS Version (ARM).

    • Image Version Not Explicit.

    • S3 Bucket Logging Disabled.

  • False Negatives (FN)

    • Ansible: CloudTrail Multi Region Disabled.

    • Terraform: S3 Bucket Without Restriction of Public Bucket.

    • SSH and RDP exposed to the internet.

  • Query Updates

    • Improved detection of inline rules.

    • Overrides to cloud provider common queries.

  • Performance and Stability

    • High response time and failures when updating multiple KICS results.

    • "Bad Gateway" errors when KICS_COMPUTE_NEW_SIMID feature flag is enabled.

    • Flaky compose tests in kics-results-handler.

    • Scan summary counters not applied to all platforms.

    • IaC scans displaying incorrect results in UI.

    • Files causing IaC scan failures.

    • Unexpected error in iac-runner-nv causing scan failures.

    • Incorrect results in UI.

  • Miscellaneous Fixes

    • Added type assertion verification to certificate element processing.

    • Updated Debian Dockerfile to use stable-slim version.

    • Fixed flaky TestCounter_Start unit test.

    • Updated Go version to address Grype vulnerabilities.

    • Improved symlink handling with early exit return statements.

Resolved issues

Ticket number | Description

AST-102556 | A potential memory leak in ast-reports-processing.

AST-101367 | Corrected issue where exporting CSV results from drill-down views included all vulnerabilities instead of only filtered ones.

AST-100775 | Missing data in the container report.

AST-89801 | Improved report generation to support large reports without failure.

SCA-23512 | Scan results failed to save to the database after multiple retry attempts.

SCA-23493 | Fixed a Windows-specific issue where ScaResolver failed to resolve Bower manifest files.

SCA-23402 | Corrected SourceResolver to properly save the dependency name in ScanResults.

AST-107746 | Scans were getting stuck in the scan queue.

AST-105998 | Resolved a configuration issue causing private (CLI) DAST scans to fail report generation.

AST-105847 | Fixed an issue preventing the ZAP recorder from working with public web targets.

AST-105206 | The Environments page was creating an API Key on every open.

AST-105076 | Authentication was failing due to session and verification mismatches.

AST-104811 | Corrected handling of the default backslash (\) in DAST run commands for terminals where it was not interpreted correctly.

AST-100786 | Updated KICS query to correctly identify inline rules.

AST-100634 | DAST failed to upload scan results.

AST-100062 | Fixed a false positive in KICS for "Image Version Not Explicit".

AST-98817 | Fixed a false negative in KICS for Terraform S3 buckets missing public access restrictions.

AST-98792 | Updated KICS query to correctly detect when a web app is not using the latest TLS version on ARM platforms.

AST-98286 | Fixed false positive in KICS for "API Gateway Method Does Not Contain an API Key".

AST-95994 | An error in iac-runner-nv was causing scans to fail unexpectedly.

AST-94816 | Updated Audit Trail API documentation to include the optional parameters "From" and "To".

AST-94574 | Fixed false positive in KICS for "S3 Bucket Logging Disabled".

AST-91007 | Applied overrides to common KICS queries for cloud providers.

AST-105792 | Fixed issue where tagging a project in the project list page cleared the primary branch setting.

AST-104964 | Enabled opening SCA Results in a separate tab, aligning behavior with SAST Results.

AST-104482 | Resolved issue where the app did not display results in the Risk Management tab in Singapore production.

AST-98340 | Fixed issue where projects with assigned groups displayed an empty value in the "Groups" column on the Projects page.