What's New 🚀🚀


2024-07-21

Support for GitHub Action Vulnerabilities

  • GitHub Action Vulnerabilities are now available to view in the Boost dashboard. This inventory provides awareness into serious threats that might exist in your build pipeline, a historically overlooked place of exploitation. Keeping a close eye on the vulnerabilities in your organization's build pipeline and remediating them is an important component of keeping your organization protected.

Expanded Reachability Analysis -- Now Supports GitLab

  • If you are using the Go programming language and GitLab, Boost now provides reachability insights for vulnerabilities that might exist within your organization's Go source code. This additional context is key to reducing the number of false positives in your account. You can now focus your remediation effort by excluding the vulnerabilities that have little chance of being exploited.

Kubernetes (K8s) Visibility At Your Fingertips

  • Improving upon Boost's support for Kubernetes (K8s), all of the Kubernetes assets that Boost has collected are now visible in the dashboard. Practitioners no longer have to go on scavenger hunts to identify which Kubernetes assets they need to protect -- all of that information is in one place.

Add Developer Fixes to Email Digest

  • One of the key metrics within the Boost dashboard is the number of findings that Boost identified and that were resolved during the pull request process, known in Boost as Developer Fixes. Boost now surfaces this metric in the email digest, giving you a more convenient way of viewing this important piece of information.

UI Improvements

  • The default channel is automatically selected for you when creating a rule to send notifications to a chat integration (e.g. Slack, Teams).
  • When sending a notification in the policy engine, the list of connected channels is now shown to you in the notification modal. Previously, you had to type in the specific channel, but now it is a dropdown of connected channels.
  • On the Scanner Coverage page, the modal showing the list of provisioned scanners has been reduced to only the scanners that have been provisioned. Previously, all provisionable scanners were shown.
  • Gitleaks configuration tuning is now available in the UI. Gitleaks configuration previously had to happen outside of the dashboard, but it can now be edited directly on the Scanner Coverage page, and different configurations can be applied to specific repositories.
  • Template update notifications are now shown on the Scanner Coverage page. This change gives you awareness when a template update is needed. Template updates are issued when enhancements are made to the ZTP process, and the update is completed by reviewing and merging the change in your boost repository.
  • Error messaging has improved when connections between scanners and SCMs (e.g. GitLab, Bitbucket, GitHub, etc.) have been severed. You now have clear awareness of when connections need to be re-established to continue coverage.
  • When removing a chat integration (e.g. Slack, Teams) that is connected to a policy rule, you are now warned that removing the integration will affect your Boost experience.
  • You are now able to view the code languages of repositories that are housed in Azure DevOps (ADO) projects.

2024-06-30

Runtime Visibility into your Kubernetes Environment

  • Identify and manage your high-risk vulnerabilities more effectively by enhancing your vulnerability data with runtime context. This approach provides comprehensive traceability from runtime services back to code owners and vulnerabilities detected during development, enabling you to:

    • Gain visibility into the highest-risk vulnerabilities in production.
    • Identify the developers responsible for specific services within Kubernetes.

Dependency Vulnerability Reachability Detection for Go and Rust

  • Prioritize your top violations by focusing on SCA vulnerabilities verified as reachable by our scanning technologies. While reachability assessments can sometimes miss vulnerabilities (false negatives), they are valuable for identifying exploitable vulnerabilities. This allows you to allocate your resources effectively to reduce risk.

2024-06-09

Expand Supply Chain Inventory Support

  • Building on our GitHub and CircleCI detection, Boost has now added support for GitLab Pipelines and Buildkite! Wherever you manage your build and deployment, Boost will show you what tools you have employed, what access they've been granted, and which repositories they can touch.
  • Your supply chain inventory now reports on configured webhooks within GitHub, so you have insight into where your team has registered webhooks into your SCM and CI environments. NOTE: Existing GitHub users will need to grant one additional permission to the BoostSecurity GitHub application to enable the webhooks feature. Please follow the link in the email you receive from GitHub to grant this permission.

Enhanced SCA

  • The SCA finding details are now more actionable and informative, providing direct guidance to developers about the offending dependency. This includes whether the dependency is being used directly or transitively, and which version updates will resolve the findings. Additionally, detailed context is provided around CVSS, EPSS, and other vulnerability enrichment, enabling your development team to quickly understand and resolve the problem with minimal time and effort.
  • Detection of missing lockfiles, helping you find unexpected gaps in your SBOM and highlighting blind spots in the detection of vulnerable components.

Monorepository Support

  • Monorepository support is now natively available in Boost, enabling users to define the sub-repository structure of their monorepos directly within the application. This provides much greater flexibility and visibility into your security posture within each subrepo, and significantly decreases scanning time when changes are committed within your monorepo.
    • View and manage your monorepository structure from the user interface.
    • Repository structure as code is supported, enabling bulk definition of subrepos via file upload.
    • Subrepo-specific policy and provisioning are supported, treating your subrepos as first-class assets.

Scanner Run Configurations

  • Global scanner configuration settings for timeouts, throttling, and Main vs. Pull Request scanning can now be controlled via the Boost user interface. Per-repository configurations coming very soon!

Usability Enhancements

  • Additional sorting capabilities on the Findings page make it easier to organize the data you want to prioritize and act on.
  • Improvements to permission checks within ADO and GitLab proactively inform the user if they may be missing some visibility into their risk due to insufficient permissions.
  • Scanner Coverage page now remembers your page state as you change filter sets or navigate around the application.

2024-05-17

Enhanced SCA

  • Boost SCA now runs at PR time, giving you greater flexibility to add PR comments or fail builds based on vulnerable packages or the use of unapproved licenses in your source code.

New ZTP Scanner Support

  • OSV-Scanner is now natively bundled and provisionable via Zero Touch Provisioning (ZTP) within BoostSecurity. OSV is an incredibly versatile SCA scanning solution. It natively supports almost a dozen languages and provides a way to support custom lockfiles or other languages through a simple interchange format. OSV can become your sole SCA scanning solution across a broad and varied portfolio of source code! Stay tuned for the upcoming reachability analysis support from OSV as well!

Asset Management

  • A new data management page lets you view orphaned assets and clean up data within BoostSecurity, giving you the most focused and targeted view of your portfolio and risks.

2024-04-16

Data Cleanup

  • There is now more flexibility in managing your scanner coverage data. If you decide to remove scanning tools from your assets, you will have the option to delete any data in the system that came from those scanners. This makes it easier for you to evaluate new findings without worrying about old data.

Supply Chain Inventory

  • Expanded support for GitHub applications showing not only the applications you have enabled within your organizations but also the permissions those applications have been granted, enabling you to identify what exposure you have to those GitHub applications.

Enhanced Built-in SCA

  • The BoostSecurity SCA scanner has added some very useful capabilities, giving you:
    • SBOM malware detection, highlighting known malware within the packages you include in your applications.
    • Policy enhancements to support automation based on detected malware in your open-source components, allowing you to detect malicious packages in pull requests and immediately inform your development team.
    • Policy enhancements to support automation based on direct or transitive dependency vulnerabilities, allowing you to assign different priority or alerting to Violations in direct dependencies versus those that exist only in transitive dependencies.

2024-03-29

Supply Chain Inventory

  • BoostSecurity now natively supports the generation of a comprehensive and searchable list of the components used to build your software. With this feature, you can easily identify third-party components, such as GitHub actions and CircleCI orbs, which can potentially pose a security risk to your build pipeline. This feature provides end-to-end visibility of your entire supply chain, allowing you to quickly and effectively respond to new risks as they are detected.

User Management Improvements

  • Enhancements to user creation and management to allow you to grant administrator access to new users from the BoostSecurity UI as well as review all user account access.

2024-03-07

Scanner Configurations

  • Simplify your scanner configuration by creating global, easy-to-use rule sets for your configurable scanners. This streamlines the provisioning process and enables central control of how your scanners run within Boost.

Improved CI/CD Scanner Provisioning

  • All SCMs can now provision the CI/CD scanner as the default scanner protection for all new organizations and repositories from the Scanner Coverage page, rather than from the integrations view as before.

Scanner Coverage

  • At-a-glance scanner coverage! Gain insight into where your portfolio has coverage, from static analysis to secrets detection to third-party dependencies and much more!
  • Immediately highlight coverage gaps in your program and fill them with a 1-click deployment of built-in scanning and detection technologies to gain up-to-the-minute insights into all areas of your application risk.
  • Mass-provision tailored scanning for your repositories: built-in filters find all repositories of a specific language or framework, allowing you to assign the best scanning technology for that language in one action!

2024-02-16

Policy Improvements

  • Policy changes can now be processed instantly, allowing users to globally adjust the Findings and Violations reported within their boostsecurity.io instance without requiring a new set of scans to update the data.

  • Open Source Security Foundation (OSSF) scoring can now be a part of your policy definition, enabling you to get violation alerts when your third-party dependencies represent a greater risk to your organization.

SCA Findings

  • SCA findings now directly tell you whether they are Transitive or Direct from within the Finding view.

2024-01-27

Policy UI Improvements

  • Improved the experience of creating Policies with significantly reduced page load times.

Super-fast Findings

  • Findings page now loads in a fraction of the time for larger datasets giving a much more responsive and engaging feel to the page.

Suppression By Policy

  • Users can now apply auto-suppression by policy, giving you the freedom to automatically hide lower-risk findings while still being able to quickly call them up for review during triage or audit efforts.

Scan History

  • Scan history now shows the applied policy, providing more readily available insight into how individual scans were processed to produce the Finding and Violation counts you see with your scans.

2023-11-12

ZTP for ADO and Bitbucket

  • ADO and Bitbucket now enjoy the same guided simplicity in scanner provisioning that GitHub and GitLab received previously.

Findings Grouping

  • Created “Group By” view in the Findings page. Findings and Violations can now be grouped together by Rules, Repositories, Images, or Categories, allowing for more robust insights into your current risk exposure.

Security Events

  • Security Events now persist independently of open findings so you never miss a potential gap in your build security.

2023-10-23

Dashboard Improvements

  • Dashboard now provides policy filtering giving you the same system-wide overview metrics you’re used to, but with the ability to narrow that analysis down to specific policies you’ve defined.

Scans View Improvement

  • One-click filtering from scan list page to the findings they produced.

SBOM License Alerts

  • License policies and management capabilities have been added to enable at-a-glance filtering for prohibited licenses, license details within finding and violation information, and, most importantly, the ability to define policy restrictions around certain licenses so you are always automatically notified when a component has been added that carries a forbidden license.

Zero Touch Provisioning (ZTP) Becomes Turn-key

  • Massive ZTP usability updates, starting with GitHub and GitLab: we've now taken the guesswork and frustration out of provisioning new scanning tools into your code bases. Significant improvements to user guidance in our ZTP wizard provide specific instructions, status reporting, and automation around the provisioning process from start to finish.

  • ZTP scan execution throttling is now supported, giving you the control and flexibility to run scans less frequently based on your own criteria to help control costs within your cloud CI environment.

Findings Groupings

  • The “Group By” capability has been added in the findings view. This enables you to group findings by rule id, repository, category and container image when reviewing findings.

SBOM Licenses

  • Expanded SBOM to check for license details and support policy definitions for license types.

2023-10-09

Top Repository Contributors

  • The top contributors to a code repository have been added as part of the details of related findings.

OSSF Scorecard SBOM

  • Added OSSF Scorecard enrichment to SBOM data.

Security Events

  • The Security Events page is now a standalone page.

2023-10-05

PDF Reports

  • A column picker was added for the feature related to sending PDF reports from the scan history. With that change, you can select which columns from the scan history should be included in the report.

SBOM Packages Filter

  • We updated the image displayed in the SBOM service when the filters selected yield no packages to display.

2023-09-27

ADO SCM Integration

  • Expanded ADO SCM integration to allow for full account connection in addition to the previous project-specific connections.

Bitbucket CI/CD

  • Added additional CI/CD checks to Bitbucket.

GitLab SCA Findings

  • GitLab now generates SCA Findings.

SCA Findings generation from SBOM

  • We added the ability to generate SCA findings from SBOM.
  • We also improved the generation of SCA via SBOM.

Black Duck Connector

  • The Black Duck connector integration is added.
  • Black Duck suppressions are now supported.

Findings view: Violations and Findings tab

  • The Findings view is now split into two tabs, one for violations and one for findings.

Project Risk Scoring

  • Each project (resource) now has a risk scoring card.

2023-09-25

Export Findings in a CSV File

  • Get a detailed list of your findings in a structured manner via a .CSV file.

Policy Updated At Column Addition

  • We added the Updated At column to policies to give you a detailed view into when a policy was updated.

Checkmarx Integration

  • Checkmarx has been added to the list of integrations to BoostSecurity.
  • Import of Checkmarx scans can now be triggered by webhooks.

SonarQube Integration

  • A new integration, SonarQube, has been added.
  • Import of SonarQube scans can now be triggered by webhooks.

Snyk Connector Integration

  • A connection between Snyk and BoostSecurity is now available.

Semgrep Commercial Scanner

  • Added support for the Semgrep commercial scanner.

2023-08-09

GitLab Account-Wide Integration

  • Introducing GitLab account-wide integration with a convenient "Select All" option for GitLab in ZTP. To enhance your workflow, make sure to remove existing GitLab installations before proceeding.

  • A Personal Access Token (PAT) with API privileges and access to all organizations is now required for seamless integration.

SAST-Related Findings Deduplication

  • The latest update to the SAST tool includes a new deduplication feature for easier management of related findings.

2023-07-27

ZTP Provisioning for Azure DevOps

  • Zero Touch Provisioning now supports Azure DevOps, offering a streamlined experience for you.

Projects View Optimization

  • The projects page is now optimized to give a centralized overview of the security exposures identified in your projects.

2023-07-10

Policy Version 2 UI

  • Embrace the future of policy management with the all-new Policy UI version 2. Gain unprecedented control and granularity over policy decisions and actions.

  • For new policies, experience the power of the new UI (V2) while retaining visibility and editing capabilities for existing policies created with the old UI.

Checkov Rule Curation

OSV Integration Added

MobSF Integration Added

2023-06-17

Manual Trigger for ZTP Scans

  • ZTP scans can now be triggered manually on the scans page.

SBOM Filtering

  • Filter for SBOM on the SBOM page.

Scanner Provisioning

  • Resolved a duplicate entry when using the UI to provision a scanner.

2023-06-13

Scan History PDF Report

  • Generate and send PDF reports for your scan history effortlessly, enhancing your documentation and reporting capabilities.

Webhook Integration Visibility

  • The Webhook integration is now visible to all users, providing enhanced transparency and ease of use.

Jira Integration

  • The JIRA integration was added to enable defect creation.

2023-06-08

SCA Enrichment Improvements

  • Improve your Software Composition Analysis (SCA) with enriched SCA data. Discover the new Fixable filter and delve into enhanced findings details for SCA and Container-related issues.

Repository PII Information Indication

  • Safeguard sensitive data by adding repository attributes indicating the presence of Personally Identifiable Information (PII).

  • Dive into comprehensive details of findings, now including a dedicated filter and section for PII information, providing better visibility and control.

2023-05-15

  • The CWE Rules database was improved.

2023-05-11

Zero Touch Provisioning for Various Platforms

  • Experience Zero Touch Provisioning on multiple platforms, including GitHub, Bitbucket, and both SaaS and On-Prem versions of GitLab.

2023-05-03

Checkov Scanner for Ansible

  • Improve your Ansible security with the new Checkov scanner module, now available to fortify your projects.

2023-04-21

Microsoft Teams Outbound Notifications

  • Seamlessly integrate BoostSecurity with Microsoft Teams for outbound notifications, ensuring you easily stay in the loop.

2023-04-20

Azure SCM Integration

  • Boost your productivity by connecting your workflow to the Azure SCM integration.

2023-04-12

SBOM Licenses Filter

  • Gain greater control over your Software Bill of Materials (SBOM) with the new licenses filter, providing enhanced insights into your projects.

Findings Snoozing Support

  • Take charge of your Findings management with the new support for snoozing findings. Customize snooze duration and provide justifications for more efficient workflow.

2023-04-06

Security Events Support

  • Security Events are findings that may indicate a potential breach. These events require manual review to ensure no malicious activity has occurred.

2023-03-31

Single-Commit Pull Requests in CircleCI

  • Simplify your development cycle by integrating single-commit pull requests into your CircleCI workflow.

2023-03-30

GitLab Integration

  • Elevate your workflow with our GitLab integration. Seamlessly connect BoostSecurity to GitLab for enhanced protection measures, collaboration, and streamlined workflows.

2023-03-24

Findings View Enhancements

  • Boost your Findings management with bulk suppression capabilities and comprehensive information, including CVE IDs and advisory links.
  • Visualize resources in the Policies > Resources view with easy-to-identify SCM icons.

2023-03-22

Findings View Filters Improvement

  • Enjoy a smooth interface with improved findings view filters that collapse inactive filters by default, ensuring a seamless experience.

Policies Attributes Filter

  • Experience better resource management with the introduction of the attributes filter and attribute display in the Policies > Resources section.
  • Additional attributes include repository visibility, language, and origin for customized policies.

2023-03-20

GitLab Sign-In Feature

  • Simplify your access with the GitLab sign-in feature, allowing you to use your GitLab credentials seamlessly.

2023-03-15

Bitbucket Sign-In Feature

  • Sign in effortlessly using your Bitbucket credentials, streamlining your access to BoostSecurity.

2023-03-14

JIRA Auto-Close Feature

  • Enhance your JIRA integration with the new auto-close feature, enabling seamless closure of JIRA tickets upon resolution or suppression in code/UI.

2023-03-10

Azure DevOps Extension Live

  • Dive into the world of Azure DevOps with our new extension.

2023-03-09

Findings Viewer Filters

  • Empower the analysis of your findings with new EPSS and CVSS score filters, ensuring you focus on what truly matters.

Insight Graph for Violations/Findings

  • The insights page provides an all-new graph describing violations and findings per scanner.

2023-02-28

CVE Information in SBOM

  • Improve your vulnerability analysis with added visibility into CVE information within your SBOM.

2023-02-23

New Dashboard Landing Page

  • The improved landing page summarizes important trends in the state of your software's security.

2023-02-22

Bitbucket Integration

  • Integrate BoostSecurity with Bitbucket, unlocking new features, including support for Main and PR flow, PR comments, check failures, and more.

2022-11-10

New SCA Scanner Module for Golang

  • Introducing a cutting-edge SCA scanner module for Golang, powered by the Nancy scanner.

2022-11-08

New SCA Scanner Module for Python

  • Improve your Python project security with our new SCA scanner module powered by the safety scanner.

2022-11-04

Insight Violations and Findings Statistics

  • Insight violations and findings statistics now exclude suppressed findings and violations.

2022-11-03

npm-audit Scanner Support

  • Improve your package security with support for the npm-audit scanner.

2022-11-02

Source Scanning with Checkov Scanner

  • Discover enhanced source scanning capabilities with our new Checkov scanner module.

Source Scanning with CodeQL Scanner

  • Empower your source code analysis with our new CodeQL scanner module.

2022-11-01

New SCA Scanner Module for Ruby

  • Improve your Ruby projects with our new SCA scanner module powered by bundler-audit.

2022-10-31

Container Image SBOM Scanner

  • Experience seamless container image analysis with our new scanner module, generating component inventories for container images based on Trivy.

2022-10-28

Container Image Scanning with Trivy

  • Streamline your container image security with our new scanner module, providing enhanced container image scanning capabilities.

2022-10-21

New Source Code Scanner Modules

  • Improve your source code analysis with new modules based on Brakeman for Ruby and Gitleaks, ensuring comprehensive security coverage.

2022-10-20

Source Code Scanner for Go

  • Unlock the potential of Go code security with our new source code scanner powered by Gosec.

2022-10-07

Software Bill of Materials (SBOM) Service

  • Introducing our SBOM service and scanner module to provide comprehensive inventory and vulnerability reporting for repositories.