What's new in AppScan on Cloud
Discover upcoming and recently added features.
New on April 19, 2026
- User experience updates
- Redesigned user menu.
The API key page is moved to Account settings, located in the user menu.
- New arrangement of the side navigation menu, aligning with recent product improvements.
- Custom Issue fields:
- Custom Issue fields can be updated for multiple issues at once directly from the grid.
- Enable or disable including custom fields in security reports.
- Application page: Highlight applications with stars for easier identification.
- Dynamic analysis (DAST)
- Edit a scan that was originally created from an uploaded scan file.
- Static Analysis (SAST)
- RapidFix: Improved user experience
- Software Composition Analysis (SCA)
- SCA policies
Define custom policies for open-source libraries based on license and license attributes. Policies are evaluated on the latest scan execution, helping teams monitor and enforce open-source compliance requirements.
- SCA download logs
Download scan log files directly from the Manage scan menu. Logs include information from the IRX generation and data collection phase and are available for 60 days.
- CycloneDX support for SBOM reports.
Generate SBOM reports using the popular CycloneDX format, in XML or JSON.
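The following Python sketch is an added example, not AppScan code or the product's policy engine. It shows how a license-based policy of the kind described under SCA policies could be checked against a CycloneDX JSON SBOM. The SBOM content, the deny list and the three verdicts are assumptions constructed for illustration.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM (sample data, not real scan output).
SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "left-pad", "version": "1.3.0",
   "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "gpl-lib", "version": "2.0.0",
   "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"type": "library", "name": "dual-lib", "version": "0.9.1",
   "licenses": [{"expression": "GPL-3.0-only OR Apache-2.0"}]},
  {"type": "library", "name": "vendor-blob", "version": "4.2.0",
   "licenses": [{"license": {"name": "Vendor EULA"}}]},
  {"type": "library", "name": "no-license", "version": "0.0.1"}
]}
""")

# Hypothetical policy: SPDX license IDs the team does not allow.
DENIED = {"GPL-3.0-only", "AGPL-3.0-only"}

def alternatives(component):
    """Return license sets; the component is usable under any one complete set."""
    entries = component.get("licenses", [])
    for entry in entries:
        if "expression" in entry:
            # Assumption: flat SPDX expressions only (no nesting, no WITH).
            # OR separates choices, AND combines terms that all apply.
            return [{t.strip("() ") for t in choice.split(" AND ")}
                    for choice in entry["expression"].split(" OR ")]
    # Several plain license entries are treated conservatively as all applying.
    # Named licenses without an SPDX id are marked UNKNOWN.
    ids = {e.get("license", {}).get("id") or "UNKNOWN" for e in entries}
    return [ids] if ids else []

def evaluate(sbom, denied):
    """Map 'name@version' to 'ok', 'denied' or 'review'."""
    result = {}
    for c in sbom.get("components", []):
        alts = alternatives(c)
        usable = [a for a in alts if not (a & denied)]
        # No license data, or an unidentified license, needs a human decision.
        if not alts or any("UNKNOWN" in a for a in usable):
            verdict = "review"
        else:
            verdict = "ok" if usable else "denied"
        result[f"{c['name']}@{c['version']}"] = verdict
    return result

if __name__ == "__main__":
    print(evaluate(SBOM, DENIED))
```

Components with no license data or a non-SPDX license name are routed to review rather than passed, so missing metadata does not read as compliance.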
New on April 16, 2026
- Static analysis (SAST)
- Static analysis client updated to 8.0.1709
- Version 8.0.1708 contained a bug that caused uploads to fail in some circumstances; it is corrected in 8.0.1709.
- Static analysis client updated to 8.0.1708.
- Improved secrets scanning performance.
New on April 8, 2026
New on April 07, 2026
- IAST for Kubernetes (1.0.13)
- Explicitly state the readOnlyRootFilesystem and automountServiceAccountToken configuration.
- Enable installation into a pre-existing Secagent namespace for restricted or managed Kubernetes environments.
- New IAST Node.js agent (1.14.3)
- Dependency version updates.
New on March 23, 2026
- DAST engine update: Dynamic analysis engine updated to version 10.11.0. This update includes:
- AppScan flags legacy encryption protocols that fail to meet post-quantum security standards.
- Automatic login improvements, including support for the Vue JS framework.
- An Informational alert will be raised upon the discovery of a Swagger/OpenAPI definition file to ensure API visibility.
- New and updated security rules.
New on March 15, 2026
- Custom issue fields:
- Custom fields provide a more granular, tailored view to support your workflows and decision-making. This capability gives you more flexibility in how you categorize, filter, and tag issues. Add attributes to issues to streamline your workflows and improve communication between teams.
- Custom application fields enhancements:
- Added filtering options to help you find applications that include custom fields.
- Platform updates:
- New scan description field added. Use this field to add more context to your scans. It provides additional granularity and helps you find specific scans more easily.
- Compliance reports and policies:
- New compliance report:
- OWASP Top 10 2025
- Plugins:
- New integration for Azure DevOps Boards is now available. This integration lets you import security issues from AppScan on Cloud directly into Azure Boards.
- RapidFix improvements:
- Remediate issues more easily. Fix guidance is now visible immediately without expanding a panel, and Markdown rendering makes complex instructions much easier to read.
New on March 12, 2026
- Static analysis (SAST):
- Static analysis client updated to 8.0.1689.
- Support for F# .fsproj files for SCA analysis (bug fix).
New on February 24, 2026
- Interactive analysis
- New IAST Node.js agent (1.14.2)
- Support for customers using LangChain framework for building LLM-powered applications. For more information, see LLM-Aware IAST: Security at the Point of Impact.
- Dependency update
- Bug fix
New on February 10, 2026
- Static analysis (SAST):
- Static analysis client updated to 8.0.1685.
- Support for SBOM and SARIF reports using get_report.
- Support for Java 25.
- scan.manifest and scan.manifest.json files now capture options used during IRGen.
- Updates to rules.
New on February 08, 2026
- Platform updates
- Email notifications: You can now configure email preferences centrally. Users can opt in to alerts for specific applications or entire Asset groups. Customize triggers for scan start, completion, and failure so you receive only relevant updates. Proactive monitoring also notifies users automatically when new CVEs are found in previously scanned libraries. This feature replaces the previous per-scan configuration. The updated notifications deliver a concise HTML scan summary directly to users' inboxes, including severity counts and status details.
- Correlation IAST-SAST source code scanners
- The correlation feature has been updated to identify correlations between IAST findings and SAST findings from source code scans.
- Interactive analysis
- IAST Key only: A new option is available to quickly create an IAST session without the need to download a new agent. This update simplifies the setup process, especially for users integrating with environments like the IAST .NET Core Site Extension for Azure App Services, or when utilizing an existing agent. This option is available across all IAST agents for various languages.
- Software Composition Analysis (SCA)
- Malicious libraries now appear when generating an Open source license report.
- Deprecation notice
- The OWASP Top 10 2017 report will be deprecated at the end of March 2026.
New on February 5, 2026
- AppScan Go!
- AppScan Go! updated to version 2.3.1
- Application and SCM repository branch drop-downs are searchable.
- Improvements to error handling for ease-of-use.
- Newer SAClientUtil version prompts for a user decision on an untrusted certificate at startup.
New on February 05, 2026
- Interactive analysis
- IAST for Kubernetes (1.0.11)
- Automated mutation sync: The webhook server now automatically syncs MutatingWebhookConfiguration during rollouts and Helm upgrades with the updated namespace configuration.
New on February 04, 2026
- Interactive analysis: The IAST agent detects insecure usage of LLM outputs when generative AI responses are used in security-sensitive contexts without proper validation or controls. Support is available for common OpenAI APIs in Java, .NET, and Node.js, with more languages and libraries planned in future releases.
- New IAST .NET agent (1.16.0)
- Support generative AI monitoring for applications using openai-dotnet library.
- Support communication with ASoC through proxy.
- Support RabbitMQ while monitoring Kubernetes issues with Analyzer.
- New IAST Node.js agent (1.14.1)
- Support generative AI monitoring for applications using openai library.
- Dependency update.
- New IAST Java agent (1.22.0)
- Support generative AI monitoring for applications using openai-java library.
New on January 12, 2026
- Software Composition Analysis (SCA)
- SCA vulnerability issues now display links to the relevant GitHub repository instead of cve.org, providing a more actively maintained source of information.
New on January 11, 2026
- AppScan Model Context Protocol (MCP) server is now available for use with your LLM to securely access your security data in ASoC. By accessing it through your IDE, you can get insights about your data, connect it with other MCPs for integrations, and use LLM capabilities to suggest triage and code remediation using the context of the results from ASoC.
- Software Composition Analysis (SCA)
- Proactive monitoring: SCA scans can now be continuously monitored for newly published CVEs affecting the open-source packages you’ve already scanned. Monitoring is enabled by default and can be toggled per scan (including existing scans).
- Interactive analysis
- You can now download the Node.js agent as a self-contained tarball directly from ASoC for air-gapped or restricted environments without access to the public npm registry.
- General updates
- Scans and sessions page: UX improvements including a new table view for easier filtering and sorting, and a unified view for all scan technologies.
- User management enhancement: You can now edit asset groups per user through the user management page.
- Functional user: Added the ability to create a service account to facilitate automated tasks and system integrations. Available through API only.
- API & Automation:
- API Key authentication: Direct API key authentication via a custom HTTP header eliminates the need for session tokens, making automation scripts and CI/CD integrations simpler and more efficient.
- Create Scan API: The boolean parameter "MultiStep" is deprecated and will be removed in a future release. Update your API calls now to use the "TrafficType" parameter instead, in preparation for the removal of "MultiStep". For more information, see the Swagger page.