What's new in AppScan on Cloud
Discover upcoming and recently added features.
Updates: AppScan on Cloud announcements, including advance notice
of planned changes and scheduled maintenance that might affect your
workflow, can be found on AppScan News. To be
notified when there is an announcement, you can subscribe to AppScan
News.
Translations: If you are
reading this page in translation, please be aware that it may not
include the latest additions. To see the latest version of this
page, switch to the English version, using the "Change Language"
option at the top right of the menu bar.
New on February 10, 2026
- Static analysis (SAST)
- Static analysis client updated to 8.0.1685.
- Support for SBOM and SARIF reports using get_report.
- Support for Java 25.
-
scan.manifestandscan.manifest.jsonfiles now capture options used during IRGen. - Updates to rules.
New on February 08, 2026
- Platform updates
- Email notifications: You can now configure email preferences centrally. Users can opt in to alerts for specific applications or entire Asset groups. Customize triggers for scan start, completion, and failure so you receive only relevant updates. Proactive monitoring also notifies users automatically when new CVEs are found in previously scanned libraries. This feature replaces the previous per-scan configuration. The updated notifications deliver a concise HTML scan summary directly to users' inboxes, including severity counts and status details.
- Correlation IAST-SAST source code scanners
- The correlation feature has been updated to identify correlations between IAST findings and SAST findings from source code scans.
- Interactive analysis
- IAST Key only: A new option is available to quickly create an IAST session without the need to download a new agent. This update simplifies the setup process, especially for users integrating with environments like the IAST .NET Core Site Extension for Azure App Services, or when utilizing an existing agent. This option is available across all IAST agents for various languages.
- Software Composition Analysis (SCA)
- Malicious libraries now appear when generating an Open source license report.
- Deprecation notice
- The OWASP Top 10 2017 report will be deprecated at the end of March 2026.
New on February 5, 2026
- AppScan Go!
- AppScan Go! updated to version 2.3.1
- Application and SCM repository branch drop-downs are searchable.
- Improvements to error handling for ease-of-use.
- Newer SAClientUtil version prompts for a user decision on an untrusted certificate at startup.
New on February 05, 2026
- Interactive analysis
- IAST for Kubernetes (1.0.11)
- Automated mutation sync: The webhook server
now automatically syncs
MutatingWebhookConfigurationduring rollouts and Helm upgrades with the updated namespace configuration.
- Automated mutation sync: The webhook server
now automatically syncs
- IAST for Kubernetes (1.0.11)
New on February 04, 2026
- Interactive analysis: The IAST agent detects insecure
usage of LLM outputs when generative AI responses
are used in security-sensitive contexts without
proper validation or controls. Support is available
for common OpenAI APIs in Java, .NET, and Node.js,
with more languages and libraries planned in future
releases.
- New IAST .NET agent (1.16.0)
- Support generative AI monitoring for applications using openai-dotnet library.
- Support communication with ASoC through proxy.
- Support RabbitMQ while monitoring Kubernetes issues with Analyzer.
- New IAST Node.js agent (1.14.1)
- Support generative AI monitoring for applications using openai library.
- Dependency update.
- New IAST Java agent (1.22.0)
- Support generative AI monitoring for applications using openai-java library.
- New IAST .NET agent (1.16.0)
New on January 12, 2026
- Software Composition Analysis (SCA)
- SCA vulnerability issues now display links to the relevant GitHub repository instead of cve.org, providing a more actively maintained source of information.
New on January 11, 2026
- AppScan Model Context Protocol (MCP) server is now available for use with your LLM to securely access your security data in ASoC. By accessing it through your IDE, you can get insights about your data, connect it with other MCPs for integrations, and use LLM capabilities to suggest triage and code remediation using the context of the results from ASoC.
- Software Composition Analysis (SCA)
- Proactive monitoring: SCA scans can now be continuously monitored for newly published CVEs affecting the open-source packages you’ve already scanned. Monitoring is enabled by default, this can be toggled per scan (including existing scans).
- Interactive analysis
- You can now download the Node.js agent as a self-contained tarball directly from ASoC for air-gapped or restricted environments without access to the public npm registry.
- General updates
- Scans and sessions page: UX improvements including a new table view for easier filtering and sorting, and a unified view for all scan technologies.
- User management enhancement: You can now edit asset groups per user through the user management page.
- Functional user: Added the ability to create a service account to facilitate automated tasks and system integrations. Available through API only.
- API & Automation:
- API Key authentication: Direct API key authentication via a custom HTTP header eliminates the need for session tokens, making automation scripts and CI/CD integrations simpler and more efficient.
- Create Scan API: The boolean parameter "MultiStep" is deprecated and will be removed in a future release. Update your API calls now to use the "TrafficType" parameter instead, in preparation for the removal of "MultiStep". For more information, see the Swagger page.