Skip to content

What's New 🚀🚀


2024-12-05

BoostSecurity Scanner Evolved!

  • We’ve taken all the native scanning we’ve built over the years such as Supply Chain Inventory, CI/CD, SCA from Supply Chain, SCA from SBOM, and many others, and we’ve consolidated them into one powerhouse Supply Chain scanner with all the following features:

    • Automatically on for all new assets or connections
    • Seamlessly build and maintain your software supply chain inventory
    • Automatically enriches your SBOM data with SCA, license, malware, EPSS, and OpenSSF scorecard

All current clients should read our migration guide so you can take full advantage of this new comprehensive scanning solution!

2024-11-25

Enhanced Triage Support

  • Our clients have asked, and we’ve listened! This sprint has been largely about triage workflow improvements for our customers, from allowing manual overrides of severities, to providing far more actionable guidance in both the UI and in the downstream notification systems (Slack, Jira, Teams, etc.)

    • While our built-in rules for identifying the greatest risks in your application development code, pipeline, and runtime do the lion’s share of the work, and what’s left can usually be handled by your own automation and rules leveraging our industry leading policy engine, sometimes you just want to set your own severity on a specific item.

      Now you can, with individual and bulk severity and confidence override support!

    • Even more detailed remediation guidance in your defect trackers and notifications, so developers have everything they need in their existing tools.

    • Clear justifications explaining why our automatically flagged “Critical Risks” are considered so critical and risky.

Full Traceability to Direct Dependency

  • Our SCA results now provide you the specific direct dependency you need to update for all transitive dependency findings. No need to crawl the tree yourself, now you can look just at our Transitive Through information on the Findings and SBOM pages to know exactly what to target to remove your transitive vulnerabilities.

2024-11-12

Code to Cloud - Integration with Wiz

  • As one of the industry leaders in cloud security, Wiz is an excellent partner for Boost to enhance user experience through runtime enrichment. Boost now integrates with Wiz, allowing you to access all the runtime benefits you currently receive from our direct Kubernetes (K8s) connection—without needing to involve your K8s administrator!

Code to Cloud - Manual Mapping

  • Gain Runtime Enrichment of your risk picture even if you cannot enforce the use of OCI labels in your image build process! Now all users who have configured Runtime connections with Boost (either K8s or Wiz today), will have the ability to enrich their detected vulnerabilities with the knowledge of if and where they are in your runtime environment, as well as detection of if any services have public routes to the internet!

Code to Cloud - K8s Support for Istio

  • While we’re on a roll with giving you all the options to enrich your application findings with Runtime awareness, we’ve added support for Istio with our K8s connector.

Compliance reporting

  • Boost now supports viewing and managing your compliance with the CIS Software Supply Chain benchmark!
  • Automatic control mapping to the data within Boost enables you to review your compliance coverage directly within the platform.
  • View your coverage by control or by asset to quickly identify and resolve any instances of non-compliance within your portfolio.

Enhancements

2024-10-10

Automatic Detection of Personally Identifiable Information (PII)

  • Introducing PII detection within the platform enabling automatic labeling of findings associated with resources holding or interacting with PII Triage, filter, and build policy around risks associated with PII data.

Google Cloud Artifact Registry (GAR) Support - Code to Cloud Capability

  • Expanding our support for container registries, Boost now connects natively to Google’s Artifact Registry supporting Container metadata ingestion.
  • Enable Boost’s existing code-to-runtime capabilities with your Google Cloud containers.

ECR Quick Link Connection Support

  • Simplify your ECR connection process with CloudFormation using Quick Link. Just select your AWS region and check the defaults to get a rapid integration with Boost!

Triage Workflow Enhancements

  • Security professionals reviewing findings within Boost can now identify those findings that have been reviewed, removing the possibility of wasting time re-evaluating a finding that has already been reviewed.
  • Users can now filter on Organization from the findings details view.

2024-09-20

Critical Risk Issues

  • Some risks are too significant to ignore. Building on our class-leading policy engine and features such as code-to-runtime correlation and secrets validation, Boost now automatically distills for your AppSec program those detected risks that must take priority over all others. Automatically distilling tens of thousands of findings down to the handful that simply must be addressed today, our Issues feature puts your greatest risks right at your fingertips!

Automatic Scanner Provisioning

  • Boost now supports user configuration to automate the assignment of scanner coverage when new repositories are discovered. With this powerful automation, you can ensure that every created asset immediately and automatically receives the security coverage your program requires. Sit back and relax, safe in the knowledge that when new repositories are created, you will always know when unacceptable risks exist within them.

Secrets Detection Improvements

  • UI-driven customization of GitLeaks configuration to provide greater flexibility in what you prioritize and how you detect stored secrets Our secrets validation feature is now on by default for all users, ensuring that active secrets can automatically bubble up to the top of your priority list. If for any reason, you do not want Boost to validate your secrets, you can now disable this behavior from directly within the UI Further improvements to Secrets management provide developers with more actionable information within JIRA, Slack, Teams, and webhook notifications.

2024-08-30

Enhanced Provisioning Experience

  • Automated scanner coverage is now available across a broad range of coverage types! With the power to truly “set it and forget it”, Boost now allows its users to enable auto-provisioning. This means your static analysis, secrets detection, license checking, SBOM generation, SCA detection, Supply Chain Inventory, and SCM or CI/CD configurations! Turn it on, and know you always have the greatest visibility into areas of potential weakness in your application portfolio.

Enhanced Secrets Experience

  • Automated secrets validation helps to minimize unnecessary alerts related to stored secrets in your source code by identifying which secrets can actually provide access to the service they are meant for. This update reduces the number of false detections by highlighting known valid secrets!

  • Greater detail in secret classification now enables you to create policy and triage your secrets findings based on the type of secret we detected. Review all suspected Google API keys at once, or create a policy that specifically alerts around detected slack application tokens, and dozens more!

Enhanced AI Component Management

  • Asset Management asset filtering based on AI components used in your code.
  • Policy support for AI model detection.

Improved Dockerfile / Container Scan results Capabilities

  • More actionable container vulnerability reporting. Boost has improved the data shown for an Image's SCA vulnerability by providing the contents of the line of code that is responsible for introducing the vulnerability. This information will enable your team to triage issues more quickly because the source of the vulnerability is front and center, no longer requiring an investigation of an image's layer ID.

2024-08-09

Funnel Graph

  • Visually see how Boost reduces noise from your data, allowing you to focus on only the things that are important to your organization. With three separate funnel graphs for SCA, SAST, and Secret data, you’re equipped with the insight to understand what’s happening in your organization at the highest level.

Expanding Support for Top Contributors

  • Top repository contributors are very useful metadata values to determine whom to address a security concern. Until now, Boost would only show this information for GitHub repositories, but we’ve now expanded support to show who the top contributors are in ADO, BitBucket, and GitLab!

Enhanced Asset Management

  • Boost is adding significant enhancements to your asset management experience. Now you’re able to filter your asset data on code frameworks, the use of AI components, and use of Personal Identifiable Information (PII) giving you the ability to focus on the areas of your organization that matter most.

  • The Export API feature has been introduced.

Improve Your Gen AI and ML Defenses

  • Boost now collects information within your repositories to detect any associated AI components in your Supply Chain Inventory, the 3rd-party SaaS APIs being used, the APIs that are exposed, and the code frameworks that are being used.

  • Boost now allows you to provision the Modelscan scanner across your entire organization, giving you the ability to identify any vulnerabilities that might be present within any one of the machine learning (ML) models that your organization is using.

2024-07-21

Support for GitHub Action Vulnerabilities

  • GitHub Action Vulnerabilities are now available to view in the Boost dashboard. This inventory provides awareness into serious threats that might exist in your build pipeline, a historically overlooked place of exploitation. Keeping a close eye on the vulnerabilities in your organization's build pipeline and remediating them is an important component of keeping your organization protected.

Expanded Reachability Analysis -- Now Supports GitLab

  • If you are using the Golang programming language and GitLab, Boost provides reachability insights for vulnerabilities that might exist within your organization's Golang source code. This additional context is paramount in reducing the amount of false positives in your account. Now you can improve your focus of remediating vulnerabilities by excluding the vulnerabilities that have little chance of being exploited.

Kubernetes (K8s) Visibility At Your Fingertips

  • Improving upon Boost's support for Kubernetes (K8s), all of the Kubernetes assets that Boost has collected is now visible in the dashboard. Practitioners no longer have to adventure on scavenger hunts to identify what Kubernetes assets they need to protect -- all of that information is in one place.

Add Developer Fixes to Email Digest

  • One of the key metrics within the Boost dashboard is the number of findings that Boost identified and were resolved during the pull request process, what is known in Boost as Developer Fixes. Boost is now surfacing this metric to you in the email digest, providing you with a more convenient method of viewing this important piece of information.

UI Improvements

  • The default channel is automatically selected for you when creating a rule to send notifications to a chat integration (e.g. Slack, Teams).
  • When sending a notification in the policy engine, the list of connected channels is now shown to you in the notification modal. Previously, you had to type in the specific channel, but now it is a dropdown of connected channels.
  • On the Scanner Coverage page, the modal showing the list of provisioned scanners has been reduced to only the scanners that have been provisioned. Previously, all provisionable scanners were shown.
  • Gitleaks configuration tuning now available in the UI. Gitleaks configuration previously needed to happen outside of the dashboard, but now can be edited directly on the Scanner Coverage page and different configurations can be applied to specific repositories.
  • Template update notifications will now be shown on the Scanner Coverage page. This change will give you awareness when a template update is needed. Template updates are done when enhancements are made to the ZTP process and the updates can be completed by reviewing and merging the change in your boost repository.
  • Error messaging has improved when connections between scanners and SCMs (e.g. GitLab, BitBucket, GitHub, etc.) have been severed. Now you will have acute awareness into when connections need to be revised to continue coverage.
  • When removing a chat integration (e.g. Slack, Teams) that is connected to a policy rule, you are now warned that removing the integration will affect your Boost experience.
  • You are now able to view the code languages of repositories that are housed in Azure DevOps (ADO) projects.

2024-06-30

Runtime Visibility into your Kubernetes Environment

  • Identify and manage your high-risk vulnerabilities more effectively by enhancing your vulnerability data with runtime context. This approach provides comprehensive traceability from runtime services back to code owners and vulnerabilities detected during development, enabling you to:

    • Gain visibility into the highest-risk vulnerabilities in production.
    • Identify the developers responsible for specific services within Kubernetes.

Dependency Vulnerability Reachability Detection for Go and Rust

  • Prioritize your top violations by focusing on SCA vulnerabilities verified as reachable by our scanning technologies. While reachability assessments can sometimes miss vulnerabilities (false negatives), they are valuable for identifying exploitable vulnerabilities. This allows you to allocate your resources effectively to reduce risk.

2024-06-09

Expand Supply Chain Inventory Support

  • Building on our GitHub and Circle CI detection, Boost has now added support for Gitlab Pipelines, and BuildKite! Now wherever you manage your build and deployment, Boost will show you what tools you have employed, what access they’ve been granted, and which repositories they can touch!
  • Your supply chain inventory now reports on configured webhooks within GitHub so you have insight into where your team has registered webhooks into your SCM and CI environments. NOTE: Existing GitHub users will need to grant one additional permission to the Boostsecurity GitHub application to enable the webhooks feature. Please follow the link in the email you receive from GitHub to grant this permission

Enhanced SCA

  • The SCA finding details are now more actionable and informative, providing direct guidance to developers about the offending dependency. This includes whether the dependency is being used directly or transitively, and which version updates will resolve the findings. Additionally, detailed context is provided around CVSS, EPSS, and other vulnerability enrichment, enabling your development team to quickly understand and resolve the problem with minimal time and effort.
  • Detection of missing lockfiles helping you gain visibility into where unexpected gaps may exist in your SBOM and highlight blindspots for detecting vulnerable components.

Monorepository Support

  • Monorepository Support is now natively available in Boost, enabling users to define sub-repository structures of their monorepos directly within the application. This will provide unprecedented flexibility and visibility on your security posture within each sub repo, as well as significantly decrease scanning time when changes are committed within your monorepo.
    • User-interface enabled view and management of your Monorepository structure.
    • Repository structure as code supported enabling bulk definition of subrepos via file upload.
    • Subrepo-specific policy and provisioning supported, treating your subrepos as first-class citizen assets.

Scanner Run Configurations

  • Global scanner configuration settings for timeouts, throttling, and Main vs. Pull Request scanning can now be controlled via the Boost user interface. Per-repository configurations coming very soon!

Usability Enhancements

  • Additional sorting capabilities in the Findings page to make it easier to organize the data to prioritize and take action on.
  • Improvements to permissions checks within ADO and Gitlab to proactively inform the user if they may be missing some visibility into their risk due to insufficient permissions.
  • Scanner Coverage page now remembers your page state as you change filter sets or navigate around the application.

2024-05-17

Enhanced SCA

  • PR time Boost SCA, giving you greater flexibility to inject PR comments or fail builds based on vulnerable packages or use of unapproved licenses in your source code.

New ZTP Scanner Support

  • OSV-Scanner is now natively bundled and provisionable via Zero Touch Provisioning (ZTP) within BoostSecurity. OSV is an incredibly versatile SCA scanning solution. It natively supports almost a dozen languages and provides a means to support custom lockfiles or other languages with a simple interchange format. OSV can become your sole SCA scanning solution across a broad and varied portfolio of source code! Stay tuned to the upcoming reachability analysis support from OSV as well!

Asset Management

  • A new data management page to view orphaned assets and clean up data within BoostSecurity to give you the most focused and targeted view of your portfolio and risks.

2024-04-16

Data Cleanup

  • There is now more flexibility in managing your scanner coverage data. If you decide to remove scanning tools from your assets, you will have the option to delete any data in the system that came from those scanners. This makes it easier for you to evaluate new findings without worrying about old data.

Supply Chain Inventory

  • Expanded support for GitHub applications showing not only the applications you have enabled within your organizations but also the permissions those applications have been granted, enabling you to identify what exposure you have to those GitHub applications.

Enhanced Built-in SCA

  • BoostSecurity SCA scanner has added some very useful capabilities, giving you:
    • SBOM Malware detection highlighting known malware within the packages you include in your applications
    • Policy enhancements to support automation based on detected Malware in your open-source components, even allowing you to detect malicious packages in pull requests and immediately inform your development team
    • Policy enhancements to support automation based on Direct or Transitive dependency vulnerabilities, allowing you to put different priority or alerting on those Violations in Direct dependencies vs those that exist only in Transitive dependencies.

2024-03-29

Supply Chain Inventory

  • BoostSecurity now natively supports the generation of a comprehensive and searchable list of the components used to build your software. With this feature, you can easily identify third-party components, such as GitHub actions and CircleCI orbs, which can potentially pose a security risk to your build pipeline. This feature provides end-to-end visibility of your entire supply chain, allowing you to quickly and effectively respond to new risks as they are detected.

User Management Improvements

  • Enhancements to user creation and management to allow you to grant administrator access to new users from the BoostSecurity UI as well as review all user account access.

2024-03-07

Scanner Configurations

  • Simplify your scanner configuration by creating global and easy-to-use rule sets for your configurable scanners. You streamline the provisioning process and better enable central control of how your scanners run within Boost.

Improved CI/CD Scanner Provisioning

  • All SCMs can now provision the CI/CD scanner as defualt scanner protection for all new Organizations and Repositories on the scanner coverage page, rather than on the integrations view as before.

Scanner Coverage

  • At-a-glance scanner coverage! Gain insight into where your portfolio has coverage, from static analysis to secrets detection to third-party dependencies and much more!
  • Immediately highlight coverage gaps in your program and fill them with a 1-click deployment of built-in scanning and detection technologies to gain up-to-the-minute insights into all areas of your application risk.
  • Mass-provision catered scanning for your repositories, with built-in filters to find all repositories of a specific language or framework, allows you to quickly assign the best scanning technology for that language in one action!

2024-02-16

Policy Improvements

  • Policy changes now can be processed instantly allowing users to globally adjust the Findings and Violations reported within their boostsecurity.io instance without requiring a new set of scans to update your data.

  • Open Source Security Foundation (OSSF) scoring can now be a part of your policy definition, enabling you to get violation alerts when your 3rd party dependencies represent a greater risk to your organization.

SCA Findings

  • SCA findings now directly inform you if they are Transitive or Direct from within the Finding view

2024-01-27

Policy UI Improvements

  • Improved the experience of creating Policies with significantly reduced page load times.

Super-fast Findings

  • Findings page now loads in a fraction of the time for larger datasets giving a much more responsive and engaging feel to the page.

Suppression By Policy

  • Users can now apply auto-suppression by policy enabling greater freedom to automatically hide lower risk findings but still be able to quickly call them up for review during triage or audit efforts.

Scan History

  • Scan history shows applied policy now providing more readily available insight into how individual scans were processed to create the Finding and Violation counts you see with your scans.

2023

2022