Every security team is dealing with the same pressures: vulnerabilities arriving faster than teams can triage them, a growing catalog of confirmed active exploits, and development pipelines that can't afford to slow down. The latest Black Duck Polaris™ Platform release addresses these issues directly, equipping teams with the intelligence to cut through the noise, the automation to act at AI speed, and the coverage to eliminate the security oversights that well-resourced adversaries exploit first. This release delivers issue risk scoring, AI-assisted triage, container analysis, policy inheritance, Azure DevOps (ADO) CI onboarding, and significant scanner depth advances across the platform.


Risk prioritization and noise reduction: Moving beyond severity to address genuine organizational risk

Issue risk scoring: Focus remediation on the issues that truly put your business at risk

CVSS scores communicate worst-case severity, but they don’t identify which issues in your specific applications are actually threatening your organization right now. Issue risk scoring combines vulnerability severity with real-world context—exploitability, application reachability, and CISA Known Exploited Vulnerability (KEV) status—into a single, transparent score per finding. Scores are updated dynamically as new intelligence arrives and integrate directly into policies, enabling automated responses including notification, ticket creation, and build blocking for any issue that crosses a defined risk threshold.

Polaris KEV status screenshot

Key capabilities

  • Composite risk scoring beyond raw severity: The scores combine severity with exploitability, reachability, and CISA KEV status data into a single score. This helps teams quickly identify the small set of issues that represent genuine organizational risk amid thousands of findings.
  • Transparent, explainable scores: Every score identifies the specific factors that raised or lowered it, enabling defensible triage decisions and building confidence in the prioritization model across teams.
  • Dynamic rescoring as new intelligence arrives: Risk scores are updated automatically when new signals become available—KEV additions, updated reachability data, revised exploitability assessments—keeping prioritization accurate without manual intervention.
  • Risk-based policy enforcement: Configure policies to notify teams, create tickets, or break builds when issues exceed a defined risk score threshold, closing the loop between intelligent scoring and automated governance action.

AI-driven security and automation: Delegating triage work so every team focuses on what matters

AI-assisted triage: Smarter SAST triage keeps developers moving and AppSec teams in control

Even when using the market's most accurate SAST engine, some false positives are inevitable. Further, not every finding is a priority for every team or project. At enterprise scale, manual triage is time-consuming, inconsistent across reviewers, and a bottleneck on developer velocity. Polaris uses AI to accelerate triage workflows, recommend actions, define confidence levels, and explain the reasoning behind each suggestion, so teams can make faster, more consistent decisions while staying fully in control. It also focuses on hardcoded secrets, where the AI delivers its highest-confidence recommendations. Every suggestion requires your acceptance before it's applied, keeping a human in the loop to ensure AI recommendations align with your organization's triage standards, while eliminating the manual investigation work that slows teams down today. To enable AI-assisted triage, reach out to your designated account manager—it is not enabled by default.

Black Duck Polaris AI assisted triage image

Key capabilities

  • AI triage recommendations with confidence levels: Polaris uses AI to recommend a triage response for each finding, including a confidence indicator, so teams can prioritize high-confidence/high-risk findings while ensuring that all results of the scanner, whether the AI considers it high confidence or not, remain accessible to the team.
  • Explainable AI reasoning: Every recommendation details the rationale behind it. Developers and AppSec admins see exactly why a finding was assessed as a false positive or low-risk, enabling informed review.
  • Flexible, admin-governed enablement: AI-assisted triage is not enabled by default and controlled by administrators. It can be enabled at the tenant, application, or project level with inherited or customized settings for incremental, policy-aligned AI adoption.
  • Full audit trail and triage history: AI recommendations, confidence levels, and acceptance or rejection decisions are captured in triage history and audit logs, maintaining accountability across the security program.

 

Polaris fAST Dynamic AI autoannotation: Automated BOLA/IDOR detection for APIs

Broken object-level authorization (BOLA) is the #1 risk on the OWASP API Security Top 10 list, and detecting it requires understanding the business logic behind every API endpoint. Polaris fAST Dynamic has long supported OpenAPI/Swagger spec annotation for this purpose, but manual annotation is time-consuming and error-prone. Polaris now uses an LLM to automatically analyze and annotate API specifications with the authorization intent needed to detect BOLA and insecure direct object reference (IDOR) vulnerabilities, and it includes a review and edit workflow that enables teams to verify accuracy before scans run.

Key capabilities

  • LLM-powered automatic annotation: Polaris analyzes OpenAPI/Swagger specs and generates the custom extensions needed to capture authorization intent automatically, without requiring manual effort from security teams or developers.
  • Automated BOLA/IDOR detection at scale: fAST Dynamic can now test for the #1 OWASP API risk across the full API portfolio, removing the manual bottleneck that previously limited coverage.

Policy, governance, and compliance: Security policy that scales with your portfolio automatically

Policy inheritance: Consistent security governance across every branch, automatically

Security policies are only effective when consistently applied—and consistency breaks down as portfolios scale. New branches are created, new projects are onboarded, and the operational burden of per-branch policy assignment grows beyond what anyone can sustain manually. Policy inheritance addresses this structurally: Organizations establish coverage at the org level and it cascades automatically through the application and project hierarchy down to every branch. All existing policy configurations migrate seamlessly into the inheritance model without disruption.

Key capabilities

  • Inheritance across the full org hierarchy: Policy coverage established at the org level cascades automatically to applications, projects, and branches, providing consistent enforcement without per-level configuration.
  • Org, app, project, and branch-level modification: Each level of the hierarchy can modify inherited policies for its specific requirements, maintaining the organization-wide baseline while preserving flexibility.
  • Seamless migration of existing policies: Current policy configurations automatically migrate into the inheritance model, retaining existing assignments without disrupting workflows.


Service account enhancements: Enterprise-grade management for the automation that runs your security program

Managing service accounts at scale is now easier and more efficient in Polaris. Security admins can search, find, edit, and govern service accounts directly from the Polaris UI. They can modify roles and application assignments without recreating accounts, receive clear warnings before tokens expire, and regenerate tokens quickly when needed.

Key capabilities

  • Searchable service account management: Search for service accounts by name in the Polaris UI, enabling straightforward auditing across large organizations with hundreds of service accounts.
  • Service account modifications: Edit role or application assignments without recreating accounts, eliminating the disruptive workaround that previously made configuration changes costly.
  • Token expiration warnings and easy regeneration: Proactive expiration warnings and one-click token regeneration reduce the window between warning and resolution, minimizing automation downtime risk.

Developer-first workflow and integrations: Completing four-platform CI coverage

Azure DevOps support for Black Duck security scan setup: CI-based AppSec onboarding across CI/CD integrations

The Black Duck security scan setup, which launched for GitHub and then extended to GitLab and Bitbucket, now supports ADO pipelines, providing CI/CD coverage. DevSecOps teams can connect ADO repositories to Polaris through the same guided onboarding flow, with single-repository and bulk onboarding supported, findings pushed to PR comments, and Azure Advanced Security dashboard integration for native portfolio-level visibility in ADO. The same onboarding flow also supports Coverity® Static Analysis and Black Duck® SCA configurations.

Black Duck security setup configuration screen

Key capabilities

  • Guided onboarding for Azure DevOps pipelines: Connect ADO repositories to Polaris with the same consistent flow available for GitHub, GitLab, and Bitbucket—single or bulk onboarding, with SAST and SCA configured by default.
  • Azure advanced security integration: Polaris findings push directly to Azure Advanced Security dashboards, providing native portfolio-level security visibility inside ADO without platform switching.
  • Bulk onboarding at enterprise scale: Onboard dozens or hundreds of ADO repositories in a single session with Polaris handling repository mapping, scan configuration, and automation setup.


Binary scanning CI support for Azure DevOps, Bitbucket, and Jenkins: Automate binary analysis across your entire CI/CD ecosystem

Polaris now supports automated binary scanning through Azure DevOps pipelines, Bitbucket pipelines, and Jenkins, joining GitLab templates and GitHub Actions to complete integration coverage across all five major CI/CD platforms. Teams can invoke the Bridge CLI directly within existing pipeline workflows to automatically submit compiled artifacts for analysis as part of every build, with no manual uploads and no developer process changes required.

Key capabilities

  • Complete five-platform CI coverage: ADO, Bitbucket, Jenkins, GitLab, and GitHub Actions are all supported, providing consistent automated binary analysis across every major CI/CD environment.
  • No changes to developer processes: The pipeline builds the artifact and Bridge handles the rest. Security analysis integrates into existing workflows without developer-facing friction.
  • Centralized findings in Polaris: Binary scan results flow into Polaris alongside SAST, SCA, and dynamic findings, ensuring unified dashboards, policies, and triage regardless of which CI/CD platform triggered the scan.

Comprehensive scanning that scales: Closing the container layer oversight

Container analysis: Open source risk detection that follows the container all the way through

Container images frequently incorporate components that never appear in source-level package manager manifests—base image layers, runtime packages, and dependencies pulled in during image builds. For organizations shipping containerized software, this is a structural gap in open source risk coverage. Container analysis closes it: Container findings flow into the same unified component inventory as binary, package manager, and signature scan results. They are now visible in the same reports, dashboards, and policies as every other scan type.

Key capabilities

  • Flexible container scan execution: Container image analysis fits into however your team works—run it as a scheduled scan, trigger it automatically as part of a CI workflow, or manually submit container files for analysis. Results appear in Polaris reports and dashboards alongside SAST, DAST, binary, and SCA findings without requiring separate tooling.
  • Unified component inventory across all artifact types: Open source components from container, binary, package manager, and signature scans are consolidated into a single component inventory, providing a complete view of open source usage across reports and dashboards regardless of how components were introduced.
  • More complete SBOMs: Container scan results are included in Polaris-generated SBOMs, ensuring completeness for compliance, procurement, and supply chain risk workflows.


Rapid Scan Static updates: Expanded coverage and improved detection accuracy

Polaris Rapid Scan Static now expands hardcoded secrets detection; adds new Micronaut, CORS, TLS, and mobile security checkers; validates Dart 3.12 support; and reduces Kotlin test-code noise, broadening coverage while improving finding relevance.

Key capabilities

  • Language and scan updates: Rapid Scan Static validates Dart 3.12 support and excludes Kotlin test code from secrets, API, and dataflow checks, reducing noise in production-focused results.
  • New and updated checkers: It also expands Java, Kotlin, Python, and mobile coverage for authentication, as well as CORS, TLS, password handling, notebook-based secrets, and Android mobile ID misuse.
  • Eleven new hardcoded secrets patterns: It adds coverage for FirebaseAuth, Steel Crypt, httplib2, flutter_inappwebview, and other credential types common in modern web and mobile stacks.


Full Static Scan updates: Expanded language support and improved detection accuracy

Polaris Full Static Scan adds support for Java 26, Go 1.26, Scala 3.8, and Visual Studio 2026 while improving Spring Framework coverage, URL manipulation classification, and SQL injection detection accuracy.

Key capabilities

  • Modern platform support: Full Static Scan validates Java 26, Go 1.26, Scala 3.8, and Visual Studio 2026 for accurate analysis of current development stacks.
  • Enhanced SQL injection detection: It also improves SQL-related checkers to reduce false negatives and deliver cleaner results for data-driven applications.
  • Improved URL manipulation coverage: It updates detection and CWE mapping so URL manipulation findings are more accurately classified and actionable.
  • Modern Spring Framework support: It also improves coverage for current Spring implementations across enterprise Java applications.

Visibility that proves ROI and risk posture: Portfolio organization that keeps reporting accurate

Project portability: Reorganize your portfolio without losing history or context

As organizations evolve—teams merge, orgs restructure, M&A activity reshapes ownership—portfolio structure drifts from organizational reality, making dashboards harder to trust and governance reporting less accurate. Polaris now makes it straightforward to move projects between applications without losing any history, context, or decisions. Issues, scans, components, policies, branches, and triage state all travel with the project.

Key capabilities

  • Full data portability across applications: Move projects with everything intact—issues, scans, policies, branches, and triage decisions—so teams never have to rebuild context or lose historical risk data.
  • Flexible inheritance controls: Choose whether a moved project inherits settings from its destination application or retains its existing configuration, ensuring safe reorganization at your own pace.
  • No disruption to CI/CD or integrations: Existing pipeline connections and integrations remain intact after a move, so development workflows continue without reconfiguration.

The VulnOps strategy: Building a security program that holds up under AI-speed pressure

These updates move Polaris further along the VulnOps trajectory to where security programs are staffed and automated to discover, prioritize, and remediate vulnerabilities at the pace the threat landscape demands. Issue risk scoring and AI-assisted triage address the prioritization bottleneck, while policy inheritance and service account enhancements help governance scale consistently. ADO onboarding, expanded binary scanning CI support, and project move capabilities streamline developer workflows and portfolio management. Container analysis closes the artifact-level coverage gap, and Rapid Scan Static and Full Static Scan updates deepen detection accuracy, language support, and scan engine coverage. Together, these updates give security and development teams the intelligence, automation, governance, and coverage to stay ahead of adversaries operating at AI speed.

Ready to explore these enhancements? Log into Polaris today to see what's new. For more details, check out our full release documentation or visit our Polaris YouTube channel.
 

Demo Polaris today

Continue Reading

Explore Topics