Every security team is dealing with the same pressures: vulnerabilities arriving faster than teams can triage them, a growing catalog of confirmed active exploits, and development pipelines that can't afford to slow down. The latest Black Duck Polaris™ Platform release addresses these issues directly, equipping teams with the intelligence to cut through the noise, the automation to act at AI speed, and the coverage to eliminate the security oversights that well-resourced adversaries exploit first. This release delivers issue risk scoring, AI-assisted triage, container analysis, policy inheritance, Azure DevOps (ADO) CI onboarding, and significant scanner depth advances across the platform.
CVSS scores communicate worst-case severity, but they don’t identify which issues in your specific applications are actually threatening your organization right now. Issue risk scoring combines vulnerability severity with real-world context—exploitability, application reachability, and CISA Known Exploited Vulnerability (KEV) status—into a single, transparent score per finding. Scores are updated dynamically as new intelligence arrives and integrate directly into policies, enabling automated responses including notification, ticket creation, and build blocking for any issue that crosses a defined risk threshold.
Even when using the market's most accurate SAST engine, some false positives are inevitable. Further, not every finding is a priority for every team or project. At enterprise scale, manual triage is time-consuming, inconsistent across reviewers, and a bottleneck on developer velocity. Polaris uses AI to accelerate triage workflows, recommend actions, define confidence levels, and explain the reasoning behind each suggestion, so teams can make faster, more consistent decisions while staying fully in control. It also focuses on hardcoded secrets, where the AI delivers its highest-confidence recommendations. Every suggestion requires your acceptance before it's applied, keeping a human in the loop to ensure AI recommendations align with your organization's triage standards, while eliminating the manual investigation work that slows teams down today. To enable AI-assisted triage, reach out to your designated account manager—it is not enabled by default.
Broken object-level authorization (BOLA) is the #1 risk on the OWASP API Security Top 10 list, and detecting it requires understanding the business logic behind every API endpoint. Polaris fAST Dynamic has long supported OpenAPI/Swagger spec annotation for this purpose, but manual annotation is time-consuming and error-prone. Polaris now uses an LLM to automatically analyze and annotate API specifications with the authorization intent needed to detect BOLA and insecure direct object reference (IDOR) vulnerabilities, and it includes a review and edit workflow that enables teams to verify accuracy before scans run.
Security policies are only effective when consistently applied—and consistency breaks down as portfolios scale. New branches are created, new projects are onboarded, and the operational burden of per-branch policy assignment grows beyond what anyone can sustain manually. Policy inheritance addresses this structurally: Organizations establish coverage at the org level and it cascades automatically through the application and project hierarchy down to every branch. All existing policy configurations migrate seamlessly into the inheritance model without disruption.
Managing service accounts at scale is now easier and more efficient in Polaris. Security admins can search, find, edit, and govern service accounts directly from the Polaris UI. They can modify roles and application assignments without recreating accounts, receive clear warnings before tokens expire, and regenerate tokens quickly when needed.
The Black Duck security scan setup, which launched for GitHub and then extended to GitLab and Bitbucket, now supports ADO pipelines, providing CI/CD coverage. DevSecOps teams can connect ADO repositories to Polaris through the same guided onboarding flow, with single-repository and bulk onboarding supported, findings pushed to PR comments, and Azure Advanced Security dashboard integration for native portfolio-level visibility in ADO. The same onboarding flow also supports Coverity® Static Analysis and Black Duck® SCA configurations.
Polaris now supports automated binary scanning through Azure DevOps pipelines, Bitbucket pipelines, and Jenkins, joining GitLab templates and GitHub Actions to complete integration coverage across all five major CI/CD platforms. Teams can invoke the Bridge CLI directly within existing pipeline workflows to automatically submit compiled artifacts for analysis as part of every build, with no manual uploads and no developer process changes required.
Container images frequently incorporate components that never appear in source-level package manager manifests—base image layers, runtime packages, and dependencies pulled in during image builds. For organizations shipping containerized software, this is a structural gap in open source risk coverage. Container analysis closes it: Container findings flow into the same unified component inventory as binary, package manager, and signature scan results. They are now visible in the same reports, dashboards, and policies as every other scan type.
Polaris Rapid Scan Static now expands hardcoded secrets detection; adds new Micronaut, CORS, TLS, and mobile security checkers; validates Dart 3.12 support; and reduces Kotlin test-code noise, broadening coverage while improving finding relevance.
Polaris Full Static Scan adds support for Java 26, Go 1.26, Scala 3.8, and Visual Studio 2026 while improving Spring Framework coverage, URL manipulation classification, and SQL injection detection accuracy.
As organizations evolve—teams merge, orgs restructure, M&A activity reshapes ownership—portfolio structure drifts from organizational reality, making dashboards harder to trust and governance reporting less accurate. Polaris now makes it straightforward to move projects between applications without losing any history, context, or decisions. Issues, scans, components, policies, branches, and triage state all travel with the project.
These updates move Polaris further along the VulnOps trajectory to where security programs are staffed and automated to discover, prioritize, and remediate vulnerabilities at the pace the threat landscape demands. Issue risk scoring and AI-assisted triage address the prioritization bottleneck, while policy inheritance and service account enhancements help governance scale consistently. ADO onboarding, expanded binary scanning CI support, and project move capabilities streamline developer workflows and portfolio management. Container analysis closes the artifact-level coverage gap, and Rapid Scan Static and Full Static Scan updates deepen detection accuracy, language support, and scan engine coverage. Together, these updates give security and development teams the intelligence, automation, governance, and coverage to stay ahead of adversaries operating at AI speed.
Ready to explore these enhancements? Log into Polaris today to see what's new. For more details, check out our full release documentation or visit our Polaris YouTube channel.
Apr 14, 2026 | 8 min read
Mar 31, 2026 | 4 min read
Feb 05, 2026 | 6 min read
Jan 22, 2026 | 3 min read
Dec 16, 2025 | 4 min read
Oct 08, 2025 | 6 min read