AI-powered development is accelerating the pace of both software creation and vulnerability discovery—and attackers are evolving just as fast. The organizations staying ahead are those building toward a VulnOps model: security programs that can operate detection, prioritization, and remediation with enough automation and intelligence to keep pace with today's threat landscape. This Black Duck Polaris™ Platform release addresses three interconnected challenges: closing AST coverage gaps, cutting through the growing volume of vulnerability disclosures to focus on what actually matters, and automating remediation to minimize MTTR across the full security life cycle.

Developer-first workflow and integrations: Automating remediation to minimize MTTR at VulnOps speed

Automated fix pull requests: Remediation delivered directly to your SCM

Finding a vulnerable open source component takes seconds. Getting it fixed can take weeks. Polaris fAST SCA now automatically creates fix pull requests for vulnerable open source dependencies across GitHub, GitLab, Bitbucket, and Azure DevOps. This turns security findings into actionable code changes without manual investigation or developer back-and-forth, while keeping the human in the loop for approval prior to merge.

Key capabilities

  • Policy-driven fix PR automation: Define policies that trigger fix PRs automatically based on component risk rating—critical, high, medium, or any combination—so Polaris can deliver remediation as part of every scan without manual intervention.
  • On-demand fix PR creation: Create fix PRs one at a time or in bulk from the issue summary, so teams have the flexibility to act on findings at their own pace.
  • Flexible upgrade guidance: Choose short-term, long-term, or best-available upgrade guidance at the organization level to align with your team's upgrade strategy.
  • PR volume controls and duplicate prevention: Set per-branch limits to keep developer queues manageable. Polaris automatically prevents duplicate fix PRs for the same component and branch.
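To make the four controls above concrete, here is an added Python sketch of the decision logic they describe (not Polaris code; the `Component` and `FixPolicy` names, the constructed scan output, and the reading of "best-available" as "long-term upgrade if one is published, else short-term" are assumptions):

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str       # constructed package names, not real ones
    current: str    # version currently in the dependency tree
    risk: str       # component risk rating the policy triggers on
    upgrades: dict  # {"short-term": nearest fixed version, "long-term": latest stable}
@dataclass(frozen=True)
class FixPolicy:
    trigger_ratings: frozenset  # ratings that trigger a fix PR on every scan
    guidance: str               # "short-term" | "long-term" | "best-available"
    max_open_prs_per_branch: int

def pick_target(comp, guidance):
    # Assumption: "best-available" means the long-term upgrade if one exists, else short-term.
    if guidance == "best-available":
        return comp.upgrades.get("long-term") or comp.upgrades.get("short-term")
    return comp.upgrades.get(guidance)

def plan_fix_prs(findings, policy, open_prs):
    """findings: (branch, Component) pairs from one scan; open_prs: (branch, name) pairs that
    already have a fix PR. Returns (branch, name, current, target) tuples, most severe first."""
    already = set(open_prs)  # copy: never mutate the caller's state
    per_branch = Counter(branch for branch, _ in already)
    planned = []
    # Sorting by rating means a critical finding is never crowded out by highs at the cap.
    for branch, comp in sorted(findings, key=lambda f: ["critical", "high", "medium", "low"].index(f[1].risk)):
        if comp.risk not in policy.trigger_ratings:
            continue  # rating not covered by the policy
        if (branch, comp.name) in already:
            continue  # duplicate prevention per component and branch
        if per_branch[branch] >= policy.max_open_prs_per_branch:
            continue  # PR volume control
        target = pick_target(comp, policy.guidance)
        if target is None:
            continue  # no fixed version published for this guidance
        planned.append((branch, comp.name, comp.current, target))
        already.add((branch, comp.name))
        per_branch[branch] += 1
    return planned

POLICY = FixPolicy(frozenset({"critical", "high"}), "short-term", max_open_prs_per_branch=2)
FINDINGS = [  # constructed scan output
    ("main", Component("lib-d", "3.0.0", "high", {"short-term": "3.0.1", "long-term": "4.2.0"})),
    ("main", Component("lib-a", "1.2.3", "critical", {"short-term": "1.2.4", "long-term": "2.0.0"})),
    ("main", Component("lib-b", "0.9.0", "medium", {"short-term": "0.9.1"})),
    ("main", Component("lib-c", "5.1.0", "high", {"short-term": "5.1.2"})),
    ("develop", Component("lib-e", "2.2.0", "high", {"short-term": "2.2.1", "long-term": "3.0.0"})),
]
OPEN_PRS = {("main", "lib-c")}  # a fix PR for lib-c is already open on main
```

With the sample data, `plan_fix_prs(FINDINGS, POLICY, OPEN_PRS)` opens a PR for lib-a on main and lib-e on develop: lib-b is below the trigger rating, lib-c already has a PR, and lib-d is held back by the per-branch limit.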


Fail pull requests for static and SCA issues: Block vulnerable code before it reaches your protected branches

Every vulnerability discovered after code is merged is exponentially more expensive to fix. Polaris enforces security gates at the pull request—across GitHub, GitLab, Azure DevOps, and Bitbucket—blocking vulnerable code from reaching protected branches before it's ever an issue. Teams can configure a PR policy defining which severity levels trigger a scan failure. When a scan fails, Polaris publishes in-PR comments identifying exactly what needs to be remediated. Two enforcement modes let teams roll out progressively or enforce hard compliance from day one.


Key capabilities

  • Warn mode for progressive rollout: Flag failing PR scans without blocking the merge. Developers are informed of issues and can choose to fix before merging, building security awareness without hard enforcement.
  • Block mode for strict enforcement: Prevent merging until the PR scan passes, keeping vulnerable code out of protected branches, with an authorized override available for urgent situations.
  • Automatic rescan on fix: When a developer addresses flagged issues, Polaris automatically rescans and unblocks the merge as soon as the check passes—no manual intervention required.
  • In-PR remediation guidance: Polaris publishes comments directly to the pull request, identifying which issues were introduced and what needs to be fixed, so developers can stay in their existing workflow.


Bridge CLI 4.3.0: Richer SARIF output and DAST tunnel support

Bridge CLI 4.3.0 enhances Polaris integrations with richer SARIF reporting—surfacing SCA issue locations and signature scan results in SARIF output—and adds DAST tunnel name support for teams running scans in secured or complex network environments.

Key capabilities

  • Richer SARIF output: SCA issue locations and signature scan results are now included in SARIF export, making findings more complete and easier to consume in downstream CI/CD pipelines and code-scanning tools.
  • DAST tunnel name support: Pass tunnel names directly in DAST test configurations to handle complex or secured network setups without manual workarounds.
  • Stronger downstream integration: Improved SARIF fidelity ensures Polaris findings flow cleanly into ticket creation, policy gates, and reporting systems.


On-premises GitHub support for Polaris SCM integrations: Enterprise SCM coverage that meets your network where it lives

Polaris now supports secure tunnel configurations, extending SCM onboarding and scanning workflows to self-hosted GitHub and GitHub Enterprise Server (GHES) environments. Organizations in regulated or restricted environments can maintain full control over their source code while leveraging Polaris's SAST, SCA, and policy enforcement capabilities. And just as continuous SCM monitoring helps cloud teams surface shadow AI repositories—projects spun up outside formal security oversight—that same visibility now extends to on-premises environments, where untracked internal repositories can be an equally significant oversight. On-premises GitHub is also supported through the GitHub app and GitHub Actions. Currently supported GHES versions: 3.16, 3.17, and 3.18.


Key capabilities

  • Bulk onboarding for on-prem GitHub repositories: Onboard hundreds of repositories from a self-hosted GHES instance in bulk—the same experience available for cloud-hosted SCMs, extended to internal deployments.
  • Event-based scanning on push and pull requests: Automated scans can be triggered by push and pull request events, surfacing findings directly in PR comments without platform-switching.
  • Continuous repository monitoring: Polaris continuously monitors on-premises GitHub repositories and surfaces new issues directly in the Polaris dashboard, including shadow AI projects spun up outside formal security oversight that would otherwise go undetected and unscanned.
  • Consistent policy and governance: The same policy assignment and reporting available for cloud SCMs can now be applied to on-premises GitHub repositories.

Risk prioritization and noise reduction: Cutting through the AI vulnerability flood with context that matters

Reachability analysis: Prioritize the open source vulnerabilities that are actually reachable

CVSS scores alone no longer provide sufficient context for prioritization—not every high-severity finding represents an equal level of real-world risk. Polaris now extends reachability analysis into policy evaluation and portfolio-level dashboards to identify whether vulnerable component methods are actually invoked by your application. It then surfaces that context consistently across all reporting layers so teams can focus remediation on exploitable risk, not every issue in a dependency.

Key capabilities

  • Reachability-aware policy evaluation: Policies distinguish between vulnerabilities in methods that are actually invoked and those that exist in unused code paths, ensuring that policy violations reflect real, exploitable risk.
  • Portfolio dashboards with accurate risk metrics: Risk calculations integrate reachability signals, giving security leaders accurate risk posture data without inflated numbers from unreachable vulnerabilities.
  • Consistent reachability across reporting layers: Reachability context flows from individual issues through policy evaluation, dashboards, and reports, ensuring consistent decision-making across the platform.


CISA KEV support: Act on confirmed threats, not just theoretical severity

Severity scores tell you how bad a vulnerability could be. The CISA Known Exploited Vulnerabilities (KEV) catalog tells you which ones are already being used against real organizations. Polaris surfaces KEV status directly in the platform—in the issue view, dashboards, reports, APIs, and policies—giving security teams an immediate, confirmed signal for urgent action without waiting for a new scan. Combined with reachability analysis, KEV status delivers a powerful two-factor prioritization signal: confirmed exploitation in the wild plus verified reachability in your application.


Key capabilities

  • In-product KEV indicators: Clear, in-platform indicators identify vulnerabilities on the CISA KEV list—confirmed exploited in the wild, not just scored as severe.
  • Policy automation for KEV issues: Configure policies to notify teams, auto-create tickets, or break builds when KEV-listed vulnerabilities are detected.
  • Continuously updated intelligence: KEV catalog updates are delivered asynchronously—new scans aren’t needed to gain visibility as the catalog evolves.
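The reachability-aware policy evaluation described earlier and the KEV-plus-reachability signal above, as an added Python example (not Polaris's implementation; the P0-P3 tiers, the 7.0 CVSS threshold, the constructed findings and the placeholder vulnerability ids are assumptions). It scores findings on both factors, reports the dashboard counts with and without the reachability signal, and re-flags existing findings when the KEV catalog changes without a rescan:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    component: str   # constructed component names, not real packages
    vuln_id: str     # placeholder ids, not real CVE numbers
    cvss: float      # base severity score
    reachable: bool  # reachability analysis: the vulnerable method is invoked by the app
    kev: bool        # listed in the CISA Known Exploited Vulnerabilities catalog

def priority(f):
    """Two-factor prioritization: confirmed exploitation (KEV) plus verified reachability."""
    if f.kev and f.reachable:
        return "P0"  # exploited in the wild and actually invoked: fix now
    if f.kev or (f.reachable and f.cvss >= 7.0):
        return "P1"  # one strong signal alone still warrants urgent work
    if f.reachable:
        return "P2"  # reachable but lower severity
    return "P3"      # unused code path: track it, do not block on it

def evaluate_policy(findings, block_on=("P0", "P1")):
    """Findings whose priority violates the policy (would break the build or PR)."""
    return [f for f in findings if priority(f) in block_on]

def risk_summary(findings):
    """Dashboard metrics: CVSS-only high count versus the reachability-aware count."""
    high = [f for f in findings if f.cvss >= 7.0]
    return {
        "high_all": len(high),                                  # inflated by unreachable issues
        "high_reachable": sum(1 for f in high if f.reachable),  # what a team can actually be hit by
        "kev_reachable": sum(1 for f in findings if f.kev and f.reachable),
    }

def apply_kev_update(findings, kev_ids):
    """Re-flag stored findings from a new catalog snapshot; no rescan is needed."""
    return [replace(f, kev=f.vuln_id in kev_ids) for f in findings]

SAMPLE = [  # constructed findings
    Finding("http-client@2.1.0", "PLACEHOLDER-1", 9.8, reachable=True, kev=True),
    Finding("xml-parser@4.0.2", "PLACEHOLDER-2", 9.1, reachable=False, kev=False),
    Finding("yaml-lib@1.9.0", "PLACEHOLDER-3", 7.5, reachable=True, kev=False),
    Finding("json-util@0.3.1", "PLACEHOLDER-4", 5.3, reachable=True, kev=False),
    Finding("old-crypto@1.0.0", "PLACEHOLDER-5", 6.5, reachable=False, kev=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(priority(f), f.component, f.vuln_id)
    print(risk_summary(SAMPLE))
```

On the sample, the CVSS-only view counts three high findings while the reachability-aware view counts two, and a catalog update that adds PLACEHOLDER-2 raises that unreachable issue to P1 without touching the stored scan results.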

Visibility that proves ROI and risk posture: Transparency that drives accountability

Enhanced test logging: Diagnose scan failures without escalation

When a scan fails, teams typically have little visibility into what went wrong—which can trigger support escalations and days of waiting. With enhanced test logging, Polaris users can now view and download relevant test logs directly from the UI for SAST, SCA, DAST, and Bridge-based scans, enabling self-service diagnosis without assessor access or external intervention.

Key capabilities

  • Direct log access from the Polaris UI: View and download relevant test logs from the scan results view—no support ticket, no escalation wait.
  • Relevant log files surfaced automatically: See the most relevant log information per scan type rather than raw unfiltered output, accelerating root cause identification.
  • Foundation for future intelligent error guidance: Establish the platform foundation for upcoming error description summaries and fix guidance.


Black Duck SCA issue data in Polaris: See your Black Duck SCA findings in a unified security view

If your organization relies on Black Duck® SCA, this enhancement is built for you. Black Duck SCA issue data now flows directly into Polaris, so you can continue running the scanner your teams trust while gaining the aggregation, visualization, and cross-tool risk context that Polaris delivers. Polaris becomes the single place where Black Duck SCA results sit alongside SAST, DAST, and other scan types—normalized into one issue model, visible in shared dashboards, and actionable through unified policies.

Key capabilities

  • Black Duck SCA findings in the Polaris dashboard: Get consolidated visibility across all scan types without switching between tools.
  • Normalized issue model and unified reporting: SCA issues integrate with consistent severity ratings, policy evaluation, and life cycle management across your entire security program.
  • Policy coverage across all findings: Polaris policies apply to Black Duck SCA data alongside all other tools—escalation, ticket creation, and build-gate automation work consistently across your full scan portfolio.

Comprehensive scanning that scales: Closing the AST gaps that AI-powered attacks are built to exploit

Binary scanning: Detect open source risk in compiled artifacts—no source code required

Most SCA tools only scan source code. But modern applications increasingly include compiled components, third-party libraries, and repackaged artifacts for which source code simply isn't available. Polaris binary scanning closes that gap—running open source risk detection directly against compiled artifacts as part of standard project scans, with results consolidated into a unified component inventory alongside package manager and signature scan findings.


Key capabilities

  • Source code–free open source risk detection: Identify OSS components and license obligations in compiled artifacts, extending SCA coverage to the full application surface area.
  • More complete SBOMs: Binary scan contributions improve SBOM completeness and application visibility across the portfolio.
  • Unified component inventory: Binary, package manager, and signature scan results are consolidated into one definitive view of all software components in use.


Rapid Scan Static updates: Expanded language coverage, compliance checker sets, and improved accuracy

Rapid Scan Static (Sigma 2026.5.0) delivers expanded detection across Scala, Go, Kotlin, Java, JavaScript, and XML; adds compliance checker sets aligned to the CWE Top 25 2025 and the EU Cyber Resilience Act; and reduces false positives in JWT and hardcoded secrets detection. This helps teams spend less time triaging noise and more time addressing real risk. All updates apply automatically; no configuration changes are required.

Key capabilities

  • New CWE Top 25 2025 and EU-CRA checker sets: Detection coverage is aligned to the latest industry-recognized weakness list and EU compliance requirements, and the new sets are applied automatically without manual rule configuration.
  • Six new security checks and expanded secrets detection: New checks are available across Java, Kotlin, Go, Android, and XML, plus a new HashiCorp Vault unseal key secrets pattern.
  • Improved false positive rates: Bug fixes resolve JWT and hardcoded secrets false positives, reducing triage burden for teams following secure development practices.


fAST Dynamic on-premises enhancements: Enterprise-scale tunnel sharing for internal DAST

Polaris on-premises DAST now runs on the same secure tunnel infrastructure introduced for SCM on-prem integrations—delivering meaningful improvements to how teams scan internal web apps, staging environments, and applications behind firewalls or VPNs. The key operational advancement is tunnel sharing. Previously, teams had to run a separate tunnel executable for each project; now, a single tunnel agent handles multiple DAST scans across projects simultaneously. Start it once, manage it from Polaris org settings, and all projects can use it without additional setup.


Key capabilities

  • Tunnel sharing across projects: A single Polaris secure tunnel serves multiple DAST scans simultaneously—eliminating per-project setup overhead and making on-prem DAST practical at enterprise scale.
  • Internal application scanning: Run fAST Dynamic scans against applications on private networks, behind firewalls, or in environments not publicly accessible.
  • Consistent Polaris platform integration: On-premises DAST results flow into the same issue model, dashboards, policies, and reports as cloud-based scans.

Building the security program that AI-powered attacks demand

Together, these capabilities help security and development teams ensure the software they deliver is thoroughly tested. Vulnerability triage keeps pace with the accelerating disclosure rate, and remediation workflows are automated so they can close gaps before attackers find them. Ready to explore these enhancements? Log into Polaris to see what's new, or check out our full release documentation and Polaris YouTube channel.
