AppSec friction shows up fast when security and development workflows drift apart. Repository onboarding slows teams down, scan results live outside central triage, scanner updates introduce new findings mid-release, and license data is hard to assemble across tools. This Black Duck Polaris™ Platform release addresses those gaps with stronger integrations, deeper detection, expanded license governance, flexible reporting, and clearer scan coverage visibility.

In this blog post, we highlight updates across developer workflows, license compliance, reporting, and scan quality.


Developer-first workflows and integrations: Security scanning where development already happens

Bridge CLI 4.1.2 and 4.2.1: Signal in Polaris, automated fix PRs, and language detection in CI workflows

Bridge CLI 4.1.2 and 4.2.1 extend support for Polaris into CI workflows by importing Black Duck Signal™ results as External Analysis issues, enabling automated SCA fix PRs, and displaying language detection data in CI logs.

Signal is Black Duck’s agentic AI AppSec scanner, purpose-built to secure AI-generated code. Signal uses a coordinated system of specialized AI security agents powered by ContextAI™ to analyze code, assess exploitability, and guide remediation in real time. It is designed for the speed and scale of AI-driven development workflows. Unlike fAST Static, fAST SCA, and fAST Dynamic—which are native Polaris scan engines—Signal operates independently as an agentic scanner, and its findings flow into Polaris via External Analysis. Polaris serves as the management and visibility layer; it is where Signal findings are triaged, evaluated against policies, and reported on alongside all other AppSec data.

With Bridge 4.2.1, teams with a Polaris External Analysis entitlement can import Signal scans directly into Polaris for centralized triage, policy evaluation, and reporting. Bridge 4.1.2 adds automated SCA Fix PRs and SAST language detection in CI logs, improving remediation speed and scan transparency.

Key capabilities

  • Signal AI scan results in Polaris: Import Signal findings into Polaris for centralized triage, policy evaluation, and reporting. Signal’s agentic AI scanning runs independently and displays its data in Polaris via External Analysis—making Polaris the single pane of glass for managing Signal results across your AppSec program. (Signal and Polaris External Analysis entitlements are required.)
  • Automated SCA fix PRs: Create remediation pull requests directly from CI pipelines to reduce manual effort and speed resolution.
  • Language detection in CI logs: See detected languages and code composition in CI logs for earlier scan coverage visibility.
  • Improved version locking: Lock Full Static Scan and Rapid Scan Static together to manage SAST upgrades without disrupting release cycles or deployments. See the “Static Analysis Version Selection” section below for details.

Black Duck Security Scan bulk CI onboarding: Now supporting GitLab and Bitbucket

Black Duck offers two complementary approaches to embedding security scanning into development workflows, each designed for a different entry point and persona, and both now available across all major SCM platforms.

The Polaris SCM integration is a security-led approach for bulk onboarding, continuous repository monitoring, and event-based scanning from the Polaris UI. It tracks new repositories, renamed projects, and branch changes across GitHub, GitLab, Azure DevOps, and Bitbucket, so coverage stays current with minimal manual effort. For a full overview of these platform-level capabilities, see the February 2026 announcement.

Black Duck Security Scan bulk CI onboarding is a CI-led approach for DevSecOps teams that manages bulk onboarding and scanning through pipeline configuration. Following the release of the Black Duck Security GitHub app, Black Duck now extends this CI-based onboarding experience to GitLab CI and Bitbucket pipelines. DevSecOps teams use a guided flow at integration.blackduck.com/onboard (or the Bitbucket app on the Atlassian Marketplace) to inject Security Scan steps directly into existing pipeline configurations, and generate pull or merge requests with the necessary changes for team review before anything is merged.

[Screenshot: Black Duck Security Setup screen]
[Screenshot: Black Duck Security app on the Atlassian Marketplace]

Each approach improves coverage and automation, but they differ in how teams implement and manage them.

| | Polaris SCM Integration | Black Duck Security Scan Bulk CI Onboarding |
|---|---|---|
| Primary persona | Security practitioners | DevSecOps teams |
| Entry point | Polaris platform UI | CI marketplace / integration.blackduck.com/onboard |
| Implementation | Platform-managed, continuous sync | Pipeline injection via Bridge CLI / Bitbucket pipeline |
| SCM monitoring | Continuous: detects new repos, renamed projects, branch changes | Configured per onboarding session |
| Scan triggers | Event-based from Polaris | Commit and PR/MR triggers via CI pipeline |
| Platforms | GitHub, GitLab, Azure DevOps, Bitbucket | GitHub, GitLab, Bitbucket (Azure DevOps coming soon) |

Key capabilities of the Black Duck Security Scan setup for GitLab and Bitbucket

  • Bulk onboarding: Add many repositories in one guided flow instead of configuring each project individually.
  • Flexible scan engine selection: Configure Polaris fAST SAST and fAST SCA by default, with options for Black Duck® SCA or Coverity® Static Analysis scans (based on licensing and requirements) to support diverse security workflows from a single onboarding experience.
  • Fix PRs and policy enforcement: Generate remediation PRs and apply build-fail policies from the start.
  • SARIF and native dashboards: Deliver findings as SARIF, with GitLab results also available in the GitLab Vulnerability report.
  • Coming soon: Azure DevOps support is on the roadmap for the next release, extending the same CI-based onboarding experience to ADO pipelines.

License governance that scales from project to policy

Expanded SCA license capabilities: Deep License Data and License Manager

Polaris expands license compliance by providing deeper, evidence-backed insights and a unified, organizational view of license usage and governance.

Deep License Data adds visibility at the global, application, and project levels, with supporting evidence available at the project and branch level. Deeper license information is included in notice files. Our License Manager complements this with a centralized view of licenses in use, license terms, organizational fields, usage across projects and applications, and status displayed in dashboards and project views.

[Screenshot: An example of License Manager in action]

Key capabilities

  • Deep License Data: View Deep License Data at the global, application, or project level.
  • Evidence-backed insights: Review supporting license evidence and see deeper data in notice files.
  • Scoped license policies: Evaluate shallow licenses, deep licenses, or both, with separate rules and enforcement actions, including notifications and build-breaks based on license risk status.
  • Organization-wide visibility: See licenses in use, terms, status, and usage across projects and applications in one place.
  • License status in context: View approval status in dashboards and project views.

Visibility that proves ROI and risk posture: Reports shaped for every stakeholder

Flexible report modules: Customizable reports that deliver exactly the insights stakeholders need

Flexible report modules let teams tailor out-of-the-box reports for different audiences by including only relevant modules and customizing content as needed.

Teams can edit text, fields, filters, and time ranges, and then save configurations for reuse, making it easier to produce consistent executive, technical, and compliance reports with less manual work.

Key capabilities

  • Module-level control: Include only the sections each audience needs.
  • Customizable content: Edit text, fields, filters, and time ranges to match internal reporting needs.
  • Saved configurations: Reuse report setups for consistent recurring reporting.
  • Audience-specific variants: Create versions for executives, technical teams, and compliance stakeholders from the same data.
  • Less manual prep: Generate stakeholder-ready reports without reworking exports in spreadsheets.

AI-driven security and automation: Scanning built for the era of AI-generated code

Rapid Scan Static: Native detection for the AI-expanded attack surface

AI services are no longer peripheral to application code—they’re embedded in it. And as development teams integrate LLM APIs into their applications, a new category of credential risk has emerged: hardcoded API keys for AI providers left exposed in source code. A breach doesn’t just compromise an application—it hands attackers access to AI infrastructure, usage credits, and potentially the data those services process.

The latest Rapid Scan Static (Sigma) enhancements add native detection of hardcoded API keys from major LLM providers including OpenAI, Anthropic, Perplexity AI, and Gemini—catching exposed AI credentials at scan time, before they reach production. This capability runs automatically as part of every Rapid Scan Static scan in Polaris, requiring no configuration changes or rule updates to activate.
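As an added illustration (not Black Duck’s code and not Rapid Scan Static’s actual rules), the following Python script flags string literals that look like LLM provider API keys in a constructed source sample, redacts what it reports, and shows the environment-variable pattern that produces no finding. The provider key prefixes are assumptions based on the providers’ public key formats.

```python
import os
import re
from typing import List, Tuple

# Assumed, illustrative key-prefix patterns for the four providers the post names.
# They are this example's own heuristics, not the scanner's rules: a provider
# prefix followed by a minimum run of key characters.
LLM_KEY_PATTERNS = {
    "anthropic":  re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "openai":     re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "perplexity": re.compile(r"pplx-[A-Za-z0-9]{20,}"),
    "gemini":     re.compile(r"AIza[A-Za-z0-9_-]{35}"),
}

# Only string literals count as "hardcoded"; env lookups and identifiers do not.
STRING_LITERAL = re.compile(r"""(["'])(.*?)\1""")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, provider, redacted_key) for each literal that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for _quote, literal in STRING_LITERAL.findall(line):
            for provider, pattern in LLM_KEY_PATTERNS.items():
                match = pattern.search(literal)
                if match:
                    key = match.group(0)
                    # Never echo the full secret into scan output or logs.
                    findings.append((lineno, provider, key[:8] + "..." + key[-4:]))
                    break
    return findings


def load_api_key(env_var: str) -> str:
    """The remediation: read the key from the environment, never from source."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a credential")
    return key


# Constructed sample source, embedded so the script runs offline. Every key is
# fake and padded with 'X' characters; nothing here is a real credential.
SAMPLE_SOURCE = '''
import os
OPENAI_KEY = "sk-XXXXXXXXXXXXXXXXXXXXXXXX"                            # hardcoded: flagged
client = Anthropic(api_key="sk-ant-XXXXXXXXXXXXXXXXXXXXXXXX")         # hardcoded: flagged
GEMINI_KEY = os.environ["GEMINI_API_KEY"]                             # from env: not flagged
headers = {"Authorization": "Bearer pplx-XXXXXXXXXXXXXXXXXXXXXXXX"}   # hardcoded: flagged
comment = "sk-short"                                                  # too short: not flagged
'''

if __name__ == "__main__":
    for lineno, provider, redacted in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded {provider} API key {redacted}")
```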

This release also complements Black Duck’s broader AI security strategy. Signal—Black Duck’s agentic AI scanner purpose-built for securing AI-generated code—gives teams a dedicated tool for analyzing AI-authored software at speed and scale. For teams running Signal, Polaris serves as the management and visibility layer: Signal findings flow into Polaris via External Analysis, where they’re triaged, evaluated against policies, and reported alongside all other application security findings. Together, Rapid Scan Static’s AI credential exposure detection and Signal’s agentic scanning address two distinct and growing dimensions of AI-era application security.

[Screenshot: Signal and Polaris]

Key capabilities included with Rapid Scan Static

  • AI credential exposure detection: Detect hardcoded API keys from OpenAI, Anthropic, Perplexity AI, and Gemini, catching exposed LLM credentials at scan time before they become a costly breach or enable unauthorized usage of AI infrastructure.
  • Automatic availability for AI credential exposure detection: All Rapid Scan Static enhancements are automatically applied to scans in Polaris—no rule updates, configuration changes, or tool upgrades required.

Key capabilities that require Signal

  • Agentic AI analysis for AI-generated code: Teams can run agentic AI-powered scans on AI-generated code using Signal’s coordinated system of specialized AI security agents—powered by ContextAI—to analyze code, validate exploitability, and guide remediation in real time. Signal findings are displayed in Polaris via External Analysis, in the same triage, policy evaluation, and reporting workflows as all other Polaris data.
  • Broader coverage across languages, frameworks, and AI-authored patterns: Signal analyzes code continuously across languages, frameworks, and architectures—including code patterns common in AI-generated output that may not follow conventional structures. Acting like an expert code reviewer, Signal identifies security defects, validates whether they are exploitable, and displays only what requires action—reducing the noise that comes with analyzing AI-authored code at scale.
  • Unified security posture across AI-generated and human-written code: Signal findings in Polaris give security teams a consolidated view of risk across the full codebase—enabling consistent policy enforcement, cross-portfolio reporting, and holistic AppSec management from a single platform without a separate toolchain.

Comprehensive scanning that scales: Broader language coverage, deeper detection, and stability when it matters

Full Static Scan engine updates: Expanded platform support, deeper detection, lower false positive rates

Recent Full Static Scan enhancements strengthen support for modern development environments while improving analysis quality and overall detection breadth across Polaris.

Full Static Scan adds support for Windows Server 2025, .NET 10 with C# 14, FreeBSD 15, Bazel 9 for C/C++, and Kotlin 2.3.0, plus new checkers for Java and C++. Teams also get Go and Scala coverage, new injection-focused dataflow analysis, and lower false positive rates. Teams scanning Go or Scala should review results after upgrading—improved detection may discover new findings.

Key capabilities

  • Updated platform and language support: Adds support for current platforms and languages including Windows Server 2025, .NET 10 with C# 14, FreeBSD 15, Bazel 9 (C/C++), and Kotlin 2.3.0.
  • Expanded Go detection: Adds new Go checkers and initial dataflow analysis for higher-impact injection vulnerabilities.
  • Broader Scala coverage: Adds new Scala and HSS checkers across common application security scenarios including session management, cross-site request forgery, transport layer security (TLS) enforcement, and OAuth.
  • Lower false positives: Reduces noise in Go and Scala results, so teams can focus on real issues.
  • Deprecations and removals: Retires several legacy checkers and older language support including .NET 9, SpotBugs, Detekt, and Kotlin quality checkers. Teams should plan migrations accordingly.

Rapid Scan Static updates: Broader JVM coverage, TLS enforcement, and expanded secrets detection

Recent Rapid Scan Static updates expand detection coverage across JVM languages and close gaps in credential exposure detection for Spring-based applications, adding 37 new and modified checks across Go, Java, Kotlin, Scala, and Java configuration files. These updates also include AI credential exposure detection for hardcoded LLM provider API keys (discussed above in the “AI-driven security and automation” section).

Key capabilities

  • 37 new and modified checks: Includes 2 new Go checks, 14 new Java/Kotlin/Scala checks, 3 new Scala checks, 1 new properties check, and 16 modified checks extending existing detection to additional languages and expanding security coverage across the full JVM and Go ecosystems.
  • Extended TLS coverage for Kotlin and Scala: The 14 Java TLS checks for Spring Boot, Spring Data, Apache Commons, and MongoDB now also support Kotlin and Scala, ensuring consistent TLS policy enforcement across polyglot JVM codebases without separate tools or custom configurations.
  • Expanded hardcoded secrets patterns: Provides 5 new patterns—including generic application key, Spring OAuth2 password grant request, Spring OAuth2 Token introspector, Spring security refresh token, and Spring security token—to close critical gaps in credential exposure detection for Spring-based applications.
  • Automatic rollout: New Rapid Scan Static coverage applies to all scans with no setup required.

Static Analysis Version Selection: Consistent version locking for full scan and Rapid Scan Static

During active release cycles, teams often need stable scan behavior. Version locking helps prevent scanner updates from introducing unexpected findings at the wrong time—giving teams the stability to ship on schedule while preserving the ability to adopt updated engines when the timing is right.

Previously, locking into the recommended SAST version fixed the full scan but allowed Rapid Scan Static to update independently. With Static Analysis Version Selection, locking any static analysis version now locks both together for consistent, reproducible scan results.

[Screenshot: The analysis tab]

Key capabilities

  • Unified version locking: Lock the full scan and Rapid Scan Static together across all static analysis version scenarios.
  • Predictable scan behavior: Get the same locking behavior whether you pin to a recommended or older release.
  • Release-cycle stability: Avoid net-new findings from engine updates during active product releases.
  • No config changes required: Existing version locks automatically inherit the new behavior.

Generate and display language metadata: Transparent scan coverage with intelligent workflow routing

Polaris now displays which languages and package managers it detects in a codebase and whether the selected scan type fully supports them, helping teams understand coverage and choose the right workflow.

Language metadata appears directly in the UI, with alerts when a scan type does not fully support a dominant build-required language. The result is clearer scan coverage, less guesswork, and more confidence in the findings teams act on.

Key capabilities

  • Automatic language detection: Identifies languages and package managers automatically and displays code composition in results.
  • Scan workflow guidance: Highlights coverage gaps and points teams to the right scan workflow for the codebase.
  • Focused compatibility alerts: Warns only when unsupported build-required languages represent 90% or more of the codebase—focusing attention on gaps that materially affect coverage.
  • Build requirement notifications: Alerts teams when a scan appears complete but required build steps are missing.
  • Build transparency for compiled languages: Clarifies when languages such as C and C++ need build capture for full analysis.
  • No setup required: Detection, alerts, and guidance run automatically for every scan.

Moving security forward, together

These updates continue Polaris’ focus on reducing friction across security, compliance, and development workflows. From stronger integrations and better scan transparency to deeper license intelligence and more-flexible reporting, Polaris continues to evolve with modern AppSec needs.

Ready to explore these enhancements? Log into Polaris to see what’s new. For more details on these capabilities, check out our full release documentation or visit our Polaris YouTube channel.

