Most AppSec friction starts simply: A vulnerability gets fixed, but the ticket stays open. A license question blocks a release. Authenticated scanning stalls because setup takes too long. The latest Black Duck Polaris™ Platform release is built for those issues—tightening the loops between detection, decisions, and delivery.

This release brings focused improvements across Polaris. The updates below highlight advances in developer workflows, license compliance, AI‑assisted security, scalable scanning, and smarter risk prioritization. New reporting and operational visibility help teams track decisions, outcomes, and platform health with confidence.


Developer-first workflow and integrations: Security that stays in sync with development

Automated bug-tracker updates: Auto-close tickets for dismissed or absent issues in Jira and Azure Boards

With the latest enhancements to Polaris issue-tracking integrations, teams can now automatically close resolved security tickets and flexibly manage issue-to-ticket relationships in Jira and Azure Boards, ensuring bug trackers always reflect what truly needs attention.

Polaris continuously monitors scan results and can optionally close tickets automatically when the linked issue is dismissed in triage or reported absent by a follow-up scan, while also giving teams the freedom to export, unlink, or modify ticket associations as needed. The result: cleaner boards, less manual effort, and greater trust in security workflows.

Key capabilities

  • Scan-verified closure: When a follow-up scan confirms that a vulnerability has been remediated, Polaris automatically closes the associated ticket—eliminating manual status updates and administrative overhead.
  • Flexible relationship management: Edit, reorganize, or unlink issue-to-ticket relationships as findings are dismissed or reprioritized, without being locked into rigid mappings.
  • Trust through verification: Tickets are only closed when Polaris confirms—through scanning or triaging—that the issue no longer exists or is dismissed, avoiding premature or incorrect closure.
  • Scalability with continuous remediation: As teams fix issues through pull requests and ongoing development, Polaris automatically reflects progress without requiring constant manual follow-up.

Figure 1. Export multiple issues as one ticket or create one ticket per issue

Figure 2. Reassign a bug-tracking ID to a different ticket
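The closure rule above, written out as a small reconciliation routine. This is an added illustration, not Polaris code: the issue status vocabulary ("present", "absent", "dismissed"), the record layout and the sample tickets are assumptions made for the example. The point it makes is the caveat in "Trust through verification": an issue the follow-up scan did not report at all is unknown, not fixed, so the ticket is held open rather than closed.

```python
"""Scan-verified ticket closure: close a ticket only when every linked issue
is confirmed absent by a follow-up scan or dismissed in triage.

Added illustration, not Polaris code; the status vocabulary and record
layout are assumptions made for this example.
"""
from dataclasses import dataclass

CLOSEABLE = {"absent", "dismissed"}   # scan-confirmed gone, or triaged away


@dataclass(frozen=True)
class Issue:
    issue_id: str
    status: str          # "present" | "absent" | "dismissed" (assumed vocabulary)


@dataclass
class Ticket:
    key: str
    issue_ids: tuple     # one ticket may bundle several issues (Figure 1)
    state: str = "open"


def reconcile(tickets, latest_results, auto_close=True):
    """Return {ticket key: action} after a follow-up scan and update ticket state.

    A ticket closes only when every linked issue is absent from the follow-up
    scan or dismissed in triage. An issue the scan did not report at all is
    "unknown", not "absent": a partial or failed scan must never close a
    ticket, which is the premature-closure case the text warns about.
    """
    status_by_id = {issue.issue_id: issue.status for issue in latest_results}
    actions = {}
    for ticket in tickets:
        if ticket.state != "open":
            actions[ticket.key] = "leave"
            continue
        statuses = [status_by_id.get(i, "unknown") for i in ticket.issue_ids]
        if auto_close and statuses and all(s in CLOSEABLE for s in statuses):
            ticket.state = "closed"
            actions[ticket.key] = "close"
        elif "unknown" in statuses:
            actions[ticket.key] = "hold"      # cannot verify, keep open
        else:
            actions[ticket.key] = "keep"      # at least one issue still present
    return actions


def unlink(ticket, issue_id):
    """Drop one issue from a ticket (a Figure 2 style relationship edit)."""
    ticket.issue_ids = tuple(i for i in ticket.issue_ids if i != issue_id)


def demo():
    # Constructed sample: four open tickets and the follow-up scan's results.
    tickets = [
        Ticket("APP-1", ("I-100",)),            # fixed, confirmed absent
        Ticket("APP-2", ("I-200", "I-201")),    # one fixed, one still present
        Ticket("APP-3", ("I-300",)),            # dismissed in triage
        Ticket("APP-4", ("I-400",)),            # not covered by this scan
    ]
    results = [
        Issue("I-100", "absent"),
        Issue("I-200", "absent"),
        Issue("I-201", "present"),
        Issue("I-300", "dismissed"),
    ]
    return reconcile(tickets, results)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` closes APP-1 and APP-3, keeps APP-2 open because one of its two issues is still present, and holds APP-4 because the scan said nothing about its issue. A real integration would also record which scan produced the confirmation on the ticket itself, so the closure can be audited later.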

Policy, governance, and compliance: License intelligence without the overhead

Centralized license workflows: Understand, manage, and govern open source obligations

License workflows bring license intelligence directly into Polaris, providing visibility into terms, notice files, and copyrights. This helps organizations understand, manage, and govern open source licensing obligations with greater confidence and less operational overhead.

Key capabilities

  • Centralized compliance information: Access license terms, notice files, and copyright data in one place instead of relying on disconnected tools or manual documentation.
  • Reduced legal and compliance risk: Early visibility into restrictive or high-risk license obligations helps teams avoid downstream issues, rework, and release delays.
  • Faster evaluation and approval: Clearly categorized license terms (required, forbidden, permitted) make it easier to assess compliance impact at decision time.
  • Simpler notice file management: Generate and configure notice files with license text, component lists, and copyright information across branches, projects, or applications.
  • Improved cross-team collaboration: Shared visibility between developers, security, and legal teams reduces back-and-forth and shortens review cycles.

Figure 3. View copyright text and component origins

Figure 4. Create a notice file with copyright text and license details

AI-driven security and automation: Intelligence that accelerates security

AI-assisted DAST authentication: Screenshot to security in seconds

AI-assisted authentication for Polaris fAST Dynamic eliminates tedious manual configuration. Users simply select AI-assisted authentication from the drop-down in the Polaris UI, submit a screenshot of their application’s login page, and Polaris uses Black Duck’s internally hosted AI to automatically generate the authentication script.

Key capabilities

  • No script writing: Configure authentication directly in the UI without writing scripts or creating brittle browser recordings.
  • Reduced configuration time: Automatically generate authentication logic from a login page screenshot, speeding up scan readiness.
  • Improved scan reliability: Avoid fragile authentication recordings that can easily break as applications change.
  • Lower barrier to deeper testing: Help more teams run authenticated scans, increasing coverage of real application behavior.

Figure 5. Setting up AI-assisted authentication for fAST Dynamic

Polaris MCP server: Security intelligence in your AI workflow

The Polaris issue management MCP server is a secure, read-only integration that uses the Model Context Protocol (MCP) to bring Polaris findings and Black Duck’s curated security knowledge into customer-selected AI tools, such as Claude and GitHub Copilot, for analysis, reasoning, and insights. From within the coding assistant, users can then pull up issue details, summarize risk by project or portfolio, identify recurring vulnerability patterns, and get remediation guidance that can be translated into next steps for developers and stakeholders.

Key capabilities

  • No context switching: Security investigation and remediation happen in the same environment where code is written—developers get instant answers without navigating separate platforms.
  • Accelerated remediation: Use commands like "Show me all critical SQL injection issues" or "What’s the most at-risk project?" to get fast, contextual answers.
  • AI-grounded in security expertise: MCP grounds AI responses in authoritative Polaris data and Black Duck’s curated knowledge base (ContextAI™) for more accurate guidance than generic LLM output.
  • Cross-application reasoning: Combined with other customer data sources, MCP helps AI tools correlate related issues, highlight recurring patterns, and suggest likely root causes.
  • Secure read-only access: The AI tool can read findings but cannot change them, so Polaris data remains the source of truth while the assistant reasons over it.
  • Developer-friendly explanations: Turns security data into explainable narratives—what it is, why it matters, what to do next.

Figure 6. Polaris issue management MCP in Claude Code and the IDE
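To make the read-only pattern concrete, here is a minimal MCP-style tool server handling the two JSON-RPC methods an assistant uses to discover and invoke tools, `tools/list` and `tools/call`. It is an added illustration and not the Polaris MCP server: the tool names, the finding records and the risk scoring are constructed for this example, and the MCP initialization handshake and transport (stdio or HTTP) are left out. The security-relevant detail is that read-only access is enforced by the tool surface itself: nothing that mutates a finding is registered, so a request to dismiss an issue fails as an unknown tool rather than being gated by a flag the client could omit.

```python
"""Minimal read-only MCP-style tool server (JSON-RPC 2.0 subset).

Added illustration of the read-only integration pattern; not the Polaris
MCP server. Tool names, findings and scoring are constructed for the example.
"""
import json

# Constructed sample findings standing in for data a real server would read
# from the platform.
FINDINGS = [
    {"id": "F-1", "project": "payments",  "type": "SQL injection",     "severity": "critical"},
    {"id": "F-2", "project": "payments",  "type": "XSS",               "severity": "high"},
    {"id": "F-3", "project": "portal",    "type": "SQL injection",     "severity": "critical"},
    {"id": "F-4", "project": "portal",    "type": "Hard-coded secret", "severity": "medium"},
    {"id": "F-5", "project": "inventory", "type": "SQL injection",     "severity": "medium"},
]
WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}   # assumed scoring


def list_issues(severity=None, issue_type=None):
    """'Show me all critical SQL injection issues' maps to this filter."""
    return [f for f in FINDINGS
            if (severity is None or f["severity"] == severity)
            and (issue_type is None or f["type"] == issue_type)]


def most_at_risk_project():
    """'What's the most at-risk project?': highest weighted severity total."""
    totals = {}
    for f in FINDINGS:
        totals[f["project"]] = totals.get(f["project"], 0) + WEIGHT[f["severity"]]
    project = max(totals, key=totals.get)
    return {"project": project, "score": totals[project]}


# The complete tool surface. Nothing here mutates findings: read-only access
# is a property of what is registered, not of a per-request flag.
TOOLS = {
    "list_issues": {
        "fn": list_issues,
        "description": "List findings, optionally filtered by severity and type",
        "inputSchema": {"type": "object", "properties": {
            "severity": {"type": "string"}, "issue_type": {"type": "string"}}},
    },
    "most_at_risk_project": {
        "fn": most_at_risk_project,
        "description": "Project with the highest weighted open-finding score",
        "inputSchema": {"type": "object", "properties": {}},
    },
}


def _error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle(request_json):
    """Dispatch one JSON-RPC request string; return the response as a dict."""
    req = json.loads(request_json)
    rid, method = req.get("id"), req.get("method")
    if method == "tools/list":
        tools = [{"name": n, "description": t["description"], "inputSchema": t["inputSchema"]}
                 for n, t in TOOLS.items()]
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}}
    if method == "tools/call":
        params = req.get("params") or {}
        tool = TOOLS.get(params.get("name"))
        args = params.get("arguments") or {}
        if tool is None:                        # e.g. an attempt to dismiss an issue
            return _error(rid, -32602, "unknown tool: %s" % params.get("name"))
        if set(args) - set(tool["inputSchema"]["properties"]):
            return _error(rid, -32602, "unexpected argument")   # only declared inputs
        text = json.dumps(tool["fn"](**args))
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"content": [{"type": "text", "text": text}], "isError": False}}
    return _error(rid, -32601, "method not supported: %s" % method)


if __name__ == "__main__":
    print(handle('{"jsonrpc":"2.0","id":1,"method":"tools/call",'
                 '"params":{"name":"list_issues","arguments":{"severity":"critical"}}}'))
```

Arguments are checked against the declared input schema before the function runs, so an assistant cannot smuggle extra parameters into a tool. In a deployment the same shape would sit behind the host's authentication and a service account whose platform permissions are themselves read-only, so the tool surface is not the only thing standing between the assistant and a write.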

Comprehensive scanning that scales: Efficient scanning with better detection and less noise

Upgraded SAST engine: Smarter detection across modern languages

Polaris now includes an upgraded Rapid Scan Static (SAST) engine, powered by Sigma 2026.3.0, delivering improved accuracy, expanded language and checker support, and more precise remediation guidance—without slowing down fast-moving development workflows.

This release introduces targeted enhancements and bug fixes that strengthen scan quality and signal fidelity, while maintaining compatibility for customers using recommended multiversion configurations. By advancing the underlying Sigma engine used for Rapid Scan Static, Polaris helps teams detect real issues more reliably across modern languages and frameworks—with less noise and greater confidence in results.

Key capabilities

  • Improved accuracy and signal quality: Refinements to existing checks reduce false positives and eliminate noise (such as findings on empty files), helping teams focus on real, actionable security issues.
  • Expanded language support: Validated support for Go 1.26, Dart 3.11, and expanded Scala, Java, and Kotlin coverage ensures rapid scans keep pace with evolving technology stacks.
  • Clearer remediation guidance: Updated remediation advice—such as corrected version guidance for OS-related checks—helps developers resolve issues faster and with greater confidence.
  • Better coverage for high-impact risks: Enhanced and new checks improve detection across authentication, configuration, and secrets risks—including JWT handling, CORS configuration, TLS enforcement, security headers, and hard-coded secrets.
  • Strengthened hard-coded secrets coverage: The expanded hard-coded secrets detection includes 10 new checkers.
  • Extended Scala support: Multiple existing JWT and configuration checks have been expanded to support Scala, alongside new Scala-specific checks for CORS policies, TLS usage, OAuth flows, and security headers.
  • Continuous engine innovation: Regular engine updates ensure Rapid Scan Static continues to benefit from the latest research, improvements, and fixes—without added operational burden.


Risk prioritization and noise reduction: Focus on what actually matters

Custom severities: Risk classification on your terms

With custom severities, organizations can now override default severities and classify issues based on their own risk tolerance and internal guidelines. This gives AppSec teams greater control over how findings are prioritized—directly within Polaris—without relying on downstream tools or manual reclassification.

Key capabilities

  • Alignment with internal policies: Customize severity ratings to reflect how your organization defines risk, rather than relying on one-size-fits-all defaults.
  • Better prioritization accuracy: Ensure that vulnerabilities are ranked based on what actually matters most to your business and security posture.
  • Centralized control and governance: AppSec teams can centrally manage and govern how severities are applied across teams, applications, and environments.
  • No downstream rework: No need to reclassify issues in external tools like ticketing systems just to match internal metrics.
  • Enterprise-scale support: Get consistent, scalable severity customization across large organizations with diverse applications and risk profiles.

Figure 7. Enable custom severities at the org level for more triaging control

Figure 8. Upgrading severity status to “critical” for any hard-coded credential
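The two sections above, the engine's checker classes and custom severities, fit together in one pipeline: a checker assigns a default severity, and an organization-level override reclassifies it before anyone triages. The toy checker below is an added illustration and is not the Sigma engine's logic: the checker ids, regular expressions, default severities and sample files are constructed for this example. It covers two of the finding classes named in the engine notes (hard-coded secrets and a permissive CORS configuration), skips empty files so they produce no findings, and then applies the Figure 8 rule that any hard-coded credential is critical.

```python
"""Toy static checker for two finding classes plus an org-level severity
override. Added illustration only, not the Sigma engine; checker ids,
patterns, default severities and sample files are constructed.
"""
import re

# Line-level: a credential-looking key assigned a quoted literal. Placeholder
# values such as "${DB_PASSWORD}" are skipped to avoid an obvious false positive.
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*["'](?!\$\{)[^"'\s]{8,}["']""")
# File-level: a wildcard origin combined with credentials is the risky CORS shape.
CORS_ORIGIN_ANY_RE = re.compile(r"Access-Control-Allow-Origin\W+\*", re.I)
CORS_CREDENTIALS_RE = re.compile(r"Access-Control-Allow-Credentials\W+true", re.I)

DEFAULT_SEVERITY = {"HARDCODED_SECRET": "high", "CORS_WILDCARD_WITH_CREDENTIALS": "medium"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _finding(path, lineno, checker):
    sev = DEFAULT_SEVERITY[checker]
    return {"file": path, "line": lineno, "checker": checker,
            "default_severity": sev, "severity": sev}


def scan_file(path, text):
    """Return findings for one file. An empty file yields nothing; findings on
    empty files are exactly the noise the engine notes above mention."""
    findings = []
    if not text.strip():
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append(_finding(path, lineno, "HARDCODED_SECRET"))
    if CORS_ORIGIN_ANY_RE.search(text) and CORS_CREDENTIALS_RE.search(text):
        findings.append(_finding(path, 1, "CORS_WILDCARD_WITH_CREDENTIALS"))
    return findings


def apply_overrides(findings, overrides):
    """Org-level custom severities, {checker: severity}. The default severity
    is kept on the record so the reclassification stays auditable. Returns the
    findings ordered by effective severity."""
    out = []
    for f in findings:
        f = dict(f)
        f["severity"] = overrides.get(f["checker"], f["default_severity"])
        out.append(f)
    return sorted(out, key=lambda f: RANK[f["severity"]])


# Constructed sample repository.
SAMPLE_FILES = {
    "settings.py": 'DB_HOST = "db.internal"\n'
                   'PASSWORD = "${DB_PASSWORD}"\n'
                   'API_KEY = "sk-live-0123456789abcdef"\n',
    "cors.js": "res.setHeader('Access-Control-Allow-Origin', '*');\n"
               "res.setHeader('Access-Control-Allow-Credentials', 'true');\n",
    "empty.py": "",
}
ORG_OVERRIDES = {"HARDCODED_SECRET": "critical"}   # Figure 8: any hard-coded credential is critical


def demo():
    findings = [f for path, text in SAMPLE_FILES.items() for f in scan_file(path, text)]
    return apply_overrides(findings, ORG_OVERRIDES)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run against the sample repository, the checker reports the live API key on line 3 of settings.py (not the `${DB_PASSWORD}` placeholder on line 2) and the wildcard-plus-credentials pair in cors.js, and reports nothing for the empty file. After the override the secret surfaces first as critical while keeping its default of high on the record, which is the audit trail a reviewer wants when an organization's ranking diverges from the engine's.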

Unified DAST management: One application, multiple scans, zero sprawl

Organizations can now associate multiple DAST projects with a single application, aligning DAST management with existing SAST and SCA workflows. Polaris fAST Dynamic allows teams to consolidate related dynamic scans under one application without creating unnecessary application sprawl.

Key capabilities

  • Efficient license allocation: Allocate multiple DAST licenses to one application, making it easier to use purchased capacity efficiently.
  • Consistency across testing types: Align DAST behavior with SAST and SCA, which already support multiple projects per application.
  • Improved visibility: Roll up related DAST scans—such as multiple sites or environments—under one application for easier tracking and analysis.
  • Scalability with web portfolios: Ideal for teams managing multiple web apps, domains, or environments that need to be secured together.


Visibility that proves ROI and risk posture: Transparency that drives accountability

Triage Approval dashboard: A single source of truth for security decisions

The Triage Approval dashboard provides a centralized view of all triage approval activity in Polaris, making it easier to manage, track, and audit security decisions at the organization level or down to specific applications or projects. With high-level metrics and a detailed, drill-down table, teams gain clarity and accountability across the entire triage approval process, including issues still awaiting approval.

Key capabilities

  • Centralized approval management: View pending, approved, and rejected triage requests across applications and projects in one dashboard.
  • Improved visibility into workload: High-level metrics quickly show how many approvals are pending or completed, helping teams prioritize action.
  • Stronger accountability: Clear attribution to requestors and approvers ensures everyone knows who submitted, reviewed, and approved each decision.
  • Auditable decision-making: Approval status, dismissal reasons, comments, and timestamps create a clear record for audits and future reference.
  • Informed prioritization: Detailed issue, application, and project context helps security teams make consistent, data-driven triage decisions.
  • Scalability across portfolios: Designed to support organizations managing approvals across many applications, projects, and stakeholders.

Figure 9. Get an org-level view of triage status

Operational status and reliability

Unified status view across Black Duck products

Black Duck now has a centralized status page, status.blackduck.com, that provides live performance updates across several Black Duck products.

Key capabilities

  • Centralized view across Black Duck hosted platforms: Access live status for Black Duck® SCA, Black Duck Binary Analysis SaaS, and Polaris in a single view.
  • Regional updates: Get status for the specific regions most relevant to you.
  • Subscribe for updates: Subscribe to get alerts via email.

Moving security forward, together

These updates demonstrate our ongoing commitment to eliminating friction in security workflows while maintaining the rigorous standards that modern applications demand. Whether you’re managing complex licensing requirements, streamlining triage processes, or exploring AI-assisted security analysis, Polaris continues to evolve with your team’s needs.

Ready to experience these enhancements? Log into Polaris today and explore how these features can accelerate your secure development practice. For more details on these capabilities, check out our full release documentation or visit our Polaris YouTube channel.