Improvements to Ruby Scanning Engines

📈 We have tuned our Ruby scanning engines to detect more security issues, specifically those related to Cross-Site Scripting (XSS).

Improvements to False Positive/Negative Detection

📈 We have tuned our JavaScript and PHP engines to detect more security issues and to cover more rules overall.
📉 We have also tuned our Secret detection engines to filter out false positives more accurately.

As always, a big thanks to all of our users that take the time to report false positives and false negatives and help make GuardRails better for everyone!

On-demand Scans 🌀

We are super excited about this feature!

Now you are able to trigger an on-demand scan of the default branch of an enabled repository, straight from the dashboard.

Just click the 🔎 button and it will immediately start a scan.

Export PR and Branch views as PDF

📄 We are happy to announce the release of our PDF export feature.
You can now browse to the Pull Request tab (and, on paid plans, the Branch tab) and export the view as PDF!

Login Errors

πŸ› A bug was fixed in our local caching, which was responsible for login errors.

Updates to Python Scanning and False Positives Detection

🔎 We have added a new rule to our Python security scanning engine and further improved the false positive detection of our engines.

πŸ™ A big thanks to all of our users that report these issues and improvements. GuardRails is continuously getting better because of your valuable feedback.

False Positive Detection Improvements

Thanks to all our users who keep reporting false positives, GuardRails has been updated and got even more accurate.

The main improvements were made to the secret detection engines. Some improvements affected the Go, Python and C engines as well.

Still finding false positives, or false negatives (issues that should be reported but are not)? Please send us a report or mark the findings via the dashboard.

Monorepo support for Ruby repositories

We are now supporting Ruby on Rails applications that follow the monorepo software development strategy.

That means ♾ continuous security verification, no matter how you structure your projects!

A plethora of improvements to GuardRails

🎉 The following improvements have been shipped:

  • Updated all scanning engines, except Java and Solidity
  • Improved error handling of all scanning engines
  • More accurate scan duration timing
  • Improved encoding to make scan processing more reliable
  • Fixed rendering errors related to some use-cases in Pull Request comments

Bug Fixes and Performance Improvements

📈 We have refactored our entire architecture in order to handle the ever-growing number of scan requests processed by GuardRails.

⚡ This release results in much faster scans of your repositories.

Improvements to Ruby Engines

GuardRails now finds more relevant security bugs in your Ruby and Rails applications!

The GuardRails Changelog is now managed via AppVoice

The old changelog has been ported to AppVoice.

Improvements to the Java documentation

The updated Java documentation can be viewed here:

  • https://www.guardrails.io/docs/en/vulnerabilities/java/

Note:

Our Java engines require byte-code to perform their security analysis. At the moment, GuardRails attempts to build Maven projects automatically. This only succeeds if no private registries are referenced.

New Engine: MythX

We are proud to announce that we have further improved our support for Solidity by adding the MythX engine in collaboration with our partners at Consensys.

Improvements to the Solidity documentation

The updated Solidity documentation can be viewed here:

  • https://www.guardrails.io/docs/en/vulnerabilities/solidity/

General improvements to the documentation

Fonts and layout have been made consistent across the documentation.

Improvements to the Java engines

Stability and performance improvements.

Bug fixes and improvements to the dashboard

Several bug fixes and improvements have been shipped to our dashboard.

PHP Engines Improvements

The error handling of our PHP engines has been improved and the engines have been updated to the latest version.

Several improvements to the Dashboard UI

We have shipped several improvements to the UI of our GuardRails dashboard.

Migrated to native GitHub App integration

We are happy to announce that we have migrated from the GitHub OAuth App to the native GitHub App integration in our dashboard.

This unlocks several improvements in how we manage permissions and the integration between the GitHub app and the Dashboard login.

Stability Improvements to the Ruby Engines

We have shipped several changes that improve the stability and reliability of the Ruby engines.

JavaScript Engine Improvements

We have shipped new security rules for the JavaScript engines.

Dashboard Improvements

Several improvements have been deployed to the dashboard including features that are required for the GitHub Marketplace verification.

Improvements to the Secrets Engine

Several improvements have been shipped to reduce the amount of false positives detected by our secrets engine.

Improvements to Ruby Engines

Improved Bundler-Audit engine reporting and rendering of results.

Ruby Engines Mono Repo Support

Improved Ruby Engines to support monorepos.

Engine Improvements

  • Improved experimental Spotbugs support
  • Improved Retire.js error handling

Improvements to the Go Engines

Shipped several enhancements to the Go engines and how results are rendered.

Added support for Slack

We have added support for Slack that allows showing the GuardRails scan results on PRs and branches right in your Slack workflow.

More information on how to configure the Slack integration can be found here.

Monorepo support for JavaScript engines

We have added monorepo support for all our JavaScript scanning engines.

Released the new GuardRails Dashboard

We proudly announce the release of our new and improved GuardRails dashboard.

Improvements to the JavaScript Engines

Roses are red, violets are blue, and we have just shipped enhancements to the npm-audit JavaScript engine.

Several Improvements to Configuration

Enhancements to the GuardRails configuration have been deployed.

Improvements to engines and documentation

Improvements to the Java and Python engines, as well as updates to the documentation on how to fix the issues they report.

Experimental Java Support

🎉 Added support for detecting known security vulnerabilities in Java dependencies thanks to Dependency-Check.

Improvement to the False Positives detection of the secrets engines

The detection logic of false alarms in our secrets engine has been improved.

General Bug Fixes

Deployed several bug fixes to improve stability.

Python Scanning Engines

Improved de-duplication of Python issues and added monorepo support.

Detection of Known Vulnerabilities in Python

Added support for detecting known security vulnerabilities in open source Python libraries thanks to Safety.

New Secrets Detection Engine

  • 🎉 Improved secrets engine to identify API tokens for:
    Mailgun, PayPal, Stripe, Dropbox, Mailchimp, Twilio, Google Cloud Platform, Slack, Heroku, AWS, Facebook, Twitter, GitHub, and more.
  • Improved false positive detection for the secrets engine by removing results for git SHAs in Gemfile.

GuardRails Configuration Options

Added a configuration option to ignore lines annotated with // guardrails-disable-line.

Adding Support for PHP

🎉 GuardRails now supports detecting vulnerabilities in PHP.

Improving False Alert Detection

Improved false alert detection across languages:

  • Removed results for common test files and folders for all languages.
  • Removed results for secure properties in travis.yml.
  • Removed results for third party code or static assets.

General Improvements

Published the following improvements:

  • Added GuardRails config file validation.
  • Established language-wide de-duplication of findings.
  • Performance improvements.

Added Configuration Options

It's now possible to configure GuardRails to alert only on issues that occurred in changed lines.

Added Go Support

🎉 GuardRails now supports detecting security vulnerabilities in the Go language.

Overall Improvements

Added support for an ignore file.

Enhancements to the Mythril Solidity engine:

  • Ability to analyze all .sol files (even in the root directory).
  • Excluding Migrations.sol from analysis.
  • Setting --max-transaction-count 1.
  • Improved error handling.
  • Update to Mythril 0.18.13.

Added Documentation

Improvements to the GuardRails docs.

Added documentation for:

General Improvements

  • Removed the initial pull request in favour of an initial issue.
  • Deployed performance improvements.
  • Deduplicated findings for the Python engines.

Several New Features

This was a big release; we shipped some great new features:

  • 🎉 Released Solidity support.
  • Only showing newly introduced security issues in the pull request.
  • We updated the status we set on GitHub.
  • ❌ Builds are now failing when we detect any new issues.
  • Stability improvements.

Added Support for Python

🎉 Released Python support (including Django and Flask apps).

Added Secrets Documentation

Added Several New Features

  • Added a new engine to detect secrets in the codebase. The secrets engine is language agnostic and runs on every enabled repository.
  • Slimmed down the GitHub pull request comment to reduce noise.
  • Improved the eval ruleset for the JavaScript engine to be more accurate.
  • Reduced the permissions needed on GitHub when installing the GitHub App.
  • Fixed removed installations still showing up on the dashboard.
  • Improved stability when installing on a large number of repositories at the same time.

General Improvements

  • Incorporated feedback from first users.
  • Removed the dependency on CI systems.
  • Added support for forked repositories.
  • Improved the experience for the initial pull request.

First Release of GuardRails

🚀 Alpha release with JavaScript / Secrets support.

Launch Docs

Released initial documentation.