GuardRails SaaS and GuardRails Enterprise Improvements

Dashboard:

  • Improved UI to add install button in the account drop-down
  • Added Filter Actions
  • Added Repository Insights
  • Improvement to showing vulnerable libraries
  • Bug fixes

Worker:

  • Integration of git-cloner helper engine to allow cloning with .git directory
  • Fix scan dates
  • Filter actions
  • Bug fixes

API:

  • Change queryVulnerabilitiesForScan for better performance
  • Fix order of checking for params and ACL in controllers
  • Fix list by time (Insights)
  • Fix validation erroring on empty docs string
  • Create missing BitBucket repositories in repositories list controller
  • Filter Actions
  • Repository Insights
  • Bug fixes

Probot:

  • Add ‘useGitClone’ into config validation
  • Bug fixes

Core-Api:

  • Several bug-fixes and performance improvements

GuardRails SaaS and GuardRails Enterprise Improvements

This release comes with several bug-fixes, stability improvements and features.

  • Bug-fix handling GitLab repos path rename
  • Fix for enabling/disabling GitLab repos
  • Prevent fetching GitLab group members for user accounts
  • PDF Export improvements
  • API improvements
  • Improved error logging for engines
  • Improved false positive filtering
  • Fix old website links to new docs
  • Several bug-fixes in the dashboard

GuardRails Enterprise Improvements

This release includes:

  • Full support for clustered deployments
  • A complete re-factor of core components with lots of performance and stability improvements
  • False positive detection improvements

Lots of fixes, improvements and new features!

We have been a bit quiet with our change logs, but not because we were idle. On the contrary, our growing team has been hard at work to release lots of fixes, improvements and new features! 🚀

Security Engines:

  • Introduction of new engine: ossindex (improved SCA for Java)
  • Nancy (Golang SCA)
  • Improvements for spotbugs
  • Improvements to false positive detection to several engines

Bug Fixes:

  • Fix scan time being shown incorrectly
  • Several bug fixes to the new way of doing scans
  • Several bug fixes for SaaS and On-Premise versions

Improvements:

  • Added IPv6 support for On-Premise
  • New authentication for both SaaS and On-Premise
  • A lot of improvements under the hood of GuardRails

Features:

  • We have added full support for GitLab
  • New data structure that unlocks a range of new exciting features (stay tuned)
  • Introduction of paranoid mode
  • New dashboard with a host of new features and UI/UX improvements (more screens and features coming soon)

Improvements to False Positives Detection

📉 We have also tuned our Secret detection and PHP engines to be more accurate with detecting false positives.

As always, a big thanks to all of our users that take the time to report false positives and false negatives and help make GuardRails better for everyone!

GitHub/GitLab Webhook Handlers

We have improved our Webhook handlers for GitHub and GitLab to ensure we cover all relevant events such as changing repository names, their visibility and many more.

Slack Integration

We have fixed a bug in the Slack Integration and updated our documentation to be more clear on how to set it up.

More information can be found here:

GitLab Integration

We have improved our GitLab Integration, making it more stable and easier to onboard.

Improved Language Detection

We have standardized our language detection capabilities and no longer rely on the ones provided by GitHub and GitLab. This unlocks some interesting future features where we have more control over detecting languages and frameworks being used in a repository.

GitHub Checks Status Appears to be Stuck

Dear GuardRails users,

Despite our rigorous testing practices, we introduced a bug that was live for about 24 hours. The bug affects the GitHub status of branch-based GuardRails scans, which appear to be stuck.

Stuck GuardRails Scan Status

All scans were still completed as expected, and the dashboard contains all results. The old check status will remain stuck but the bug has since been fixed and all new checks will have the correct status.

We apologize for any inconvenience that was caused by this.

Move fast, be safe!

GitLab Support - Beta

We are proud to announce that GuardRails now supports GitLab.

The feature has soft-launched and is available via the login screen of the dashboard!

GitLab support is currently free of charge while we complete the beta-testing.

Improvements to False Positives/Negative Detection

📈 We have tuned our Python engines to detect more security issues.
📉 We have also tuned our Secret detection engines to be more accurate with detecting false positives.

As always, a big thanks to all of our users that take the time to report false positives and false negatives and help make GuardRails better for everyone!

Improvements to Ruby Scanning Engines

📈 We have tuned our Ruby scanning engines to detect more security issues, specifically related to Cross-Site-Scripting.

Improvements to False Positives/Negative Detection

📈 We have tuned our JavaScript and PHP engines to detect more security issues and overall cover more rules.
📉 We have also tuned our Secret detection engines to be more accurate with detecting false positives.

As always, a big thanks to all of our users that take the time to report false positives and false negatives and help make GuardRails better for everyone!

On-demand Scans🌀

We are super excited about this feature!

Now you are able to trigger an on-demand scan of the default branch of an enabled repository, straight from the dashboard.

Just click the 🔎 button and it will immediately start a scan.

Export PR and Branch views as PDF

📄 We are happy to announce the release of our PDF export feature.
You can now browse to the Pull Request tab (and, on paid plans, the Branch tab) and export the view as PDF!

Login Errors

πŸ› A bug was fixed in our local caching, which was responsible for login errors.

Updates to Python Scanning and False Positives Detection

🔎 We have included a new rule in our Python security scanning engine and further improved the false positive detection of our engines.

πŸ™ A big thanks to all of our users that report these issues and improvements. GuardRails is continuously getting better because of your valuable feedback.

False Positive Detection Improvements

Thanks to all our users who keep reporting false positives, GuardRails has been updated and is now even more accurate.

The main improvements were made to the secret detection engines. Some improvements affected the Go, Python and C engines as well.

If you are still finding false positives, or false negatives (issues that should be reported but are not), please send us a report or mark the findings via the dashboard.

Monorepo support for Ruby repositories

We are now supporting Ruby on Rails applications that follow the monorepo software development strategy.

That means ♾ continuous security verification, no matter how you structure your projects!

A plethora of improvements to GuardRails

🎉 The following improvements have been shipped:

  • Update to all scanning engines, except Java and Solidity
  • Improved error handling of all scanning engines
  • More accurate scan duration timing
  • Improved encoding to make scan processing more reliable
  • Fixed rendering errors related to some use-cases in Pull Request comments

Bug Fixes and Performance Improvements

📈 We have re-factored our entire architecture in order to be able to fulfill the ever-growing number of scan requests that are processed by GuardRails.

⚑ This release results in much faster scans of your repositories.

Improvements to Ruby Engines

GuardRails now finds more relevant security bugs in your Ruby and Rails applications!

The GuardRails Changelog is now managed via AppVoice

The old changelog has been ported to AppVoice.

Improvements to the Java documentation

The updated Java documentation can be viewed here:

  • https://www.guardrails.io/docs/en/vulnerabilities/java/

Note:

Our Java engines require byte-code to perform their security analysis. At the moment, GuardRails attempts to build Maven projects automatically. This only succeeds if no private registries are referenced.

New Engine: MythX

We are proud to announce that we have further improved our support for Solidity by adding the MythX engine in collaboration with our partners at Consensys.

Improvements to the Solidity documentation

The updated Solidity documentation can be viewed here:

  • https://www.guardrails.io/docs/en/vulnerabilities/solidity/

General improvements to the documentation

Updated to ensure consistent fonts and layout.

Improvements to the Java engines

Stability and performance improvements.

Bug fixes and improvements to the dashboard

Several bug fixes and improvements have been shipped to our dashboard.

PHP Engines Improvements

The error handling of our PHP engines has been improved and the engines have been updated to the latest version.

Several improvements to the Dashboard UI

We have shipped several improvements to the UI of our GuardRails dashboard.

Migrated to native GitHub App integration

We are happy to announce that we have migrated from the GitHub OAuth app to the native GitHub App integration in our dashboard.

This unlocks several improvements in how we manage permissions and the integration between the GitHub app and the Dashboard login.

Stability Improvements to the Ruby Engines

We have shipped several improvements to improve the stability and reliability of the Ruby engines.

JavaScript Engine Improvements

We have shipped new security rules for the JavaScript engines.

Dashboard Improvements

Several improvements have been deployed to the dashboard including features that are required for the GitHub Marketplace verification.

Improvements to the Secrets Engine

Several improvements have been shipped to reduce the amount of false positives detected by our secrets engine.

Improvements to Ruby Engines

Improved Bundler-Audit engine reporting and rendering of results.

Ruby Engines Mono Repo Support

Improved Ruby Engines to support monorepos.

Engine Improvements

  • Improved experimental Spotbugs support
  • Improved Retire.js error handling

Improvements to the Go Engines

Shipped several enhancements to the Go engines and how results are rendered.

Added support for Slack

We have added support for Slack that allows showing the GuardRails scan results on PRs and branches right in your Slack workflow.

More information on how to configure the Slack integration can be found here.

Monorepo support for JavaScript engines

We have added monorepo support for all our JavaScript scanning engines.

Released the new GuardRails Dashboard

We proudly announce the release of our new and improved GuardRails dashboard.

Improvements to the JavaScript Engines

Roses are red, Violets are blue and we have just shipped enhancements to the npm-audit JavaScript engine.

Several Improvements to Configuration

Enhancements to the GuardRails configuration have been deployed.

Improvements to engines and documentation

Improvements to Java and Python engines as well as updates to the documentation on how to fix them.

Experimental Java Support

🎉 Added support for detecting known security vulnerabilities in Java dependencies thanks to Dependency-Check.

Improvement to the False Positives detection of the secrets engines

The detection logic of false alarms in our secrets engine has been improved.

General Bug Fixes

Deployed several bug fixes to improve stability.

Python Scanning Engines

Improved de-duplication of Python issues and added monorepo support.

Detection of Known Vulnerabilities in Python

Added support for detecting known security vulnerabilities in open source Python libraries thanks to Safety.

New Secrets Detection Engine

  • 🎉 Improved secrets engine to identify API tokens for:
    Mailgun, Paypal, Stripe, Dropbox, Mailchimp, Twilio, Google Cloud Platform, Slack, Heroku, AWS, Facebook, Twitter, Github, and more.
  • Improved false positives detection for the secrets engine, by removing results for git SHAs in Gemfile.

GuardRails Configuration Options

Added configuration option to ignore lines with // guardrails-disable-line.

Adding Support for PHP

🎉 GuardRails now supports detecting vulnerabilities in PHP.

Improving False Alert Detection

Improving false alert detection across languages:

  • Remove results for common test files and folders for all languages.
  • Remove results for secure properties in travis.yml.
  • Remove results for third party code or static assets.
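The three exclusions above, together with the earlier Gemfile git-SHA exclusion for the secrets engine, are path- and context-based heuristics for discarding likely false alerts. The following is an added example of how such a post-processing filter can be structured; it is not GuardRails' own code, and the path patterns, the `Finding` record and the sample findings are constructed assumptions for this example.

```python
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str      # repository-relative path of the flagged file
    line: int      # 1-based line number
    rule: str      # e.g. "secret", "sql-injection"
    snippet: str   # the flagged source line


# Path heuristics. These patterns are assumptions made for this example,
# not the lists GuardRails itself uses.
TEST_DIR_RE = re.compile(r"(^|/)(tests?|specs?|__tests__|fixtures)/")
TEST_FILE_RE = re.compile(r"(_test|\.test|\.spec)\.[A-Za-z0-9]+$")
THIRD_PARTY_RE = re.compile(r"(^|/)(node_modules|vendor|bower_components)/")
STATIC_ASSET_RE = re.compile(r"\.min\.(js|css)$")
# A full 40-hex git commit id: the kind of value a secrets rule mistakes for a key.
GIT_SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")


def drop_reason(finding):
    """Return why a finding should be discarded as a likely false alert, or None to keep it."""
    path = finding.path
    if TEST_DIR_RE.search(path) or TEST_FILE_RE.search(path):
        return "test file"
    if THIRD_PARTY_RE.search(path) or STATIC_ASSET_RE.search(path):
        return "third-party code or static asset"
    # Only the secrets rule is affected by the Gemfile exclusion: a pinned git
    # revision in a Gemfile is not a credential, but looks like one to an entropy check.
    if (finding.rule == "secret"
            and os.path.basename(path) in ("Gemfile", "Gemfile.lock")
            and GIT_SHA_RE.search(finding.snippet)):
        return "git sha in Gemfile"
    return None


def filter_findings(findings):
    """Split findings into those worth reporting and those dropped, with the reason for each."""
    kept, dropped = [], []
    for f in findings:
        reason = drop_reason(f)
        if reason:
            dropped.append((f, reason))
        else:
            kept.append(f)
    return kept, dropped


# Constructed scanner output for this example; the token value is a placeholder, not a real key.
SAMPLE_FINDINGS = [
    Finding("src/config.js", 12, "secret", 'const token = "EXAMPLE_TOKEN_NOT_REAL";'),
    Finding("test/config.test.js", 3, "secret", 'const token = "EXAMPLE_TOKEN_NOT_REAL";'),
    Finding("node_modules/lodash/lodash.js", 1, "eval", "return Function(code)"),
    Finding("Gemfile", 8, "secret",
            "gem 'rails', git: 'https://github.com/rails/rails', "
            "ref: '0123456789abcdef0123456789abcdef01234567'"),
    Finding("Gemfile.lock", 5, "secret", "  revision: 0123456789abcdef0123456789abcdef01234567"),
    Finding("app/models/user.rb", 40, "sql-injection", "User.where(\"name = '#{params[:name]}'\")"),
]

if __name__ == "__main__":
    kept, dropped = filter_findings(SAMPLE_FINDINGS)
    for f in kept:
        print(f"REPORT  {f.path}:{f.line} [{f.rule}]")
    for f, reason in dropped:
        print(f"DROPPED {f.path}:{f.line} [{f.rule}] -> {reason}")
```

Keeping the drop reason alongside each discarded finding matters in practice: it lets users audit why a result disappeared, which is how over-broad exclusions (a production directory that happens to be named `vendor/`) get noticed and reported.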

General Improvements

Published the following improvements:

  • Added GuardRails config file validation.
  • Established language-wide de-duplication of findings.
  • Performance improvements.

Added Configuration Options

It’s now possible to configure GuardRails to alert on issues that occurred in changed lines only.
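Both of the configuration options above (the earlier `// guardrails-disable-line` inline marker and the changed-lines-only mode) are filters applied to raw engine results before they are reported. The following is an added example of how that filtering works; it is not GuardRails' own code. The comment-token regex, the unified-diff parser, and the sample diff, sources and findings are constructed assumptions for this example.

```python
import re
from collections import defaultdict

DISABLE_MARKER = "guardrails-disable-line"
# Accept the marker after a line-comment token of the common languages (an assumption
# about which comment syntaxes count; the page only shows the // form).
DISABLE_RE = re.compile(r"(//|#|--|/\*|<!--)\s*" + re.escape(DISABLE_MARKER) + r"\b")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def changed_lines_from_diff(diff_text):
    """Map each file in a unified diff to the set of new-side line numbers that were
    added or modified: the only lines a scanner should alert on in changed-lines-only mode."""
    changed = defaultdict(set)
    path, new_line = None, None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            new_line = None
        elif raw.startswith(("--- ", "diff ", "index ")):
            continue
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))          # first new-side line of this hunk
        elif new_line is None:
            continue                            # not inside a hunk
        elif raw.startswith("+"):
            changed[path].add(new_line)         # added or rewritten line
            new_line += 1
        elif raw.startswith(("-", "\\")):
            continue                            # removed line / "\ No newline": no new-side number
        else:
            new_line += 1                       # context line
    return dict(changed)


def line_is_suppressed(source_lines, line_no):
    """True when the flagged source line carries an inline disable marker."""
    if 1 <= line_no <= len(source_lines):
        return DISABLE_RE.search(source_lines[line_no - 1]) is not None
    return False


def filter_findings(findings, sources, diff_text=None, changed_lines_only=False):
    """Drop findings on suppressed lines and, when changed_lines_only is set,
    findings that fall outside the lines touched by the diff."""
    changed = changed_lines_from_diff(diff_text) if diff_text else {}
    kept = []
    for f in findings:
        if line_is_suppressed(sources.get(f["path"], []), f["line"]):
            continue
        if changed_lines_only and f["line"] not in changed.get(f["path"], set()):
            continue
        kept.append(f)
    return kept


# Constructed unified diff and file contents for this example (not a real scan).
SAMPLE_DIFF = """\
diff --git a/src/auth.py b/src/auth.py
--- a/src/auth.py
+++ b/src/auth.py
@@ -1,3 +1,7 @@
 import hashlib
+import subprocess
 def check(password, digest):
-    return hashlib.md5(password.encode()).hexdigest() == digest
+    return hashlib.md5(password.encode()).hexdigest() == digest  # guardrails-disable-line
+
+def run(cmd):
+    return subprocess.call(cmd, shell=True)
"""

SAMPLE_SOURCES = {
    "src/auth.py": [
        "import hashlib",
        "import subprocess",
        "def check(password, digest):",
        "    return hashlib.md5(password.encode()).hexdigest() == digest  # guardrails-disable-line",
        "",
        "def run(cmd):",
        "    return subprocess.call(cmd, shell=True)",
    ],
    "src/legacy.py": ["# untouched file"] * 9 + ["result = eval(user_input)"],
}

# Constructed engine output: rule names are placeholders.
SAMPLE_FINDINGS = [
    {"path": "src/auth.py", "line": 4, "rule": "weak-hash"},          # suppressed inline
    {"path": "src/auth.py", "line": 7, "rule": "subprocess-shell"},   # on a changed line
    {"path": "src/legacy.py", "line": 10, "rule": "dangerous-eval"},  # file not in the diff
]

if __name__ == "__main__":
    print("full scan:", filter_findings(SAMPLE_FINDINGS, SAMPLE_SOURCES))
    print("changed lines only:",
          filter_findings(SAMPLE_FINDINGS, SAMPLE_SOURCES, SAMPLE_DIFF, changed_lines_only=True))
```

The inline marker is checked against the file contents rather than the diff, so a suppression survives unrelated edits to the file; the changed-lines filter, by contrast, is keyed to the new-side line numbers of the diff, which is why the parser has to track context and removed lines separately.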

Added Go Support

🎉 GuardRails now supports detecting security vulnerabilities in the language Go.

Overall Improvements

Added support for an ignore file.

Enhancing the Mythril Solidity Engine:

  • Ability to analyze all .sol files (even in the root directory).
  • Excluding Migrations.sol from analysis.
  • Setting --max-transaction-count 1.
  • Improved error handling.
  • Update to Mythril 0.18.13.

Added Documentation

Improvement to the GuardRails docs.

Added documentation for:

General Improvements

  • Removed initial pull request in favour of an initial issue.
  • Deployed Performance improvements.
  • Deduplicate findings for the Python engines.

Several New Features

This was a big release, we shipped some great new features:

  • 🎉 Released Solidity support.
  • Only showing newly introduced security issues in the pull request.
  • We updated the status we set on GitHub.
  • ❌ Builds are now failing when we detect any new issues.
  • Stability improvements.

Added Support for Python

🎉 Released Python support (including Django and Flask apps).

Added Secrets Documentation

Added Several New Features

  • Add new engine to detect secrets in the codebase. The secrets engine is language agnostic and will run on every repository enabled.
  • Slim down the GitHub pull request comment to reduce the noise.
  • Improve the eval ruleset for the JavaScript engine to be more accurate.
  • Reduced the permission needed on GitHub when installing the GitHub App.
  • Fix removed installations still showing up on the dashboard.
  • Improved stability when installing on a large amount of repositories at the same time.

General Improvements

  • Incorporated feedback from first users.
  • Remove dependency on CI systems.
  • Add support for forked repositories.
  • Improve the experience for the initial pull request.

First Release of GuardRails

🚀 Alpha release with JavaScript / Secrets support.

Launch Docs

Released initial documentation.