November 2024 Release Notes
Release November 7, 2024 v19.3.23d
While this release does not come with an expansive set of notes, it contains substantial "behind the scenes" updates that ensure long-term stability and performance.
Scanner Algorithm Updates
We have made a number of refinements to our algorithm to address several SOQL injection use cases. These improvements cover statements that run AS USER; false negatives when a query runs WITH SYSTEM MODE; the analysis of string concatenation when BIND variables are used; and the exclusion of ID types as vulnerable to SOQL injection.
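The four cases above are easier to reason about with a concrete classifier. The following is an added example, not DigitSec's scanner code: a deliberately small Python heuristic that classifies one dynamic-SOQL statement as injectable or not, using the same distinctions the notes describe (bind variables are parameterised, Id-typed values cannot carry a quote, and a WITH USER_MODE / WITH SYSTEM_MODE clause affects CRUD/FLS enforcement but not how the query string is built). The Apex statements and the declared-type table are constructed for the example.

```python
import re

# Variable types as a scanner would recover them from the enclosing Apex method.
# Constructed for this example; a real analysis derives these from declarations.
DECLARED_TYPES = {"name": "String", "accountId": "Id"}

# Constructed Apex statements, one per case named in the notes (not from the page).
SAMPLES = {
    "bind": "Database.query('SELECT Id FROM Account WHERE Name = :name')",
    "id_concat": "Database.query('SELECT Id FROM Account WHERE Id = \\'' + accountId + '\\'')",
    "string_concat": "Database.query('SELECT Id FROM Account WHERE Name = \\'' + name + '\\'')",
    "system_mode_concat": "Database.query('SELECT Id FROM Account WHERE Name = \\'' + name + '\\' WITH SYSTEM_MODE')",
    "escaped_concat": "Database.query('SELECT Id FROM Account WHERE Name = \\'' + String.escapeSingleQuotes(name) + '\\'')",
}

CONCAT_RE = re.compile(r"\+\s*([A-Za-z_][\w.]*)")   # identifier glued into the query with '+'
BIND_RE = re.compile(r":[A-Za-z_]\w*")               # :var bind-variable syntax
MODE_RE = re.compile(
    r"WITH\s+(USER|SYSTEM)_MODE|AccessLevel\.(USER|SYSTEM)_MODE|\bAS\s+(USER)\b", re.I
)


def classify_soql(statement, declared_types=DECLARED_TYPES):
    """Classify one dynamic-SOQL statement for injection risk.

    Injection exists when a non-Id value is concatenated into the query string
    without escaping. Bind variables are parameterised and safe; Id values are
    validated by the platform (15/18 alphanumeric characters, so no quote can
    get in); the mode clause is reported for context only, because it changes
    CRUD/FLS enforcement, not the shape of the query string.
    """
    mode_match = MODE_RE.search(statement)
    mode = next(g for g in mode_match.groups() if g).upper() if mode_match else None
    tainted = []
    for token in CONCAT_RE.findall(statement):
        if token == "String.escapeSingleQuotes":
            continue                      # quotes are neutralised before concatenation
        if declared_types.get(token) == "Id":
            continue                      # Id-typed value: cannot break out of the literal
        tainted.append(token)             # String or unknown type: treat as attacker-influenced
    return {
        "uses_bind": bool(BIND_RE.search(statement)),
        "mode": mode,
        "tainted": tainted,
        "injectable": bool(tainted),
    }


def scan_samples(samples=SAMPLES):
    """Run the classifier over every sample and return the results keyed by label."""
    return {label: classify_soql(stmt) for label, stmt in samples.items()}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        flag = "FLAG" if result["injectable"] else "ok  "
        print(f"{flag} {label:20s} mode={result['mode']} tainted={result['tainted']}")
```

Running the block flags only `string_concat` and `system_mode_concat`; the second one is the false-negative case from the notes, where the presence of WITH SYSTEM_MODE must not suppress the finding.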
More Vulnerability Detail
In our last release, we introduced more detail for Code Snippet vulnerabilities by adding a clickable control that displays the entire function containing the line of code that caused an Issue. We are now adding "Category" as a column choice in the CSV/Excel spreadsheet. This datapoint refers to the type of scan that identified the issue (SAST / SCA / CONFIG / IAST / 3RDPARTY / QUALITY).
We are also removing "Vulnerable Function" as a column choice in the CSV/Excel spreadsheet. Unfortunately, the formatting of the code snippet breaks the structure of the export file and renders it unusable. This data is still available via the JSON export.
Tighter Workspace Management
We have addressed an issue where certain Two Factor Authentication configurations interfered with the Workspace creation workflow, preventing other Admins from accessing the new workspace. The expected behavior is that Admins have access to all Workspaces. We have also modified our UI for managing Workspace Assignments in the Setup → Users screens: we now display the last four characters of the Workspace ID, which helps differentiate Workspaces with similar names.
Minor Bug Fixes and Improvements
We have restored the display of the data visualization for Last Scan details in the Workspace Dashboard; we have updated our GitHub webhook responses so that GitHub no longer registers a timeout error; we have added an exception handler for when our scans encounter a corrupted zip file, allowing the scan to continue while logging the issue; we have resolved an issue that displayed a blank screen after authentication at login; and we have added string validation to the Workspace creation dialog to enforce a *.my.salesforce.com pattern.
September 2024 Release Notes
Release September 18, 2024 v19.3.23c
Tag Library
We have made a substantial upgrade to our Tag management system. Users that have been active with DigitSec will recall that we have been actively expanding the scope of the Tag system, starting with Issues and moving on to Scans and Workspaces. We are now capitalizing on that foundation and are transitioning to a centralized management system. While this may appear to be a rather subtle change, there are many facets of complexity that are important to note.
Primarily, Admins will now be able to access a new system under the Configure menu that allows them to Create and Inactivate tags from a central location. This addresses a common complaint that our older system allowed for too much potential variation on assignment. This will also be an assignable permission for lower level Environment Users, Managers or Custom Roles.
Next, Tags are now also typed by whether they are applied to an Issue, Scan or Workspace. When Creating a Tag, it is possible to choose to automatically add to all types, or it can be limited to a single type. In addition to types, we are now also tracking a Tag's state of "Active" or "Inactive". In the Active State, tags will appear in menus as a valid option for Linking (or assigning). In the Inactive State, tags will no longer be available for Linking, but existing linkages are not removed. In this way, a Tag assignment could be valid for a time and then inactivated, but still be searchable at a later time. We're interested in your feedback on this feature. Our centralized Tag Library tracks Inactive tags and it is possible to Restore them to Active status.
Tag Creation and Tag Linkage/Delinkage are also assignable permissions at the Workspace level, so it is possible to restrict who can do these actions for your Custom Roles.
Users of our API will be familiar with the fact that we had previously stored tags for Issue/Scan records in a Custom Fields array as a complex object with Key:Value:URL properties. We are now introducing a specific Tag field that will store an array of IDs. On the front-end and through our CSV exports, we will include the related record information. However, on the back-end, users will need to interpret the ID values.
API Versioning
We are now introducing Version 3.0.2 of our API. This is a minor update to our existing 3.0.1, but it introduces several new endpoints to help with Tags.
More importantly, users are advised that we have reconfigured our services to allow for a separation between different versions of the API. This will allow API users to test new features, changes in input parameters or response data for some time after release and not be forced to change on an uncertain schedule.
The standard pattern for addressing the API is https://s4.digitsec.com/<endpoint>. This will always point to the "oldest" version of the API. To specify a specific version, you would add the version stub between the <domain> and the <endpoint>. We are currently supporting two versions: v301 and v302.
- https://s4.digitsec.com/v301/<endpoint>
- https://s4.digitsec.com/v302/<endpoint>
Transition
One final note about both API Versioning and the Tag Library. We are automatically transferring the old Tag information contained in the Custom Fields array into the new Tag Management system. Each unique Key:Value pair becomes a new Tag and then we create the associated Item:Tag linkages. While we are deprecating the use of Custom Fields through our App, we are not removing any of the data that is currently stored in the Custom Fields array. If there are any questions or concerns about Tag updates, we will be able to refer back to the existing data. API users will still be capable of accessing and modifying the data in the Custom Fields array (using v301 only). We do not have plans at this time to remove that functionality, however we would like to caution our customers not to rely on those fields for long term management or tracking.
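The migration described above (every distinct Key:Value pair becomes one Tag, and each record is then linked to its tags by ID) and the versioned URL pattern from the API Versioning section are shown together in the following added example. It is illustrative Python, not DigitSec's own migration code or API client: the `customFields` property name, the record and tag ID schemes, and the sample records are constructed for the example, and `bulkfinding` is used only as a path example because it is an endpoint the notes mention.

```python
API_BASE = "https://s4.digitsec.com"


def api_url(endpoint, version=None):
    """Build a request URL; with no version stub the oldest supported version answers."""
    endpoint = endpoint.lstrip("/")
    return f"{API_BASE}/{version}/{endpoint}" if version else f"{API_BASE}/{endpoint}"


# Constructed legacy records in the pre-3.0.2 shape the notes describe: a
# Custom Fields array of objects with Key/Value/URL properties. The property
# names and record ids are assumptions for this example, not DigitSec's schema.
LEGACY_RECORDS = [
    {"id": "ISSUE-1", "customFields": [
        {"Key": "team", "Value": "payments", "URL": ""},
        {"Key": "sprint", "Value": "42", "URL": ""}]},
    {"id": "ISSUE-2", "customFields": [
        {"Key": "team", "Value": "payments", "URL": ""},
        {"Key": "team", "Value": "payments", "URL": ""}]},   # duplicate pair on one record
    {"id": "SCAN-7", "customFields": [
        {"Key": "team", "Value": "checkout", "URL": ""}]},
]


def migrate_custom_fields(records):
    """Turn Key:Value pairs into a tag library plus Item:Tag linkages.

    Every distinct (Key, Value) pair becomes exactly one Tag; each record is
    then linked to the tags its pairs map to. Returns (tags, linkages) where
    tags maps tag id -> {"name", "active"} and linkages maps record id -> [tag ids].
    """
    tag_ids = {}      # (Key, Value) -> tag id, so repeated pairs reuse one tag
    tags = {}
    linkages = {}
    for rec in records:
        linked = []
        for field in rec.get("customFields", []):
            pair = (field["Key"], field["Value"])
            if pair not in tag_ids:
                tag_id = f"TAG-{len(tag_ids) + 1}"            # constructed id scheme
                tag_ids[pair] = tag_id
                tags[tag_id] = {"name": f"{pair[0]}:{pair[1]}", "active": True}
            if tag_ids[pair] not in linked:
                linked.append(tag_ids[pair])
        linkages[rec["id"]] = linked
    return tags, linkages


def inactivate_tag(tags, tag_id):
    """Inactivate a tag: it leaves the linking menus, but existing linkages stay."""
    tags[tag_id]["active"] = False


def linkable_tags(tags):
    """Tag ids a user may still link, i.e. the Active ones."""
    return [tid for tid, meta in tags.items() if meta["active"]]


def resolve_tag_names(tag_id_list, tags):
    """Expand the bare ID array an API client receives into the names the UI/CSV show."""
    return [tags[tid]["name"] for tid in tag_id_list if tid in tags]


if __name__ == "__main__":
    tags, links = migrate_custom_fields(LEGACY_RECORDS)
    for rec_id, tag_list in links.items():
        print(rec_id, resolve_tag_names(tag_list, tags))
    print("v301:", api_url("bulkfinding", "v301"), "| v302:", api_url("bulkfinding", "v302"))
```

Note the two behaviours the notes call out: the duplicate pair on ISSUE-2 collapses to a single linkage, and inactivating a tag removes it from `linkable_tags` without touching the linkages already recorded, which is why an inactivated tag remains searchable later.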
Code Snippet Visibility
Our Issue Details pages have highlighted the single line of code that triggers an Issue creation. Users have always appreciated having that displayed along with the filename and line number. However, we've also heard great feedback that it would be helpful to have a bit more context. The code snippet section now has a page control that expands to show the complete enclosing function, so it is easier to understand whether there are mitigating factors that might indicate a false-positive finding. Users that rely on the JSON export or retrieve data via the API will also notice that we've added two fields: vulnerablefunction and vulnerabilefunctionline. Respectively, these fields contain the entire function from the code and the line number at which the function starts.
Scheduler System
We have resolved a longstanding issue with our Scheduling System. Some users had reported seeing discrepancies between the number of issues identified in a Scheduled Scan and the number identified in an On-Demand Scan. We had advised several customers who actively use this feature of the issue. The issue has now been resolved and customers should see consistent results between On-Demand and Scheduled scans. However, we do want to highlight that we have disabled the ability to link tags to scheduled scans prior to execution. Tags can be linked to scans once they have completed.
Minor Fixes and Additions
Several of our patch releases in the past few weeks have included small tweaks to our remediation guidance bullets. We have also made some progress in removing small typos and errors in some of our text. In our API, we have modified a number of endpoints to pre-validate the input prior to executing the request. For the /bulkfinding endpoint, we've also added acceptance for both _scanID and scanId to accommodate some Apex variable name requirements. Some users have also mentioned needing to refresh their browsers after login to have the Workspaces Dashboard display; that issue has been resolved. Users should note that when switching between a scan's issue index and an issue detail page, using the browser refresh button will drop the active query and return users to the first page of scan results. We've resolved an issue in the User Management system where longer-term customers might have encountered an error accessing Inactive users. We have also updated the Update Workspace flow for Connected Apps to work as expected. Finally, we have added a new value, "By-Design", to the Status Assignment control that should give teams a bit more flexibility in how they track Issues.
This is version 19.3.23c
July 2024 Release Notes
Response to Polyfill.io Threat
Recent news has highlighted a malware threat from code that relies on the Content Delivery Network (CDN) polyfill.io. This patch update modifies our Software Configuration Analysis (SCA), Config and Static Application Security Testing (SAST) scans to identify any code that relies on this CDN or a compromised polyfill.io.
Protection against Polyfill.io
There is an active advisory from Salesforce, corroborated by numerous sources, that polyfill.io should not be considered safe. There are reports of malware being propagated through the library.
We are protecting our customers against the polyfill exploit as follows:
- Our SCA engine is checking for all libraries which match the polyfill library type and functions, even an altered version of polyfill will be flagged if the same function signatures exist.
- While scanning Lightning Web Components (LWC) and VisualForce pages we are looking for any remote references to polyfill either directly by referencing polyfill.io or indirectly from a CDN.
- When running a scan against a Salesforce environment, we are checking Content Security Policies (CSP) to ensure that polyfill.io is not being allowed.
- When running a scan against a Salesforce environment we are checking Cross Origin Request Sharing (CORS) setting to ensure polyfill.io is not enabled in a Salesforce environment.
- When checking Remote Sites we are checking that Apex connections are not made to polyfill.io.
- Any 3rd party packages, whether downloaded from AppExchange or other sources, can be checked to see if they reference or use polyfill.
This is the most comprehensive approach to protecting our customers' Salesforce environments and users against this supply chain malware attack.
We are continuing to monitor this issue and will share any updates as needed.
Please feel free to reach out to us if you have any questions or concerns.
You can take advantage of this update by simply running a new scan on your connected Salesforce orgs or code repositories. Please ensure Static Analysis, SCA, and Config are turned on in your settings. Any polyfill.io related issues will be flagged as Critical.
This is version 2023.19.3.21m
Update: Supplemental Advisory
It has been observed that several other hosts are exhibiting similar malicious activities for hosted polyfills. These additional hosts include:
- googie-anaiytics.com
- polyfill.com
- polyfill.site
- polyfillcache.com
- bootcdn.net
- bootcss.com
- staticfile.net
- staticfile.org
- unionadjs.com
- xhsbpza.com
- union.macoms.la
- newcrbpc.com
These hosts have been identified as malicious and are tagged within the DigitSec platform as critical vulnerabilities. Our team is also analyzing the behavior of files in the Salesforce environment during runtime testing.
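The checks listed in the July notes (remote references in LWC/Visualforce markup, CSP Trusted Sites, CORS origins, Remote Site settings) reduce to one question: does a hostname equal, or sit under, one of the advisory hosts? The following is an added Python example written for this page, not DigitSec's scanner: it carries the host list from the advisory above (plus polyfill.io itself), matches subdomains such as cdn.polyfill.io, refuses lookalike suffixes such as notpolyfill.io, and runs over constructed sample inputs (a Visualforce page, a CSP Trusted Sites list and a CORS origin list). The sample inputs and the finding format are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Hosts named in the advisory above, plus polyfill.io itself.
MALICIOUS_HOSTS = (
    "polyfill.io", "googie-anaiytics.com", "polyfill.com", "polyfill.site",
    "polyfillcache.com", "bootcdn.net", "bootcss.com", "staticfile.net",
    "staticfile.org", "unionadjs.com", "xhsbpza.com", "union.macoms.la",
    "newcrbpc.com",
)

# Absolute and protocol-relative URLs as they appear in markup and JS imports.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+|//[^\s"'<>)]+""")


def matched_host(host):
    """Return the advisory host that `host` equals or is a subdomain of, else None."""
    host = (host or "").lower().rstrip(".")
    for bad in MALICIOUS_HOSTS:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def hostname_of(reference):
    """Hostname from a URL, a protocol-relative URL, or a bare host entry."""
    if "//" not in reference:
        reference = "//" + reference          # bare hosts such as CSP/CORS entries
    return urlparse(reference).hostname


def _finding(source, reference, bad):
    # Finding shape is an assumption for this example; severity follows the notes.
    return {"source": source, "reference": reference, "matched": bad, "severity": "Critical"}


def scan_markup(source_name, text):
    """Find remote references to advisory hosts in LWC/Visualforce/JS source text."""
    findings = []
    for url in URL_RE.findall(text):
        bad = matched_host(hostname_of(url))
        if bad:
            findings.append(_finding(source_name, url, bad))
    return findings


def scan_allowlist(setting_name, entries):
    """Check CSP Trusted Sites, CORS origins or Remote Site entries against the advisory hosts."""
    findings = []
    for entry in entries:
        bad = matched_host(hostname_of(entry))
        if bad:
            findings.append(_finding(setting_name, entry, bad))
    return findings


# Constructed sample inputs (not real customer data).
SAMPLE_VF_PAGE = """<apex:page>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
  <script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
  <script src="https://cdn.example-safe.com/lib.js"></script>
</apex:page>"""
SAMPLE_CSP_TRUSTED_SITES = ["https://api.example.com", "https://polyfill.io", "cdn.jsdelivr.net"]
SAMPLE_CORS_ORIGINS = ["https://www.googie-anaiytics.com", "https://www.google-analytics.com"]

if __name__ == "__main__":
    for f in (scan_markup("MyPage.page", SAMPLE_VF_PAGE)
              + scan_allowlist("CSP Trusted Sites", SAMPLE_CSP_TRUSTED_SITES)
              + scan_allowlist("CORS", SAMPLE_CORS_ORIGINS)):
        print(f"{f['severity']}: {f['source']} references {f['reference']} ({f['matched']})")
```

The CORS sample is the one worth a second look: the typo-squatted googie-anaiytics.com is flagged while the genuine google-analytics.com is not, which is exactly the distinction a reviewer skimming an allowlist by eye tends to miss.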
June 2024 Release Notes
Bulk Issue Modification
Users that need to make the same modification to the User Assignment, Tags, Comments, or Status of many different Issues will now be able to do so quickly and easily without having to rely on the API. It will now be possible to select up to 100 (or just a few) of the Issues that appear on a Workspace's Issue Page and then apply the same modification to all of them at once.
This new feature also respects the expanded permission control over each one of those Issue inputs (Status, Assignment, Tags, Comments) as well as the Required Comment control that have been introduced in recent patches.
Furthermore, for teams that want to make these changes via the API, we've created a new endpoint that will be able to handle 10,000 record modifications in a single request. Contact your Customer Success representative to get early access to the documentation updates.
Code Snippet Contextualization
One of the ways that our scanning engine is built to be fast and efficient relies upon the way we identify findings across workspaces and scans. In this release, we've made a critical update so that the line numbers of existing findings are updated to reflect the most recent scan results. Previously, once the issue had been identified we did not update the line numbers within the function call tree as long as that tree remained the same.
Salesforce Connection Authorization
We have added a new method for connecting your DigitSec environment to Salesforce. You can now set up a Connected App in Salesforce and connect to a DigitSec workspace by providing the Custom URL and the Connected App Client ID.
Minor Fixes and Resolution of Known Issues
This release sees the resolution of a number of Known Issues and a large number of minor fixes.
- Resolved: New Issue Feature only works with Workspace Setting Feature
- Resolved: Workspace Assignments for New Team Members Not Saving Properly
- Resolved: Commerce Cloud Workspaces do not have isNew control
- Resolved: Export from Scan Issues Page using isNew filter
- Added a Reset Password button to User Profile screen
- Fixed an issue where page would blank when using certain query filters
- Updated CRUD Rule remediation guidance to fix a typo and show WITH_USER_MODE
- Fixed a Permission issue related to downloading a CSV report
- Fixed a Permission issue related to Workspace Managers not being able to add comments
- Fixed a display issue to accurately reflect workspace assignments for Admin level users
- Added a new control for Security Gates and scan settings to make it more clear when a Workspace is governed by local or environmental settings.
- Resolved an issue where our rules related to Profile Security were evaluating inactive profiles
This is version 19.3.21 - Release Date: 2024-06-04
March 2024 Patch 2
Bulk File Ignore
Expanding the functionality of our Ignore Rule, users can now simply upload a file that contains many filename entries for files they wish to exclude from their scans.
Improved Environment-Workspace Settings Management
We have improved the user interface associated with managing the Scan Settings and Security Gate Settings at the Environment and Workspace levels. Administrators should have their default settings active at the Environment level. Workspace Managers have always been able to override these settings, but now they have the control to also revert back to the Environment Settings. In the case of Security Gates, Workspace Managers can also toggle the Security Gates off and on, while preserving the values they had previously entered.
We think this will make it much more clear to every team which settings are active within a Workspace.
Updated Security Rules
We've updated our security rules to include support for WITH_USER_MODE for code that might have potential CRUD Issues. This change should allow more up-to-date code to pass without being flagged as a potential Issue.
Minor Bugs and Fixes, Disabled API Endpoint
This release contains a number of small bug fixes and changes that may not have a direct impact on user experience. Most notably, we have removed a legacy endpoint from our API:
/dashboard/trendingscans
If you attempt to access this endpoint, you will now receive an error.
This is version 19.3.19 - Release Date: 2024-03-27
March 2024 Patch 1
Enhanced Permission Granularity on Issue Data
For Teams that require more robust control over which team members can make modifications to Issue Data, we have now put READ/WRITE controls on Issue Comments, Issue Status, Issue Severity, Issue Tags, and Issue User Assignment. (WRITE permissions are inclusive of READ permissions).
When a Custom Role is created and the Issue object permission is set to WRITE, these five Child Permissions are displayed and can each be set as either READ or WRITE. When the Issue object permission is set to READ, all of these child permissions are also set to READ.
Edit Custom Roles
We have added the capability to edit and delete established Custom Roles and to browse existing Custom Roles in a new tab underneath the Configure Main Navigation.
Required Comments
On an environment wide basis, we have added a new capability to require a comment when a user changes an Issue Status. To use this feature, open the Configure Main Navigation, go to the Advanced Tab, and activate the switch for Required Comments.
When this feature is active, a user modifying the Status on the Issue Detail screen will be prompted to enter a comment. If they cancel the modal dialog, the status change will be discarded. If they submit the comment, the comment and status change will be captured to the Issue Detail history.
Updated VS Code Extension
We have updated our VS Code Extension (v2.1.1) to now rely on a User's API Key found under Workspace → Integrations rather than authenticating with User Name and Password. We believe this is ultimately more convenient to users and follows best practice.
This is version v.19.3.17 - Release Date: 2024-03-18
February 2024 Patch 4
Minor Fixes
We've made a number of small fixes and changes in this release to resolve some issues. In particular, we've modified some of the alignment of text in the interface as the window changes size; we've corrected word-wrapping within the Users → Roles column; we've modified the behavior of some of the internal navigation buttons on the Issues Detail Screen when that screen is launched as a child tab of the Issues Index Query page; the New Issue control now works for Commerce Cloud; and the New Issue Scan option is available for Scheduled Scans.
Notification Management
We've introduced a new feature for Administrators that will allow them to disable notification messages for Scan Activity, Schedule Activity and Issue Detail updates on an environment wide basis. For teams that are making many changes to Issues via the API, this toggle can be used to spare your team members' email inbox from being flooded with messages.
We've also simplified and clarified the Disable Notification control for individuals. This control can be found by editing their Profile.
Notifications related to user access such as Forgot/Reset Password are never disabled and are exempt from this control.
OWASP Mappings
We have mapped all of our security rules to the OWASP Top 10. Users can now rely on these mappings to organize and prioritize their Issues. With this release, these mappings will only be available for new scans on newly created Workspaces. Existing Issue information generated from older scans will not include this information. New Scans on existing workspaces will not include the information. Our goal is to apply this data retroactively to older scan information in the coming weeks, but do not yet have a timeframe to share.
This is version v.19.3.15 - Release Date: 2024-02-20
February 2024 Patch 3
We've made a number of small changes.
- The Scheduler system has been revised to require a 2 day advance window to schedule scans. This is in place to make sure that future scans are properly queued.
- The Reset button that appears on the Issues Index Query Builder now works as expected to clear all query inputs and reset the page to the default query.
- The New Tab link for Issue Detail pages now loads properly.
- Paging through issue detail pages that jump between pages of results (i.e. Issue 100 on page 1 and Issue 101 on page 2) now works as expected.
- The isNew finding count on Issue Index pages should now work properly.
This version is v.19.3.13 - Release Date: 2024-02-09
February 2024 Patch 2
We made some small changes to some of the query filter controls and minor fixes to the scheduler system.
This version is 2023.19.3.11 - Release Date: 2024-02-07
February 2024 Patch
Resolving Known Issues
We have resolved a couple of known issues from previous releases, including a double refresh problem that prevented the display of Issue Detail screens, and we have improved the performance of Query Filters with the New Issue control.
Issue Query Page
We have added a Query Reset button to the Issues Index page to provide more flexibility to end-users when results don't populate as expected.
Scheduler Change
We now initiate the creation of the scheduler queue at exactly midnight UTC (+00:00). This resolves an error where queued scans that might have gotten scheduled in the early morning but before our queue creation were not executing properly. Customers are advised to schedule their automated scans with a 24 hour cycle keyed to the UTC time in mind.
This version is 2023.19.3.7 - Release Date: 2024-02-06
January 2024 Patch
We launched a patch update that introduced a new feature and made some improvements to existing features.
- New Findings Feature
In Workspaces → Advanced, you will find a new setting that allows users to specify that scans should return new findings only. This does not impact existing scan records, but will only show vulnerabilities that had not been identified previously. Please note there are some Known Issues with this feature.
The New Findings toggle that now appears at the top of a scan's Findings Index reflects the setting at the time the scan was run. If the setting was enabled when the scan was initiated, the toggle will appear enabled when viewing the scan results.
- Minor Fixes
We've removed the Trash Can icon from the cards that appear on the Workspaces → Reports tab. We've resolved issues where non-admins could not create workspaces. We've resolved an issue where vulnerability details pages did not display properly.
This version is 2023.19.3.5 - Release Date: 2024-01-30
Winter 2023 Update
We launched a minor update that includes several new features and improvements.
- Scan Scheduler
Admin Users can now schedule scans to be run in the future on a one-time or recurring basis. All scan settings can be set for specific scans separate from the Workspace defaults.
- Vulnerability Findings Query Modification
Display and export of results is now more intuitive and query results are persistent between the detail findings and the index review.
- Multi-Factor Authentication
Users can now choose between Email, SMS or Device-based multi-factor authentication.
- User Reports
Admins can now pull exports of Authorized and Deleted Users.
- Workspace Dashboard
The Scan Index screen now displays more information about a scan at a glance. We have also added a query tool allowing users to search for specific scans by date, initiator, tag, or scan type.
- GitHub Improvements
We've provided some additional configuration options that can limit the type of Pull Requests that activate scans.
- Minor Fixes
We've added a password confirmation to the Reset Password sequence, added more data to our CSV export, improved performance across scalability and speed, and added the Scan Title to the top of the Vulnerability Findings index.
This version is 2023.19.3.1 - Release Date: 2024-01-23
October 2023 Patch Update
We made a patch update to correct issues and improve performance.
- We created more efficiencies in our code for users accessing vulnerability finding details from Saved URLs.
- We resolved an issue where Security Gates were not working properly.
- We have improved load management across our infrastructure to improve communication between component systems and to improve scan performance.
This is version 19.1.17 - Release Date: 2023-10-17
September 2023 Patch Update
We made a patch update to resolve a minor issue.
On the Dashboard for a Workspace, the two visualizations and the top-line severity counts were reflecting the total number of issues found rather than only showing counts of issues with an ACTIVE status. This has been fixed.
This is version 19.1.5 - Release Date: 2023-09-29
September 2023 Update
We made a minor update that included a couple of small feature releases.
- Updated Reports
We added a "Lite Report" option that displays PDF reports with minimal formatting to reduce file sizes and enhance the ability to share and email.
- Updated API
We have updated our API documentation to reflect a greater range of request methods to allow for greater functionality.
- Log Viewer v1
Under the Setup → Logging Main Navigation it is now possible to view log data associated with an environment. You can use different criteria to review the activity for a particular scan or a Workspace.
This is version 19.1.3 - Release Date: 2023-09-27
Minor Update - August
We made a patch update to resolve a minor issue.
- Email Notifications for 2 Factor Authentication were not being sent promptly. Small code change to accommodate better reliability.
This is version 19.0.89
Minor Update - July
We made a patch update to resolve a number of minor issues.
- Resolved bug that would crash the user session when navigating between a newly opened tab to review a finding and the Findings Index screen in the previous tab.
- Resolved an issue related to using Single Sign-On with Azure AD
- Resolved an issue where scans would get stuck in pending status
- Resolved an issue where HTML encoded characters needed for spacing were appearing in Vulnerability Stack Tracing
- Resolved an issue with query parameters not working with screen pagination in Findings Detail screen
- Resolved an issue with the "Quick Export" button not working
- Resolved an issue with the formatting of long filenames and filepaths in printable report feature
- Resolved an issue with Google Auth SSO
This is version 19.0.87
Spring 2023 Update 1
We've made a number of follow-on bug fixes, and both feature and performance enhancements.
- Improvements/Bug Fixes for GitHub Integration
We have been working to improve the experience of using DigitSec to scan GitHub repositories. We have reduced the number of scans that we run on a repository to only the target branch. We've also improved the way issues are communicated to GitHub so that there is greater alignment between the findings presented in our system and the findings presented in the SARIF file. GitHub does have certain limitations on the number of issues it can accommodate, and we have noted that in our documentation. Also, GitHub deems some vulnerabilities to be duplicates, causing a slight variance in the top-line number of vulnerabilities reported.
- Algorithm Update
We have made some updates to our Algorithm that will improve recognition of certain bugs such as SOQL injection vulnerabilities.
- User Permission Editing
We have resolved a bug that prevented certain users who had been assigned a particular permission from being edited.
- Saved URLs
We have updated our system to properly handle authentication and redirection of inbound links. In some cases, Users relying on saved links were getting an error after authenticating.
- Modifying Scan Settings on Multiple Workspaces
For users that utilized the Switch Workspace pull-down menu to quickly make changes to Scan Settings, there was a bug where the UI did not properly reflect new changes even though the system recorded them. This has been fixed.
- Vulnerability Bookmark interfering with Working Issues Export
In our Summer 23 Release, we introduced a new feature that would visually highlight the previously viewed Vulnerability when moving from a Vulnerability Detail screen to a Vulnerability Index screen. This introduced an issue where there was no way to "de-select" the highlighted vulnerability. This had a further impact in that the "Working Issues Export" would then only include the highlighted vulnerability and not reflect the current page of the Active Working Query. We have temporarily rolled back this feature in this version to accommodate a more substantive resolution to this problem that will include new working exports reflecting an active query from the findings database.
- Improved Formatting on View Report
We are making some minor changes to the View Report functionality to resolve some of the extraneous spacing between report elements and to fix the way some long file paths do not wrap properly on the page. This is in advance of additional work this summer to deploy "lighter weight" reports and to allow for more customized reports.
This is version 19.0.81
Spring 2023
- Improved User Interface
We have updated the underlying front-end design framework from Bootstrap/Angular to React. This component-based design is much more nimble and responsive. We are also integrating cards and tabs much more consistently across screens. You will also notice improved data visualizations for each Workspace.
- Meta-Data for Scans
We have improved the amount of data we present to users on the Scan Statistics screen as well as on the data cards for each Scan. Users can now see at a glance which scan types were run and, for management purposes, they can modify the title or assign tags to Scans.
- Updated User Model
We have upgraded our user management model to allow admins to strictly control access on a per Workspace basis. The system includes two tiers of management: Environment and Workspace; there are also pre-established Admin, Manager, User, and Read-Only roles. Admins can create custom roles by assigning Read or Read/Write permissions on any major object.
Spring 2022
- Web Upload Zip File
Running SAST and SCA scans on zipped code packages got a lot easier when we added the capability to upload a file via browser Drag and Drop or File Picker to the S4 site. This capability has always been a part of the S4 Command Line Interface utility, but we extended it to the web as well.
- Common Weakness Enumeration
Software Developers from different backgrounds and experiences can now reference DigitSec S4 findings against a standard reference for the Software Development Lifecycle. Each vulnerability displays the CWE ID and the Findings Index page includes a pull-down menu for filtering results.
- Commerce Cloud
DigitSec expands the capabilities of S4 under a new licensing program that can target security vulnerabilities under Salesforce Commerce Cloud. Allowing public access to Salesforce CRM data can unleash amazing potential for businesses and organizations, but it can also expose massive vulnerabilities. Give your team the tools they need to confidently secure your Commerce Cloud environment.
Winter22
-
Single Sign On / Third Party Authentication
Integrate S4 with your Single Sign On provider and streamline your S4 onboarding process to include all the users in your organization. They’ll no longer be required to login directly to S4.- OneLogin
- OKTA
- Azure Active Directory
- Dynamic SAML
-
SAML Integrations
Leveraging the power of Security Assertion Markup Language allows you to integrate S4 with some of the most popular SSO providers. You can also leverage other SSO providers that are SAML compatible. -
Two Factor Authentication
Increase the security of your accounts by adding 2 Factor Authentication to every S4 user account. Users will receive a random string via email that will be used to verify access. -
Google OAuth
If you signed up for S4 with your Google Account, you can leverage that identity to authorize your access to S4. -
VS Code Plug-in
DigitSec has developed a robust plug-in for VS Code. You can find it in the VS Code Extensions Library by clicking on the Extensions icon and using the Search Tool to find "DigitSec s4". Now, Developers can run S4 scans on single files or entire projects directly from the IDE immediately after clicking Save. Vulnerability finding reports now allow you to click and go directly to that line of code.
SARIF Support with Git
Connecting S4 to a GitHub repository now allows Developers to quickly run scans against their source and target branches simultaneously to speed the process of identifying new vulnerabilities and fixes. This is a very powerful tool that makes it easy to keep track of potential problems. Bring the S4 Vulnerability Findings Detail report directly into your source code repository to empower your entire team to resolve issues across source and feature branches.
Scan Type filtering on Finding Reports
We are expanding the slice and dice capabilities of our findings detail pages for each scan, now allowing you to filter vulnerabilities by the type of scan that identifies the issue: Configuration Scans (CONFIG), Runtime/Interactive Scans (IAST), Code Composition (SCA), Static Code Analysis (SAST).
Expansion of Trial Account Functionality
Our free trial accounts have always been a great way to get a sense of S4 and how easy it is to get started scanning with S4. Many potential customers have been amazed to see the dashboard results showing the number of vulnerabilities grouped by severity. In the past, we've limited access to vulnerability findings reports to potential customers who were willing to schedule a meeting with us. In an effort to be more efficient and build more momentum with customers earlier in the sales cycle, we've modified the trial to show one example finding from each severity type. Customers can now see a real world example of how S4 interacts with their own code and config to highlight critical problems.
Copado Essentials Integration
In our Summer21 release, we added S4 integration with Copado. In this release, we expand on that integration by bringing S4 to the Copado Essentials Continuous Integration tool. You can access the S4 Scan results by jumping directly into S4.
Compliance Reporting Overlays
DigitSec Vulnerability Reports now include features that allow you to prioritize or filter findings based upon certain compliance regimes like HIPAA, SOX, APPI, ISO-27001, GDPR, and PCI-DSS.
UX/UI Improvements
With every release we make minor bug fixes and improvements. In this release, we've added the ability to add custom fields and values to S4 Findings results and have improved the filter selection tools for reports to include custom fields as well as the scan types, error types, severity level, task assignments, and compliance priorities.
Summer21
CI/CD Pipeline Integration
- Copado Integration
Adding to our existing CI/CD tools, we've integrated with Copado, an industry-leading DevOps Platform Manager. S4 can be called to scan your code during every build and test phase. You can manage Flow Parameters to set critical thresholds for gating your flows. Severity Summaries are entered into the Description of the Step Results with a link back to the S4 Dashboard Vulnerability Findings Report.
Code Repository / Version Control
- Integrate S4 with one of these code repositories and you will be able to run SAST and SCA scans directly on your code, instead of pulling from Salesforce. This functionality gives developers more control over scanning their code prior to deployment. Developers can initiate these scans from the S4 Dashboard, using the S4 CLI in their favorite IDE, or as a trigger in their CI/CD pipeline. Comments can be added to your commit or pull request with the severity summary findings of the scan.
- Bitbucket
- GitHub
- GitLab
- Azure DevOps
Salesforce OAuth Workflow for S4 Authorization
- Connecting to S4 and Salesforce is now even easier! Instead of needing to generate a specific key on Salesforce and then pass that key over to S4, Salesforce Administrators can add a Salesforce Org to S4 by simply logging into Salesforce with their credentials and clicking a confirmation button.
Expanded User Access Controls
- S4 Administrators now have a wider array of granular permissions that can be assigned to S4 users. Specific Users can be limited to scanning only certain Salesforce Orgs.
Expanded Scan Granularity on a per Org basis
- Users now have more flexibility to control which scans run on a per Org basis when they initiate the scan via the S4 Dashboard. For example, your sandbox org may only need SAST/SCA scans while your production org would have SAST/IAST/SCA/CONFIG. These changes will be effective for all users in your S4 account.
UX/UI Improvement
- With every release we make minor bug fixes and improvements. In this release, we have made changes to the dashboard that improve the readability of the data visualizations. We've also improved the multi-select dropdown menus for easier selection and deselection of orgs included in the visualization. Also, you can now use our dashboard to schedule scans on a per org basis. Finally, page display and HTML redirects now provide a better user experience.
Spring21
Jenkins Integration
- Connect S4 to one of the popular CI/CD automation tools and have S4 run a scan on your code after kicking off a commit.
S4 CLI
- Harness the power of the S4 Cloud by using this utility that integrates with your favorite Command Line interface.
IDE Plugin Integration
- Developers live in their Integrated Development Environments. They can now include S4 information directly in their source code and issue commands to run scans on local files directly from their IDE Terminal command line.
- IntelliJ
- VS Code
Winter21
Jira Integration
- S4 now allows you to synchronize your Vulnerability Findings Report with JIRA, allowing you to manage the remediation of bugs inside your existing Software Development Lifecycle Management tools and processes.
Software Composition Analysis Scan 2.0
- S4 integrates a new scan into the platform which analyzes bundled and remotely referenced code libraries to check whether they are appearing in Common Vulnerability and Exploit databases, giving you confidence in your software supply chain.
Improved UX/UI Elements
- With every release we make minor bug fixes and improvements. In this release, we have integrated powerful data visualizations into the S4 dashboard that give users a fulsome understanding of the distribution of potential attack vectors.