Changelog
Start typing to search…

Release of September 23rd, 2025

Enhancements

Repeater Editing Scope Restriction

Addition of a dedicated scope restriction ensuring that only authorized users can make edits to specified repeaters.

In large organizations, multiple teams often work with the same repeaters. This new dedicated repeater scope ensures that only specified team members can edit a repeater’s name or settings.

Repeater editing options include:

  • Rename
  • Change description
  • Reassign to a different project
  • Add a script

Key updates:

  • Scope restriction:
    • Only users with the new scope repeaters:manage can perform edit actions.
    • Scope repeaters:write is still required for creating and removing repeaters, as well as activating/deactivating them.
    • During rollout, repeaters:manage will be automatically added to any Role or API key that already has repeaters:write.

Non-authorized users:

  • The Edit button is changed to View, and the edit window is grayed out.

Audit logs:

  • All repeater edit actions (name, description, reassignments, scripts) are logged.
  • Audit logs include repeater name, action, user, and timestamp.

This change strengthens governance and prevents accidental or unauthorized changes across teams, while ensuring all activity remains visible in audit logs.

Edit repeater

Pretty print for JSON bodies

The Request and Response Body display fields now include a Pretty print toggle. When enabled, the field shows JSON in an indented, multi-line view instead of a single line.

For example From:

Body pretty print

To:

Body pretty print

Re-auth triggers: AND/OR groups

It is now possible to combine re-auth triggers with AND or OR and to organize them into groups. This makes it easier to describe how authentication failure looks in mixed targets (web pages and APIs).

User icon tooltip now displays the user’s full name

The header tooltip has been updated: when hovering the user icon, it now shows the full name of the logged-in user (replacing the previous “Account” text). This helps confirm which account is active at a glance.

API Endpoint Deprecation Notice - /api/v1/me/org/memberships

We are deprecating the endpoint /api/v1/me/org/memberships.

Timeline

Deprecation start: September 22, 2025

Removal date: October 19, 2025, midnight UTC

The endpoint will continue to function during the deprecation window. After the removal date, it will no longer be available, and requests will fail.


Release of September 9th 2025

Enhancements

Bulk selection in the status tab

Now you can save time managing large sets of issues inside the Issues table, reduce repetitive work across pages, get clear visibility with a “Selected X of Y” counter, and stay in control with transparent feedback after every bulk action.

What’s new

  • Select all across pages - use the "Add all to selection" button to select every issue that matches your current filters, not just the ones on the current page.
  • Filter and select - apply bulk actions to only the issues that match your chosen filters.
  • Clear selection- reset your choices instantly with the "Clear selection" button.
  • Selection counter - always see how many issues you’ve selected out of the total.
  • Smarter bulk actions - bulk actions (Resolve, Reopen, Ignore) apply only where they are supported. For example, “Reopen” will affect only resolved issues.
  • Confirmation & feedback - before applying an action, you’ll see a confirmation window. Once complete, a notification shows exactly how many issues were updated and if any were skipped.

How it works

  • If you select issues with mixed statuses, all actions appear, but only relevant ones are applied.
  • If you bulk select a single status, only the actions valid for that status will be highlighted.
Bulk selection

Updated API Documentation Link

We’ve updated the API docs link in the Help menu (top toolbar). The link now points to the latest V3 API documentation: API docs V3

This ensures you always have quick access to the most up-to-date API references and capabilities.

Simplified Access to Logs

We’ve streamlined log access by removing the unused logs scope. Going forward, only the org.logs scope will be available for viewing organization-wide logs.

What this means for you

  • No impact on access - users with the correct roles and API keys will continue to see all log information as before.
  • Audit Log unchanged- all Audit Log features remain fully accessible.
  • Cleaner permissions - reduced redundancy makes roles and scopes easier to understand and manage.

Fresh Look: Updated Product Logo

We’ve refreshed our product logo to align with our new brand look.


Release of August 27th, 2025

Enhancements

Install the Bright CLI Repeater as a Helm Chart

The Bright CLI Repeater lets you run Bright security scans without exposing your internal applications to the Internet.

The Repeater acts as a secure proxy that connects to your local targets and forwards scan requests from the Bright cloud engine. With this release, the CLI Repeater can now be installed as a Helm Chart.

For more information, see Bright CLI Repeater.

Find and parse GQL entrypoints

The Bright engine now automatically detects and parses the GraphQL schemas it encounters. This new feature automatically expands the scan's scope by adding all endpoints defined within the schema, ensuring that even hidden APIs are detected and tested.

For more information, see Adding entrypoints to your project.

Mask toggle for headers and bodies in the Authentication Flow dialog

You can now define if a value of a specific header or body would be displayed as Clear Text or Masked Text.

Note: The ability to mask and unmask values is determined by the unmasking access scope.

For more information, see Authentication Flow.

Import Baseline Parameters from Insomnia

You can now import Baseline Parameters directly from Insomnia’s YAML export (type: collection.insomnia.rest/5.0)

To learn more information about Baseline Parameters, see: Baseline Parameters

Pretty Print format in Auth Flow steps

Users can now toggle to Pretty Print format in the body fields of the request/response of the Test result tab of the Authentication object.

Disable 2FA for Users

To help organizations maintain flexibility without compromising on security, Bright now provides admins and owners with a controlled way to manage members' 2FA settings. This ensures business continuity in urgent cases while keeping full auditability and accountability.

Bright organization Owners and Admins with the scope: org.memberships.reset-mfa can now disable 2FA for members directly from the Members page. The disable option is available only to users who have 2FA enabled. T

When 2FA is disabled for a member, the member will be logged out of all active sessions and will need to re-enroll when logging in again. Every 2FA action taken is fully tracked in the audit log, including the timestamp, the actor, the target user, and the IP address. Members whose 2FA was disabled will automatically receive an email notification regarding the change.

Restrictions:

  • Admins cannot disable 2FA for other Admins.
  • Owners can disable 2FA for all members.
  • Users without the correct scope will not see Disable 2FA as an option from the kebab menu in the members page.
  • If organization-wide mandatory 2FA is enabled, users will be required to reconfigure 2FA on their next login.

Ignored Issues tab and improved widgets

We’ve introduced a new Ignored Issues tab in the Scan and Project details pages to help you better manage issues you’ve chosen to ignore, such as false positives or irrelevant entry points.

Ignored Issues tab

  • After marking issues as Ignored (single or bulk), they're now automatically move to the tab, keeping the main Issues table view focused on active vulnerabilities.
  • The Ignored issues tab displays the same columns as the main Issues table.
  • You can set a *Reopen status to ignored issues individually (via the kebab menu) or in bulk, moving them back to the main table.
  • The Ignored Issue setting persists across rescans, so you don't need to perform the same action again and again.
  • Tab visibility can be toggled via the gear icon in Settings.

Widgets & History

  • Ignored cases are now grouped under the Closed section, with hover tooltips showing the breakdown between Ignored and Resolved.
  • Hovering on severity labels shows a breakdown of New vs. Recurring issues, while hovering on Closed/Total shows Resolved vs. Ignored.
  • Clicking a widget opens a filtered view per severity.
  • The History page shows the total number of vulnerabilities found (unfiltered). Clicking it drills down into filtered views.

Contextual Issue Actions

The Issues table actions now show only the relevant options based on each issue’s current status, reducing confusion and preventing invalid actions.

Status-based actions:

  • New → Resolve, Ignore (move to ignored issues tab)
  • Resolved → Reopen
  • Ignored → Reopen (moves back to main Issues table)
  • Recurring → Resolve, Ignore

Bulk actions:

  • Actions are only available if all selected issues support them.
  • If not applicable, buttons are disabled with tooltips explaining why.
  • For bulk changes, a confirmation modal will appear (e.g. “Are you sure you want to Resolve 12 issues?”).

UI improvements: Action buttons are now color-coded for clarity:

  • Resolve → Green
  • Reopen → Purple
  • Ignore → Orange

API for a bulk project issue action changes:

The following API was added:

/api/v1/project-issues/status

Payload:

{"projectIssueIds": string[],"action": "resolve" | "ignore" | "reopen"}


Release of August 12th, 2025

Enhancements

New scan type: Scan By Status

We’re excited to roll out a new type of scan: "Scan by Status", giving you the power to run scans filtered by Entry Point status: New, Changed, Tested, Vulnerable.
No more scanning everything when you don’t have to - target exactly what matters, save time, and get results faster.

Create Scan By Status

Where to Use:

  • Create Scan Page - Create status-based scans from the "scans" page that always use the latest Discovery results from the project.
  • Project Page - Select specific entry points from the project page; there's no need to pre-filter by status. Choose statuses when you create the scan, and the filtering will be done automatically.
  • Retest- Retest past scans with updated statuses. If entry points were selected in the original config, they’ll be reused.

Tip 1: You can select one or multiple statuses when setting up the scan, attach a Repeater, and define a schedule via the Summary and Scheduling tab.

Tip 2: Automate your workflow by scheduling a Discovery scan first, followed by a status-based DAST scan with a short delay. To ensure your DAST scan always uses the latest Entry Points without manual selection, we suggest configuring it from the scan page.

API Support for Scan by Status

Endpoint:
POST /api/v1/scans

Request Body:

"entryPointsStatuses": ["new", "changed", "tested", "vulnerable" ]


New Ignored Issues Tab

We’ve added a dedicated tab for Ignored Issues in the Project details page - making it easier than ever to manage issues you’ve chosen to ignore. This means you can keep your main Issues tab clean and focus only on what matters most - while still keeping ignored items just one click away

What’s new:

Dedicated Tab: A new "Ignored Issues" tab appears next to the Issues tab. You can hide it anytime via the settings.

Quick Actions:

  • Setting the issue under the status "Ignore" will automatically move the issue to the dedicated tab.
  • Reopen an ignored issue directly from the menu to move it back to the main table.
  • Bulk-select multiple issues and reopen/ignore them all in one click.
  • Seamless Workflow: If an ignored issue reappears in a scan, it will stay ignored and remain in this tab - no need to re-ignore it again.

Test authentication now shows progress results in real-time

Previously, you had to wait for the authentication test process to complete to see results. Steps now show progress in real-time.


Crawler will correctly find and parse OAS entrypoints

The crawler automatically detects and parses the OpenAPI Specification it encounters. Automatically expands the scan's scope by adding all endpoints defined within the schema, ensuring even "hidden" APIs are tested.


Additional Headers in Authentication Objects

Additional Headers are used to handle complex login scenarios. This feature enables you to inject custom HTTP headers or internal feature flags into every request throughout the entire authentication process. This could be essential for successfully bypassing conditional access controls like WAFs, captchas, or other security measures that could otherwise block the login flow.


Skipped Entrypoints moved to a dedicated tab

To increase the efficiency when reviewing Entrypoints in the discovery details page, we have moved the skipped Entrypoints to a separate tab. You can now see the list of skipped Entrypoints and the skipped reason without having to drill down into the Entrypoint details page.

Updates:

  • The Skipped Entrypoints tab is now shown by default. Use the gear settings button on the right to disable it.
  • Skipped entrypoints will be deleted after 61 days from Discovery/Scan job is finished.

API Update

Deprecated API Endpoints Have Been Removed

As of August 12th, 2025, the following API changes announced on July 15th are now in effect. The previously deprecated endpoints have been removed and are no longer operational. Please ensure all your applications and integrations are updated to use the current API endpoints to maintain functionality.

Release of July 29th, 2025

Enhancements

Skipped Entrypoints moved to a dedicated tab

To increase the efficiency when reviewing Entrypoints in the discovery details page, we have moved the skipped Entrypoints to their own tab. You can now see the list of skipped Entrypoints and the skipped reason without having to drill-down into the Entrypoint details page.

Note: The Skipped Entrypoints tab isn't shown by default. Use the gear settings button on the right to enable it.

Baseline parameters now support masked values

You can now define that a specific parameter should be Masked instead of being stored as Clear Text. Masked values can only be unmasked with the unmasking access scope.

Additional columns in the Discovery history tab

The Discovery history table has two additional columns: Elapsed and Entrypoints.


Notice of Upcoming Breaking API changes

Starting August 12th, 2025 the following API endpoints will be changed. Take note of the deprecations listed and their replacements. Replacement endpoints can be used as of today, July 15th. All deprecated endpoints will remain available until August 11th at midnight UTC.

Release of July 16th, 2025

Enhancements

Baseline parameters

Import of Global Variables that were exported from Postman, can now be imported as baseline parameters.

Deduplication of similar entrypoints

Deduplication of similar entrypoints skip entrypoints with similar content. With this release a content overlap customization setting was added. The setting defines the percentage of content overlap allowed between web pages before they are treated as the same. Read more in here.

Audit log

The Audit log now records additional actions related to: Project and Scan reports generation and access to the audit log.

Issues table

The default columns sorting of the issues table (in project and scans) have changed, and now the Severity and Issue Type will appear first.

Notice of Upcoming Breaking API changes

Starting August 12th, 2025 the following API endpoints will be changed. Take note of the deprecations listed and their replacements. Replacement endpoints can be used as of today, July 15th. All deprecated endpoints will remain available until August 11th at midnight UTC.

Release of July 1st, 2025

Enhancements

Recorded Browser-Based Advanced JSON Editor

The recording editor now supports a full JSON edit of the recording file. Read here for additional information.

Audit log

The Audit log has a few additional improvements:

  • Certain events now contain the modified attributes.

  • Added coverage for bulk operations.

  • New actions were added: Scan templates, usage of revoked/expired API keys, Password reset operations, Usage of obsolete refresh tokens, Reports generation and User lockouts.

Bright-CLI

  • v13.5.0: You can now specify multiple certificates for a repeater instance. This includes specifying different certificates for the same host on different ports. See the cert attribute for samples in Initializing the Repeater.

Release of June 11th, 2025

Enhancements

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Failed logging attempts, Password reset requests and User lockout events.

Infrastructure

Various infrastructure & platform improvements and updates were made to increase scan speed.

Release of May 28th, 2025

Enhancements

Replace host

The project's entrypoints table allows you to change the host of a single entrypoint or multiple entrypoints in bulk. Read more about this in here.

New "Resource" field in OAuth authentication object

We've added support for defining resources when setting an OAuth authentication object.

New Audit log table

The Audit log has a new table design with additional fields and filters. Read more about the audit log in here.

Bright-CLI

Release of May 14th, 2025

Enhancements

Repeaters monitoring

You can now receive alerts if your repeaters go down. See Managing Repeaters.

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Organization and project integrations, Discovery, Projects, Organization report settings, IP restrictions.

Bright-CLI

  • v13.2.0: Syntax change.
    • Use artificial-fragment instead of artifical-fragment.
    • Use artificial-query instead of artifical-query.

Test Deprecation

Mass Assignment