Enhancements

Report & Export Permissions Update

Improved report permissions to make data access clearer and more secure:

• PDF reports and report template configurations now require login with a Bearer token (used in the Bright web app).
• API Keys continue to support other export formats such as CSV, JSON, SARIF, and HAR.

If your automations use API Keys for PDF reports, switch to Bearer token authentication to continue using this feature.

Scope behavior for exporting reports:

New: Filter Entrypoints by Host

A new host-based filter has been added to the Entrypoints tables in both Scan and Discovery pages. This improvement allows users to quickly isolate and view entrypoints associated with specific hosts, ensuring more accurate visibility and troubleshooting across multi-host projects.

Improved Projects Page Layout

Projects page UI improvements for easier navigation and use.

What's New:

• Moved the toolbar from the bottom to the top of the page for better visibility and a more intuitive layout.
• Added a Create Discovery button in the Discovery tab.
• Added a Create Entry Point button in the Entry Points tab.
• You can now share direct links to specific tabs or items within the Projects page.

These updates are part of our ongoing effort to improve usability and align the Projects area with the upcoming new Bright dashboard experience . No workflow or automation changes are required on your side - this update is UI only.

Bright-CLI

New version of Bright-CLI v13.8.0.

New features:

• CI: support arm64 in docker hub.

Bug fixes:

• Resolved the repeater connection issue which occasionally happened on bridge service restart, where repeaters appeared connected but were unresponsive.

Removed deprecated endpoint

The entry point GET '/api/v1/me/org/memberships' is now deprecated.

Integrations

OX Security integration (ASPM)

Bright now integrates with OX Security. You can automatically import Bright DAST findings into OX to manage AppSec risks in a single backlog with consistent prioritization and automated routing. The integration enables seamless visibility and unified risk management across your SDLC.

Enhancements

Mask toggle for Additional Headers in the Authentication Flow dialog

Values of a specific header in the Advanced tab of the Authentication flow dialog can now be set to display as Clear Text or Masked Text. This masking enhancement follows the same role scopes as the existing mask feature.

Note: The unmasking access scope determines the ability to mask and unmask values.

For more information, see Additional Headers

Unconfirmed Issues Tab Now Visible by Default

The Unconfirmed Issues tab is now visible by default on the Scan and Project details pages. This tab was previously hidden by default making it harder for new users to find unconfirmed issues show in the scan widgets to locate their details.

Redesigned Email Templates

Bright system emails now include modernized layouts, and improved readability for easier communication and understanding.

Improvements

Scheduled Scans Reliability Improvements

The issue preventing scheduled scans from running as expected due to unavailable repeaters or off-line environments is resolved. Scans will now start and complete in the correct sequence, ensuring reliable automation and scheduled scan results.

SSO Configuration Fix

The issue preventing users from completing SSO setup after removing a previous authentication provider is now resolved. A Disconnect button was added enabling users to to reset or remove configurations at any time, preventing setup interruptions.

Visual Fixes in Scan Progress

Several UI inconsistencies in the Scan Info > Progress view are now resolved. When no entry points are scanned (0/0), the system now displays N/A instead of 100%, providing a clearer and more accurate representation of scan results.

Upcoming breaking changes

API Scope Update - Effective October 21, 2025

Report permissions will be more clear and secure.

What will change

Starting October 21, 2025, certain actions related to PDF report generation will require a different authentication method:

• PDF report generation (for Scan and Project) and organization-level report configuration will be available only when using a Bearer token – the same authentication method used in the Bright web app.

  These actions will require two specific permissions:

  • reports:read – to view and export reports
  • reports:write – to edit or configure report templates

• API Keys will no longer support these report-related endpoints.

  • Regular exports such as CSV, JSON, SARIF, HAR, etc., will continue to work with API Keys as before.

This update helps prevents users with limited roles from exporting sensitive report data without proper access.

What you’ll need to do

If you or your automations currently use API Keys to generate PDF reports or configure report templates, switch to Bearer token authentication to continue using these capabilities.

No action will be required for other export formats.

Enhancements

Repeater Editing Scope Restriction

Addition of a dedicated scope restriction ensuring that only authorized users can make edits to specified repeaters.

In large organizations, multiple teams often work with the same repeaters. This new dedicated repeater scope ensures that only specified team members can edit a repeater’s name or settings.

Repeater editing options include:

• Rename
• Change description
• Reassign to a different project
• Add a script

Key updates:

• Scope restriction:
  • Only users with the new scope repeaters:manage can perform edit actions.
  • Scope repeaters:write is still required for creating and removing repeaters, as well as activating/deactivating them.
  • During rollout, repeaters:manage will be automatically added to any Role or API key that already has repeaters:write.

Non-authorized users:

• The Edit button is changed to View, and the edit window is grayed out.

Audit logs:

• All repeater edit actions (name, description, reassignments, scripts) are logged.
• Audit logs include repeater name, action, user, and timestamp.

This change strengthens governance and prevents accidental or unauthorized changes across teams, while ensuring all activity remains visible in audit logs.

Pretty print for JSON bodies

The Request and Response Body display fields now include a Pretty print toggle. When enabled, the field shows JSON in an indented, multi-line view instead of a single line.

For example From:

To:

Re-auth triggers: AND/OR groups

It is now possible to combine re-auth triggers with AND or OR and to organize them into groups. This makes it easier to describe how authentication failure looks in mixed targets (web pages and APIs).

• See more details here: https://docs.brightsec.com/docs/add-new-auth-object#/

User icon tooltip now displays the user’s full name

The header tooltip has been updated: when hovering the user icon, it now shows the full name of the logged-in user (replacing the previous “Account” text). This helps confirm which account is active at a glance.

API Endpoint Deprecation Notice - /api/v1/me/org/memberships

We are deprecating the endpoint /api/v1/me/org/memberships.

Timeline

Deprecation start: September 22, 2025

Removal date: October 19, 2025, midnight UTC

The endpoint will continue to function during the deprecation window. After the removal date, it will no longer be available, and requests will fail.

Enhancements

Bulk selection in the status tab

Now you can save time managing large sets of issues inside the Issues table, reduce repetitive work across pages, get clear visibility with a “Selected X of Y” counter, and stay in control with transparent feedback after every bulk action.

What’s new

• Select all across pages - use the "Add all to selection" button to select every issue that matches your current filters, not just the ones on the current page.
• Filter and select - apply bulk actions to only the issues that match your chosen filters.
• Clear selection- reset your choices instantly with the "Clear selection" button.
• Selection counter - always see how many issues you’ve selected out of the total.
• Smarter bulk actions - bulk actions (Resolve, Reopen, Ignore) apply only where they are supported. For example, “Reopen” will affect only resolved issues.
• Confirmation & feedback - before applying an action, you’ll see a confirmation window. Once complete, a notification shows exactly how many issues were updated and if any were skipped.

How it works

• If you select issues with mixed statuses, all actions appear, but only relevant ones are applied.
• If you bulk select a single status, only the actions valid for that status will be highlighted.

Updated API Documentation Link

We’ve updated the API docs link in the Help menu (top toolbar). The link now points to the latest V3 API documentation: API docs V3

This ensures you always have quick access to the most up-to-date API references and capabilities.

Simplified Access to Logs

We’ve streamlined log access by removing the unused logs scope. Going forward, only the org.logs scope will be available for viewing organization-wide logs.

What this means for you

• No impact on access - users with the correct roles and API keys will continue to see all log information as before.
• Audit Log unchanged- all Audit Log features remain fully accessible.
• Cleaner permissions - reduced redundancy makes roles and scopes easier to understand and manage.

Fresh Look: Updated Product Logo

We’ve refreshed our product logo to align with our new brand look.

Enhancements

Install the Bright CLI Repeater as a Helm Chart

The Bright CLI Repeater lets you run Bright security scans without exposing your internal applications to the Internet.

The Repeater acts as a secure proxy that connects to your local targets and forwards scan requests from the Bright cloud engine. With this release, the CLI Repeater can now be installed as a Helm Chart.

For more information, see Bright CLI Repeater.

Find and parse GQL entrypoints

The Bright engine now automatically detects and parses the GraphQL schemas it encounters. This new feature automatically expands the scan's scope by adding all endpoints defined within the schema, ensuring that even hidden APIs are detected and tested.

For more information, see Adding entrypoints to your project.

Mask toggle for headers and bodies in the Authentication Flow dialog

You can now define if a value of a specific header or body would be displayed as Clear Text or Masked Text.

Note: The ability to mask and unmask values is determined by the unmasking access scope.

For more information, see Authentication Flow.

Import Baseline Parameters from Insomnia

You can now import Baseline Parameters directly from Insomnia’s YAML export (type: collection.insomnia.rest/5.0)

To learn more information about Baseline Parameters, see: Baseline Parameters

Pretty Print format in Auth Flow steps

Users can now toggle to Pretty Print format in the body fields of the request/response of the Test result tab of the Authentication object.

Disable 2FA for Users

To help organizations maintain flexibility without compromising on security, Bright now provides admins and owners with a controlled way to manage members' 2FA settings. This ensures business continuity in urgent cases while keeping full auditability and accountability.

Bright organization Owners and Admins with the scope: org.memberships.reset-mfa can now disable 2FA for members directly from the Members page. The disable option is available only to users who have 2FA enabled. T

When 2FA is disabled for a member, the member will be logged out of all active sessions and will need to re-enroll when logging in again. Every 2FA action taken is fully tracked in the audit log, including the timestamp, the actor, the target user, and the IP address. Members whose 2FA was disabled will automatically receive an email notification regarding the change.

Restrictions:

• Admins cannot disable 2FA for other Admins.
• Owners can disable 2FA for all members.
• Users without the correct scope will not see Disable 2FA as an option from the kebab menu in the members page.
• If organization-wide mandatory 2FA is enabled, users will be required to reconfigure 2FA on their next login.

Ignored Issues tab and improved widgets

We’ve introduced a new Ignored Issues tab in the Scan and Project details pages to help you better manage issues you’ve chosen to ignore, such as false positives or irrelevant entry points.

Ignored Issues tab

• After marking issues as Ignored (single or bulk), they're now automatically move to the tab, keeping the main Issues table view focused on active vulnerabilities.
• The Ignored issues tab displays the same columns as the main Issues table.
• You can set a *Reopen status to ignored issues individually (via the kebab menu) or in bulk, moving them back to the main table.
• The Ignored Issue setting persists across rescans, so you don't need to perform the same action again and again.
• Tab visibility can be toggled via the gear icon in Settings.

Widgets & History

• Ignored cases are now grouped under the Closed section, with hover tooltips showing the breakdown between Ignored and Resolved.
• Hovering on severity labels shows a breakdown of New vs. Recurring issues, while hovering on Closed/Total shows Resolved vs. Ignored.
• Clicking a widget opens a filtered view per severity.
• The History page shows the total number of vulnerabilities found (unfiltered). Clicking it drills down into filtered views.

Contextual Issue Actions

The Issues table actions now show only the relevant options based on each issue’s current status, reducing confusion and preventing invalid actions.

Status-based actions:

• New → Resolve, Ignore (move to ignored issues tab)
• Resolved → Reopen
• Ignored → Reopen (moves back to main Issues table)
• Recurring → Resolve, Ignore

Bulk actions:

• Actions are only available if all selected issues support them.
• If not applicable, buttons are disabled with tooltips explaining why.
• For bulk changes, a confirmation modal will appear (e.g. “Are you sure you want to Resolve 12 issues?”).

UI improvements: Action buttons are now color-coded for clarity:

• Resolve → Green
• Reopen → Purple
• Ignore → Orange

API for a bulk project issue action changes:

The following API was added:

/api/v1/project-issues/status

Payload:

{"projectIssueIds": string[],"action": "resolve" | "ignore" | "reopen"}

Enhancements

New scan type: Scan By Status

We’re excited to roll out a new type of scan: "Scan by Status", giving you the power to run scans filtered by Entry Point status: New, Changed, Tested, Vulnerable.
No more scanning everything when you don’t have to - target exactly what matters, save time, and get results faster.

Create Scan By Status

Where to Use:

• Create Scan Page - Create status-based scans from the "scans" page that always use the latest Discovery results from the project.
• Project Page - Select specific entry points from the project page; there's no need to pre-filter by status. Choose statuses when you create the scan, and the filtering will be done automatically.
• Retest- Retest past scans with updated statuses. If entry points were selected in the original config, they’ll be reused.

Tip 1: You can select one or multiple statuses when setting up the scan, attach a Repeater, and define a schedule via the Summary and Scheduling tab.

Tip 2: Automate your workflow by scheduling a Discovery scan first, followed by a status-based DAST scan with a short delay. To ensure your DAST scan always uses the latest Entry Points without manual selection, we suggest configuring it from the scan page.

API Support for Scan by Status

Endpoint:
POST /api/v1/scans

Request Body:

"entryPointsStatuses": ["new", "changed", "tested", "vulnerable" ]

New Ignored Issues Tab

We’ve added a dedicated tab for Ignored Issues in the Project details page - making it easier than ever to manage issues you’ve chosen to ignore. This means you can keep your main Issues tab clean and focus only on what matters most - while still keeping ignored items just one click away

What’s new:

Dedicated Tab: A new "Ignored Issues" tab appears next to the Issues tab. You can hide it anytime via the settings.

Quick Actions:

• Setting the issue under the status "Ignore" will automatically move the issue to the dedicated tab.
• Reopen an ignored issue directly from the menu to move it back to the main table.
• Bulk-select multiple issues and reopen/ignore them all in one click.
• Seamless Workflow: If an ignored issue reappears in a scan, it will stay ignored and remain in this tab - no need to re-ignore it again.

Test authentication now shows progress results in real-time

Previously, you had to wait for the authentication test process to complete to see results. Steps now show progress in real-time.

Crawler will correctly find and parse OAS entrypoints

The crawler automatically detects and parses the OpenAPI Specification it encounters. Automatically expands the scan's scope by adding all endpoints defined within the schema, ensuring even "hidden" APIs are tested.

Additional Headers in Authentication Objects

Additional Headers are used to handle complex login scenarios. This feature enables you to inject custom HTTP headers or internal feature flags into every request throughout the entire authentication process. This could be essential for successfully bypassing conditional access controls like WAFs, captchas, or other security measures that could otherwise block the login flow.

Skipped Entrypoints moved to a dedicated tab

To increase the efficiency when reviewing Entrypoints in the discovery details page, we have moved the skipped Entrypoints to a separate tab. You can now see the list of skipped Entrypoints and the skipped reason without having to drill down into the Entrypoint details page.

Updates:

• The Skipped Entrypoints tab is now shown by default. Use the gear settings button on the right to disable it.
• Skipped entrypoints will be deleted after 61 days from Discovery/Scan job is finished.

API Update

Deprecated API Endpoints Have Been Removed

As of August 12th, 2025, the following API changes announced on July 15th are now in effect. The previously deprecated endpoints have been removed and are no longer operational. Please ensure all your applications and integrations are updated to use the current API endpoints to maintain functionality.

• Audit log:
  • Update:
    /api/v2/me/org/logs
  • Being deprecated:
    • /api/v1/me/org/logs
    • /api/v1/me/logs
• Scan PDF:
  • Update:
    /api/v1/scans/{scanId}/reports/pdf
  • Being deprecated:
    • /api/v2/scans/{scanId}/entry-points/report-vulnerable
    • /api/v1/scans/{scanId}/checks
• Project PDF:
  • Update:
    /api/v2/projects/{projectId}/issues/pdf
  • Being deprecated:
    • /api/v2/projects/{projectId}/entry-points/report-vulnerable
    • /api/v1/projects/{projectId}/checks

Enhancements

Skipped Entrypoints moved to a dedicated tab

To increase the efficiency when reviewing Entrypoints in the discovery details page, we have moved the skipped Entrypoints to their own tab. You can now see the list of skipped Entrypoints and the skipped reason without having to drill-down into the Entrypoint details page.

Note: The Skipped Entrypoints tab isn't shown by default. Use the gear settings button on the right to enable it.

Baseline parameters now support masked values

You can now define that a specific parameter should be Masked instead of being stored as Clear Text. Masked values can only be unmasked with the unmasking access scope.

Additional columns in the Discovery history tab

The Discovery history table has two additional columns: Elapsed and Entrypoints.

Notice of Upcoming Breaking API changes

Starting August 12th, 2025 the following API endpoints will be changed. Take note of the deprecations listed and their replacements. Replacement endpoints can be used as of today, July 15th. All deprecated endpoints will remain available until August 11th at midnight UTC.

• Audit log:
  • Update:
    /api/v2/me/org/logs
  • Being deprecated:
    • /api/v1/me/org/logs
    • /api/v1/me/logs
• Scan PDF:
  • Update:
    /api/v1/scans/{scanId}/reports/pdf
  • Being deprecated:
    • /api/v2/scans/{scanId}/entry-points/report-vulnerable
    • /api/v1/scans/{scanId}/checks
• Project PDF:
  • Update:
    /api/v2/projects/{projectId}/issues/pdf
  • Being deprecated:
    • /api/v2/projects/{projectId}/entry-points/report-vulnerable
    • /api/v1/projects/{projectId}/checks

Enhancements

Baseline parameters

Import of Global Variables that were exported from Postman, can now be imported as baseline parameters.

Deduplication of similar entrypoints

Deduplication of similar entrypoints skip entrypoints with similar content. With this release a content overlap customization setting was added. The setting defines the percentage of content overlap allowed between web pages before they are treated as the same. Read more in here.

Audit log

The Audit log now records additional actions related to: Project and Scan reports generation and access to the audit log.

Issues table

The default columns sorting of the issues table (in project and scans) have changed, and now the Severity and Issue Type will appear first.

Notice of Upcoming Breaking API changes

Starting August 12th, 2025 the following API endpoints will be changed. Take note of the deprecations listed and their replacements. Replacement endpoints can be used as of today, July 15th. All deprecated endpoints will remain available until August 11th at midnight UTC.

• Audit log:
  • Update:
    /api/v2/me/org/logs
  • Being deprecated:
    • /api/v1/me/org/logs
    • /api/v1/me/logs
• Scan PDF:
  • Update:
    /api/v1/scans/{scanId}/reports/pdf
  • Being deprecated:
    • /api/v2/scans/{scanId}/entry-points/report-vulnerable
    • /api/v1/scans/{scanId}/checks
• Project PDF:
  • Update:
    /api/v2/projects/{projectId}/issues/pdf
  • Being deprecated:
    • /api/v2/projects/{projectId}/entry-points/report-vulnerable
    • /api/v1/projects/{projectId}/checks

Enhancements

Recorded Browser-Based Advanced JSON Editor

The recording editor now supports a full JSON edit of the recording file. Read here for additional information.

Audit log

The Audit log has a few additional improvements:

• Certain events now contain the modified attributes.

  

• Added coverage for bulk operations.

• New actions were added: Scan templates, usage of revoked/expired API keys, Password reset operations, Usage of obsolete refresh tokens, Reports generation and User lockouts.

Bright-CLI

• v13.5.0: You can now specify multiple certificates for a repeater instance. This includes specifying different certificates for the same host on different ports. See the cert attribute for samples in Initializing the Repeater.

Enhancements

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Failed logging attempts, Password reset requests and User lockout events.

Infrastructure

Various infrastructure & platform improvements and updates were made to increase scan speed.