Enhancements

Repeaters monitoring

You can now receive alerts if your repeaters go down. See Managing Repeaters.

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Organization and project integrations, Discovery, Projects, Organization report settings, IP restrictions.

Test Deprecation

Mass Assignment

• The Mass Assignment test was deprecated on April 15th, 2025. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

Ability to unmask passwords in Authentication Objects

Password masking for recorder browser-based authentication was added.

Deduplication of similar entrypoints

Discoveries now support the ability to skip entrypoints with similar content. This will result in less entrypoints being added to the project, leading to a faster scan time.

Rate limiting control for discoveries and scans

You can now control how many requests per second will be sent to the target or let us calculate it based on the target's responses.

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Groups, Repeaters, Repeaters Scripts, Webhooks.

New Settings layout for improved usability

Project Settings now features a tabbed layout for easier navigation and better usability.

Test Deprecation

Mass Assignment

• The Mass Assignment test was deprecated on April 15th, 2025. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

Ability to unmask passwords in Authentication Objects

Passwords and Authorization headers in Authentication Objects are now masked by default to enhance data protection.
Users with the new unmask-password scope can view the full password when needed. Password masking for recorder browser-based authentication is not yet available but will be supported in a later release.

New Settings layout for improved usability

The Organization section has been renamed to Settings and now features a tabbed layout for easier navigation and better usability.

New Tasks Queue section in Settings

A Tasks Queue section has been added to the Settings view, providing visibility into running and queued scans and discoveries.

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Authentication Objects, Scans, MFA, SSO, Directory Sync, Files, Organization API Keys, and Project API Keys.

Test Deprecation

Mass Assignment

• Mass Assignment test is now deprecated. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

Ability to add a discovery/scan to the top of the queue

• When starting a new discovery/scan, you can now select to add the new discovery/scan to the top of the queue.
• Note, the default options were renamed:
  • Run discovery now was renamed to Add discovery to the back of the queue.
  • Run scan now was renamed to Add scan to the back of the queue.

Webhooks

• Selecting a repeater is no longer a mandatory setting. See Webhooks to learn how to configure a new Webhook.

Upcoming breaking changes

Tests deprecation

• On April 15th, we will deprecate the Mass Assignment test. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

New Github Actions Commands

• The new commands support the modern scan. Full commands documentation can be found here:

  • run-discovery
  • stop-discovery
  • wait-for-discovery
  • list-entrypoints

Project Level PDF Report

• It is now possible to generate a PDF report from the project level.

Copy Scan Template ID

• A "Copy ID" option has been added to the Scan Template object, allowing you to easily retrieve this data for automating scan processes.

Bulk Delete Entrypoints

• A Bulk Delete option has been added to the Entrypoints table, enabling the removal of multiple entrypoints at once.

Authentication Recorder

• The new Authentication Recorder can now be manually started when you're ready. It also provides feedback on network connection stability.
  -The new recorder feature is disabled by default. Speak to your CSE or Bright support to enable the feature in your environment.

Upcoming breaking changes

Tests deprecation

• On April 15th, we will deprecate the Mass Assignment test. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

Organization page

• The members table has a new "last seen" field, showing a date & time of the last time the member logged in to Bright (either via the UI or by using a user API key).
  Note: The data is shown for logins that happened on or after February 18th. Users with "-" haven't logged in since the feature was rolled out.

  

Bright-CLI

• v13.1.0:
  • Added a discovery:polling command to poll the discovery status from the CLI (Polling a Discovery).
  • Descriptive errors were added.

Under-the-hood improvements

• Increasing crawler coverage.
• Crawler and Scanning speed improvements.

Upcoming breaking changes

Organization Members

• Starting March 4th, we will make a change to the "Get all members (v1)" API - and will restrict it to return only the first 1000 members.
  Please plan to move to its v2 version which supports pulling all members by using pagination.

Tests deprecation

• On April 15th, we will deprecate the Mass Assignment test. The following two tests cover its functionality and should be used instead:
  • Broken Object Property Level Authorization.
  • ID Enumeration.

Enhancements

Improvements to tests

Vulnerable JavaScript components will now have a varying severity based on the actual CVE.

Under-the-hood improvements

• Increasing crawler coverage.
• Crawler and Scanning speed improvements.

Upcoming breaking changes

Authentication Objects

• Starting February 18th, when creating/editing/cloning authentication objects - selecting a project will become mandatory. Using existing authentication objects (without modifying them) will not be affected.

Organization Members

• Starting March 4th, we will make a change to the "Get all members (v1)" API - and will restrict it to return only the first 1000 members.
  Please plan to move to its v2 version which supports pulling all members by using pagination.

New business logic test

• Broken Access Control (BAC). This test checks for improper access controls measures allowing users to perform actions beyond their permissions.
  Read additional details in here.

Enhancements

Bright-CLI:

1. v13.0.1: Fixed the MSI installer.
2. v13.0.0: New major release:
   1. Breaking change - Warning logs are now written to stderr instead of stdout.
   2. Scans: Added a concurrency flag to control the maximum concurrent requests allowed to be sent to the target (Running a Scan).
   3. Discoveries:
      1. Added a discovery:run command to run a discovery from the CLI (Running a Discovery).
      2. Added a discovery:stop command to stop a discovery from the CLI (Stopping a Discovery).
      3. Added a discovery:rerun command to re-run a discovery from the CLI (Rerunning a Discovery).
   4. Proxy:
      1. Added a new proxy-domains-bypass optional flag - can be used with either proxy or proxy-target. Accepts a space-separated list of domains. Domains in the list will not be proxied.
         It cannot be used together with proxy-domains (Command Language Syntax).
      2. Added support for reading the PROXY and NO_PROXY environment variables. If those are set, their values will be used as input for the proxy and proxy-domains-bypass flags (Command Language Syntax).
   5. Added log-level 5 - trace (Command Language Syntax).

New option to manage IP restrictions

• Added IP access restrictions that allow organizations to control account access by specifying trusted IP ranges. This ensures that only users or systems from authorized IP addresses can connect, providing added security and control over organizational access.

Bright's documentation

Enhancements

Snyk integration

• Added support for importing projects from Snyk collections. Users can now select collections when running a scan and view Snyk collection details in the Scan info section.

Bright's documentation

Queue size on the Discovery page

• Added the "Queue Size" counter to the discovery details page. Located in the "Scan Progress" box, it shows the crawler queue size (0 for completed/failed/stopped/queued discoveries and >0 for running discoveries). Available for discoveries only.

  
  

Activity log

• Added project-related actions to the activity log. It now tracks project creation, renaming, and deletion, grouped under the corresponding actions for better clarity and visibility.

Bright's documentation

Amazon AWS S3 bucket takeover renaming

• The "Amazon AWS S3 bucket takeover" test was renamed to "AWS S3 Takeover".

Bright's documentation

New business logic test

• Broken Object Level Property Authorization (BOPLA). This test checks if the application properly enforces access controls on individual properties of an object.
  Read additional details in here.

Enhancements

Scan health metrics

• We've adjusted the successful requests logic, and it now includes any request which is not a network timeout, network gateway error, rate-limiting or authentication error.

Authentication objects

• Email OTP: Added support for base64 encoded emails.

Webhooks

1. Webhook triggers were extended to support discoveries: You can now trigger a webhook when discovery has started, ended or changed status.
2. The optional customerMetadata scan field is now included as part of the scan webhook payload.

Webhooks documentation

Bright-CLI:

1. v12.6.0: The timeout flag now accepts duration strings (Command Language Syntax).