Enhancements

Ability to unmask passwords in Authentication Objects

Passwords and Authorization headers in Authentication Objects are now masked by default to improve data protection.
Users holding the new unmask-password scope can view the full password when needed. Password masking for recorder browser-based authentication is not yet available and will be supported in a later release.
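As an added illustration of the scope-gated masking described above (example code written for these notes, not Bright's implementation), the function below redacts the password field and any Authorization header of an authentication object unless the caller holds the unmask-password scope. The object layout and all values are constructed samples.

```python
import copy
from typing import Any, Dict, Iterable

MASK = "********"                  # fixed-length mask, so the real secret length is not leaked
UNMASK_SCOPE = "unmask-password"   # scope name as given in the release note

# Constructed assumption: the secret-bearing field and header names of an auth object.
SECRET_FIELDS = {"password"}
SECRET_HEADERS = {"authorization"}  # header names are matched case-insensitively


def mask_auth_object(auth_object: Dict[str, Any], scopes: Iterable[str]) -> Dict[str, Any]:
    """Return a copy of an authentication object that is safe to show to the caller.

    Secrets are replaced with MASK unless the caller holds UNMASK_SCOPE.
    The stored object is never modified, so the real values stay intact.
    """
    shown = copy.deepcopy(auth_object)
    if UNMASK_SCOPE in set(scopes):
        return shown  # privileged caller: full values

    for field in SECRET_FIELDS:
        if shown.get(field) is not None:
            shown[field] = MASK

    headers = shown.get("headers")
    if isinstance(headers, dict):
        for name in list(headers):
            if name.lower() in SECRET_HEADERS:
                headers[name] = MASK
    return shown


# Constructed sample: a form-login auth object with a password and a bearer header.
SAMPLE_AUTH_OBJECT = {
    "name": "staging-login",
    "username": "qa-user",
    "password": "s3cr3t-value",
    "headers": {"Authorization": "Bearer constructed-token", "Accept": "application/json"},
}

if __name__ == "__main__":
    print(mask_auth_object(SAMPLE_AUTH_OBJECT, ["read"]))                # masked view
    print(mask_auth_object(SAMPLE_AUTH_OBJECT, ["read", UNMASK_SCOPE]))  # full view
```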

New Settings layout for improved usability

The Organization section has been renamed to Settings and now features a tabbed layout for easier navigation and better usability.

New Tasks Queue section in Settings

A Tasks Queue section has been added to the Settings view, providing visibility into running and queued scans and discoveries.

Expanded Activity Log coverage

The Activity Log now records additional actions related to: Authentication Objects, Scans, MFA, SSO, Directory Sync, Files, Organization API Keys, and Project API Keys.


Test Deprecation

Mass Assignment

Enhancements

Ability to add a discovery/scan to the top of the queue

  • When starting a new discovery/scan, you can now select to add the new discovery/scan to the top of the queue.
  • Note: the default options were renamed:
    • Run discovery now was renamed to Add discovery to the back of the queue.
    • Run scan now was renamed to Add scan to the back of the queue.

Webhooks

  • Selecting a repeater is no longer a mandatory setting. See Webhooks to learn how to configure a new Webhook.

Upcoming breaking changes

Tests deprecation

Enhancements

New Github Actions Commands

  • The new commands support the modern scan. Full documentation for each command can be found here:

    • run-discovery
    • stop-discovery
    • wait-for-discovery
    • list-entrypoints

Project Level PDF Report

  • It is now possible to generate a PDF report from the project level.


Copy Scan Template ID

  • A "Copy ID" option has been added to the Scan Template object, allowing you to easily retrieve this data for automating scan processes.


Bulk Delete Entrypoints

  • A Bulk Delete option has been added to the Entrypoints table, enabling the removal of multiple entrypoints at once.


Authentication Recorder

  • The new Authentication Recorder can now be manually started when you're ready. It also provides feedback on network connection stability.
    • Note: The new recorder feature is disabled by default. Speak to your CSE or Bright support to enable it in your environment.


Upcoming breaking changes

Tests deprecation

Enhancements

Organization page

  • The members table has a new "last seen" field, showing the date and time the member last logged in to Bright (either via the UI or by using a user API key).
    Note: The data is shown only for logins that happened on or after February 18th. Users showing "-" haven't logged in since the feature was rolled out.

Bright-CLI

  • v13.1.0:
    • Added a discovery:polling command to poll the discovery status from the CLI (Polling a Discovery).
    • Descriptive errors were added.

Under-the-hood improvements

  • Increasing crawler coverage.
  • Crawler and Scanning speed improvements.

Upcoming breaking changes

Organization Members

  • Starting March 4th, the "Get all members (v1)" API will be restricted to return only the first 1000 members.
    Please plan to move to its v2 version, which supports pulling all members by using pagination.

Tests deprecation

Enhancements

Improvements to tests

The severity of Vulnerable JavaScript Components findings now varies according to the actual CVE of the affected component.

Under-the-hood improvements

  • Increasing crawler coverage.
  • Crawler and Scanning speed improvements.

Upcoming breaking changes

Authentication Objects

  • Starting February 18th, selecting a project will become mandatory when creating, editing or cloning authentication objects. Existing authentication objects that are not modified will not be affected.

Organization Members

  • Starting March 4th, the "Get all members (v1)" API will be restricted to return only the first 1000 members.
    Please plan to move to its v2 version, which supports pulling all members by using pagination.

New business logic test

  • Broken Access Control (BAC). This test checks for improper access control measures that allow users to perform actions beyond their permissions.
    Read additional details here.

Enhancements

Bright-CLI:

  1. v13.0.1: Fixed the MSI installer.
  2. v13.0.0: New major release:
    1. Breaking change - Warning logs are now written to stderr instead of stdout.
    2. Scans: Added a concurrency flag to control the maximum concurrent requests allowed to be sent to the target (Running a Scan).
    3. Discoveries:
      1. Added a discovery:run command to run a discovery from the CLI (Running a Discovery).
      2. Added a discovery:stop command to stop a discovery from the CLI (Stopping a Discovery).
      3. Added a discovery:rerun command to re-run a discovery from the CLI (Rerunning a Discovery).
    4. Proxy:
      1. Added a new optional proxy-domains-bypass flag, usable with either proxy or proxy-target. It accepts a space-separated list of domains; domains in the list will not be proxied.
        It cannot be used together with proxy-domains (Command Language Syntax).
      2. Added support for reading the PROXY and NO_PROXY environment variables. If these are set, their values are used as input for the proxy and proxy-domains-bypass flags (Command Language Syntax).
    5. Added log-level 5 - trace (Command Language Syntax).

New option to manage IP restrictions

  • Added IP access restrictions that allow organizations to control account access by specifying trusted IP ranges. This ensures that only users or systems from authorized IP addresses can connect, providing added security and control over organizational access.
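As an added illustration of the kind of check an IP access restriction performs (example code written for these notes, not Bright's implementation), the Python below parses trusted CIDR ranges, refuses catch-all ranges, folds IPv4-mapped IPv6 client addresses back to IPv4 so a dual-stack listener cannot bypass an IPv4 rule, and denies unparsable input. All ranges and addresses are constructed documentation values.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges that admit every address; never what "trusted" is meant to convey.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_trusted_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; malformed entries raise ValueError, catch-alls are refused."""
    parsed: List[Network] = []
    for text in ranges:
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net in CATCH_ALL:
            raise ValueError(f"range {text!r} allows every address; refusing")
        parsed.append(net)
    return parsed


def normalize(client_ip: str) -> Address:
    """Parse a client address, folding IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.

    Dual-stack sockets often report IPv4 clients in the mapped form; without this
    step an IPv4-only allowlist would evaluate such clients incorrectly.
    """
    addr = ipaddress.ip_address(client_ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(client_ip: str, trusted: List[Network]) -> bool:
    """True only when the normalized client address lies inside a trusted range."""
    try:
        addr = normalize(client_ip)
    except ValueError:
        return False  # unparsable input is denied, never treated as a match
    return any(addr in net for net in trusted)


# Constructed sample policy: an office IPv4 block and a CI-runner IPv6 block.
TRUSTED = parse_trusted_ranges(["203.0.113.0/24", "2001:db8:10::/48"])

if __name__ == "__main__":
    for ip in ["203.0.113.7", "::ffff:203.0.113.7", "2001:db8:10::5", "198.51.100.9", "not-an-ip"]:
        print(f"{ip:>22} -> {'allow' if is_allowed(ip, TRUSTED) else 'deny'}")
```

The client address fed to this check must be the one seen on the connection (or from a proxy header set by a trusted proxy), since a caller-supplied header would let the allowlist be sidestepped.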

Enhancements

Snyk integration

  • Added support for importing projects from Snyk collections. Users can now select collections when running a scan and view Snyk collection details in the Scan info section.

Queue size on the Discovery page

  • Added the "Queue Size" counter to the discovery details page. Located in the "Scan Progress" box, it shows the crawler queue size (0 for completed/failed/stopped/queued discoveries and >0 for running discoveries). Available for discoveries only.



Activity log

  • Added project-related actions to the activity log. It now tracks project creation, renaming, and deletion, grouped under the corresponding actions for better clarity and visibility.

Amazon AWS S3 bucket takeover renaming

  • The "Amazon AWS S3 bucket takeover" test was renamed to "AWS S3 Takeover".

New business logic test

  • Broken Object Level Property Authorization (BOPLA). This test checks whether the application properly enforces access controls on the individual properties of an object.
    Read additional details here.

Enhancements

Scan health metrics

  • We've adjusted the successful-requests logic: it now counts any request that is not a network timeout, network gateway error, rate-limiting error or authentication error.

Authentication objects

  • Email OTP: Added support for base64 encoded emails.

Webhooks

  1. Webhook triggers were extended to support discoveries: you can now trigger a webhook when a discovery has started, ended or changed status.
  2. The optional customerMetadata scan field is now included as part of the scan webhook payload.

Bright-CLI:

  1. v12.6.0: The timeout flag now accepts duration strings (Command Language Syntax).

Enhancements

Snyk validation

  1. Added support for branches.
  2. Added support for multiple Snyk organizations.
  3. Added the ability to set a minimal severity at the organization level.
  4. Added the ability to select all repositories when running a validation scan.

Bright-CLI:

  1. v12.5.0:
    1. Added a timeout flag to all commands, accepting values in seconds (Command Language Syntax).
    2. Removed the old proxy-internal and proxy-external flags (replaced by proxy-target and proxy-bright).
  2. v12.4.0:
    1. Listing Entrypoints - added a new pretty optional flag to return a "prettified" version of the entry points, in JSON format (Listing Entrypoints).
  3. v12.3.0:
    1. Listing Entrypoints - added new optional filter flags (Listing Entrypoints):
      1. limit - to set a limit of returned entrypoints.
      2. connectivity - to filter by connectivity status.
      3. status - to filter by entrypoint status.

Enhancements

XPath selector support - Bright now supports XPath selectors for Manual and Recorded Browser-Based Authentication flows to find elements on a page.

XPath selectors are expressions used for precise selection, navigation, and manipulation of elements in XML and HTML documents based on their hierarchy, attributes, text, and other characteristics.

Currently, Bright supports XPath, CSS, and ARIA selectors.

For example, here’s how to set up the XPath selector in the Bright web app:

  • Type: text input
  • Name: Email
  • Value: xpath///*[@id="email"]


Added mandatory project flag for Entrypoint scans - The new --entrypoint flag takes a list of entrypoint IDs so that the scan runs only on those entrypoints. When using it, users must now also include the --project flag.

For example:
bright-cli scan:run --project <project_id> --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3> ...

This change ensures that the scan is targeted at the correct project and its associated entrypoints.