Changelog

What's new in XploitScan

Trust Page polish, CLI reliability, and five rule precision fixes

  • +CLI v1.1.8 published — scan uploads now reach your dashboard reliably. Earlier versions had a routing issue that caused some scans to complete locally but never appear in the web dashboard or update your Trust Page. Run `npm install -g xploitscan@latest` to pick up the fix.
  • +Trust Page timestamps now render in the visitor's local timezone instead of UTC. A scan that ran at 7:43 PM Eastern no longer displays as 11:43 PM to the visitor — the timestamp shows in whatever timezone their browser is set to.
  • +Trust Page badge layout updated to read "[Company Name] — Verified by XploitScan" instead of the previous "Secured by [Company Name]". The earlier wording read as the customer attesting to themselves; the new order makes XploitScan's third-party verification explicit. Existing embedded badges update automatically within five minutes of the next view (CDN cache window) — no need to re-paste the HTML.
  • +Five common false-positive patterns no longer flag as critical: SCREAMING_CASE constants holding kebab-case identifier strings (localStorage / cookie / cache keys); parameterized SQL `IN (?,?,?)` clauses built with the standard `placeholders` idiom; intentional `dangerouslySetInnerHTML` sites for theme-flash-prevention scripts and server-built embed previews; magic-link / claim-token URL patterns; and authenticated non-webhook routes that import auth libraries. Rule precision improves accordingly on real codebases — fewer noise findings to triage.
  • +New `// VC###-OK: <reason>` inline silencer convention. Add it on the same line or directly above an intentional finding to suppress that one site without weakening the rule globally. Currently honored by VC063 (dangerouslySetInnerHTML) and VC146 (token in URL). The `// scanner-OK` wildcard form silences any rule at that site.
  • +Scan API now picks up rule changes automatically on every deploy — no more occasional drift between the CLI's rule set and what api.xploitscan.com runs. Rule fixes published to npm propagate to all five surfaces (CLI, MCP server, GitHub Action, web app, edge API) on their next deploy.
  • +Security disclosure contact consolidated to admin@xploitscan.com on the /security page, RFC 9116 security.txt files, and the GitHub-rendered SECURITY.md. One inbox handles both general support and vulnerability reports.
  • +Web framework dependency (Hono) bumped to 4.12.19 to pick up the latest security patches.
  • +Released `xploitscan-shared-rules` v1.7.0 on npm — bundles the five rule precision fixes plus the new inline-silencer helper. Downstream CLI / MCP / Action publishes follow within hours.
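An added example, not XploitScan's own code: a small Node.js audit that inventories the inline silencers described in this release (`// VC###-OK: <reason>` and the `// scanner-OK` wildcard) so reviewers can see which sites are suppressed and which suppressions carry no reason. The regexes, the `auditSilencers` / `isSilenced` names, and the sample source are assumptions constructed for illustration; the scanner's real matching rules may differ.

```javascript
// Added illustration: inventory inline silencer comments for code review.
// Assumed syntax, taken from the changelog wording:
//   // VC063-OK: <reason>   -> silences rule VC063 at this site
//   // scanner-OK           -> wildcard, silences any rule at this site
const RULE_OK = /\/\/\s*(VC\d{3})-OK\b(?::\s*(.*))?/;
const WILDCARD_OK = /\/\/\s*scanner-OK\b(?::\s*(.*))?/;

// Returns one record per silencer comment found in `source`.
// Limitation: this is a line scan, so a silencer-looking string literal
// would also be listed; that errs on the side of over-reporting.
function auditSilencers(source) {
  const found = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const rule = RULE_OK.exec(text);
    const wild = rule ? null : WILDCARD_OK.exec(text);
    if (!rule && !wild) return;
    const reason = ((rule ? rule[2] : wild[1]) || "").trim();
    // A comment alone on its line covers the line directly below it;
    // a trailing comment covers its own line.
    const standalone = text.trim().startsWith("//");
    found.push({
      line: i + 1,
      covers: standalone ? i + 2 : i + 1,
      rule: rule ? rule[1] : "*",
      reason,
      // Wildcards and reason-less silencers deserve a second look.
      needsReview: !rule || reason === "",
    });
  });
  return found;
}

// True when a finding for `ruleId` on `line` is covered by a silencer.
function isSilenced(silencers, ruleId, line) {
  return silencers.some(
    (s) => s.covers === line && (s.rule === "*" || s.rule === ruleId)
  );
}

// Constructed sample input (not from any real code base).
const SAMPLE = [
  "export function ThemeScript({ html }) {",
  "  // VC063-OK: static theme-flash-prevention script, no user input",
  "  return <script dangerouslySetInnerHTML={{ __html: html }} />;",
  "}",
  "const link = `${base}/claim?token=${t}`; // VC146-OK",
  "// scanner-OK",
  "el.innerHTML = preview;",
].join("\n");

const silencers = auditSilencers(SAMPLE);
for (const s of silencers.filter((x) => x.needsReview)) {
  console.log(`line ${s.line}: ${s.rule} silencer needs review`);
}
```

Running the audit in CI and failing on `needsReview` entries keeps per-site suppressions from turning into undocumented blanket exemptions.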

XploitScan GitHub App, plus refreshed CLI, MCP, and Action releases

  • +The XploitScan GitHub App is live — install it on any account or organization and every pull request gets an automatic security scan posted as a Check Run, with findings shown inline in the diff view. Free plan covers the core 30 rules; Pro and Team unlock the full 206-rule set plus the AI false-positive filter on every PR. Install at github.com/apps/xploitscan or from your dashboard.
  • +Dashboard now has a GitHub tab listing your installed accounts, recent PR scans across all of them, and one-click links to manage which repositories the App can see.
  • +GitHub Action v1.3.2 published — the Marketplace listing and the PR-comment footer both now accurately advertise the full 206-rule Pro set. The previous release was still showing the older 158-rule count from before the spring rule additions.
  • +Marketplace description tightened to fit GitHub's 125-character cap so the action is cleaner to skim on its discovery page.
  • +CLI v1.1.2 and MCP server v1.1.2 published on npm — both rebuilt against the current rule corpus so `npx xploitscan@latest` and any AI agent using the MCP server pick up the exact same detection set the web scanner uses.
  • +Page-load reliability improvements across the site for visitors using browsers with strict security policies — a few residual console errors are now gone and the product analytics that drive roadmap decisions are more accurate.

GitHub Action Pro unlock, live demo repo, and pricing polish

  • +GitHub Action Pro unlock is live — add `api-key: ${{ secrets.XPLOITSCAN_API_KEY }}` to your workflow to run all 206 rules in CI (previously capped at the 30 free rules). Generate a key under Settings → API Keys. Also now accepts an optional `anthropic-api-key` input that routes findings through the AI false-positive filter on CI runs for ~$0.01 per scan.
  • +xploitscan-demo repo is live at github.com/bgage72590/xploitscan-demo — a deliberately-vulnerable Express app that scans on every PR. Linked from the Action's README so prospective users can see a real PR comment, real Security-tab alerts, and real inline annotations in one click.
  • +Action v1.3.1 published on the GitHub Marketplace — includes the api-key / anthropic-api-key inputs, an MIT LICENSE file (GitHub's license detector was reporting null), the belt-and-suspenders install fallback chain so a broken CLI publish can't block customer CI, and documentation for every output (previously `medium-count`, `low-count`, and `sarif-file` were exposed but undocumented).
  • +Settings → Billing now exposes the full upgrade/downgrade matrix. A Pro user can one-click downgrade to Indie, a Team owner can one-click downgrade to Pro or Indie, and every transition confirmation spells out exactly what you gain or lose so team-plan downgrades don't surprise anyone by deactivating members.
  • +Pricing page CTAs are now auth-aware. Signed-out users see 'Choose Indie' / 'Start Free Trial'; signed-in users on Pro see 'Current plan' on the Pro card, 'Upgrade to Team' on Team, and 'Downgrade to Indie' on Indie — with the CTA hitting Stripe checkout directly instead of bouncing through the sign-in redirect. Clicking a plan while signed in no longer lands you on the dashboard by mistake.
  • +Annual sticker prices rounded to conventional SaaS numbers: Indie $59/yr, Pro $119/yr, Team $699/yr (effective $5 / $10 / $59 per month). Savings still clear the 40% marketing claim on every tier (Pro is actually 48% off). No change to monthly prices.

AST-based detection, benchmark grown to 151 fixtures, head-to-head with Bearer goes live

  • +Detection benchmark expanded from 41 to 151 labeled fixtures across 25+ vulnerability classes — secrets, SQL injection, XSS, SSRF, SSTI, prototype pollution, mass assignment, deserialization (Python pickle, js-yaml, Java ObjectInputStream), path traversal, NoSQL injection, XXE, JWT alg confusion, weak hashing, hardcoded crypto keys, CSRF, TOCTOU, IAM wildcards, Docker root, Kubernetes privileged containers, GitHub Actions script injection, CORS wildcards, insecure WebSocket, sensitive data in URL params, plus 30 realistic multi-file mini-app fixtures (auth flows, file upload pipelines, payment webhooks, GraphQL APIs, OAuth callbacks, admin dashboards) that exercise rules in integration-level contexts.
  • +AST-based detection layer alongside the existing pattern matcher. Babel-parsed taint tracker recognizes user-controlled sources from Express (req.body / query / headers), Fastify (request.*), Koa (ctx.request.*), Next.js App Router (await request.json(), formData, text), Web Fetch API, process.argv, and AWS Lambda event.body. Taint propagates through const/let bindings, destructuring (including renames), assignments, template literals, and member access.
  • +Ten rules upgraded to dual-layer regex + AST: SSRF (VC041), prototype pollution (VC023), mass assignment (VC042), XXE option-object inspection (VC081), SSTI (VC082), timing-unsafe secret comparisons (VC043), log injection (VC044), weak password hashing across files (VC060), insecure RNG with security-context detection (VC034), and the schema-aware fix to VC030 that no longer false-positives on yaml.load with FAILSAFE_SCHEMA.
  • +Benchmark precision now 100% (zero false positives across the entire 151-fixture corpus). Recall is 80%+ on the 60+ rules with active fixtures; the remaining tracked-but-not-yet-detected entries are documented openly on the /benchmark page in a dedicated 'in progress' section with an amber badge so transparency replaces the previously confusing dashes.
  • +Bearer goes live on /benchmark. The two-way head-to-head had been running with Bearer reporting zero matches due to a path-bucketing bug in the comparison runner; that's fixed and Bearer's real numbers are now visible alongside Semgrep and XploitScan.
  • +Detection methodology page at /docs/detection-methodology — full writeup of the regex + AST architecture, taint tracker scope, fixture labeling convention, TP/FP/FN counting rules, the methodology used for fair comparison against Semgrep and Bearer, and reproducibility instructions for running the benchmark locally.
  • +Benchmark CI gate now compares per-rule enforcedF1 (which excludes documented in-progress fixtures from the regression check) instead of total micro-F1. This means a corpus-growth PR that adds tests for a not-yet-detected vulnerability won't trigger a false regression alert while the rule is being improved.
  • +Benchmark workflows are 5–15× faster — the runners now invoke each scanner once across the whole corpus instead of once per fixture. This cuts CI wall-clock time from ~4 minutes to ~30–60 seconds and lets corpus-growth PRs land in the time it takes to write the commit message.
  • +Three smaller fixes shipped along the way: Vercel deploys no longer block on auto-refresh commits (workflow now commits as github-actions[bot] instead of an unmapped synthetic email); benchmark JSON walkers now scan Dockerfile, .tf, .hcl, and .json fixture files that the previous skip-all-.json filter silently dropped; and the benchmark JSON now successfully commits back to main when the file is brand new (the previous `git diff --quiet` check returned 0 on untracked files and skipped the commit forever).

VS Code extension, MCP server, public detection benchmark, Docker image, and SIEM exports

  • +VS Code extension — security scanning in your editor as you work. Scan on save, findings in the Problems panel with severity and fix suggestions, and a compact status-bar indicator with per-file counts. 206 rules, runs locally, nothing uploaded. Coming to the VS Code Marketplace shortly; the VSIX is available now from the repo's CI artifacts.
  • +XploitScan MCP server — install with `npx -y xploitscan-mcp` and wire it into Claude Desktop, Cursor, Windsurf, or any other Model Context Protocol client. Your AI coding agent can now call `scan_code`, `explain_rule`, and `grade_code` as native tools, so it can self-check its output before writing it to disk.
  • +Public detection benchmark at xploitscan.com/benchmark — precision, recall, and F1 scored on a labeled corpus of 41 vulnerability fixtures covering SQL injection across five database libraries, XSS, command injection, unvalidated redirects, missing pagination, reflected CORS, and service-specific secret detection (AWS, Anthropic, GitHub, Slack, Supabase). The runner is open source; the numbers regenerate on every commit.
  • +Head-to-head comparisons with Semgrep and Bearer on the same corpus, visible on /benchmark. See what each scanner catches and misses side by side, with full methodology and reproducibility instructions on the page.
  • +New blog post: 'We Ran Semgrep Against Our Benchmark. It Missed Half the Bugs.' — a walkthrough of where Semgrep's community rules fall short on the patterns AI coding tools produce by default, with specific examples for SQL injection via template literals across Prisma, Drizzle, Knex, pg, and mysql2.
  • +Docker image for on-prem and air-gapped environments — `docker pull ghcr.io/bgage72590/xploitscan:latest` gives you a multi-arch (amd64 + arm64) scanner image, pinned to each CLI release. Runs as non-root, mount your source read-only, nothing touches the network. `docker save` for air-gapped transport.
  • +GitLab CI and Bitbucket Pipelines guides at /guides/gitlab and /guides/bitbucket — drop-in YAML templates that mirror the GitHub Action we shipped earlier, so every major CI platform now has the same one-step integration path.
  • +SIEM export formats — three new CLI output formats. `--format splunk-hec` emits Splunk HTTP Event Collector envelopes. `--format elastic-ecs` emits Elastic Common Schema 8.11 compliant NDJSON that works with Elastic Security and OpenSearch Security Analytics without custom mappings. `--format datadog-logs` emits the Datadog Logs v2 format with `ddtags` pre-populated for dashboards and monitors.
  • +Context-aware entropy scanner — the secret detector now suppresses high-entropy strings that aren't actually secrets. Tailwind class fingerprints (`css-2kx3yr8`), SVG path data, Next.js content-addressed bundle filenames (`_next/static/chunks/main.4e5f6a78.js`), publishable key prefixes (`pk_live_`, `pk_test_`, `NEXT_PUBLIC_`, `VITE_`), JWT prefixes, CSP and SRI hashes, and variables named `hash` / `digest` / `etag` / `buildId` / `contentHash` / `fingerprint` no longer produce false-positive findings.
  • +Four scanner improvements from running the benchmark on harder real-world patterns: SQL injection is now caught on knex.raw with string concatenation and every other .raw() / .sql() / .queryRawUnsafe() pattern; command injection is now caught when spawn is called with shell: true and an interpolated command; Supabase service role JWTs are now caught (the previous regex excluded the dot separator every JWT has); and Prisma.sql-tagged and Drizzle sql-tagged templates are correctly recognized as safe — both parameterize the interpolation under the hood, so they no longer produce false positives.
  • +Pro CLI coverage expanded — 20 service-specific secret detectors (hardcoded Anthropic, GitHub PAT, SendGrid, Slack bot token, GCP service account JSON, Shopify, GitLab, Twilio, Mailgun, Datadog, Vercel, Supabase service role, HashiCorp Vault, and Pinecone keys, plus secrets-in-URL-param / console.log / error-response / bundle-config / HTML-attribute / CLI-argument surfaces) now ship in the Pro bundle. Run `npm install -g xploitscan@latest` to pick them up.
  • +CLI `--version` output now reflects the actual installed version instead of a stale hardcoded string. Verify with `xploitscan --version`.
  • +Grammar polish — the grade summary line now reads 'N critical vulnerabilities require immediate attention' or '1 critical vulnerability requires immediate attention' depending on count, not the singular-noun-plural-verb variant.
  • +Under the hood: the scanner engine is now a single npm package (`xploitscan-shared-rules`) consumed by the CLI, the web app, the GitHub Action, the MCP server, and the VS Code extension. One rule change, every surface updates in the same release — no more drift across products.

API keys, Cursor integration, privacy tools, and compliance exports

  • +API keys for CI — generate personal access tokens in Settings → API Keys and pass them to the GitHub Action via the new api-key input to authenticate CI scans with your Pro or Team plan
  • +XploitScan for Cursor — drop our security ruleset into any project with one command and Cursor will proactively avoid the most common AI-generated vulnerabilities (unprotected webhooks, hardcoded secrets, missing auth checks, SQL injection) as it writes. New landing page and step-by-step install guide
  • +Broader dependency coverage — the CLI now checks every pinned package against a comprehensive live vulnerability database in addition to our curated rule set. Covers npm, PyPI, and RubyGems
  • +Auditor-ready compliance exports — PDF and Markdown reports now include a rule-by-rule pass/fail breakdown inside every SOC 2 and ISO 27001 control so you can drop the export straight into your audit binder
  • +Download your data — new 'Export My Data' option in Settings creates a single JSON file with every record we hold for your account. Available under GDPR Article 20
  • +Delete your account — new self-service account deletion flow in Settings with type-to-confirm. Cancels any active subscription and removes all of your data in one step
  • +Cookie and privacy controls — explicit consent banner on first visit with Accept all / Essential only options, plus a Terms of Service and Privacy Policy acknowledgment on sign-up
  • +Team member profiles — add first name, last name, and title to any team member so the team list reads like a roster instead of an email dump
  • +Richer dashboard trends — new 7-day / 30-day / 90-day toggle above the trend charts and a 'fixes made this period' callout so you can see progress at a glance
  • +Scan history page size — pick how many scans to show on the dashboard (25, 50, 100, or all). Your choice is remembered across visits
  • +Three new landing pages targeting specific audiences: Cursor users shipping to production, anyone who's been burned by a webhook bug, and teams prepping for a SOC 2 audit
  • +Five interactive how-to guides under /guides — web scanner, CLI, GitHub Action, API, and Cursor integration — each with numbered steps, copy-to-clipboard snippets, and progress tracking
  • +New blog post: 'Why Traditional SAST Tools Fail on AI-Generated Code' — our take on why the old-school scanners miss the bugs AI coding tools ship by default
  • +Cleaner top navigation — work-focused nav for logged-in users (Dashboard, Scan, Reports, Compliance, Settings), conversion-focused nav for visitors (Live Demo, Cursor, Pricing, Blog, Docs). Active page highlighting throughout
  • +Various reliability and polish improvements across the dashboard, team management, and billing flows
  • +CLI v1.0.7 on npm with the new cursor install command and expanded dependency scanning

Interactive Guides, Animated Hero, Dashboard Polish, and SARIF Fixes

  • +Interactive guides — new /guides section with step-by-step walkthroughs for the web scanner, CLI, GitHub Action, and API. Persistent progress checkboxes, copy-to-clipboard code blocks, expected output panels, and troubleshooting per guide
  • +Animated hero terminal — homepage now demos a real scan in a typing terminal that loops every ~30 seconds, instead of a static screenshot
  • +No-login demo scan — visitors can run one real scan from /demo without signing in, persisted across reloads
  • +Top Fixes card on dashboard — surfaces the three highest-severity findings from your latest scan with deep links to each fix
  • +Bigger grade indicator with a click-to-open scoring modal explaining how grades are calculated
  • +Trial-end upgrade modal — prompts trial users to add a payment method when their trial has 2 days or fewer remaining
  • +View Demo Project button on the empty-state dashboard so first-time users can see a finished report before scanning
  • +Compare Scans dropdown order fixed — both rows now read chronologically (older → newer) left-to-right
  • +Project name truncation on the dashboard table for very long paths, with a tooltip showing the full path
  • +Low-severity findings now surfaced everywhere — animated hero, demo card, GitHub Action PR comment table (Medium row used to silently double-count Low — fixed)
  • +GitHub Action: SARIF upload no longer rejected — CLI 1.0.4 fixes invalid 'fixes' shape per the SARIF 2.1.0 schema
  • +GitHub Action: new medium-count and low-count outputs, plus PR comment table now shows all four severities
  • +New blog post: 'Why Traditional SAST Tools Fail on AI-Generated Code' answering 'isn't this just Semgrep?'
  • +New blog post: 'The $10,000 Stripe Webhook Bug Hiding in AI-Generated Code'
  • +New About and Support pages with founder bio, Cipherline LLC story, and three help cards
  • +Privacy FAQ promoted to first entry with a direct 'is my code uploaded?' answer
  • +Page metadata added to /scan, /demo, /compliance for better SEO
  • +Sitemap and robots.ts refreshed to include all new pages and disallow authed app surfaces
  • +CLI 1.0.4 published to npm with the SARIF schema fix

Compliance Dashboard, Export Tools, and UX Polish

  • +Compliance page scorecards — at-a-glance pass/fail status for SOC2, ISO 27001, OWASP Top 10, and CWE
  • +Expandable compliance controls — click any control to see all mapped rules and their status
  • +Compliance export — copy as AI prompt, export as Markdown, JSON, or CSV
  • +Framework info tooltips — plain-English explanations of what SOC2, ISO 27001, OWASP, and CWE are and why they matter
  • +Severity tooltips on scan results — hover to learn what Critical, High, Medium, and Low mean
  • +Custom checklist items now work correctly — no longer stuck as N/A
  • +Device session names now persist across browsers
  • +Consistent pointer cursor on all interactive elements
  • +Navigation simplified for logged-out users
  • +GitHub Action now correctly reports scan grades and finding counts
  • +Updated Terms of Service and Privacy Policy with AI and data handling disclosures

Security Hardening, Referral Program, and QA Fixes

  • +Referral program — earn 1 free month for every referral that subscribes
  • +Trial abuse prevention — one free trial per account
  • +Security hardening across CLI, web, and API
  • +Shared checklist links now expire after 30 days
  • +Team members properly recognized as paid across the app
  • +Viewer role fully enforced — Scan/Checklist hidden from nav, pricing hidden from billing
  • +Billing improvements — canceled trials now show correct status
  • +Automatic data cleanup for free-tier scans, shared checklists, and audit logs
  • +PDF export audit trail for SOC2 compliance
  • +Updated FAQ, Terms of Service, and Privacy Policy

XploitScan V1.0 — Production Launch

  • +Team Plan ($99/mo) — 5 seats included, shared scan history, RBAC, team invite management, and portfolio reports
  • +Annual billing with 20% discount — Pro $23/mo, Team $79/mo when billed annually
  • +In-app plan switching — upgrade, downgrade, or change billing interval with prorated billing
  • +Full team management — invite members by email, assign roles (Owner/Admin/Member/Viewer), remove members
  • +Role-based access control (RBAC) with granular permissions for each team role
  • +Team members inherit Pro features through the owner's subscription — no separate payment needed
  • +Email notifications — welcome emails, team invites, trial ending reminders, weekly security digests
  • +Notification preferences — control which emails you receive from Settings
  • +Reduced false positives — improved detection accuracy for test files, documentation, and common libraries
  • +Finding deduplication — one finding per location, specific rules take priority over generic detections
  • +Exposure badges — every finding tagged as Public or Internal based on file path
  • +Impact explanations — real-world risk callouts explaining why each finding matters
  • +Auto-fix code suggestions — before/after diffs showing the secure version
  • +Full SOC2, ISO 27001, OWASP Top 10, and CWE compliance mapping for all 151 rules
  • +Portfolio Overview — aggregate security stats across all projects with PDF, Markdown, and CSV export
  • +Plan comparison table in Settings for transparent feature visibility
  • +Updated Terms of Service and Privacy Policy for launch

Auto-Fix Code, Exposure Badges, Impact Explanations, PR Comments

  • +Auto-fix code suggestions — top rules now show before/after code diffs with the secure version
  • +Exposure badges — every finding tagged as Public or Internal based on file path
  • +Impact explanations — 'Real-world risk' callouts in the 'Why it matters' section
  • +GitHub Action now posts a security report summary comment on pull requests
  • +CLI rule gating — free users get 30 core rules, Pro users get all 131
  • +Single upload button — auto-detects file type (individual files or ZIP)
  • +Added blog: 'Why AI-Generated Code Is Insecure'
  • +Polished docs page with configuration, SBOM, compliance mapping, and API reference sections
  • +Dashboard defaults to most recently scanned project
  • +QA pass with fixes across security, performance, and content accuracy

131 Rules, Rate Limiting, Compliance Mapping

  • +Added 15 new high-impact security rules: path traversal, PII logging, OAuth secrets, deprecated TLS, weak RSA, ECB encryption, Terraform state exposure, and more
  • +Total rule count now 131 across CLI, web, and API
  • +Server-side scan rate limiting — free users: 5 scans/day, Pro users: unlimited
  • +Scan limit banner with real-time usage counter
  • +SOC2/ISO 27001 compliance mapping for all rules
  • +GitHub Action verified end-to-end with SARIF upload to Security tab

Enterprise Features, Billing, CI/CD

  • +Added 10 IaC and container security rules: Dockerfile, Kubernetes, Terraform, Helm, AWS IAM
  • +SOC2 and ISO 27001 compliance mapping for all rules
  • +SBOM generation in CycloneDX 1.4 format
  • +Audit logging for all user actions
  • +Custom YAML rules — define your own security rules
  • +Pro plan with 7-day free trial and billing integration
  • +Webhook notifications for Slack and Discord
  • +GitHub Action for CI/CD scanning with SARIF output
  • +Security launch checklist with persistence and sharing
  • +Terms of Service and Privacy Policy

New Rules, False Positive Fixes, Smarter Detection

  • +Added 10 performance and code quality rules
  • +Reduced false positives across lockfiles, Electron, and HTML detection
  • +Scan public GitHub repos by pasting a URL — no download needed
  • +Scan history shows project names instead of generic labels
  • +Improved PDF export and report visualization

XploitScan Launch, 116 Rules

  • +Launched as XploitScan with xploitscan.com
  • +Expanded to 116 security rules covering secrets, injection, auth, crypto, Docker, Kubernetes, CI/CD
  • +AST-based analysis for JavaScript/TypeScript — fewer false positives
  • +Entropy-based secret detection — catches secrets regardless of format
  • +Confidence scores (high/medium/low) on every finding
  • +Framework-aware rule filtering — fewer irrelevant findings
  • +Authentication with dark theme support

96 Security Rules, PDF Export, Webhooks

  • +Added 96 security detection rules (up from 10)
  • +PDF report export with security grades
  • +Slack and Discord webhook integrations
  • +Public security badge for READMEs
  • +CLI --watch mode for continuous scanning
  • +.xploitscanrc configuration file support
  • +OWASP Top 10 and CWE compliance mapping

Web Dashboard & Drag-and-Drop

  • +Web dashboard with drag-and-drop ZIP scanning
  • +Git diff scanning mode
  • +Scan history with score trends
  • +Framework auto-detection
  • +Security grade (A-F) scoring system

Initial Release

  • +CLI scanner with 10 custom security rules
  • +JSON and SARIF output formats
  • +GitHub Actions integration
  • +Plain-English vulnerability explanations