Changelog

What's new in XploitScan

v1.0.3 (April 1, 2026)

Compliance Dashboard, Export Tools, and UX Polish

  • Compliance page scorecards — at-a-glance pass/fail status for SOC2, ISO 27001, OWASP Top 10, and CWE
  • Expandable compliance controls — click any control to see all mapped rules and their status
  • Compliance export — copy as AI prompt, export as Markdown, JSON, or CSV
  • Framework info tooltips — plain-English explanations of what SOC2, ISO 27001, OWASP, and CWE are and why they matter
  • Severity tooltips on scan results — hover to learn what Critical, High, Medium, and Low mean
  • Custom checklist items now work correctly — no longer stuck as N/A
  • Device session names now persist across browsers
  • Consistent pointer cursor on all interactive elements
  • Navigation simplified for logged-out users
  • GitHub Action now correctly reports scan grades and finding counts
  • Updated Terms of Service and Privacy Policy with AI and data handling disclosures

v1.0.2 (March 31, 2026)

Security Hardening, Referral Program, and QA Fixes

  • Referral program — earn 1 free month for every referral that subscribes
  • Trial abuse prevention — one free trial per account
  • Security hardening across CLI, web, and API
  • Shared checklist links now expire after 30 days
  • Team members properly recognized as paid across the app
  • Viewer role fully enforced — Scan/Checklist hidden from nav, pricing hidden from billing
  • Billing improvements — canceled trials now show correct status
  • Automatic data cleanup for free-tier scans, shared checklists, and audit logs
  • PDF export audit trail for SOC2 compliance
  • Updated FAQ, Terms of Service, and Privacy Policy

v1.0.0 (March 30, 2026)

XploitScan V1.0 — Production Launch

  • Team Plan ($99/mo) — 5 seats included, shared scan history, RBAC, team invite management, and portfolio reports
  • Annual billing with 20% discount — Pro $23/mo, Team $79/mo when billed annually
  • In-app plan switching — upgrade, downgrade, or change billing interval with prorated billing
  • Full team management — invite members by email, assign roles (Owner/Admin/Member/Viewer), remove members
  • Role-based access control (RBAC) with granular permissions for each team role
  • Team members inherit Pro features through the owner's subscription — no separate payment needed
  • Email notifications — welcome emails, team invites, trial ending reminders, weekly security digests
  • Notification preferences — control which emails you receive from Settings
  • Reduced false positives — improved detection accuracy for test files, documentation, and common libraries
  • Finding deduplication — one finding per location, specific rules take priority over generic detections
  • Exposure badges — every finding tagged as Public or Internal based on file path
  • Impact explanations — real-world risk callouts explaining why each finding matters
  • Auto-fix code suggestions — before/after diffs showing the secure version
  • Full SOC2, ISO 27001, OWASP Top 10, and CWE compliance mapping for all 131 rules
  • Portfolio Overview — aggregate security stats across all projects with PDF, Markdown, and CSV export
  • Plan comparison table in Settings for transparent feature visibility
  • Updated Terms of Service and Privacy Policy for launch

v0.8.0 (March 28, 2026)

Auto-Fix Code, Exposure Badges, Impact Explanations, PR Comments

  • Auto-fix code suggestions — top rules now show before/after code diffs with the secure version
  • Exposure badges — every finding tagged as Public or Internal based on file path
  • Impact explanations — 'Real-world risk' callouts in the 'Why it matters' section
  • GitHub Action now posts a security report summary comment on pull requests
  • CLI rule gating — free users get 30 core rules, Pro users get all 131
  • Single upload button — auto-detects file type (individual files or ZIP)
  • Added blog: 'Why AI-Generated Code Is Insecure'
  • Polished docs page with configuration, SBOM, compliance mapping, and API reference sections
  • Dashboard defaults to most recently scanned project
  • QA pass with fixes across security, performance, and content accuracy

v0.7.0 (March 26, 2026)

131 Rules, Rate Limiting, Compliance Mapping

  • Added 15 new high-impact security rules: path traversal, PII logging, OAuth secrets, deprecated TLS, weak RSA, ECB encryption, Terraform state exposure, and more
  • Total rule count now 131 across CLI, web, and API
  • Server-side scan rate limiting — free users: 5 scans/day, Pro users: unlimited
  • Scan limit banner with real-time usage counter
  • SOC2/ISO 27001 compliance mapping for all rules
  • GitHub Action verified end-to-end with SARIF upload to Security tab

v0.6.0 (March 25, 2026)

Enterprise Features, Billing, CI/CD

  • Added 10 IaC and container security rules: Dockerfile, Kubernetes, Terraform, Helm, AWS IAM
  • SOC2 and ISO 27001 compliance mapping for all rules
  • SBOM generation in CycloneDX 1.4 format
  • Audit logging for all user actions
  • Custom YAML rules — define your own security rules
  • Pro plan with 7-day free trial and billing integration
  • Webhook notifications for Slack and Discord
  • GitHub Action for CI/CD scanning with SARIF output
  • Security launch checklist with persistence and sharing
  • Terms of Service and Privacy Policy

v0.5.0 (March 25, 2026)

New Rules, False Positive Fixes, Smarter Detection

  • Added 10 performance and code quality rules
  • Reduced false positives across lockfiles, Electron, and HTML detection
  • Scan public GitHub repos by pasting a URL — no download needed
  • Scan history shows project names instead of generic labels
  • Improved PDF export and report visualization

v0.4.0 (March 24, 2026)

XploitScan Launch, 116 Rules

  • Launched as XploitScan with xploitscan.com
  • Expanded to 116 security rules covering secrets, injection, auth, crypto, Docker, Kubernetes, CI/CD
  • AST-based analysis for JavaScript/TypeScript — fewer false positives
  • Entropy-based secret detection — catches secrets regardless of format
  • Confidence scores (high/medium/low) on every finding
  • Framework-aware rule filtering — fewer irrelevant findings
  • Authentication with dark theme support

v0.3.0 (March 23, 2026)

96 Security Rules, PDF Export, Webhooks

  • Added 96 security detection rules (up from 10)
  • PDF report export with security grades
  • Slack and Discord webhook integrations
  • Public security badge for READMEs
  • CLI --watch mode for continuous scanning
  • .xploitscanrc configuration file support
  • OWASP Top 10 and CWE compliance mapping

v0.2.0 (March 15, 2026)

Web Dashboard & Drag-and-Drop

  • Web dashboard with drag-and-drop ZIP scanning
  • Git diff scanning mode
  • Scan history with score trends
  • Framework auto-detection
  • Security grade (A-F) scoring system

v0.1.0 (March 8, 2026)

Initial Release

  • CLI scanner with 10 custom security rules
  • JSON and SARIF output formats
  • GitHub Actions integration
  • Plain-English vulnerability explanations