Highlights
Group-Scoped Patterns
Group-Scoped Patterns extend Aptori’s flexible testing framework by allowing teams to define and manage custom patterns at the group level, in addition to existing global patterns.
Release Notes
2025.7.3
Enhancements
- Configuration Editor: Data Exposure Pattern Options
When selecting a pattern for Data Exposure analysis, you can now:
  - Choose whether to report faults for unauthorized sessions only or for both unauthorized and authorized sessions
  - Specify a custom fault ID, fault name, and severity level
- API Type Support: GraphQL Subgraph
Support was added for a new API type: GraphQL Subgraph.
  - Enables validation and testing of Apollo Federation Subgraph schemas.
  - Enhances GraphQL testing capabilities for federated architectures.
- Runs Report Enhancements
The Runs report now includes two new columns:
  - Operations Successful
  - Operations Total
Bug Fixes
- View Definition Button Fix
The "View Definition" button now consistently displays the most recent version of the API definition.
Sift
New Features
- GraphQL Subgraph Support
Support was added for GraphQL schemas that define an Apollo Federation Subgraph.
  - Use the definition type graphql-subgraph.
  - Sift automatically includes required schema extensions for Apollo Subgraph compliance.
Bug Fixes
- OpenAPI Memory Optimization
Reduced memory usage when processing certain OpenAPI definitions, improving performance on large schemas.
2025.7.2
Bug Fix
- Pattern Configuration Fix
Fixed an issue in Patterns where the Sift configuration generated for the JSON type was incorrect.
Sift
Changed
- SecurityHeaders Analyzer: HSTS Policy
The SecurityHeaders analyzer now requires a minimum max-age value of 1 year in the Strict-Transport-Security header (reduced from 2 years).
- SecurityHeaders Analyzer: Header Reporting
The analyzer now only reports findings for sensitive headers (e.g., Server, X-Powered-By) when they contain non-empty values.
- DataExposure Analyzer: Config Parameter Renaming
Renamed the configuration parameter from findingTitle to findingName.
  - findingTitle is still supported but deprecated.
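The two SecurityHeaders rules above (a 1-year floor on the HSTS max-age, and sensitive headers reported only when they carry a value) are easy to misread without seeing them applied. The following is an added illustration written for these notes, not Sift's own analyzer code. It assumes "1 year" means 365 days, treats a missing Strict-Transport-Security header as a finding, and adds X-AspNet-Version to the sensitive-header list; only Server and X-Powered-By are named on the page. The sample responses are constructed.

```python
# Minimum HSTS max-age accepted by the check: 1 year in seconds.
# The release notes say "1 year"; 365 days is this example's assumption.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60

# Headers treated as sensitive because they disclose server technology.
# Server and X-Powered-By come from the release notes; X-AspNet-Version is an assumption.
SENSITIVE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_hsts_max_age(value):
    """Return the integer max-age directive of an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            num = num.strip().strip('"')
            return int(num) if num.isdigit() else None
    return None


def check_security_headers(headers, min_max_age=ONE_YEAR_SECONDS):
    """Apply both rules to one response's headers.

    headers: dict of header name -> value; names are compared case-insensitively.
    Returns a list of finding strings; an empty list means the response passed.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    # Rule 1: HSTS must be present with a max-age of at least one year.
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")  # assumption: missing is a finding
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < min_max_age:
            findings.append(
                f"Strict-Transport-Security max-age {max_age} is below the "
                f"{min_max_age}-second (1 year) minimum"
            )

    # Rule 2: a sensitive header is only reported when its value is non-empty.
    for name in SENSITIVE_HEADERS:
        value = lowered.get(name)
        if value is not None and value.strip():
            findings.append(f"sensitive header {name} exposes value {value!r}")

    return findings


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "hardened": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Server": "",  # present but empty: not reported
    },
    "weak": {
        "Strict-Transport-Security": "max-age=86400",  # one day
        "Server": "nginx/1.25.3",  # constructed value
        "X-Powered-By": "Express",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, check_security_headers(hdrs))
```

Running it reports nothing for the hardened response and three findings for the weak one: the short max-age plus the two populated technology headers. Lowering min_max_age to two years' worth of seconds shows why the threshold change matters: a 63072000-second policy is exactly the old floor, so tightening the minimum downward only reduces false positives on policies between one and two years.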
Bug Fix
- GraphQL Crash Fix
Resolved a crash in Sift when executing GraphQL queries containing a union type.
2025.7.1
New Features
- Group-Scoped Patterns
In addition to global patterns, you can now define patterns scoped to specific groups. These can be added by any member of the group, enabling more tailored and decentralized testing strategies.
- New Type for Patterns: JSON
Introduced a simplified JSON pattern type to replace the older OneOfJSON. The new type streamlines configuration while maintaining equivalent functionality. The Patterns configuration in the UI accepts multiple choices for the value of a field.
Enhancements
- UI Improvements
Refreshed the Runs and Issues pages for a cleaner and more intuitive interface.
  - When viewing an issue, you can now click on previous detections to view evidence from specific runs.
  - The revision history clearly displays the last updated timestamp for better auditability.
Bug Fix
- Revision Handling
Sift now correctly uses the latest revision of an OpenAPI definition during scans.
Sift
New Features
- New Generator: json
Introduced the new json generator, which replaces OneOfJSON.
  - json uses the configuration property values.
  - OneOfJSON uses options.
  - Functionality is identical; naming has been standardized.
- Template Expression Updates
Template action strings are no longer quoted by default.
  - Use quote() for quoted JSON-escaped strings.
  - Use js() for escaping without quotes.
Enhancements
- BrokenObjectLevelAuth Analyzer
Now supports both multi-user and single-user attack scenarios.
  - The BrokenObjectLevelAuthSingleUser analyzer is deprecated but still supported (with a warning).
  - If both analyzers are present, only BrokenObjectLevelAuth will run.
- PasswordExposure Analyzer
Behavior now better conforms to the documentation:
  - Detects fields named "password" with values of 4 or more characters.
  - Detects any string that includes "password" and a likely password value.
- EndpointExposure Analyzer
Removed /actuator/health from the list of paths considered exposed.
- Regex Generator
Now uses the same random number generator as other generators when a seed is set, ensuring consistent behavior.
- DataExposure Analyzer
  - Evaluates all response fields and reports on all matching pattern rules.
  - Findings can now include optional metadata such as title, fault ID, severity, reason, and remedy.
  - Displays warnings for unsupported rule types in pattern sets.
- Generator Naming Standardization
Generator names now use kebab-case (e.g., date-time, int-range, json, regex).
  - CamelCase variants (e.g., OneOfJSON) are deprecated and may be removed in future releases.
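The PasswordExposure rules listed under Enhancements (a "password" field whose value has 4 or more characters, and a free-text string that embeds "password" next to a likely value) are the kind of check worth seeing over a real-looking response body. What follows is an added example for these notes, not Sift's PasswordExposure analyzer. It assumes a decoded JSON response, matches the field name case-insensitively, and implements "likely password value" as a regex of its own: the word password, a colon or equals sign, then a token of 4 or more non-space characters. The page does not define that heuristic; it is this example's assumption. The sample body is constructed.

```python
import json
import re

MIN_PASSWORD_LEN = 4  # from the release notes: values of 4 or more characters

# Rule 2 heuristic (assumption, not the page's definition): "password", an optional
# separator, then a quoted-or-bare token of at least MIN_PASSWORD_LEN non-space characters.
INLINE_PASSWORD_RE = re.compile(
    r"password\s*[:=]\s*['\"]?([^\s'\",;]{%d,})" % MIN_PASSWORD_LEN, re.IGNORECASE
)


def find_password_exposure(body):
    """Walk a decoded JSON body and return (json_path, rule) pairs for every match.

    rule is "password-field" for rule 1 and "inline-password" for rule 2.
    Paths use dotted keys and [index] for list elements.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                # Rule 1: a field literally named "password" holding a string of >= 4 chars.
                if key.lower() == "password" and isinstance(value, str) and len(value) >= MIN_PASSWORD_LEN:
                    findings.append((child, "password-field"))
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str):
            # Rule 2: free text that mentions "password" together with a likely value.
            if INLINE_PASSWORD_RE.search(node):
                findings.append((path, "inline-password"))

    walk(body, "")
    return findings


# Constructed sample response body (not real data).
SAMPLE_BODY = json.loads('''{
  "user": {"name": "alice", "password": "hunter22"},
  "pin": {"password": "123"},
  "notes": ["reset done", "temporary password: Welcome2024"],
  "help": "Forgot your password? Click here."
}''')

if __name__ == "__main__":
    for path, rule in find_password_exposure(SAMPLE_BODY):
        print(f"{rule}: {path}")
```

The three negatives in the sample are the interesting part: the 3-character "123" stays below the length floor, and the help text mentions "password" without a value after it, so neither is reported. Tightening or loosening INLINE_PASSWORD_RE is where the false-positive trade-off lives; the field-name rule is deterministic.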
Bug Fixes
- Template Expression Evaluation
Template expressions in referenced TestProfile files are now correctly evaluated when specified via configuration or CLI flags.