July 2025

Enhancements

• Configuration Editor: Data Exposure Pattern Options
  When selecting a pattern for Data Exposure analysis, you can now:
  
  • Choose whether to report faults for unauthorized sessions only or for both unauthorized and authorized sessions
  • Specify a custom fault ID, fault name, and severity level
• API Type Support: GraphQL Subgraph
  Support was added for a new API type: GraphQL Subgraph.
  
  • Enables validation and testing of Apollo Federation Subgraph schemas.
  • Enhances GraphQL testing capabilities for federated architectures.
• Runs Report Enhancements
  The Runs report now includes two new columns:
  
  • Operations Successful
  • Operations Total

Bug Fixes

• View Definition Button Fix
  The "View Definition" button now consistently displays the most recent version of the API definition.

‍

Sift

New Features

• GraphQL Subgraph Support
  Support was added for GraphQL schemas that define an Apollo Federation Subgraph.
  
  • Use the definition type graphql-subgraph.
  • Sift automatically includes required schema extensions for Apollo Subgraph compliance.

Bug Fixes

• OpenAPI Memory Optimization
  Reduced memory usage when processing certain OpenAPI definitions, improving performance on large schemas.

‍

Bug Fix

• Pattern Configuration Fix
  Fixed an issue in Patterns where the Sift configuration generated for the JSON type was incorrect.

Sift

Changed

• SecurityHeaders Analyzer: HSTS Policy
  The SecurityHeaders analyzer now requires a minimum max-age value of 1 year in the Strict-Transport-Security header (reduced from 2 years).
• SecurityHeaders Analyzer: Header Reporting
  The analyzer now only reports findings for sensitive headers (e.g., Server, X-Powered-By) when they contain non-empty values.
• DataExposure Analyzer: Config Parameter Renaming
  Renamed the configuration parameter from findingTitle to findingName.
  
  • findingTitle is still supported but deprecated.

Bug Fix

• GraphQL Crash Fix
  Resolved a crash in Sift when executing GraphQL queries containing a union type.

New Features

• Group-Scoped Patterns
  In addition to global patterns, you can now define patterns scoped to specific groups. These can be added by any member of the group, enabling more tailored and decentralized testing strategies.
• New Type for Patterns: JSON
  Introduced a simplified JSON pattern type to replace the older OneOfJSON. The new type streamlines configuration while maintaining equivalent functionality.  The Patterns configuration in the UI accepts multiple choices for the value of a field.

Enhancements

• UI Improvements
  Refreshed the Runs and Issues pages for a cleaner and more intuitive interface.
  
  • When viewing an issue, you can now click on previous detections to view evidence from specific runs.
  • The revision history clearly displays the last updated timestamp for better auditability.

Bug Fix

• Revision Handling
  Sift now correctly uses the latest revision of an OpenAPI revision during scans.

‍

Sift

New Features

• New Generator: json
  Introduced the new json generator, which replaces OneOfJSON.
  
  • json uses the configuration property values.
  • OneOfJSON uses options.
  • Functionality is identical; naming has been standardized.
• Template Expression Updates
  Template action strings are no longer quoted by default.
  
  • Use quote() for quoted JSON-escaped strings.
  • Use js() for escaping without quotes.

Enhancements

• BrokenObjectLevelAuth Analyzer
  Now supports both multi-user and single-user attack scenarios.
  
  • The BrokenObjectLevelAuthSingleUser analyzer is deprecated but still supported (with a warning).
  • If both analyzers are present, only BrokenObjectLevelAuth will run.
• PasswordExposure Analyzer
  Behavior now better conforms to the documentation:
  
  • Detects fields named "password" with values of 4 or more characters.
  • Detects any string that includes "password" and a likely password value.
• EndpointExposure Analyzer
  Removed /actuator/health from the list of paths considered exposed.
• Regex Generator
  Now uses the same random number generator as other generators when a seed is set, ensuring consistent behavior.
• DataExposure Analyzer
  
  • Evaluates all response fields and reports on all matching pattern rules.
  • Findings can now include optional metadata such as title, fault ID, severity, reason, and remedy.
  • Displays warnings for unsupported rule types in pattern sets.
• Generator Naming Standardization
  Generator names now use kebab-case (e.g., date-time, int-range, json, regex).
  
  • CamelCase variants (e.g., OneOfJSON) are deprecated and may be removed in future releases.

Bug Fixes

• Template Expression Evaluation
  Template expressions in referenced TestProfile files are now correctly evaluated when specified via configuration or CLI flags.

‍