Highlights
Group-Scoped Patterns
Group-Scoped Patterns extend Aptori’s flexible testing framework by allowing teams to define and manage custom patterns at the group level, in addition to existing global patterns.
Release Notes
2025.7.1
New Features
- Group-Scoped Patterns
In addition to global patterns, you can now define patterns scoped to specific groups. These can be added by any member of the group, enabling more tailored and decentralized testing strategies.
- New Type for Patterns: JSON
Introduced a simplified JSON pattern type to replace the older OneOfJSON. The new type streamlines configuration while maintaining equivalent functionality. The Patterns configuration in the UI accepts multiple choices for the value of a field.
Enhancements
- UI Improvements
Refreshed the Runs and Issues pages for a cleaner and more intuitive interface.
- When viewing an issue, you can now click on previous detections to view evidence from specific runs.
- The revision history clearly displays the last updated timestamp for better auditability.
Bug Fix
- Revision Handling
Sift now correctly uses the latest revision of an OpenAPI specification during scans.
Sift
New Features
- New Generator: json
Introduced the new json generator, which replaces OneOfJSON.
- The json generator reads its choices from the configuration property named values.
- OneOfJSON reads them from the property named options.
- Functionality is identical; only the naming has been standardized.
- Template Expression Updates
Template action strings are no longer quoted by default.
- Use quote() for quoted JSON-escaped strings.
- Use js() for escaping without quotes.
Enhancements
- BrokenObjectLevelAuth Analyzer
Now supports both multi-user and single-user attack scenarios.
- The BrokenObjectLevelAuthSingleUser analyzer is deprecated but still supported (with a warning).
- If both analyzers are present, only BrokenObjectLevelAuth will run.
- PasswordExposure Analyzer
Behavior now better conforms to the documentation:
- Detects fields named "password" with values of 4 or more characters.
- Detects any string that includes "password" and a likely password value.
- EndpointExposure Analyzer
Removed /actuator/health from the list of paths considered exposed.
- Regex Generator
Now uses the same random number generator as other generators when a seed is set, ensuring consistent behavior.
- DataExposure Analyzer
- Evaluates all response fields and reports on all matching pattern rules.
- Findings can now include optional metadata such as title, fault ID, severity, reason, and remedy.
- Displays warnings for unsupported rule types in pattern sets.
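As an added illustration of the PasswordExposure and DataExposure behaviour described above (example code written for these notes, not Sift's own implementation): a small analyzer that walks every field of a JSON response, applies each pattern rule, and reports every match together with the finding metadata. The rule schema, the fault IDs and the "likely password value" heuristic are assumptions made for this example.

```python
import json
import re
# Constructed rule set mirroring the two PasswordExposure checks above plus the
# DataExposure finding metadata; rule shape, fault IDs and case-insensitive
# field matching are assumptions for this example, not Sift's own schema.
RULES = [
    {"title": "Password field returned in response",
     "fault_id": "EXAMPLE-PWD-FIELD",            # placeholder, not a real Sift ID
     "severity": "high",
     "field": re.compile(r"^password$", re.I),   # field named "password"
     "value": re.compile(r"^.{4,}$", re.S),      # value of 4 or more characters
     "reason": "A field named 'password' carries a non-trivial value.",
     "remedy": "Never echo credentials back in API responses."},
    {"title": "Password embedded in a string value",
     "fault_id": "EXAMPLE-PWD-STRING",
     "severity": "medium",
     "field": None,                               # any field name
     # 'password', a separator, then a 4+ char token as the "likely password value"
     "value": re.compile(r"password\s*[:=]\s*['\"]?\S{4,}", re.I),
     "reason": "A string contains 'password' followed by a likely secret.",
     "remedy": "Redact secrets from messages, logs and error details."},
]

def walk(node, path="$", name=""):
    """Yield (json_path, field_name, value) for every leaf of a response body."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}", key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]", name)
    else:
        yield path, name, node

def analyze(body):
    """Apply every rule to every string field; each match becomes a finding carrying the rule's string metadata."""
    findings = []
    for path, name, value in walk(json.loads(body)):
        for rule in RULES:
            in_scope = rule["field"] is None or rule["field"].search(name)
            if in_scope and isinstance(value, str) and rule["value"].search(value):
                findings.append({"path": path, **{k: v for k, v in rule.items() if isinstance(v, str)}})
    return findings

# Constructed sample response: two real exposures and two near-misses.
SAMPLE_RESPONSE = json.dumps({
    "user": {"id": 7, "password": "hunter22"},
    "debug": {"message": "db connect failed: password=S3cretDb!", "password": "abc"},
    "items": [{"note": "please reset your password soon"}],
})
```

Running analyze(SAMPLE_RESPONSE) reports the user.password field and the debug.message string, while the three-character password and the sentence that merely mentions the word are not flagged.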
- Generator Naming Standardization
Generator names now use kebab-case (e.g., date-time, int-range, json, regex).
- CamelCase variants (e.g., OneOfJSON) are deprecated and may be removed in future releases.
Bug Fixes
- Template Expression Evaluation
Template expressions in referenced TestProfile files are now correctly evaluated when specified via configuration or CLI flags.