Releases

2026.02.10

n8n

The latest release of Security Reporter includes an integration with n8n, making it possible to add another layer of automation and customization on top of Security Reporter without having to write a single line of code!

Follow the guide here to set up the Reporter integration in n8n.

Our latest blog shows an example of how you can integrate Reporter with Jira using n8n.

Other Improvements

In the finding layout, you can now configure conditions to show or hide fields based on assessment and client fields. The n8n blog post includes an example in which the Jira Issue field is displayed only when it is not empty.
OWASP ASVS v5 has been added to the checklist templates. You can add it to the list of checklist templates by going to Templates > Checklist Templates, clicking Clone default template, and selecting OWASP Application Security Verification Standard v5.
Admin users can now be assigned to test cases directly from the checklist table.
Editor autocomplete has been improved. You can now use the Tab key to accept a suggestion, and [mask] has been added to the autocomplete options.
Add 'Show details' tooltip to tool finding titles.
Documentation for using custom CA certificates has been added.
An option has been added to URL custom fields to control link behavior, either opening in a new tab or the current window. For existing custom fields, links now open in a new tab by default.
The section status badge that appears in the assessment overview tab is now smaller.
A button has been added to the top of a finding that scrolls to the latest retest when clicked:

Report compilation bug fixes

Fix an issue where a link in a PDF that continues on the next page would make the whole page clickable.
Fix an issue where rendering inline code inside a table would crash report compilation.
Fix an issue where mark tags could highlight the wrong text when used in combination with Unicode characters.
Fix an issue where inline code started a new paragraph.
Fix a bug that caused the PDF index to contain duplicate entries.
Fix several additional rare issues related to PDF compilation.

Other bug fixes

Fix an issue where the 'Add Checklist' button was visible to users without checklist creation permissions.
Fix a bug that caused targets to not appear in the targets list after adding them.
Fix an issue where the checklist table always showed the pass rate in the PDF report, even if the option was turned off.
Fix an issue where the pass rate text could not be translated.
The deprecated 'X-XSS-Protection' header has been removed.
Fix results when filtering assessments by 'Research phase completed at'.
Fix a bug that caused custom field regex validation to fail when using a pipe operator.
Boolean custom field changes in the theme editor are now saved.
Fix a bug that caused theme exports to fail when the colors of a custom field had previously been modified in the theme settings.
Fix a bug that made it impossible to change the 'password-protected PDF reports' setting from 'false' to 'true'.
Fix a bug that caused the add snippet button to not work in the assessment template edit page.
Fix a bug that caused the user page to throw an error if the logged-in user had no timezone.
Fix a bug in pages with a resizable split pane (such as the finding layout edit page) that caused the divider to stick to the mouse.
Fix a bug that sometimes caused a 500 Internal Server Error on the task page.
Fix a bug that caused result icons to become misaligned in the checklist table.
Fix a bug that caused the result of a test case to not get updated when the vulnerability state of a finding changed.

2025.12.30

Download Show checksums

API Filtering

In the previous release, we introduced new API filter operators such as greater-than and not-equal. A bug in that implementation caused some API integrations to break when multiple filter values were used. Previously, a filter like filter[severity]=1,2 returned results where severity = 1 OR severity = 2. Due to the bug, this was incorrectly evaluated as severity = 1 AND severity = 2, resulting in no matches. This issue has now been fixed. Multiple filter values once again default to OR behavior.

In addition to this fix, we added support for more advanced filtering. Filters prefixed with and_ require all conditions to be met, enabling use cases such as “not 1 AND not 2.” For example: filter[and_severity]=<>1,<>2.

Other Improvements

Improved several UI interactions with checklists:
- You can now collapse categories while filtering.
- You can now stop editing test cases by clicking on them.
- Test case finding link now has a visual indicator that findings are a link.
- Those finding links now open in a new tab.
- When the checklist is updated, test cases you are editing no longer reload.

Bug Fixes

Fixed unreliable syncing to Elasticsearch, causing some or all results to be missing from search results.
Fixed the "Add Target" button in the targets tab on the main assessment page.
Fixed a bug where non-markdown text fields, such as names and titles, that allow Todo tags, were saved HTML-encoded.
Fixed an issue where Elasticsearch would reindex every night for large databases.
Requesting a revision without text now correctly displays the validation error instead of reloading the page.
Tables in PDF reports no longer sometimes run off the page if there is a placeholder in them.

2025.12.11

Download Show checksums

Elasticsearch and Redis updated

Breaking change, read the upgrade guide! - Likelihood of Impact: Very High

Reporter has been updated to use Elasticsearch 8 and Redis 8. You MUST upgrade to Elasticsearch 8 and Redis 8 as part of this upgrade! Reporter will not be compatible with Elasticsearch 7 after this upgrade.

Use the following instructions to set up Elasticsearch 8 and Redis 8:

Upgrade Guide

Dynamic comparison operators for API filters

You can now use comparison operators in API filters for exact fields by prefixing the field name. For example, filter[severity]=<2 returns records where severity is less than 2.

Operator	Description	Example
(none)	Equal to	`filter[severity]=2`
`<>`	Not equal to	`filter[severity]=<>2`
`<`	Less than	`filter[severity]=<2`
`<=`	Less than or equal to	`filter[severity]=<=2`
`>`	Greater than	`filter[severity]=>2`
`>=`	Greater than or equal to	`filter[severity]=>=2`

New checklist templates

The following checklist templates are now available:

OWASP AI Testing Guide - Version 1
OWASP Top 10 for LLM Applications - version 2025
OWASP Mobile Top 10 - version 2024
OWASP API Security Top 10 - version 2023
OWASP Top 10 CI/CD Security Risks - version 2023
OWASP Kubernetes Top 10 - version 2022
OWASP Cloud-Native Application Security Top 10 - version 2022
OWASP Top 10 - version 2021
OWASP Docker Top 10 - version 2020
OWASP Internet of Things Top 10 - version 2018

You can add any of the new templates if you are an admin or a checklist template manager by following these steps:

Go to the Checklist templates page.
Click Clone default template.
Select the template you want to add.
Click Create fresh copy of template.

new checklist templates instructions

Improvements

[todo] tags are now also rendered in text fields, for example, in the title of the finding (template) edit page.
The assessment wrench dropdown menu has been restructured for improved clarity.
Targets on the finding show page are now rendered as links. Clicking on a target opens a modal with its details.
Add storage and Elasticsearch info to the status report.

Bug Fixes

Updated several third-party dependencies.
Fixed inconsistent expand/collapse behaviour in the checklist table.
Fixed an error that occurred when loading the researcher panel in certain assessments.
Resolved out-of-memory issues and a MySQL packet limit issue with the tool import.
Fixed a bug where test cases on the finding show page would not open the checklist modal after using inline edit on another field.
Fixed an issue where unclosed callouts in markdown were not rendered properly or caused an error.
Fixed an error that caused documents to not be rendered correctly in the researcher panel target details.
Fixed a bug that prevented the project admins from seeing assessment activity.
Fixed a bug where filtering assessments by manager or researcher did not work.
Fixed broken links to "suggest" and "create templates from findings".
Fixed an error that occurred when trying to create a file custom field.
Fixed a bug that cause the result of a test case to become desynced from the related findings.

2025.11.12

Download Show checksums

Duplicate Assessments

With just a few clicks, you can now duplicate entire assessments, making this functionality perfect for setting up recurring engagements. Create your assessment once, then clone it for each new iteration or project. All your targets, structure, and even unresolved findings can be carried over.

You can access the duplication feature from the Assessment dropdown on the main assessment page. When you duplicate an assessment, basic information and the assessment structure is always copied. Other elements, like the researcher briefing, targets, and unresolved findings, can be toggled. Duplicated assessments are always assigned a "Duplicated - Needs Review" tag, allowing you to find them easily. See the documentation for more details.

Duplicate assessments form

Targets in the Researcher Panel

Targets are now directly accessible from the Researcher Panel. Switch views using the new buttons in the top-left corner to easily jump between findings and targets.

In the Targets view, you can view details, create, edit, delete, and reorder targets without needing to refresh the page. This gives researchers and managers a smoother and more efficient experience.

Targets in researcher panel

Improvements

Added a new [mask] tag to the markdown editor that can be used to mask sensitive information, such as credentials, by default. An icon is displayed next to the mask, which can be used to reveal the contents.
- Note that the content is not hidden in PDF reports!
Added retest icons to findings in the section view in the researcher panel that show the status of the latest retest.
Search indexing is now much faster. You should be able to use the search functionality much more quickly after a server restart.
Task indicators are now red if you have overdue tasks, and orange if you have tasks due today.
You can now assign assessment tasks to global admins who are not assigned to the particular assessment.
Non-client users, such as researchers and assessment managers, now consistently see unpublished findings in all draft reports and on the web interface. For example, unpublished findings are now counted in report components that count findings by severity.

Bug Fixes

Fixed an issue where the loading indicator didn't disappear in the finding search modal.
Applying filters in the multi-filter search on the assessment index page now properly updates the URL.
The assessment analytics chart (second chart on the analytics page) now has clickable links.
Sections with todo tags now again have warning icons.
Fixed a bug that would prevent the schedule from loading.
When creating a new finding, the "Found At" field is now correctly prefilled with the current time in the user's timezone.
Importing an assessment template with incomplete translations no longer causes an error.
Fixed a bug that caused the checklist template names not to appear in the assessment template form.
Fixed a bug that caused the assessment template edit page to sometimes not render properly.
Fixed some issues with finding template suggestions and linked findings.
Fixed a bug where some finding fields were missing from the API docs and Zapier integration
Made downloading findings as CSV a lot faster, preventing timeouts.
Fixed an issue where the reports table component would incorrectly show resolvers when used in markdown fields.
Tasks to revise an assessment section now complete when you request a new review.
Changing a reviewable from "Draft" to "Revision requested" now completes the task to complete the reviewable.

2025.10.01

Download Show checksums

Assessment templates and editor

The assessment template editor has been completely redesigned. You can now configure the entire assessment template, including all its sections, in a single form. Sections can be reordered with drag-and-drop, properties can be modified on the spot, and translations can be added directly without leaving the page. All changes are saved at once, making it much easier to maintain templates.

Alongside the new editor, several new assessment templates have been added, and existing ones have been updated. To use them, click the 'Clone default template' button on the Assessment Templates page.

New assessment templates

The following templates are now available:

OWASP Top 10 for LLM Applications (2025)
OWASP Top 10 CI/CD Security Risks (2023)
OWASP Cloud-Native Application Security Top 10 (2022)
OWASP IoT Top 10 (2018)

Updated templates

The following templates have been updated:

Microsoft Cloud Security Benchmark (v1 → v2)
CWE SANS Top 25 (2022 → 2024)
OWASP Mobile Top 10 (2016 → 2024)
OWASP API Security Top 10 (2019 → 2023)

Syntax highlighting combined with mark tags

Syntax-highlighted code blocks now also support [mark] tag highlighting! Previously, [mark] highlighting only worked in plain code blocks without syntax highlighting. With this update, you can now combine the two, making it easy to call out specific parts of code, HTTP requests and responses, data snippets, and more, without sacrificing readability.

Python API wrapper updated

The Python API wrapper has been updated to include the latest endpoints, making integrations easier to set up and maintain. It is available on PyPI: https://pypi.org/project/securityreporter/. The full details can be found on GitHub: https://github.com/dongit-org/python-reporter.

Improvements

The tagging feature in the Markdown editor can now be accessed directly from a toolbar button, making it easier to add tags without remembering shortcuts.
The category name format in checklist tables is now customizable, just like the test case name format.
The default PDF report filename now includes the client’s name for easier identification and organization.
The checklist depth limit has been increased to 5, allowing more levels of nesting in checklist templates.
Findings from previous assessments can now also be imported into the current one via the Add finding dialog.
The order of severities in report components such as the "finding counts by severity" table, the "findings by severity" chart, and the "findings by severity and status" bar chart can now be reversed.

Bug fixes

Fixed a bug in the checklist table, where expanding or collapsing one category would sometimes cause a different category to be expanded or collapsed.
The checklist editor no longer occasionally incorrectly fails validation with a "test case code is duplicate" error message.
In the PDF report's table of contents, dotted lines now appear after all sections, if that setting is enabled.
In the online report's table of contents, sections no longer overlap.
In the PDF report, all URLs now get the correct color.
In the online report, when inline editing Markdown fields, the assessment language is now used to render the result, instead of the default language.
When making a new assessment checklist, the IDs and codes now get correctly copied over from the template categories.
Report generation no longer crashes when a finding has a multiselect custom field where the "Show as a badge" option is set to false, or where specific enums (such as Assessment Status) are used for the values.
The "Download default SVG backgrounds" button that was removed from the theme editor is now added to the theme index page, under the "Theme" dropdown.
When editing a task, the description text area now expands to fit its contents.
If the user tries importing targets using an invalid CSV file, a validation error is now shown.
The "findings by import status" and "checklist table" components can now also be previewed in the context of an assessment template.
Report compilation no longer crashes on certain inline code fragments if the report language is not set to English.
In the API, includes can now again be passed using the "array notation" (?include[]=assessment&include[]=user). Due to a bug, only "comma-separated notation" (?include=assessment,user) would be accepted.
The "list custom fields" endpoint in the API now returns a paginated response, consistent with other "list" endpoints.
Report pages can now again be included with themes through the API