Changelog

v0.203.3

UI, Performance, and Security Improvements

This release improves the experience by making workflows faster and more intuitive, while also providing clearer insights into security issues. You benefit from a cleaner interface, better performance, and smarter tools that help you work more efficiently.

Changes in this release

  • Faster Workflows and Better Visibility
    • Workflow Editor Improvements: We've made the workflow editor smarter and easier to use. Dropdowns are now more reliable, and the overall layout has been adjusted for a cleaner look, especially on smaller screens. We've also fixed several small bugs to ensure a seamless experience when creating and editing your automation.
    • Real-time Updates: Your recent runs now refresh automatically every five seconds, so you're always seeing the latest status without having to manually reload the page.
    • Clearer Component Details: You can now see the version number of each component you use, giving you better control and a clearer understanding of your workflow's dependencies.
  • Smarter Security and Issue Management
    • Better Vulnerability Details: When an issue contains multiple vulnerabilities in the same file, we now show you all of them, with a direct link to the exact line of code where each vulnerability occurs. This makes it much faster to investigate and resolve security issues.
    • Improved Secrets Scanning Results: The log viewer now displays results from Secrets Scanners and other nested reports more clearly, making it easier to pinpoint security findings.
    • Easier Issue Deletion: You can now delete issues directly from the platform, giving you more control over your security backlog.
    • Updated Security Tools: We've made improvements to Elixir SAST scanners (Sobelow, Credo) and GitHub PR commenter components for more accurate and reliable security analysis.
  • Enhanced User Experience
    • Simplified Navigation: We've reduced the size of navigation breadcrumbs and streamlined titles to give you more screen space. The new workflow editor sidebar now collapses automatically, letting you focus on the task at hand.
    • Improved Dashboards: All dashboards have been polished and tidied up for a cleaner look. You'll also find that table references no longer overlap, and filters won't accidentally affect your dashboard views.
    • Greatly Optimized Performance: We've made significant performance and stability improvements across the platform, especially on the Issues page, so everything feels faster and more responsive.
  • Component Ordered Execution: Components of the same type can be fine-tuned to execute in order within a workflow. This is especially useful for creating finalizers, garbage collectors, and other components that need to run in a specific sequence.
  • Workflow variable substitution is now supported in component parameters, allowing for more dynamic and flexible workflows.
v0.186.0

Smithy Release: Faster, Smarter, and Way Less Painful

This release focuses on speed, clarity, and fewer headaches. Navigation is now lightning-fast (25× faster page loads), issue management is cleaner with smarter deduplication, and workflow editing is safer and simpler. Sorting is clearer, bugs are squashed, and the overall experience is smoother and more stable thanks to major performance improvements under the hood.

Changes in this release

  • Faster, smoother navigation – Moving from dashboard to issues is now nearly instant (25× faster). Browsing and filtering no longer cause layout jumps.
  • Smarter issue management – Deduplication is now built into Smithy Intelligence by default, making reports cleaner and easier to act on. Disabling it now requires confirmation so you don’t lose visibility.
  • Simpler workflow editing – Components are managed directly in the workflow graph (no more dropdown hunting), and deleting parameters no longer nukes whole components.
  • Easier sorting & finding issues – Sorting is now built into table headers, so it’s obvious how your list is ordered and faster to spot what matters.
  • More stable experience – Fixed annoying bugs like duplicated API calls (3× less load), integration settings not closing, and stray toast messages stacking up.
  • Performance boost everywhere – Behind the scenes, the database now runs multithreaded, giving you consistently faster load times across the app.
v0.181.0

Performance Improvements & UX Consistency

This round of updates makes Smithy faster, cleaner, and more consistent across the board. Dashboards now share a unified look, large runs import data in seconds instead of minutes, and navigating big datasets is effortless. We’ve also added small touches to make assets easier to find, workflows simpler to manage, and the UI more reliable—so you can focus on security, not on waiting or clicking around.

Changes in this release

  • Navigate large lists faster – Locations and Runs pages now load quickly and have pagination, making it easier to browse big datasets without slowdowns.
  • Cleaner asset view – Long filenames are neatly truncated, and asset links now let you jump directly to a repository, branch, or filtered list with a single click.
  • Stay up to date in real time – The Runs page auto-refreshes every 5 seconds if there are unfinished runs, so you always see the latest status without manual refresh.
  • Better GitHub integration – Large GitHub organisations (hundreds of repos) now display all repositories, and new workflows auto-select your current org for faster setup.
  • Find help faster – Integration targets now link to all relevant documentation, not just the first doc in the list.
  • Massively faster issue pages – Issue details now load up to 15× faster, so you can investigate and act with minimal waiting.
  • Quicker asset access – Dropdown menus now let you jump straight to asset details and reference badges in fewer clicks.
  • More stable issue pages – Handles missing data gracefully, reducing crashes and improving reliability when investigating issues.
  • Better visibility – Assets with no issues are now visible, and file paths are shown correctly on location details.

Finding Management Re-Imagined

This release brings powerful new ways to customize your views, group and filter issues, and navigate your workflows with less noise and more clarity. From collapsible labels to much smarter deduplication and redesigned detail pages, everything’s been tuned to help you focus on what matters most: reducing MTTR.

Changes in this release

  • Customizable dashboards across the application. You can now choose which columns you want to see on any table across the app. Your preferences are saved, so you can curate your dashboard views exactly how you like them.
  • Cleaner, More Focused Tables: Labels (like workflows, tags, tools, languages) are now collapsible. You’ll only see the details when you need them. Say goodbye to cluttered tables.
  • Search & Filter Made Simple: Search bars, filters, and sorting options have been moved next to page titles for easier access, giving you more space to focus on what matters: your data.
  • New Filter Component: Filters are now grouped neatly, so it’s faster and easier to drill down into the data you care about.
  • Issue Management Reimagined
    • Fix Vulnerability Classes, not instances! We've improved how issues are grouped. Multiple instances of the same vulnerability (across files, branches, or assets) are now combined into one issue. Focus on fixing the root cause without unnecessary noise.
    • New Issue List Filters: You can now filter issues by Priority, Status, Workflows, References, Assets, and Tools to zero in on what you want to fix next.
    • Bulk Dismissal Simplified: Dismissing an issue now dismisses all related findings of that issue type across your project, no more repetitive clicks.
  • Redesigned Finding Detail Pages
    • Finding Details Page Overhaul: A new overview panel gives you high-level info upfront, while a Locations Overview groups findings logically by file and asset. For findings across multiple branches, you only need to fix it once and merge. This streamlines your remediation flow.
    • Location Details Page (New!): Dive into a specific finding and see its status, priority, tags, which workflow found it, and when it was first/last seen, all in one clear view.
    • Filters That Follow You: When you filter by an asset on the Issue List and click into an issue, the Locations tab will stay filtered for you. Less clicking, more fixing.
  • Workflow & Triggers Improvements
    • Run Workflows Without Enrichers: You can now execute workflows without needing an enricher by default. For advanced users, a “noop” enricher is added automatically when necessary.
    • Smarter Trigger Visibility: Triggers tied to disabled targets are now hidden from the UI, keeping things clean and relevant.
  • Bug Fixes & Performance Enhancements: Pressing Enter on workflow creation/edit forms no longer submits prematurely. Empty content is now hidden from the Run Details Page for a cleaner look. Fixed dashboard summaries to handle cases when deduplication hasn’t run yet.
  • Small but Nice Touches: Brand-new loading indicator, a subtle visual upgrade that makes waiting a little less dull.
  • Performance improvements and internal changes
    • Database Schema Redesign - hugely speeds up the database with the release of the new issues page.
    • As a result, for more than 10m findings, the Issues page now loads in under 1s. Total finding count is back!
    • Noise reduction stats got a facelift, showing HOW findings reduction from 1,818,460 to 2328 actionable issues happens.
v0.158.0

'Web Application Deployed' Trigger and DAST reliability

Running DAST, across many individual domains, at scale, trackable, low noise, observable and reliable

Changes in this release

  1. A brand new 'Trigger' component that launches a workflow passing metadata such as 'WebApp Location', and 'Login credentials'. Useful for scanning with one or more DAST or external attack surface detection tools.
  2. Reliability fixes for components that require lots of cluster resources. Now you can run Semgrep or ZAP against massive targets reliably, with fewer workflows crashing due to unavailable resources.
v0.144.1

Multi-Org support for GitHub, login with Google, NoOperation Components

Run a workflow for changes across GitHub organizations, log in with Google and 'do-nothing' components

Changes in this release

  1. The GitHub trigger now pulls repositories from multiple organizations
  2. You can now log in to Smithy with Google if you are in an allowlisted workspace.
  3. There are noOp components now; you can use them, for example, for running a DAST where there are no preparatory steps such as triggers or targets.
  4. Bugfixes and stability improvements
v0.136.0

Resiliency improvements, Python SDK and more components!

Run logs are clearer, automatic DB failovers and high availability database, Python SDK, Checkmarx Parser and Dependency Track Reporter.

Changes in this release

  1. The SaaS and On-Prem Smithy Databases are now Highly Available Postgres with failovers.
  2. There is a new Python SDK released. You can write AI or Data Science enrichers natively in Smithy now!
  3. Checkmarx parser component
  4. Dependency Track Reporter
  5. Run logs are clearer, you can see what is going on during execution and how things failed.
v0.136.0

Tarballs, and Tiny Triumphs

Docs week, arbitrary artifact downloader, on prem persistence backend flexibility

Changes in this release

  1. Smithy can now download source code artifacts in .zip, .tar, or .tar.gz formats over S3-compatible APIs or plain HTTP(s).
  2. There is a new trigger for arbitrary artifacts
  3. Kafka notification with an S3 results upload, all in one. Perfect for more air-gapped or hybrid setups, or when you're wiring Smithy into real dev pipelines with storage quirks.
  4. You can now configure target metadata persistence to play nice with different backends (yes, even Ceph)
v0.135.0

Git Trigger UX improvements, large dataset reliability, Kafka and improved Sentry

Edge cases for Git and GitHub triggers, guaranteed persistence in large finding datasets, better Sentry support and Kafka downstream reporting.

Changes in this release

  1. Swapping between Git trigger types.
  2. A GitHub trigger can scan multiple branches now (used to be either All branches or a Single Branch)
  3. Guaranteed persistence for large finding datasets. Smithy used to be unreliable when a single scan had more than twenty thousand findings; it is now more reliable for large datasets via gRPC batching.
  4. Support for all types of vulnerability findings in Sentry.
  5. There is now a Kafka component that allows for streaming findings to a Kafka topic.
v0.131.0

Even more noise reduction, manually run workflows with triggers

How do you manually run a workflow that has a trigger? How do you further reduce noise from PRs?

Changes in this release

  1. Smoother Trigger Setup & More Transparent Workflows. Now you can:
    • Quickly find the right repos or orgs with a clearer, more intuitive list
    • Understand what’s going to happen before you hit “Run Workflow” (finally!)
    • See clearer explanations for event types, so you know exactly what’s being monitored
  2. While Smithy scans the repository at the state of a PR or Branch, most users don't want to see findings for code that isn't part of the PR. We now auto-clean findings that don’t show up in your diff, so your view stays focused on what’s actually changed.
  3. Several bugfixes and smaller improvements.
v0.126.0

New way of launching workflows, SonarQube integration, new workflows page look and feel

The new triggers have landed! Complete visibility on which targets the workflow will affect. New integrations and new look and feel

Changes in this release

  1. Triggers and Sources are now "Targets". A target has the ability to monitor a resource and launch a workflow anytime the resource changes, either via webhook or by subscribing to any message queue. Based on the "Target", users have the ability to see how many targets a workflow will affect.
  2. There is a new integration with SonarQube
  3. The workflow creation page got a facelift.
v0.121.0

Bugfixes and Performance Improvements

The main Issues List loads faster when there are more than 100k findings

Changes in this release

  1. Main issues list loads faster when Smithy has lots of findings
  2. Bugfixes
v0.120.0

UX polish, improved ZAP support, Linear and Discord integrations

Workflow graph is easier to use, findings summary page shows and filters by individual triage annotation. A couple more integrations

Changes in this release

  1. Users can now filter the findings by their individual triage state (e.g. show me all duplicates, findings for which an exploit doesn't exist, or unreachable findings).
  2. Smithy Intelligence has editable parameters
  3. ZAP authenticated scan has more rules enabled and ZAP exits gracefully on error
  4. Discord integration
  5. Linear integration
  6. Bugfixes
v0.118.0

Automated Triaging and more integrations

Smithy can now remove even more noise. Several new integrations

Changes in this release

  1. Smithy can now download and extract archives from S3-compatible locations. Great for ingesting manual test results or raw documents that have e.g. Pentest Reports.
  2. New reporter for Sentry, you can centralize both runtime errors and security findings in Sentry.
  3. There is a reporter for Discord now, you can report scans and their findings to specific Discord channels.
  4. Smithy Workflows and the Dashboard now support Automated Triaging. You can set findings to be automatically marked as False Positives or get deprioritized based on configurable logic from the workflow (e.g. if a finding is unreachable or if the exploit for a CVE is not public). Triaged findings have a clear triage log and are still accessible from the findings lists.
  5. Reporters ignore findings that have been triaged out so that downstream reporting targets do not see noise.
  6. You can now find all enrichers grouped in a frontend feature called "Smithy Intelligence", enabled by default. Intelligence is a singular hub for what extra information you can add to a workflow. Each is one of two types:
    • "Triage": if applied and the condition is true, the finding will be automatically marked as a false positive
    • "Info", extra information such as ownership, similar other findings, CWE or other standard enrichment, fix information etc.
v0.116.0

UI Improvements

Smithy UI is significantly less cluttered as experiments are removed

Changes in this release

  1. The workflows UI now mostly shows the graph, and users can edit component arguments by clicking on the component.
  2. The workflow name is editable by clicking on it directly
  3. Bugfixes
  4. If a finding is not in the code changed for a branch or PR it doesn't get reported anymore
v0.115.0

Exploitability, rich finding info and lots of UX changes

Smithy reports if an exploit exists for a CVE. Every finding has a ton of info on how to fix and where it was found and the UI looks more like the website

Changes in this release

  1. Smithy can add exploitability information to findings
  2. Every finding has rich info including remediation advice where applicable, lots of explanation on what the impact is and which exact branch or PR it was found in.
  3. SaaS looks more like the marketing website for an eventual seamless experience between the two.
v0.112.0

Findings Management and a Jira integration

Users can dismiss or silence findings in Smithy. Dismissed findings get re-opened if found again, silenced findings stay silenced until they are un-silenced. There is a Jira integration.

Changes in this release

  1. Smithy can now open Jira tickets for every new, unique finding
  2. Users can now choose to Silence (do not show again) or Mark As Resolved (I fixed it) any finding from Smithy
v0.107.0

Users can see found vulnerabilities by Repository and Image, Smithy reports on GitHub PRs

Users of Smithy SaaS can see found issues by the repo or image they were found in. There is a GitHub reporter component. Smithy runs automatically for private repos and can also monitor private images in registries.

Changes in this release

  1. There is a new menu category under "Scan Results" called "Assets", where every target scanned by Smithy shows up with an overview of what security actions have been done to the target and what has been found, prioritised.
  2. Smithy can now report findings as GitHub PR comments, similarly to how a linter would.
  3. An update to the main-page shows the top vulnerable assets.
  4. Smithy now understands and can track container images and related image based vulnerabilities.
v0.100.0

DAST, unified Snyk, Semgrep, SBOMs

Smithy can do DAST scans and generate SBOMs

Changes in this release

  1. Support for running ZAP authenticated and non-authenticated scans
  2. All the disparate Snyk components were unified into 1
  3. Support for running CDXGen and generating SBOMs to be sent to a waiting Dependency Track
  4. UX and Data handling Bugfixes
  5. Semgrep supports rule customization
  6. smithyctl recognizes ambient credentials for authenticating to Docker image repositories
v0.80.0

SaaS uses V1 components

Smithy SaaS runs V1 components. There are now dashboards that show reprioritised findings.

Changes in this release

  1. SaaS now has V1 SDK components
  2. SaaS now speaks OCSF
  3. With the release of V1, there is a new data engine! This allows the user to deduplicate findings and to view and sort all findings via the released Data reporting tool. It also allows faster and more rapid development of data features.
  4. SaaS now has an issue list where users can see their top-priority issues found by all workflows
v0.69.0

Operator Improvements to better support on-premise deployments

Smithy SaaS runs on local clusters with support for networked filesystems.

Changes in this release

  1. Smithy SaaS runs on local clusters with support for networked filesystems.
  2. Dependencies update to address false positive alerts
  3. UI improvements:
    1. Bump NPM packages and address all Dependabot alerts.
    2. Users can now share pre-filtered workflow and instance pages by copying the URL.
    3. Update the UI of the workflows and instances page filters.
    4. Fix a bug when launching a workflow with custom parameters.
v0.20.0

OCSF support

Smithy OSS now speaks OCSF

All Smithy components in the open-source project now use Open Cybersecurity Schema Framework for their data.

v0.60.2

GitHub Triggers

Trigger a workflow automatically when your repository is updated.

Smithy SaaS now supports Git triggers. You can now run workflows automatically when:

  • any repository is updated in your GitHub/GitLab organisation
  • a specific repository or branch is updated in your organization