1.12.1 — 2nd June
Traceable CLI 1.12.1 release provides the following updates:
Updates
Support for Scanning SOAP APIs
Traceable CLI now supports running XAST Live and XAST Replay scans on SOAP APIs. As part of this scanning, Traceable parses the XML body of the API traffic, and its plugins have been updated to detect vulnerabilities (issues) in that traffic.
1.12.0 — 27th May
Traceable CLI 1.12.0 release provides the following updates:
Updates
DAST Web Scan Support via CLI
Traceable CLI now supports DAST Web scans that crawl web applications, discover API endpoints, and execute security tests. You can configure these scans using the following options:

Configuration          Description
--crawler-seed-urls    A comma-separated list of seed URLs that Traceable should crawl to discover APIs.
--crawler-username     The username Traceable should use to log in to the seed URLs.
--crawler-password     The password corresponding to the username.
DAST Web scans are supported only on operating systems with glibc v2.28 or higher.
Compatibility CLI for Older glibc Versions
A new CLI binary (traceable-cli-manylinux2014) is now available for systems using glibc v2.17. This binary supports all CLI features except DAST Web scans, so legacy systems keep receiving the latest CLI updates.
HTTP/2 Protocol Support
The Traceable CLI now supports scanning APIs over the HTTP/2 protocol. This ensures compatibility with modern API deployments.
Enhanced Negative Response Codes
Introduced new negative response codes for improved error visibility during test execution:

Response Code    Description
-5               Connection failure
-6               Test chain failure
-7               Default for unknown errors (previously 0)
Runner Liveness Monitoring
A runner now fails its liveness check if it does not send a successful heartbeat API call within 60 minutes. This helps ensure early detection and recovery of unhealthy and unresponsive runners.
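The release note hinges on the word "successful": a runner that keeps calling the heartbeat API but never gets an acknowledgement is still unhealthy. The following is an added illustration of that rule written for this page, not Traceable's runner code; the HeartbeatMonitor class, the 2xx success criterion and the scenario data are assumptions chosen to show the behaviour.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Liveness window from the release note: no successful heartbeat within
# 60 minutes means the runner fails its liveness check.
HEARTBEAT_TIMEOUT = timedelta(minutes=60)


class HeartbeatMonitor:
    """Tracks heartbeat attempts for one runner and decides liveness.

    Illustrative model, not Traceable's implementation. Only heartbeats the
    platform acknowledged (assumed here to be HTTP 2xx) reset the window; a
    runner that keeps calling home but always fails is still unhealthy.
    """

    def __init__(self, started_at: datetime) -> None:
        # Until the first successful heartbeat, the start time anchors the window.
        self.last_success: datetime = started_at
        self.attempts: List[Tuple[datetime, int]] = []

    def record(self, at: datetime, status_code: int) -> None:
        self.attempts.append((at, status_code))
        if 200 <= status_code < 300:
            self.last_success = at

    def stale_for(self, now: datetime) -> timedelta:
        """Time elapsed since the last acknowledged heartbeat."""
        return now - self.last_success

    def is_live(self, now: datetime) -> bool:
        return self.stale_for(now) <= HEARTBEAT_TIMEOUT


def evaluate(events: List[Tuple[int, int]], check_at_minute: int) -> bool:
    """Replay (minute_offset, status_code) pairs and report liveness at check_at_minute."""
    t0 = datetime(2025, 5, 27, tzinfo=timezone.utc)
    mon = HeartbeatMonitor(t0)
    for minute, code in events:
        mon.record(t0 + timedelta(minutes=minute), code)
    return mon.is_live(t0 + timedelta(minutes=check_at_minute))


# Constructed scenarios (minute offset from runner start, HTTP status of the heartbeat call).
HEALTHY = [(10, 200), (40, 200), (70, 200)]             # regular acknowledged heartbeats
SILENT = [(10, 200)]                                    # one success, then nothing at all
FAILING = [(10, 200), (30, 503), (50, 503), (70, 503)]  # keeps trying, never acknowledged

if __name__ == "__main__":
    print("healthy runner at 90 min:", evaluate(HEALTHY, 90))
    print("silent runner at 90 min:", evaluate(SILENT, 90))
    print("failing runner at 80 min:", evaluate(FAILING, 80))
```

The FAILING scenario is the one worth checking in your own monitoring: if you only count heartbeat attempts rather than acknowledged ones, that runner looks alive while it is doing no useful work.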
Availability of Trace ID in Test Results
Traceable now includes a trace_id field in the test results of a scan. This helps you correlate the test traffic across the Traceable platform and simplifies debugging when an issue arises.
Stored Cross-Site Scripting (XSS) Detection
Traceable CLI now detects stored cross-site scripting (XSS) issues, extending the security coverage of API testing.
contains dict Operator in Response Checks
You can now use the contains dict operator to validate nested key-value structures in API response bodies.
gRPC Client Version Update
Downgraded the CLI's gRPC client version to 1.67.1 for improved stability and compatibility.
Regex Logic Improvements
Improved the regex matching logic to reduce false positives and enhance accuracy across plugins.
1.11.3 — 21st April
Traceable CLI 1.11.3 release provides the following updates:
Updates
sendRequest Parameter in Custom YAML Plugins
Added a sendRequest parameter to the Test Object function in Custom YAML plugins. It lets you define whether Traceable should execute the request or skip it, which supports evaluation-only test logic.
Resolved Issues
Purge Configuration Handling
Fixed an issue where the Traceable platform's purge configuration was not applied as expected. The purge settings are now correctly applied during scan execution.
Runner Busy Check Disabled
Disabled the runner busy check logic to prevent premature scan termination and ensure scan stability.
1.11.2 — 11th April
Traceable CLI 1.11.2 release provides the following updates:
Updates
Proactive Runner Resilience
Added support for enabling automatic self-healing for runners by setting the environment variable TRACEABLE_SELF_HEAL=True. This feature identifies failures while running plugins or uploading results and restarts the affected processes.
Fail-Early Detection for Stuck Scans
Implemented a logic to detect scans that remain in a stuck state for an extended period and automatically restart the runner process.
Runner Auto-Respawn via Systemd
Added restart attributes to the runner's systemd service configuration to automatically respawn the process as part of resilience improvements.
Test Execution and Skipped Test Visibility
Added periodic logging of plugin and test statistics, including the number of skipped tests (TestsSkipped). This explains scenarios where fewer tests are executed than were generated because APIs were unreachable, usually due to network connectivity issues.
Resolved Issues
gRPC Version Mismatch Fix
Fixed an issue where gRPC client-server version mismatches in Traceable CLI version 1.11.0 caused the runner to get stuck in a busy state.
gRPC Startup Warnings Fix
Fixed gRPC-related warnings that appeared during runner or CLI startup.
Zombie Runner After Scan Deletion
Addressed an issue where deleting an active scan from the Traceable platform left the runner in a zombie state for an extended duration.
POSIX Multiprocessing Bug Fix
Fixed several multiprocessing-related issues on POSIX-based systems that impacted runner stability.
1.11.1 — 25th March
Traceable CLI 1.11.1 release provides the following updates:
Updates
Support for Non-Default Service Accounts
Added support for deploying Traceable CLI in Kubernetes using a non-default service account.
Log File Purging Validation
Implemented a validation to ensure at least one log file is left post-purging, assuring the availability of the most recent logs.
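The failure mode this validation guards against is a retention-only purge run on a runner that has been idle: every log is older than the window, so a naive "delete everything past the cutoff" empties the directory and the most recent run's log is gone. The following is an added example written for this page, not Traceable's purging code; the function name, the age-based retention rule and the constructed log files are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Tuple


def purge_logs(log_dir: Path, keep_newest: int = 1, max_age_seconds: float = 7 * 86400,
               pattern: str = "*.log") -> List[Path]:
    """Delete logs older than max_age_seconds but always keep the newest `keep_newest`.

    Illustrative logic, not Traceable's implementation. Returns the deleted paths.
    """
    if keep_newest < 1:
        raise ValueError("keep_newest must be at least 1 so the latest log always survives")
    files = sorted((p for p in log_dir.glob(pattern) if p.is_file()),
                   key=lambda p: p.stat().st_mtime, reverse=True)  # newest first
    now = time.time()
    deleted: List[Path] = []
    # files[:keep_newest] are protected regardless of age; only the rest are eligible.
    for p in files[keep_newest:]:
        if now - p.stat().st_mtime > max_age_seconds:
            p.unlink()
            deleted.append(p)
    return deleted


def run_purge_on(ages_days: List[float], max_age_days: float = 7) -> Tuple[int, List[str]]:
    """Create constructed log files with the given ages (in days) and purge them.

    Returns (number deleted, sorted names of the files that remain).
    """
    with tempfile.TemporaryDirectory() as d:
        log_dir = Path(d)
        now = time.time()
        for i, age in enumerate(ages_days):
            p = log_dir / f"runner-{i}.log"
            p.write_text(f"constructed log entry {i}\n")
            stamp = now - age * 86400
            os.utime(p, (stamp, stamp))  # back-date the file to simulate its age
        deleted = purge_logs(log_dir, max_age_seconds=max_age_days * 86400)
        remaining = sorted(p.name for p in log_dir.glob("*.log"))
        return len(deleted), remaining


if __name__ == "__main__":
    print("mixed ages:     ", run_purge_on([30, 20, 10, 0.5]))
    print("all stale:      ", run_purge_on([30, 20, 10]))   # newest survives anyway
    print("all within window:", run_purge_on([3, 2, 1]))
```

The "all stale" case is the one the release note addresses: without the keep_newest floor, runner-2.log would be removed as well and nothing from the last run would be left to read.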
Kubernetes Liveness Probe for Runners
Added support for Kubernetes Liveness Probe to monitor runner health.
Logging for GRPC and HTTP Stats
Introduced periodic logging of GRPC and HTTP call metrics, including call count and average duration. You can enable this logging using the following environment variables:
Variable              Type (Supported Values)    Default Value
GRPC_STATS_ENABLED    Boolean (True/False)       False
HTTP_STATS_ENABLED    Boolean (True/False)       False

With these variables enabled, you can monitor any latency in your application testing.
Resolved Issues
Fix for AST Headers in CLI Plugins
Fixed an issue where AST headers were being included in test generation. This prevents false positives from being reported on those headers.
Fix for Runners Stuck in Busy State
Addressed an issue where runners were getting stuck in the Busy state even when no scan was running.