1.13.0 — 12th September
Traceable CLI 1.13.0 release provides the following updates:
Updates
GraphQL Variable Mutations
The CLI now supports mutating enum, boolean, and int variable types for GraphQL requests, expanding the scope of testing for API schemas.
GraphQL Query Parsing Enhancements
Added support for recursive selection in GraphQL query parsing, improving test coverage and accuracy for nested query structures.
Prehook Call for Heartbleed Scan
Introduced a prehook call specifically for the Heartbleed vulnerability scan to improve the scan workflow and readiness.
Resolved Issues
Test Count Accuracy Fixes
Resolved an issue causing inaccurate test counts in both local and remote plugins, ensuring test results are tracked correctly across executions.
1.12.7 — 11th August
Traceable CLI 1.12.7 release provides the following updates:
Updates
Added jwcrypto Import to CLI Binary
Added jwcrypto to the CLI binary imports to support authentication hooks that rely on cryptographic operations. This ensures that the hooks function correctly without requiring external dependencies.
Resolved Issues
Pre-hook Execution for heartbleed Plugins
Resolved an issue where the heartbleed plugin did not execute pre-hooks. The plugin now runs pre-hooks as expected, ensuring correct behavior during execution.
1.12.6 — 31st July
Traceable CLI 1.12.6 release provides the following updates:
Resolved Issues
Test Count Handling for CLI Security Header Plugins
Resolved an issue where CLI security header plugins did not send a final test result when no issues were detected. A final Not Vulnerable status is now sent to the platform to ensure accurate test counts and result visibility.
1.12.5 — 28th July
Traceable CLI 1.12.5 release provides the following updates:
Resolved Issues
Fix for Retest Scan Flow
Resolved an issue in the retest scan flow where an unnecessary call to the scan API caused duplicate test scans to be created. This redundant call has been removed to ensure cleaner and more accurate retest executions.
1.12.4 — 21st July
Traceable CLI 1.12.4 release provides the following updates:
Resolved Issues
Fix for Incorrect Vulnerability Marking in Baseline Tests
Resolved a bug where baseline test results for RCE, SQLi, NoSQLi, and RegexDoS were incorrectly marked as vulnerable. This issue led to a spike in false positives. This fix restores accurate evaluation of baseline test outcomes.
1.12.3 — 16th July
Traceable CLI 1.12.3 release provides the following updates:
Updates
Support for Traceable Token as Kubernetes Secret in Helm Chart
The CLI runner Helm chart now supports referencing the Traceable API token as a Kubernetes secret. You can specify the secret name and key in the values.yml file for improved security. For more information, see Runners.
Removed Docker Support for manylinux2014 CLI Version
Traceable CLI no longer publishes Docker images for the manylinux2014 build. This change discontinues support for the Docker version of this CLI variant starting with this release.
Resolved Issues
Fix for Improper XML Body Parsing
Resolved a bug where inline XML bodies were not parsed correctly in certain cases. The update ensures that both inline and multi-line XML payloads are handled accurately across all supported patterns.
1.12.2 — 12th June
Traceable CLI 1.12.2 release provides the following updates:
Updates
Support for DependsOn Attribute in Plugin Class List
Added support for the DependsOn attribute in the plugin class list. This resolves issues where plugins were being incorrectly shown as failed in the Plugins table due to missing class references.
Crawler Anchor Enhancements for DAST Web Scans
Updated the crawler to follow anchor links even when they are not visible on the page. This improves the overall coverage in DAST Web scans.
Exception Handling for Policy Configuration Issues
Added a new exception class to handle errors related to invalid or misconfigured policies. This helps improve error traceability during scan execution.
Resolved Issues
parse_attributes Method Not Found
Resolved an issue where calling an unimplemented parse_attributes method caused failures while testing custom plugins.
Retest Scan Command
Resolved an issue where an incorrect option name prevented the retest scan command from executing successfully.
1.12.1 — 2nd June
Traceable CLI 1.12.1 release provides the following updates:
Updates
Support for Scanning SOAP APIs
Traceable CLI now supports running XAST Live and XAST Replay scans on SOAP APIs. As part of this scanning, Traceable parses the XML body of APIs and updates plugins to detect vulnerabilities (issues) in the traffic.
1.12.0 — 27th May
Traceable CLI 1.12.0 release provides the following updates:
Updates
DAST Web Scan Support via CLI
Traceable CLI now supports DAST Web scans that crawl web applications, discover API endpoints, and execute security tests. You can configure these scans using the following configurations:
Configuration | Description
--crawler-seed-urls | A comma-separated list of seed URLs that Traceable should crawl for discovering APIs.
--crawler-username | The username Traceable should use for logging in to the seed URLs.
--crawler-password | The password corresponding to the username.
DAST Web scans are supported only on operating systems with glibc v2.28 or higher.
Compatibility CLI for Older glibc Versions
A new CLI binary (traceable-cli-manylinux2014) is now available for systems using glibc v2.17. This version supports all CLI features except DAST Web scans, ensuring continued support for legacy systems while providing the latest updates in the CLI.
HTTP/2 Protocol Support
The Traceable CLI now supports scanning APIs over the HTTP/2 protocol. This ensures compatibility with modern API deployments.
Enhanced Negative Response Codes
Introduced new negative response codes for improved error visibility during test execution:
Response Code | Description
-5 | Connection Failure
-6 | Test Chain Failure
-7 | Default for unknown errors; previously 0
Runner Liveness Monitoring
A runner now fails its liveness check if it does not send a successful heartbeat API call within 60 minutes. This helps ensure early detection and recovery of unhealthy and unresponsive runners.
Availability of Trace ID in Test Results
Traceable now includes a trace_id field in the test results of a scan. This helps you correlate the incoming traffic across the Traceable platform and simplifies debugging in case of any issues.
Stored Cross-Site Scripting (XSS) Detection
Traceable CLI now detects cross-site scripting (XSS) issues, enabling enhanced security coverage in API testing.
contains dict Operator in Response Checks
You can now use the contains dict operator for validating nested key-value structures in API response bodies.
gRPC Client Version Update
Downgraded the CLI's gRPC client version to 1.67.1 for improved stability and compatibility.
Regex Logic Improvements
Improved the regex matching logic to reduce false positives and enhance accuracy across plugins.
1.11.3 — 21st April
Traceable CLI 1.11.3 release provides the following updates:
Updates
sendRequest Parameter in Custom YAML Plugins
Added a sendRequest parameter to the Test Object function in Custom YAML plugins. This allows you to define whether Traceable should execute or skip the request for evaluation-only test logic.
Resolved Issues
Purge Configuration Handling
Resolved an issue where the Traceable platform's purge configuration was not applied as expected. The purge settings are now correctly applied during scan execution.
Runner Busy Check Disabled
Disabled the runner busy check logic to prevent premature scan termination and ensure scan stability.
1.11.2 — 11th April
Traceable CLI 1.11.2 release provides the following updates:
Updates
Proactive Runner Resilience
Added support for enabling automatic self-healing for runners by setting the environment variable TRACEABLE_SELF_HEAL=True. This feature identifies failures while running plugins or uploading results and restarts the affected processes.
Fail-Early Detection for Stuck Scans
Implemented a logic to detect scans that remain in a stuck state for an extended period and automatically restart the runner process.
Runner Auto-Respawn via Systemd
Added restart attributes to the runner's systemd service configuration to automatically respawn the process as part of resilience improvements.
Test Execution and Skipped Test Visibility
Added periodic logging of the plugin and test statistics, including the number of skipped tests (TestsSkipped). This helps explain scenarios where fewer tests are executed than generated due to unreachable APIs, usually caused by network connectivity issues.
Resolved Issues
gRPC Version Mismatch Fix
Resolved an issue where gRPC client-server version mismatches in Traceable CLI version 1.11.0 caused the runner to get stuck in a busy state.
gRPC Startup Warnings Fix
Resolved gRPC-related warnings that appeared during runner or CLI startup.
Zombie Runner After Scan Deletion
Addressed an issue where deleting an active scan from the Traceable platform left the runner in a zombie state for an extended duration.
POSIX Multiprocessing Bug Fix
Resolved several multiprocessing-related issues on POSIX-based systems that impacted runner stability.
1.11.1 — 25th March
Traceable CLI 1.11.1 release provides the following updates:
Updates
Support for Non-Default Service Accounts
Added support for deploying Traceable CLI in Kubernetes using a non-default service account.
Log File Purging Validation
Implemented a validation to ensure at least one log file is left post-purging, assuring the availability of the most recent logs.
Kubernetes Liveness Probe for Runners
Added support for Kubernetes Liveness Probe to monitor runner health.
Logging for GRPC and HTTP Stats
Introduced periodic logging of GRPC and HTTP call metrics, including call count and average duration. You can enable this logging using the following environment variables:
Variable | Type (Supported Values) | Default Value
GRPC_STATS_ENABLED | Boolean (True/False) | False
HTTP_STATS_ENABLED | Boolean (True/False) | False
Using the above variables, you can have Traceable monitor any latency in your application testing.
Resolved Issues
Fix for AST Headers in CLI Plugins
Resolved an issue where AST headers were being included in test generation. This prevents false positives from being reported on those headers.
Fix for Runners Stuck in Busy State
Addressed an issue where runners were getting stuck in the Busy state even when no scan was running.