Version 5.28 - September 30, 2025

Version 5.28 advances policy management and enforcement while expanding remediation across Azure DevOps. It adds full SAST/SCA remediation in Azure, stronger SCA policy controls, and a new Guardrails flow with local and server-side rule evaluation. The release highlights Remediation Risk, which identifies the best version to upgrade to for each vulnerable dependency and reduces regressions. It also opens AI Auto-Fix to customer-provided models, so enterprises can choose their model strategy and keep governance intact.

⚠️ Remediation Risk – Breaking Change Detection

Traditional SCA tools recommend the lowest possible version to patch a vulnerability, but they rarely account for the risk of breaking builds or runtime behavior. Xygeni’s Remediation Risk capability goes further by analyzing dependency updates and detecting potential breaking changes before they impact production.

With AI-powered changelog and diff analysis, Xygeni highlights:

  • Removed methods and incompatible API changes

  • Contract differences and type mismatches

  • Exact call sites in your code affected by updates

This analysis is available for Java, C#, and other languages, and integrates directly into dependency update flows and the Xygeni Bot. Developers can see precisely where their code may fail and estimate the remediation effort required.
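The following is an added illustration of the idea behind Remediation Risk, not Xygeni's own code or analysis engine. It compares the public API surface of the installed version of a constructed library ("netkit", a hypothetical name) against three candidate fix versions, reports removed functions and contract changes (a new required parameter counts as a break, a new optional one does not), locates the exact call sites in a constructed consumer that each break would affect, and ranks the candidates by how many call sites would break. It uses Python's `ast` module on Python sources; the page's Java and C# support works on those languages' changelogs and diffs, which this toy does not model.

```python
"""Simplified breaking-change check for a dependency upgrade.

Added illustration of the idea behind Remediation Risk, not Xygeni code.
The library ("netkit"), its versions and the consumer are constructed inline.
"""
import ast
from dataclasses import dataclass


@dataclass
class Break:
    symbol: str   # public function affected
    kind: str     # "removed" or "signature"
    detail: str


def public_api(source: str) -> dict[str, list[str]]:
    """Map each public top-level function to its *required* parameter names.

    Parameters with defaults are ignored: adding an optional parameter does not
    break existing callers, while adding a required one does.
    """
    api: dict[str, list[str]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef) and not node.name.startswith("_"):
            args = node.args.args
            n_required = len(args) - len(node.args.defaults)
            api[node.name] = [a.arg for a in args[:n_required]]
    return api


def diff_api(old: dict[str, list[str]], new: dict[str, list[str]]) -> list[Break]:
    """Contract differences between two API surfaces, as seen by a caller of `old`."""
    breaks = []
    for name, required in old.items():
        if name not in new:
            breaks.append(Break(name, "removed", "function no longer exists"))
        elif new[name] != required:
            breaks.append(Break(name, "signature", f"{required} -> {new[name]}"))
    return breaks


def call_sites(consumer: str, module: str, symbols: set[str]) -> dict[str, list[int]]:
    """Line numbers in `consumer` that call `<module>.<symbol>` for affected symbols."""
    sites: dict[str, list[int]] = {}
    for node in ast.walk(ast.parse(consumer)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func
        if (isinstance(target.value, ast.Name) and target.value.id == module
                and target.attr in symbols):
            sites.setdefault(target.attr, []).append(node.lineno)
    return sites


def rank_versions(consumer: str, module: str, versions: dict[str, str],
                  current: str) -> list[tuple[str, int]]:
    """Rank candidate versions by the number of consumer call sites that would break."""
    base = public_api(versions[current])
    ranked = []
    for version, source in versions.items():
        if version == current:
            continue
        breaks = diff_api(base, public_api(source))
        affected = call_sites(consumer, module, {b.symbol for b in breaks})
        ranked.append((version, sum(len(lines) for lines in affected.values())))
    return sorted(ranked, key=lambda item: item[1])


# Constructed sample: the installed version plus three candidate fix versions.
VERSIONS = {
    "1.0.0": "def connect(host, port): ...\ndef send(conn, data): ...\ndef close(conn): ...\n",
    "1.1.0": "def connect(host, port): ...\ndef send(conn, data, timeout): ...\ndef close(conn): ...\n",
    "1.1.1": "def connect(host, port): ...\ndef send(conn, data, timeout=30): ...\ndef close(conn): ...\n",
    "2.0.0": "def connect(host, port): ...\ndef send(conn, data, timeout=30): ...\ndef shutdown(conn): ...\n",
}

# Constructed consumer code; its line numbers are what the call-site report shows.
CONSUMER = """\
import netkit

def fetch(host):
    conn = netkit.connect(host, 443)
    netkit.send(conn, b"hello")
    netkit.send(conn, b"")
    netkit.close(conn)
"""

if __name__ == "__main__":
    for version, affected in rank_versions(CONSUMER, "netkit", VERSIONS, "1.0.0"):
        print(f"{version}: {affected} affected call site(s)")
        for b in diff_api(public_api(VERSIONS["1.0.0"]), public_api(VERSIONS[version])):
            sites = call_sites(CONSUMER, "netkit", {b.symbol})
            print(f"  {b.kind:9} {b.symbol}: {b.detail}; lines {sites.get(b.symbol, [])}")
```

Run as a script, the report shows why "lowest fixed version" is a poor default: 1.1.0 is the smallest bump but makes `timeout` a required argument and breaks both `send` calls, 2.0.0 removes `close` and breaks one call, and 1.1.1 adds `timeout` with a default and breaks nothing, so it ranks first. The count of affected call sites is the rough effort estimate a developer can act on; the page's AI-based changelog and diff analysis covers far more change kinds (type mismatches, behavioural changes described only in changelogs) than this API-surface comparison does.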

Key benefits:

  • Upgrade dependencies with confidence

  • Prevent broken builds and runtime errors

  • Save hours of manual changelog review

  • Maintain security while preserving application stability

By reducing the uncertainty of version bumps, Remediation Risk helps teams keep dependencies secure without sacrificing velocity or reliability.

🤖 Xygeni Bot – Automated Remediation

The Xygeni Bot brings automation into the remediation workflow for SAST, SCA, and Secrets findings. It enables teams to define how and when remediation runs:

  • On-demand execution for manual control

  • On every PR to keep branches clean at merge time

  • Daily scheduled runs for continuous upkeep

The bot integrates directly into the development process, creating pull requests with fixes. Developers only need to review and approve or reject the changes, which streamlines collaboration and reduces remediation workload.

With this capability, organizations establish a continuous remediation loop—security issues are fixed proactively while developers stay focused on delivering new features and innovations.

🤖 AI Auto-Fix with Customer Models

Xygeni now supports customer-provided AI models for automated remediation. Instead of relying on Xygeni’s servers, the CLI can connect directly to the configured model—keeping all source code and related information completely private. This gives organizations full control over data privacy and model usage.

Customers can execute unlimited fixes when using their own AI model, removing limits tied to standard plans. Supported providers include:

  • OpenAI

  • Google Gemini

  • Anthropic Claude

  • Groq

  • OpenRouter

This flexibility enables teams to adopt the AI strategy that best fits their governance and infrastructure requirements, while still benefiting from Xygeni’s integrated remediation workflows.

👉 Learn more about setup in the Auto-Fix documentation.

☁️ Managed Scans for Azure DevOps

Xygeni now supports Managed Scans in Azure DevOps (ADO). Users can visually connect their Azure Repos by simply entering the organization name and an access token—no manual setup required.

Once connected, repositories can be scanned automatically, and remediation workflows are available directly in ADO. This includes automatic fixes for SCA and SAST vulnerabilities, applied within the same environment where teams already manage their code.

This integration makes it easier to extend security into Azure-based development pipelines, providing continuous protection and automated remediation with minimal overhead.

👉 Learn more in the Managed Scans documentation.

🧩 Xygeni Plugin for VS Code

The Xygeni Security Scanner extension is now available in the Visual Studio Code Marketplace. The extension is free and brings comprehensive security scanning directly into the VS Code environment.

With the plugin, developers can secure their codebase without leaving the IDE. It supports:

  • Secrets detection – find hardcoded credentials, tokens, and API keys

  • SAST – analyze source code for vulnerabilities in real time

  • SCA – identify open-source dependencies with known issues

  • IaC scanning – detect misconfigurations in Terraform, CloudFormation, and more

  • Supply Chain security – monitor risks across dependencies and builds

The extension integrates seamlessly with daily workflows: issues are highlighted in the editor, detailed remediation guidance is displayed inline, and scans can be launched with a single click.

By embedding Xygeni directly into VS Code, teams shift security earlier into development, empowering developers to identify and remediate risks as they code.

👉 Install it now from the VS Code Marketplace.

⚙️ Expanded SAST for Go and C# (.NET)

Our static analysis engine now delivers stronger detection for Go and C# (.NET) projects.

  • Broader coverage of frameworks and coding patterns to catch more relevant vulnerabilities

  • Optimized rulesets that reduce false positives and improve developer trust

  • Performance improvements that shorten scan cycles without losing depth

With these updates, security teams can analyze modern backends and services with greater accuracy and speed, reinforcing application security while keeping development velocity high.

🛡️ Guardrails in the WebUI

Guardrails can now be fully configured and managed directly from the Xygeni WebUI. A new section in the lateral menu provides access to all provisioned guardrails in the system, making it easier to locate, review, and control them.

From this screen, users can:

  • List and filter all existing guardrails with their status

  • Create, edit, and delete guardrails without leaving the interface

  • Upload guardrails from file or edit them inline in the built-in editor

This integration simplifies the entire guardrails workflow and reduces the need for manual configuration. Teams can enforce consistent security policies with less overhead and better visibility.

👉 Learn more about creating and applying guardrails in the Guardrails documentation.

🗂️ Improved Project Settings

Project settings have been redesigned to give teams more control with less effort. Multi-value attributes and custom properties can now be set more easily, reducing configuration friction.

A new Security Policy tab centralizes critical governance options:

  • Select the security policy to apply

  • Define the compliance standard for the project

  • Configure locations of third-party repositories to enable remediation of externally detected vulnerabilities

In the Configuration tab, branch management has been streamlined. Users can set the default branch and remove unused ones. To keep projects clean, branches with no activity are automatically removed after 30 days—while the default branch always remains.

These improvements make project configuration faster, clearer, and aligned with security and compliance needs.

⚡ Usability & Performance Improvements

This release also includes multiple enhancements that improve speed, efficiency, and overall usability across the platform. Scans run faster with reduced overhead, and navigation between risk views and configuration screens is more fluid—minimizing friction in daily use.

A special highlight is the ability to store vulnerabilities locally during dependency analysis. This allows teams to keep a local record of vulnerabilities for offline review, audits, or integration with custom workflows.

👉 More details are available in the Dependency Scanner documentation.
