Version 5.36 - December 11, 2025
With version 5.36, Xygeni delivers expanded vulnerability context, broader coverage, and elevated usability, making security more actionable and easier to manage. This release brings exploit-intel to vulnerability prioritization, adds DAST ingestion, extends SAST to mobile languages, launches our IntelliJ plugin, strengthens token and access controls, and significantly improves everyday workflow and deployment flexibility. Teams gain deeper insights, tighter control, and smoother integration across diverse environments.
🔍 Prioritization with Known-Exploit Intelligence & EPSS + Reachability Context
With v5.36, Xygeni elevates prioritization by integrating verified exploit-intelligence data (such as CISA’s Known Exploited Vulnerabilities (KEV) catalog and other public exploit feeds). Now, when a vulnerability in your code or dependencies matches a known-exploit entry, Xygeni flags it accordingly: not just as “theoretically risky,” but as “actively exploited.”
Because Xygeni already combines EPSS-based exploitability and reachability analysis with severity/risk scoring, the addition of known-exploit data supercharges prioritization. The system can surface the highest real-world threats first: those that combine exploit history, reachability in your environment, and relevant code exposure.
What We Do Under the Hood
Enrich Xygeni’s threat-intelligence database by ingesting external exploit-catalogs (e.g. KEV) and other public exploit sources.
Expose exploit-presence metadata directly through the vulnerability detail view and the prioritization funnel.
Combine exploit-presence with EPSS/reachability and existing metadata to compute a composite “real-world risk” score.
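The three steps above describe a composite score built from a catalog hit, EPSS and reachability. The following is an added illustration of that kind of scoring, not Xygeni's own algorithm or data model: the weights, the Finding fields, the triage labels and the sample backlog are all assumptions constructed for this example. It shows why a catalog hit reorders a backlog that CVSS alone would rank differently.

```python
"""Composite "real-world risk" scoring: severity scaled by exploit likelihood
and exposure.

Added illustration, not Xygeni's own scoring logic: the weights, field names
and sample findings below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-in for an ingested exploit catalog such as CISA KEV:
# CVE ids with verified in-the-wild exploitation (both ids are real KEV entries).
KNOWN_EXPLOITED = frozenset({"CVE-2021-44228", "CVE-2023-44487"})


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float             # base severity, 0-10
    epss: float             # EPSS probability of exploitation within 30 days, 0-1
    reachable: bool         # does analysis find a call path into the vulnerable code?
    internet_exposed: bool  # is the owning asset reachable from the internet?


def actively_exploited(f: Finding, catalog=KNOWN_EXPLOITED) -> bool:
    """A catalog hit upgrades the finding from 'theoretically risky' to 'actively exploited'."""
    return f.cve in catalog


def real_world_risk(f: Finding, catalog=KNOWN_EXPLOITED) -> float:
    """Score in 0-10. Assumed formula: cvss * likelihood factor * exposure factor.

    - likelihood: EPSS, but a known-exploit hit is treated as certainty (1.0);
      the 0.3 floor keeps severe-but-unlikely findings from scoring zero.
    - exposure: unreachable code is discounted to 0.2, non-internet-facing
      assets to 0.5 (assumed weights).
    """
    likelihood = 1.0 if actively_exploited(f, catalog) else f.epss
    likelihood_factor = 0.3 + 0.7 * likelihood
    exposure_factor = (1.0 if f.reachable else 0.2) * (1.0 if f.internet_exposed else 0.5)
    return round(min(f.cvss * likelihood_factor * exposure_factor, 10.0), 2)


def triage_label(f: Finding, catalog=KNOWN_EXPLOITED) -> str:
    """Assumed label thresholds for the prioritization view."""
    if actively_exploited(f, catalog):
        return "actively exploited"
    return "likely" if f.epss >= 0.1 else "theoretical"


def prioritize(findings: Iterable[Finding], catalog=KNOWN_EXPLOITED) -> List[Finding]:
    """Highest composite risk first; ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (real_world_risk(f, catalog), f.cvss), reverse=True)


# Constructed sample backlog. CVE-EXAMPLE-* ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-2021-44228", "log4j-core", 10.0, 0.97, reachable=True, internet_exposed=True),
    Finding("CVE-EXAMPLE-0001", "legacy-parser", 9.8, 0.02, reachable=False, internet_exposed=True),
    Finding("CVE-EXAMPLE-0002", "http-router", 7.5, 0.50, reachable=True, internet_exposed=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{real_world_risk(f):5.2f}  {triage_label(f):<19} {f.cve:<18} {f.component}")
```

Sorted by CVSS alone, the unreachable 9.8 finding would sit second; with exploit presence, reachability and exposure folded in, it drops to the bottom and the reachable medium-severity finding moves above it, which is the reordering the prioritization funnel is meant to produce.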
Key Benefits for Customers
Risk-based remediation prioritization: Fix the vulnerabilities that attackers actually exploit, not just hypothetical ones.
Sharper, actionable backlog: Focus team effort on real threats, while deprioritizing low-signal or unlikely vulnerabilities.
Compliance readiness (EU / CRA-adjacent): For companies targeting compliance with regulations such as the Cyber Resilience Act, having insight into known exploitable vulnerabilities helps support “no known exploitable vulnerabilities” obligations and vulnerability-handling workflows.
Better use of limited resources: By surfacing the most critical real-world risks, teams can allocate patching and remediation effort where it yields highest security return.

🌐 DAST Ingestion in ASPM
Static analysis (SAST/SCA) flags code-level risks before deployment, which is useful but often blind to whether a vulnerability actually becomes exploitable at runtime. With DAST, teams simulate real-world attacks on running apps to find flaws that only appear under live conditions.
What Xygeni Does
Ingests DAST outputs (from tools like OWASP ZAP, Acunetix 360 and other XML-based scanners) directly into the Xygeni platform.
Merges this runtime data with static findings, open-source vulnerability info, and existing context such as asset metadata, exposure, and configuration.
Passes all findings through a multi-stage funnel (All Issues → Internet Exposed → Unauthenticated → Business Value), progressively filtering out low-impact or unreachable issues.
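To make the ingest-merge-funnel sequence above concrete, here is an added example that is not Xygeni's ingestion code: it parses a constructed, simplified XML report (loosely shaped like an OWASP ZAP alert export, with only the elements this example needs), joins each instance to assumed asset metadata (internet exposure, authenticated path prefixes, business value), and runs the four funnel stages from the text. The asset table, the auth-prefix rule and the "low-impact" threshold in the last stage are assumptions.

```python
"""Illustrative DAST-ingestion funnel: All Issues -> Internet Exposed ->
Unauthenticated -> Business Value.

Added example, not Xygeni's own ingestion or funnel logic. The XML is a
constructed report loosely shaped like a ZAP export; asset metadata and
thresholds are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="constructed">
  <site name="https://shop.example.test" host="shop.example.test" port="443" ssl="true">
    <alerts>
      <alertitem>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <instances>
          <instance><uri>https://shop.example.test/search?q=1</uri></instance>
          <instance><uri>https://shop.example.test/admin/report?id=1</uri></instance>
        </instances>
      </alertitem>
      <alertitem>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <instances>
          <instance><uri>https://shop.example.test/</uri></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
  <site name="http://intranet.example.test" host="intranet.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <instances>
          <instance><uri>http://intranet.example.test/hr/search?name=x</uri></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# Constructed asset context that the merge step supplies: exposure and value per host,
# plus path prefixes that sit behind authentication.
ASSETS = {
    "shop.example.test": {"internet_exposed": True, "business_value": "high"},
    "intranet.example.test": {"internet_exposed": False, "business_value": "medium"},
}
AUTHENTICATED_PREFIXES = {"shop.example.test": ("/admin/",)}


@dataclass(frozen=True)
class DastFinding:
    host: str
    name: str
    risk: int   # ZAP-style riskcode: 0 info, 1 low, 2 medium, 3 high
    uri: str


def parse_report(xml_text: str) -> List[DastFinding]:
    """Flatten every alert instance into one finding tied to its host."""
    root = ET.fromstring(xml_text)
    findings = []
    for site in root.findall("site"):
        host = site.get("host")
        for item in site.findall("./alerts/alertitem"):
            name = item.findtext("alert")
            risk = int(item.findtext("riskcode", "0"))
            for inst in item.findall("./instances/instance"):
                findings.append(DastFinding(host, name, risk, inst.findtext("uri")))
    return findings


def requires_auth(f: DastFinding) -> bool:
    path = urlparse(f.uri).path
    return any(path.startswith(p) for p in AUTHENTICATED_PREFIXES.get(f.host, ()))


def funnel(findings: List[DastFinding], min_risk: int = 2) -> Dict[str, List[DastFinding]]:
    """Each stage narrows the previous one; the last stage also drops low-severity
    findings (assumed definition of 'low-impact')."""
    stages: Dict[str, List[DastFinding]] = {"all_issues": list(findings)}
    stages["internet_exposed"] = [f for f in stages["all_issues"] if ASSETS[f.host]["internet_exposed"]]
    stages["unauthenticated"] = [f for f in stages["internet_exposed"] if not requires_auth(f)]
    stages["business_value"] = [f for f in stages["unauthenticated"]
                                if ASSETS[f.host]["business_value"] == "high" and f.risk >= min_risk]
    return stages


if __name__ == "__main__":
    for stage, items in funnel(parse_report(SAMPLE_REPORT)).items():
        print(f"{stage:<17} {len(items)}")
```

Four instances go in; the intranet XSS is dropped as not internet-facing, the admin-path SQLi as authenticated-only, the missing header as low impact, and a single internet-reachable, unauthenticated SQL injection on a high-value asset comes out the other end.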
Why This Matters
Real-world exposure check. DAST confirms whether a vulnerability is reachable and exploitable on a live application, not just theoretically vulnerable in code. This reduces noise, cuts down false positives and irrelevant alerts, saving time and making security output significantly more trustworthy.
Signal over noise. The funnel weeds out issues that pose little risk (e.g. internal-only endpoints, authenticated-only paths), leaving a focused set of actionable vulnerabilities that matter in production. This sharpens triage, keeps the security backlog meaningful, and prevents teams from chasing low-impact findings, increasing productivity and reducing security debt.
Faster, smarter remediation. Teams can triage based on real exposure, business impact, and runtime context instead of wading through generic scanner outputs or false positives. This shortens fix cycles, improves remediation accuracy, and helps maintain release velocity while ensuring security.
Unified view: code → run → risk. By correlating static and dynamic data, Xygeni gives a more accurate security posture across code and deployed environments, helping organizations avoid blind spots and reduce risk. This optimizes DevOps / security resources and lets engineering push forward with confidence, reducing operational drag.

📱 SAST Support for Swift and Kotlin
Our proprietary static-analysis engine now supports mobile languages natively: Swift for iOS and Kotlin for Android. This enables seamless scanning of iOS and Android codebases.
With this update:
Xygeni scans mobile application source code in Swift and Kotlin, detecting vulnerabilities common to mobile platforms (e.g. insecure data handling, unsafe API usage, risky cryptography, insecure configurations).
The scanner integrates directly into existing workflows (IDE, CI/CD), enabling early detection before compilation or deployment, so developers catch issues as they code.
Rulesets and detection logic are optimized for mobile-specific patterns, which improves coverage of mobile-specific risks compared to generic web/backend scanning.
Key Benefits:
Comprehensive mobile coverage. Both iOS and Android codebases now get the same deep security scrutiny as backend or web services.
Early detection, lower remediation cost. Catch issues during the development phase, which reduces cost and effort compared to fixing bugs after release.
Consistent security across platforms. Teams working on web, backend, and mobile projects can rely on a unified SAST framework, avoiding tool fragmentation.

🧑‍💻 Xygeni Plugin for IntelliJ
The Xygeni Security Scanner is now available as a plugin for IntelliJ IDEA (and compatible JetBrains IDEs). It brings the same broad security capabilities previously offered via our VS Code extension — directly into the IntelliJ environment.
With this plugin, developers can secure their codebase without leaving their IDE. It supports:
Secrets detection: find hard-coded credentials, tokens, and API keys
SAST: analyze source code for vulnerabilities in real time
SCA: identify open-source dependencies with known issues
IaC scanning: detect insecure infrastructure as code configurations (e.g. Terraform, CloudFormation)
Supply-chain and dependency security: Monitor risks across libraries, modules, and third-party components
The extension integrates seamlessly into daily coding and development workflows: issues get flagged inline in the editor, remediation guidance appears contextually, and scans can be launched with a single click or automatically through IDE hooks.
Embedding Xygeni directly into IntelliJ shifts security earlier in the development lifecycle — enabling developers to catch and fix vulnerabilities as they code, rather than waiting for separate scanning phases.
👉 Install it now from the JetBrains Marketplace.

🔑 Token Management & RBAC Enhancements
We upgraded how access tokens and permissions work, giving you more control, finer granularity, and more secure permission boundaries across projects and teams.
With this change:
You can now define distinct tokens per project group or portfolio. That means you can issue one token for a specific group of projects and another for a different portfolio; no single token has to span your entire organization.
Tokens can be scoped to specific sets of projects (or subsets of portfolios) inside Xygeni. Combined with our RBAC model, that yields precise, least-privilege access control.
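An added example of how scope plus role combine into a least-privilege decision, not Xygeni's token or RBAC implementation: the portfolio/group/project hierarchy, the role names and actions, and the authorization order (scope first, then role) are assumptions constructed to illustrate the two bullets above.

```python
"""Illustrative scoped-token authorization check: a token is useful only for
the projects inside its scope, and only for the actions its role permits.

Added example, not Xygeni's own data model or policy engine; every name and
rule below is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed hierarchy: portfolio -> project groups -> projects.
PORTFOLIOS: Dict[str, Set[str]] = {"payments": {"checkout-grp", "ledger-grp"}, "marketing": {"web-grp"}}
GROUPS: Dict[str, Set[str]] = {
    "checkout-grp": {"checkout-api", "checkout-ui"},
    "ledger-grp": {"ledger-svc"},
    "web-grp": {"www", "cms"},
}
# Constructed role -> allowed actions map (assumed action names).
ROLES: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"findings:read"}),
    "scanner": frozenset({"scan:run", "findings:read"}),
    "admin": frozenset({"scan:run", "findings:read", "findings:resolve", "project:configure"}),
}


@dataclass(frozen=True)
class Token:
    token_id: str
    role: str
    groups: FrozenSet[str] = frozenset()      # project groups in scope
    portfolios: FrozenSet[str] = frozenset()  # portfolios in scope (expand to their groups)


def projects_in_scope(tok: Token) -> Set[str]:
    """Expand portfolios to groups, then groups to projects; unknown names expand to nothing."""
    groups = set(tok.groups)
    for p in tok.portfolios:
        groups |= PORTFOLIOS.get(p, set())
    return {proj for g in groups for proj in GROUPS.get(g, set())}


def authorize(tok: Token, action: str, project: str) -> Tuple[bool, str]:
    """Deny if the project is outside the token's scope, then deny if the role lacks the action."""
    if project not in projects_in_scope(tok):
        return False, "project outside token scope"
    if action not in ROLES.get(tok.role, frozenset()):
        return False, f"role '{tok.role}' lacks '{action}'"
    return True, "ok"


def access_matrix(tokens: Iterable[Token]) -> Dict[str, List[str]]:
    """Who-can-reach-what view for audit: token id -> sorted projects it can touch."""
    return {t.token_id: sorted(projects_in_scope(t)) for t in tokens}


# Constructed tokens: one CI token per project group, one read-only token per portfolio.
CI_CHECKOUT = Token("ci-checkout", "scanner", groups=frozenset({"checkout-grp"}))
PAY_VIEWER = Token("pay-viewer", "viewer", portfolios=frozenset({"payments"}))

if __name__ == "__main__":
    for tok, action, project in [
        (CI_CHECKOUT, "scan:run", "checkout-api"),
        (CI_CHECKOUT, "scan:run", "ledger-svc"),
        (CI_CHECKOUT, "findings:resolve", "checkout-api"),
        (PAY_VIEWER, "findings:read", "www"),
    ]:
        ok, why = authorize(tok, action, project)
        print(f"{tok.token_id:<12} {action:<17} {project:<13} {'ALLOW' if ok else 'DENY'}  {why}")
    print(access_matrix([CI_CHECKOUT, PAY_VIEWER]))
```

Checking scope before role is what keeps a leaked CI token for one project group from touching a sibling group even when the role would otherwise allow the action; the access matrix is the audit view the text describes, derived from the same scopes rather than maintained by hand.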
Key Benefits:
Tight, least-privilege access. Tokens grant only what they need, minimizing the risk of over-permissioned access (much like how fine-grained personal-access tokens limit scope in other platforms).
Clean separation between teams/projects. Different teams or project portfolios can operate independently with their own tokens, reducing risk of cross-project access and helping maintain isolation.
Better auditability and control. Because tokens and permissions tie back to roles and scopes instead of broad “everyone or nothing” permissions, it becomes easier to track who has access to what, a benefit especially valuable for compliance or regulated environments.
Scalable access management as the organization grows. As the number of projects and teams grows, RBAC combined with scoped tokens helps scale permission management without exploding complexity.

🛒 Marketplace Presence in GitHub and GitLab. Easier Adoption.
Being listed as a technology partner in GitHub Marketplace and inside GitLab’s CI/CD catalogue gives Xygeni strategic visibility and simplifies adoption for DevOps, platform-engineering, and security teams.
With this publication:
Xygeni is now listed under GitHub Marketplace as “Xygeni Security” and visible among other CI/CD & security tools.
For GitLab users, Xygeni appears as a recognized Technology Partner in GitLab’s integrations list.
Why It Matters: Key Benefits
Zero-friction adoption inside developer workflows. Marketplace listing enables “one-click” installation with minimal configuration, eliminating manual setup, procurement delays, or integration friction. This raises the chance that developers or platform teams will try Xygeni the moment they need it.
Seamless integration with existing CI/CD & security workflows. Because Xygeni integrates natively with GitHub/GitLab pipelines, dependencies, and security dashboards, teams can adopt it without re-architecting their workflows. This reduces friction, speeds proofs-of-concept (PoCs), and lowers barriers to adoption.
Alignment with “shift-left” and DevSecOps vision. By living where code, CI/CD, and collaboration happen, Xygeni becomes part of developers’ natural workflow, in pull requests, merge requests, CI pipelines, repo dashboards and infrastructure-as-code projects.
Scale and long-term stickiness for platform engineering teams. For organizations that maintain internal tool catalogs or curated CI/CD templates, Xygeni’s marketplace presence makes it one click away from being part of their standardized pipeline.
👉 Try Xygeni for free now on GitHub Marketplace. One click to install and secure your repos.
👉 Integrate Xygeni with a single include in .gitlab-ci.yml. Discover it in the GitLab CI/CD Catalog.

⚙️ Usability & Deployment Improvements
Enhanced project filtering
The project filter is now available in both the “All Projects” and “Project Management” sections. Users can filter by project group or portfolio, making navigation across many projects far easier. The filter selection persists when returning to those screens, preserving context across sessions.
Better support for restricted or complex environments
We now support a --skip-ssl-verify mode so the scanner continues working even when SSL certificate validation fails — for example, in corporate networks that inspect SSL traffic, use internal proxies, or rely on self-signed certificates. This enables secure scanning in air-gapped, behind-VPN, or proxy-mediated setups while respecting enterprise network and compliance constraints.
