Pensar Release Notes - March 2025

April 1, 2025, by Kerem Proulx, Josh Kotrous


We are excited to share the latest release from Pensar! We've made major improvements to our core vulnerability scanning and patching system, introduced a new AI Agent security framework, improved our dependency scanning and auto-fix capabilities, and shipped a new Gitlab integration.

Improved precision of vulnerability scans

Scan quality has improved dramatically: Pensar now detects complex vulnerabilities in your codebase more accurately, giving you better security coverage than strictly rules-based static analyzers.

This is because our system extracts and uses relevant context from across your codebase: the structure of your application, the dependencies it uses, the development patterns you follow, the actual production use case of your application, and so on.

For example, Pensar can detect missing authentication on sensitive API routes and generate a patch that reuses existing authentication functions in your codebase to fix the issue.
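The shape of that finding, as an added example that is not Pensar's code or a customer's: a tiny route registry standing in for a web framework, an admin route that shipped without the `require_auth` guard the rest of the app already uses, the patch that simply reuses that guard, and the kind of check that surfaces such routes. The framework, the token, the handlers and the `SENSITIVE_PREFIXES` list are all constructed for the demo.

```python
"""Added example (not Pensar's code): a sensitive API route shipped without
the auth guard that the rest of the app already uses, the patch that reuses
that guard, and the check that finds such routes. The framework, routes,
token and handlers are all constructed for the demo."""
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Request = dict
Handler = Callable[[Request], Tuple[int, str]]

# Constructed demo secret; a real app loads this from configuration.
API_TOKEN = "constructed-demo-token"


def require_auth(handler: Handler) -> Handler:
    """The guard the codebase already has: rejects requests without a valid
    bearer token (constant-time comparison) before the handler runs."""
    def wrapper(request: Request) -> Tuple[int, str]:
        header = request.get("headers", {}).get("Authorization", "")
        scheme, _, token = header.partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(token, API_TOKEN):
            return 401, "unauthorized"
        return handler(request)
    wrapper.requires_auth = True        # metadata that audit_routes() relies on
    wrapper.__name__ = handler.__name__
    return wrapper


class App:
    """Minimal route registry standing in for a web framework."""
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def route(self, path: str) -> Callable[[Handler], Handler]:
        def register(handler: Handler) -> Handler:
            self.routes[path] = handler
            return handler
        return register

    def dispatch(self, path: str, headers: Optional[dict] = None) -> Tuple[int, str]:
        handler = self.routes.get(path)
        if handler is None:
            return 404, "not found"
        return handler({"path": path, "headers": headers or {}})


# Assumption for the demo: anything under these prefixes is sensitive and must be guarded.
SENSITIVE_PREFIXES = ("/api/admin/", "/api/billing/")


def audit_routes(app: App) -> List[str]:
    """Sensitive paths whose handler was never wrapped by require_auth."""
    return sorted(
        path for path, handler in app.routes.items()
        if path.startswith(SENSITIVE_PREFIXES)
        and not getattr(handler, "requires_auth", False)
    )


def build_vulnerable_app() -> App:
    app = App()

    @app.route("/api/me")
    @require_auth
    def me(request: Request) -> Tuple[int, str]:
        return 200, "profile for the caller"

    @app.route("/api/admin/users")     # missing authentication on an admin route
    def list_users(request: Request) -> Tuple[int, str]:
        return 200, "alice,bob,carol"

    return app


def build_patched_app() -> App:
    app = App()

    @app.route("/api/me")
    @require_auth
    def me(request: Request) -> Tuple[int, str]:
        return 200, "profile for the caller"

    @app.route("/api/admin/users")
    @require_auth                      # the fix: reuse the guard that already exists
    def list_users(request: Request) -> Tuple[int, str]:
        return 200, "alice,bob,carol"

    return app


if __name__ == "__main__":
    print(audit_routes(build_vulnerable_app()))                  # ['/api/admin/users']
    print(build_vulnerable_app().dispatch("/api/admin/users"))   # (200, 'alice,bob,carol')
    print(build_patched_app().dispatch("/api/admin/users"))      # (401, 'unauthorized')
```

The point of `audit_routes` is that the fix is only trustworthy if the guard leaves a trace a check can see; a decorator that records `requires_auth` on the wrapper makes "every sensitive route is guarded" something you can assert in a test rather than something you hope a reviewer noticed.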

AI Agent Security

We have introduced a new security scanning framework aimed at detecting vulnerabilities unique to AI Agent applications.

Pensar can detect when an agent uses external tools dangerously, could run unsafe generated code, lacks guardrails, handles customer data improperly, or is exposed to manipulation and prompt injection attacks.

Take a look at our intentionally insecure repo for examples of the kinds of issues (and patches) Pensar finds: https://github.com/KeremP/insecure-ai-agents/pull/52

In this case Pensar found that SQL queries generated and executed by the agent are not validated or sanitized, leaving the door open for the agent to unintentionally delete from or write to the database. Pensar submitted the linked pull request implementing a much safer SQL query execution tool.

Enhanced triaging

We have shipped major improvements to our triaging pipeline that boost Pensar's ability to identify and filter out false positives, reducing the noise in Pensar's alerts.

This is done by adding a verification step in which a reasoning model attempts to generate an example exploit before proceeding with its triage analysis.

This does not necessarily mean you will see fewer alerts overall from us, but the alerts you do receive will be much higher signal.

Smarter patch generation and auto-PRs

Vulnerability patches generated by Pensar now make better use of the context available in the codebase, producing higher quality security patches that require far less human review than before.

We have developed a feedback loop that ensures generated patches do not break business logic and do not introduce new third-party dependencies, and that can make multi-function edits when required, all while verifying that the vulnerability is actually closed.

In the latest version of Pensar, customers on the Console Pro Plan can configure auto-PRs: our system will automatically open a pull request containing the vulnerability patch instead of requiring a human to navigate to the Pensar console web app and create the pull request manually.

This feature can be tuned to your preferences (for example, enable auto-PRs only for critical and high severity issues) and supports applying patches on a per-file or per-issue basis. Per-file patches combine multiple fixes into a single pull request for faster review.

[Screenshot: console-config]

Dependency scanning

Open source dependency scanning has received major improvements to the auto-fix capability included in the Console Pro Plan.

Pensar generates small patches that upgrade all insecure dependencies in your project and can be applied in a single pull request.

Additionally, if the recommended package version includes breaking changes, Pensar generates code patches so that core business logic in your application is not broken by a dependency upgrade forced by an external security event.

Many of our customers have replaced Snyk's dependency scanning capabilities with Pensar, with great results.

Gitlab integration

Gitlab support has landed: customers who use Gitlab as their version control provider can now easily connect their repositories to Pensar and build Pensar's vulnerability scanning into their CI/CD pipelines.

Navigate to the integrations tab on the sidebar in the Pensar console or select "Connect Gitlab account" when creating a workspace to enable our Gitlab integration.