AgileSec 3.4 Release Notes

DECEMBER 2025

This release delivers incremental scanning, expanded sensor and deployment capabilities, major on-premise and installer improvements, UI refreshes, and critical API, security, and scalability enhancements.

New Features and Enhancements

• Incremental Scan
  Git, Artifactory, GitHub and GitLab sensor now support incremental scanning. Incremental scan can be enabled for sensors configured through the UI or when triggered through the API. For more information, refer to the guides in the Sensors section.

• Auto-Resolution of Deleted Findings
  Deleted findings are automatically resolved as part of incremental scan post-scan process.

• MS SQL Database sensor

  • Supports Group Managed Service Account Authentication (gMSA).

  • Supports deployment and execution through Crowdstrike workflows. See MS SQL Database Sensor user guide for details.

• CBOM Export
  Generate and download findings in Cyclone DX CBOM format (spec v1.6). CBOM can be downloaded per source.

• Unified Sensor Download Through UI
  Unified Sensor Package for Linux and Windows can now be downloaded directly from the UI for on-premise deployments.

• Host Scan through CrowdStrike

  • Deploy and run Linux and Windows host scans through CrowdStrike

• Tanium host sensor flows

  • Deploy Tanium package and sensors through Tanium API.

• UI Updates

  • New Keyfactor branding.

  • New left navigation menu.

  • Updated sensor configuration and scan history screens for incremental scan.

  • New menu option for EDR ID management, enabling sensor deployment through EDRs.

  • Last Findings Only toggle is now disabled by default when viewing reports.

• Authenticated Access to OpenSearch API
  Added OpenSearch proxy endpoint /v1/open-search-proxy/search, It requires an access token generated via Settings → Access Tokens. Direct API access to OpenSearch will continue to work if proxy bypass rules are in place.

• Scan API updates:

  • The Scan API endpoint /v3/scan is being deprecated.

  • The new Scan API endpoint /v3/scan/create should be used going forward. This endpoint supports incremental scanning.

  • The new /v3/scan/execute endpoint is now available to trigger incremental scans on previously created sensors

  • For details, see the API guide Scan API.

• SAML 2.0 SSO Configuration Option
  Admins can configure SAML 2.0 SSO via Settings → Authentication Options → SAML2.0 Single Sign-On

• Updates for On-Premise Deployments

  • Full HA support for frontend and backend nodes, see On-Prem High Availability (HA) Guide.

  • New Scan-node support: Scan nodes install the minimal components required for running scans and can be deployed on smaller VMs, see On-Prem High Availability (HA) Guide.

  • Wildcard certificates support for internal TLS certs, reducing the number of certificates required for single-node and multi-node installations.

  • Option to generate a single client certificate for all services (default) or per-service client certificates, reducing the number of certificates that need to be managed.

  • Configurable number of OpenSearch index shards per node via installer configuration.

• Unified Installer Updates for On-Premise Deployments

  • Configuration files are generated for all nodes during initial configuration generation.

  • Auto-detect private-ip for single-node installations.

  • Health check improvements for HAproxy.

  • Installation can be performed into an existing directory.

  • Configurable cron-based health check.

  • Configurable temporary directory during installation.

  • Improved logging.

• Server Component Upgrades

  • OpenSearch upgraded to 2.19.4.

  • MongoDB upgraded to 7.0.28.

• Documentation
  Updated installation, deployment, and sensor documentation for this release is available in the documentation site together with these release notes.

Sensors and Connectors

The following additional sensors are available with v3.4:

n/a - not applicable

Performance and Scalability

• More services have moved to an event-driven architecture to improve scalability.

Bug Fixes

• Fixed OpenSearch permissions required for report generation.

• OpenSearch admin user access is now available by navigating directly to OpenSearch Dashboards endpoint. Use the admin username and the initial password set during installation.

• Updated SSO integrations with OpenSearch and CipherInsights to adjust NotBefore handling and reduce issues caused by clock drift.

Known Issues

• Label filtering on Analysis screens does not yet respect other active filters.

• Hashset scanning is currently disabled.

• In some on-premise deployments, sensor status may remain Running or Queued if the unified sensor encounters an out-of-memory (OOM) condition. Increasing VM memory typically resolves this.

• GitLab and GitHub sensors may generate incorrect source.type value in certain situations.

• CBOM export for sources with 4M+ unique objects is currently not supported.
  

Vulnerabilities Status

• Medium vulnerabilities > than 90 days exist in these components.

Download Links

Release packages can be downloaded from the ISG download portal and include the following:

• On-premise Unified Installer for RHEL8

• On-premise Unified Installer for RHEL9

• Unified Sensor Package for Linux and Windows (for on-premise deployments, this can also now be downloaded from the UI)

• Unified Sensor Package for MS SQL and host scan via CrowdStrike (Windows)

• Unified Sensor Package for host scan via CrowdStrike (Linux)

• AWS EKS deployment package

• Azure AKS deployment package

• Documentation

Access credentials are required for all download links.