AgileSec 3.6 Release Notes

The AgileSec team is pleased to announce the release of AgileSec 3.6.

Platform Features and Enhancements

AgileSec 3.6 includes the following upgrades.

New UI layout

  • Updated UI layouts aligned with Keyfactor branding guidelines.

  • Improved Remote Sensor history view and Remote Sensor download experience.

  • Various usability refinements throughout the interface.

Improved Performance

  • CBOM exporter performance optimization: asynchronous fetching to increase export performance

  • Policy execution improvements reduce timeouts during high load.

Cross-Cluster OpenSearch Setup

Security Enhancements

  • Document-level security for findings data through role-based access control (RBAC).

  • IdP groups for a user are now surfaced as OpenSearch backend roles, improving SAML group mapping.

  • RSA4096 key support for Secrets Manager (SM) service.

  • Hardened password policy with following configurable options:

    • Minimum password length: 14

    • Failed attempt lock out for 15 minutes after 5 failed attempts

    • Limiting password reuse

    • At least 1 uppercase character, 1 number, 1 special character

  • Hardened HTTP headers for CSP, CORS, cache control, and server information disclosure

  • Hardened HA proxy config

Kubernetes

  • AKS and EKS deployments no longer require separate Helm charts. A single unified chart now covers both environments, simplifying Kubernetes based installations.

Installation Improvements

  • Separate systemd services are now available for all platform components.

  • Additional prerequisite checks added for external server certificates.

  • Admin password reset utility for post-install recovery.

  • Stricter file permissions applied to all installer files

  • Log rotation enabled for all logs files to prevent unbounded growth.

  • Reduced logging verbosity for various components to decrease operational noise.

Module Features and Enhancements

The following modules and module improvements are now available for AgileSec.

New Connector - GCP KMS

  • AgileSec 3.6 introduces a new GCP KMS Connector, available for platform, api, and remote scans.

AWS KMS Connector

  • Symmetric key metadata is now reported in scan results.

Bitbucket Sensor

  • Bitbucket Data-Center API v1 is now supported

  • New options for multi-branch pattern search provide greater flexibility in repository scanning configurations.

GitHub Sensor

  • Updated API flow reduces token consumption, significantly decreasing the likelihood of hitting rate limits.

  • Improved retry mechanism increases resilience when rate limits are encountered.

  • New options for multi-branch pattern search.

GitLab Sensor

  • New options for multi-branch pattern search provide greater flexibility in repository scanning configurations.

Network Sensor, Host Sensor, Cert Store Sensor

  • Fully Qualified Domain Names (FQDN) are now reported in scan results for all three sensors.

Tanium EDR

  • Full Tanium support in 3.6, including Connect jobs.

  • Async mode support for run actions, enabling non-blocking execution.

Remote Sensor Execution

  • Sensors and Connectors target a configurable memory limit, preventing unbounded memory growth and improving overall system stability and resource predictability.

Bug Fixes

The following issues have been resolved:

  • ASE-17456: [Sensor] Windows host sensor intermittent crash has been fixed.

  • ASE-17563: [Sensor] Windows host sensor no longer skips files due to shared access.

  • ASE-17536: [Sensor] Binary scan can now handle path or filename with Unicode characters

  • ASE-17894: [Sensor] GitHub sensor no longer fails when branch name contains special characters.

  • ASE-18327: [Sensor] GitHub sensor no longer fails when encountering a repository with no commit during multi-repository scan.

  • ASE-18329: [Sensor] Bitbucket sensor no longer fails when encountering a repository with no commit during multi-repository scan.

  • ASE-18129: [Sensor] Azure Key Vault sensor now correctly retrieves certificates metadata when RBAC is enabled.

  • ASE-17478: [Sensor] Network sensor now consistently detect KEX for TLS 1.3.

  • ASE-5800: [Sensor] Network sensor now correctly reports TLS 1.2 version for mTLS connections.

  • ASE-17847: [Policy] Policy timeout improvements when running against large data sets.

  • ASE-17579: [Policy] Close stale findings policy now uses the correct data time function.

  • ASE-17849: [UI] Network scan from UI limits endpoints range. UI Sensors → Network Scan

  • ASE-17664: [UI] User’s name is now correctly populated on the signup form.

  • ASE-17893: [UI] Incorrect external IP displayed for remote sensor is now fixed.

  • ASE-17510: [Backend] Token revocation now functions correctly.

  • ASE-18015: [Backend] Scheduled policies are now executed correctly after a fresh install.

  • ASE-18167: [Backend] Manager logs no longer grow excessively very large when Kafka encounters network issues.

  • ASE-17803: [API] Health check endpoint no longer produces noise in API audit logs

  • ASE-18193: [API] Fixed API memory leaks

  • ASE-17732: [Installer] Special characters in admin password no longer break login after a fresh install.

  • ASE-17666: [Installer] The -V parameter no longer fails for generate_certs.sh

  • ASE-17773: [Installer] /tmp directory is no longer used during installation

  • ASE-17946: [Installer] Admin password is no longer stored in plaintext in the .env file during install

  • ASE-17846: [Installer] Slow download for remote sensor is fixed.

  • ASE-17491: [SAML] Invalid Role Mapping error no longer occurs when SAML Assertion Contains Multiple Groups

  • ASE-18197: [SAML] PasswordProtectedTransport for authnContext is no longer incorrectly enforced for SAML 2.0 SSO

  • ASE-17481: [Data Migration] alert.uid and alert.vi_id values are now preserved correctly for migrated data.


Vulnerabilities Status

Customer-Installer

Component

Critical
< 30 days

High
< 60 days

Medium < 90 days

Low
< 180 days

analytics-manager

 0

 0

 0

0

fluentd

 0

0

indexing-service

 0

 0

0

ingestion-service

 0

 0

0

sandbox

 0

 0

 0

0

scheduler-service

 0

 0

 0

0

sm-service

 0

 0

0

web-api

 0

 0

 0

0

web-ui

 0

 0

 0

0

kafka

 0

 0

0

mongodb-server

 0

 0

 0

0

opensearch

 0

 1*

 0

0

opensearch-dashboards

 0

 0

 1

0

unified-installer

0

0

0

1**

* Vulnerability identified is in the javax-mail library used by OpenSearch. The mail feature is not enabled in OpenSearch.

** Low-severity vulnerability is in the jq utility, which is only required during installation. It can be removed post-install if desired.

Kubernetes

Component

Critical
> 30 days

High
> 60 days

Medium > 90 days

Low
> 180 days

analytics-manager

 0

 0

 0

0

fluentd

 0

0

indexing-service

 0

 0

0

ingestion-service

 0

 0

0

sandbox

 0

 0

 0

0

scheduler-service

 0

 0

 0

0

sm-service

 0

 0

0

web-api

 0

 0

 0

0

web-ui

 0

 0

 0

0

kafka (cp-server)

 0

 2

33 

18

mongodb-server

1 *

 3*

86 *

107*

opensearch

 0

 1**

 0

0

opensearch-dashboards

 0

 0

0

0

isg-ingress-nginx-controller

 3

 4

0

prometheus-exporter

 11***

36 ***

13 ***

0

* Vulnerabilities identified are in operating system packages within the container image for which no fix is currently available from the distribution vendor.

** Vulnerability identified is in the javax-mail library used by OpenSearch. The mail feature is not enabled in OpenSearch.

*** Vulnerabilities originate from Golang 1.25 and will be resolved when upstream updates are released.

Upgrade Information

On-Prem Platform Upgrade

See On-Prem Upgrades for information about upgrading On-Prem Linux AgileSec installations.

Note: New connectors may be executed via Remote Scan without upgrading the AgileSec platform if correct config files are provided.

Release packages download.

Access credentials are required for all download links. To get access credentials reach out to your Keyfactor Customer Success Manager or Solutions Engineer.