What’s new in Eficode ROOT: October 2025

The leaves aren't the only things changing this October, as we've just rolled out a whirlwind of software updates across our entire toolchain! We've been busy upgrading Bamboo to version 11.0.4, Confluence to 9.2.8, GitLab to 18.3.2, and Jenkins to 2.516.3. The refresh continues with JFrog Artifactory now on 7.117.15 and Xray on 3.124.20, alongside SonarQube Community Build 25.7, SonarQube 2025.4, and Sonatype Nexus Repository 3.83.2. Yes, that is a monumental amount of software changes, but these updates bring important security fixes and new features. Our team has processed so many release notes they're now dreaming in semantic versioning, so we hope you enjoy the improvements!
Bamboo
Your continuous integration and deployment workflows are getting a significant boost with the upgrade to Bamboo version 11.0.4. This release is designed to make your build and deployment processes faster and more reliable, resulting in a more efficient and streamlined experience with less manual intervention. Your deployment projects and environments will now be cached, which means you'll experience significantly quicker load times. Additionally, you will benefit from the new automatic management of offline agents, a feature that ensures your builds are always directed to active agents to prevent unnecessary delays and keep your pipelines running smoothly.
Bamboo 11 now features application-level caching for deployment projects and environments, significantly enhancing user experience. This is particularly advantageous for heavy users or those with numerous projects. By caching objects for both the user interface and background processing, Bamboo optimizes resource usage and accelerates display times. While it's recommended to keep this feature enabled, reach out to us if you would like to have it disabled.
Admins can now set policies for automatic removal of offline agents. This new feature helps maintain a clean instance by freeing up agent names and tidying data, ultimately improving agent processing performance.
Removal of the offline agent.
Confluence
Your Confluence experience is now more stable and reliable with the upgrade to the Long-Term Support (LTS) version 9.2.8. This upgrade provides you with a secure, high-performing platform and prepares the system for future enhancements through an important database update. For your daily work, this translates to a more stable and user-friendly experience as several long-standing bugs have been resolved.
You will no longer be prompted for login credentials when viewing knowledge base articles from Jira Service Management, and event text in Team Calendars will remain visible even after linked Jira issues are closed. Additionally, this update fixes problems with PDF exports, theme inconsistencies, and a bug that caused the Quick Search box to overlap with menus, making for a much smoother workflow. To complete the package, your plugins have also received updates, bringing new features and bug fixes to your favorite tools.
GitLab
Your GitLab experience is being enhanced with the latest update to version 18.3.2. This release is focused on providing you with greater control over your pipelines and deeper insights into your project data. For your projects, this translates directly into enhanced security for CI/CD processes and the ability to create dynamic, integrated views of your GitLab information. You can now apply fine-grained permissions to CI/CD job tokens, precisely controlling which projects a job can access and reducing security risks. Additionally, you can take advantage of new embedded views powered by GitLab Query Language (GLQL) to display live, filterable lists of issues, merge requests, and epics directly within your wikis and markdown files.
Fine-grained permissions for CI/CD job tokens (all users)
We're making your pipelines more secure by giving you more control over job tokens. Previously, these tokens had broad permissions, often more than needed.
Now, you can precisely define what each job token can access within your projects. This means you can easily apply the principle of least privilege, ensuring your CI/CD jobs only have the exact access required to complete their tasks. Learn more here.
Permissions configuration.
SSH key security warnings (all users)
GitLab has introduced a new security feature: a warning will now appear in the user interface if an SSH key is uploaded that is considered weak. This applies to older key types or those with a bit length under 2048 bits. This enhancement aims to educate users on best practices for SSH key security and promote the adoption of more robust cryptographic keys. Learn more here.
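To show what such a check looks like on the defender's side, here is an added example (not GitLab's code, and not the exact rule set GitLab applies) that parses OpenSSH public-key lines, recovers the key size from the wire format, and flags keys the way the warning above describes: legacy key types and RSA keys shorter than 2048 bits. Treating DSA (ssh-dss) as the "older" type and 2048 as the RSA floor is this example's reading of the description; the key material it audits is constructed placeholder numbers, not real keys, and plain `type base64 comment` lines without authorized_keys option prefixes are assumed.

```python
import base64
import struct

# Rule mirrors the UI warning described above; which types count as "older"
# (DSA here) and the 2048-bit RSA floor are this example's assumptions.
MIN_RSA_BITS = 2048
LEGACY_TYPES = {"ssh-dss"}


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string') from an SSH blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def _write_mpint(value):
    """Encode a positive integer as an SSH mpint (0x00 prefix if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def key_bits(public_key_line):
    """Return (key_type, bits) for one 'type base64 [comment]' public-key line."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type prefix does not match the encoded key")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        return key_type, int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-dss":
        prime_p, off = _read_string(blob, off)
        return key_type, int.from_bytes(prime_p, "big").bit_length()
    if key_type == "ssh-ed25519":
        return key_type, 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return key_type, int(key_type[len("ecdsa-sha2-nistp"):])
    return key_type, None  # sk-* keys, certificates, etc. are not classified here


def audit_key(public_key_line):
    """Classify one key: weak (legacy type or short RSA), ok, or unrecognised."""
    key_type, bits = key_bits(public_key_line)
    result = {"type": key_type, "bits": bits, "weak": False, "reason": "ok"}
    if key_type in LEGACY_TYPES:
        result.update(weak=True, reason="legacy key type")
    elif key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        result.update(weak=True, reason=f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    elif bits is None:
        result.update(weak=None, reason="unrecognised key type, review manually")
    return result


def audit_authorized_keys(text):
    """Audit every key line of an authorized_keys-style file, skipping blanks and comments."""
    return [audit_key(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


# --- CONSTRUCTED test keys: placeholder numbers, not usable key material ---
def make_rsa_line(bits, comment):
    modulus = (1 << (bits - 1)) | 1  # exactly `bits` long, not a real modulus
    blob = _write_string(b"ssh-rsa") + _write_mpint(65537) + _write_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_dss_line(comment):
    p, q, g, y = (1 << 1023) | 1, (1 << 159) | 1, 2, 3
    blob = _write_string(b"ssh-dss") + b"".join(_write_mpint(v) for v in (p, q, g, y))
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(comment):
    blob = _write_string(b"ssh-ed25519") + _write_string(bytes(32))  # all-zero point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, one key per line",
    make_rsa_line(1024, "old-laptop"),
    make_rsa_line(4096, "build-server"),
    make_ed25519_line("workstation"),
    make_dss_line("legacy-appliance"),
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
```

Running the script over the constructed sample reports the 1024-bit RSA key and the DSA key as weak and leaves the 4096-bit RSA and Ed25519 keys alone; pointing `audit_authorized_keys` at a real key inventory gives you the same view the UI warning gives each user, but across the whole instance.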
Kubernetes 1.33 support (all users)
We're excited to announce that GitLab now offers full support for Kubernetes version 1.33. This means you can upgrade your connected clusters to the latest version and utilize all its features when deploying your applications to Kubernetes. Learn more here.
OAuth apps support SSO authentication (Premium, Ultimate)
OAuth applications now offer a unified and secure authentication experience by integrating directly with your organization’s single sign-on (SSO) requirements. This enhancement eliminates the previous two-step authentication process (GitLab then SSO) that caused friction and complexity for users.
By simply adding a parameter to their authorization requests, OAuth applications can automatically trigger SSO authentication. This provides:
- Unified User Experience: A consistent and streamlined authentication flow for all users.
- Automatic Compliance: Ensures adherence to your organization's SSO policies without manual intervention.
- Consistent Security: Maintains a high level of security across all GitLab integrations.
- Simplified Developer Implementation: Developers can easily implement this feature with a minimal code change.
Your OAuth integrations will now automatically respect SSO policies, providing a secure and straightforward authentication workflow. Learn more here.
Control unique domains default for GitLab Pages sites (all users)
Administrators now have the ability to configure the default domain behavior for new GitLab Pages sites. Previously, new Pages sites automatically used unique domain URLs (e.g., my-project-1a2b3c.example.com) to prevent cookie sharing.
With this new instance-level setting, organizations can now choose to default new Pages sites to use path-based URLs (e.g., my-namespace.example.com/my-project). This allows for better alignment with specific workflows and security requirements.
Individual users retain the flexibility to override this default setting for their projects, and existing Pages sites will not be affected by this change.
Customize instructions for GitLab Duo Code Review (Premium, Ultimate)
Ensure consistent code review standards across all projects by using custom instructions for GitLab Duo Code Review. You can define specific review criteria for various file types with glob patterns, which allows for the application of language-specific conventions precisely where they are most relevant.
With custom instructions, you can:
- Clearly define your team's code review standards.
- Utilize glob patterns to specify file-specific instructions.
- Receive feedback that is clearly labeled and references your custom instructions.
To implement, simply create a .gitlab/duo/mr-review-instructions.yaml file in your repository with your custom instructions. GitLab Duo will then automatically integrate these instructions into its reviews, citing the specific instruction group when providing feedback. Learn more here.
GitLab duo customized suggestions.
Hybrid model selection on GitLab Duo Self-Hosted (Beta) (Premium, Ultimate)
GitLab Duo Self-Hosted now supports a hybrid model approach, allowing GitLab Self-Managed instance administrators to utilize a combination of GitLab AI vendor models and privately configured self-hosted models. This feature, currently in beta, is accessible to all GitLab Duo Enterprise customers.
Administrators can now select between a self-hosted model with a self-hosted AI gateway or a GitLab AI vendor model with a GitLab-hosted AI gateway for each individual feature. This flexibility empowers administrators to effectively manage their security and scalability needs. Learn more here.
New settings to use a mix of GitLab AI vendor models.
Bring your own models to GitLab Duo Self-Hosted (Beta) (Premium, Ultimate)
GitLab Duo Self-Hosted, now in beta for all GitLab Self-Managed customers with GitLab Duo Enterprise, offers increased flexibility by allowing you to "bring your own model" for use with GitLab Duo features.
Instance administrators are responsible for configuring any compatible model and validating its compatibility and performance. It's important to note that GitLab cannot guarantee all GitLab Duo features will work with every compatible model, and technical support will not be provided for issues specific to your chosen model or platform. Learn more here.
Choose your own AI models.
Code Review available on GitLab Duo Self-Hosted (Beta) (Premium, Ultimate)
Accelerate your development workflow and maintain data sovereignty with the new GitLab Duo Code Review feature, now in beta for GitLab Duo Self-Hosted. This powerful tool supports various AI model families, including Mistral, Meta Llama, Anthropic Claude, and OpenAI GPT.
Code Review on GitLab Duo Self-Hosted streamlines your merge request process by automatically identifying potential bugs and suggesting improvements. This allows you to rapidly iterate and refine your changes before engaging a human reviewer, ensuring a more efficient and higher-quality development cycle. Learn more here.
GitLab Duo’s self-hosted code review settings: choosing your AI model for merge request analysis.
More models available for use with GitLab Duo Self-Hosted (Premium, Ultimate)
Those with GitLab Duo Enterprise can now leverage Anthropic Claude 4, supported on AWS Bedrock, with GitLab Duo Self-Hosted. Additionally, experimental open-source models, OpenAI GPT OSS 20B and 120B, are now available through vLLM, Azure OpenAI, and AWS Bedrock. Learn more here.
Embedded views (powered by GLQL) (all users)
Embedded views, powered by GLQL, are now generally available. This feature allows you to create and embed dynamic, queryable views of GitLab data directly within your work, such as in wiki pages, epic descriptions, issue comments, and merge requests.
This provides a stable foundation for teams to track work progress without needing to navigate multiple locations. You can query issues, merge requests, epics, and other work items using familiar syntax, then display the results as customizable tables or lists with filtering options.
Embedded views transform static documentation into living dashboards that remain current with your project data, fostering better context and improved collaboration across workflows. Learn more here.
Embedded Views with GLQL: Bringing project insights and dashboards directly into GitLab
New Web IDE source control operations (all users)
GitLab announces new source control features in the Web IDE, designed to streamline your Git workflow directly from your browser. The Source Control panel now allows you to:
- Create and delete branches, including creating a new branch from any existing one.
- Amend your last commit for quick corrections.
- Force push changes directly from the interface.
These enhancements put essential Git operations right at your fingertips. Learn more here.
GitLab Web IDE: Integrated source control and workflow in a single panel.
Enhancements to wiki functionality (all users)
GitLab brings a significantly improved wiki experience, focusing on enhanced collaboration. Key new features include the ability to subscribe to wiki pages, view comments while editing, and sort comments.
These updates transform your GitLab wiki into "living documentation" that evolves with your projects. By enabling direct feedback and discussion, teams can now:
- Discuss content within its context.
- Suggest improvements and corrections easily.
- Maintain accurate and up-to-date documentation.
- Efficiently share knowledge and expertise.
Learn more here.
New navigation experience for groups in Your work (all users)
We're pleased to announce major enhancements to the group overview within Your work, aimed at simplifying how you locate and access your groups. The updated tabbed interface now includes a Member tab, offering a complete display of all accessible groups, and an Inactive tab, which helps you monitor groups awaiting deletion. Additionally, we've refined group management by incorporating Edit and Delete actions directly into the list view for users with the necessary permissions. We believe these improvements will significantly ease the process of finding and managing your most important groups. Learn more here.
Tenant-scale Work Groups: Enhanced performance and organization for large organizations.
AWS Secrets Manager support for GitLab CI/CD (Premium, Ultimate)
Our latest integration simplifies the use of AWS Secrets Manager within GitLab CI/CD, enabling AWS customers to retrieve and utilize secrets directly in their CI/CD jobs. This enhancement streamlines build and deploy processes. Learn more here.
GitLab on AWS: Optimized cloud infrastructure setup.
Faster workspace startup with shallow cloning (Premium, Ultimate)
New workspaces now benefit from shallow cloning, significantly reducing startup times. This feature automatically downloads only the latest commit history during initialization, with the full Git history being converted in the background after the workspace has started. No configuration is needed, and your development workflow remains unaffected. Learn more here.
Bulk edit epic assignees, milestones, and more (Premium, Ultimate)
You can now streamline your epic management by bulk editing additional attributes. Beyond labels, you can simultaneously update the assignee, health status, subscription, confidentiality, and milestone for multiple epics. This enhancement significantly accelerates the process of managing a large number of epics by allowing you to apply consistent changes across them all at once. Learn more here.
Update multiple epics at once for faster roadmap management.
New CLI commands for GitLab-managed OpenTofu and Terraform states (all users)
The GitLab CLI (glab) now features a new opentofu top-level command, enhancing state management for both OpenTofu and Terraform within GitLab. This command is conveniently aliased to terraform and tf for ease of use.
New Commands for State Management:
The following commands have been introduced to streamline your workflow:
- glab opentofu init: Initialize your local state backend.
- glab opentofu state list: View all states associated with a project.
- glab opentofu state download: Retrieve the latest state or a specific version.
- glab opentofu state delete: Remove an entire state or a particular version.
- glab opentofu state lock: Secure a state by locking it.
- glab opentofu state unlock: Release a locked state.
Requirement:
To utilize these new opentofu commands for state management, ensure you are running glab version 1.66 or later. Learn more here.
Keep in mind that the availability of Beta features is controlled by a feature flag. Such features are available for testing but are not ready for production use. If you want one enabled, don't hesitate to reach out to us.
Surfacing violations of compliance framework controls (Beta)
Previously, the compliance violations report offered a high-level overview of merge request activity across all projects within a group. This report focused on separation of duties concerns, specifically identifying instances where a merge request author approved their own request, or where a merge request was merged with fewer than two approvals.
However, user feedback indicated that the classification of these violations was often confusing and difficult to understand, as it didn't align well with actual compliance use cases.
With GitLab 18.3, the violations report has been significantly enhanced. It now extends beyond separation of duties to include violations of compliance controls and requirements within compliance frameworks. Each custom compliance framework control is linked to an audit event that provides detailed context about the violation, including who committed it, when it occurred, and how to fix it. This detailed information encompasses the user's name and IP address, along with actionable remediation suggestions.
These improvements provide compliance managers with more powerful and relevant context, helping them ensure their organization adheres to specific compliance frameworks. This also offers reassurance that non-compliance can be effectively identified, rectified, and prevented. Learn more here.
Link compliance violations directly to framework controls for clearer tracking and remediation.
Custom admin role
The new custom admin role offers granular permissions within the Admin area. This feature allows administrators to create specialized roles with access limited to specific functions, rather than granting full access. By enabling the principle of least privilege for administrative tasks, organizations can enhance security by reducing risks associated with overprivileged access and improve overall operational efficiency. Learn more here.
Custom Admin Roles: Assign granular administrative permissions for improved security and control.
Group by OWASP 2021 in the vulnerability report
For projects and groups using GitLab.com or GitLab Dedicated, vulnerability reports can now be grouped by OWASP Top 10 2021 categories. Learn more here.
Group vulnerabilities by OWASP 2021 categories for streamlined risk assessment and prioritization.
User-defined source for license information
GitLab offers greater flexibility in managing open-source license information. Users can now prioritize license data either from the GitLab License database or a CycloneDX SBOM report. This selection can be made through the Security Configuration UI. By default, SBOM data will be used as the primary source for license information. Learn more here.
Grant pipeline execution policies access to CI/CD configurations via API
The Projects REST API now allows programmatic management of the Pipeline execution policy setting within security policy projects. Previously, this setting could only be modified via the GitLab UI.
This enhancement introduces a new field, spp_repository_pipeline_access, enabling users to:
- GET the current status of the Pipeline execution policy.
- PUT to programmatically enable or disable the setting.
This improvement facilitates enhanced automation and integration for teams managing security policies at scale. Learn more here.
Service account and access token exceptions for approval policies
The new Service Account & Access Token Exceptions feature allows for greater flexibility in DevOps automation while maintaining strict security. This feature enables designated service accounts and access tokens to bypass merge request approval policies when necessary, streamlining workflows for known automations.
Key capabilities include:
- Automated Workflow Support: Configure specific service accounts, bot users, group access tokens, and project access tokens to bypass approval requirements for CI/CD pipelines, pull mirroring, and automated version updates. This allows service accounts to push directly to protected branches using approved tokens, while human users remain subject to restrictions.
- Emergency Access and Auditing: Facilitate "break-glass" scenarios for critical incidents with comprehensive audit trails. All bypass events generate detailed audit logs, providing context and reasoning to support compliance and enable rapid response during outages or security fixes.
- GitOps Integration: Address common automation challenges such as repository mirroring, integration with external CI systems (e.g., Jenkins, CloudBees), automated changelog generation, and GitFlow release processes. Service accounts are granted minimum required permissions with token-based access scoped to specific projects and branches.
This enhancement eliminates the need for custom workarounds, preserving governance controls while offering the flexibility required for modern DevOps automation needs. Learn more here.
Scan execution policy templates
Scan execution policy templates offer a rapid way to establish policies tailored to common security needs. You can select from three predefined templates: Merge Request Security, Scheduled Scanning, and Release Security.
After choosing a template, activate the relevant GitLab security scans to quickly implement the policy. For more complex scenarios, you can switch to a custom configuration, allowing you to incorporate specific branch patterns, pipeline sources, and other advanced settings. Learn more here.
Scan Execution Policy Templates: Quickly enforce security scans with predefined templates for common use cases.
Security policy audit events
GitLab offers comprehensive audit events for security policy management, centralizing and organizing them within each security policy project. This enhancement significantly strengthens your security posture by providing greater visibility into policy changes, configuration errors, and enforcement gaps, ultimately enabling faster incident response and thorough auditing.
Key capabilities for security teams include:
- Tracking Policy Modifications: Monitor all policy changes with detailed metadata.
- Monitoring Enforcement Failures: Keep an eye on scan and pipeline execution failures.
- Detecting Skipped Executions: Identify pipelines required by scan execution or pipeline execution policies that were skipped.
- Identifying Policy Violations: Detect policy violations within projects, including merged MRs that violate policies.
- Receiving Limit Alerts: Get notified when defined limits are exceeded.
- Pinpointing Configuration Errors: Detect errors in policy configurations.
- Utilizing Streaming-Only Options: Leverage streaming for high-volume scenarios.
New audit events include:
- security_policy_create
- security_policy_delete
- security_policy_update
- security_policy_merge_request_merged_with_policy_violations
- security_policy_yaml_invalidated
- security_policies_limit_exceeded
- merge_request_branch_bypassed_by_security_policy
- security_policy_violations_detected (streaming only)
- security_policy_pipeline_failed (streaming only)
- security_policy_pipeline_skipped (streaming only)
Learn more here.
Policy Audit Events: Track and analyze security policy changes and violations with detailed metadata.
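The audit events listed above, including the bypass event that the service account and access token exceptions generate, are only useful if something consumes them. Here is an added example (not GitLab's code) of the triage logic a security team might run over a streamed feed: it parses JSON-lines input, assigns a severity to each event name from the release notes, raises alerts for the high- and medium-severity ones, and flags actors whose "break-glass" bypasses recur. The severity mapping and the payload field names used (event_type, entity_path, author_name, ip_address, details) are this example's assumptions, not a documented GitLab schema, and the sample feed is constructed.

```python
import json
from collections import Counter

# Event names are the ones listed in the release notes above. The severity
# mapping and the payload field names used here (event_type, entity_path,
# author_name, ip_address, details) are this example's assumptions, not a
# documented GitLab schema; adjust them to what your destination receives.
SEVERITY = {
    "security_policy_violations_detected": "high",
    "merge_request_branch_bypassed_by_security_policy": "high",
    "security_policy_merge_request_merged_with_policy_violations": "high",
    "security_policy_delete": "medium",
    "security_policy_pipeline_failed": "medium",
    "security_policy_pipeline_skipped": "medium",
    "security_policy_yaml_invalidated": "medium",
    "security_policies_limit_exceeded": "low",
    "security_policy_update": "low",
    "security_policy_create": "info",
}
ALERT_LEVELS = {"high", "medium", "unknown"}  # unknown names are surfaced, not dropped

# CONSTRUCTED sample of streamed audit events (one JSON object per line).
SAMPLE_STREAM = """\
{"event_type": "security_policy_create", "entity_path": "acme/policies", "author_name": "alice", "ip_address": "10.0.0.5", "details": {"policy": "sast-on-mr"}}
{"event_type": "security_policy_update", "entity_path": "acme/policies", "author_name": "bob", "ip_address": "10.0.0.6", "details": {"policy": "sast-on-mr"}}
{"event_type": "merge_request_branch_bypassed_by_security_policy", "entity_path": "acme/payments", "author_name": "svc-release-bot", "ip_address": "10.0.1.9", "details": {"branch": "main", "reason": "release automation"}}
{"event_type": "security_policy_violations_detected", "entity_path": "acme/payments", "author_name": "carol", "ip_address": "10.0.0.7", "details": {"merge_request": 42}}
{"event_type": "merge_request_branch_bypassed_by_security_policy", "entity_path": "acme/payments", "author_name": "svc-release-bot", "ip_address": "10.0.1.9", "details": {"branch": "main", "reason": "hotfix"}}
{"event_type": "security_policy_pipeline_skipped", "entity_path": "acme/web", "author_name": "dave", "ip_address": "10.0.0.8", "details": {"pipeline": 901}}
this line is not JSON and should be reported rather than silently dropped
"""


def parse_stream(text):
    """Parse JSON-lines input; unparseable lines become '_unparseable' events."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event_type": "_unparseable", "details": {"line": lineno}})
    return events


def triage(events):
    """Return (alerts, counts): alerts for high/medium/unknown events, counts per type."""
    alerts, counts = [], Counter()
    for ev in events:
        name = ev.get("event_type", "_missing")
        counts[name] += 1
        severity = SEVERITY.get(name, "unknown")
        if severity in ALERT_LEVELS:
            alerts.append({
                "severity": severity,
                "event": name,
                "project": ev.get("entity_path"),
                "actor": ev.get("author_name"),
                "ip": ev.get("ip_address"),
                "details": ev.get("details", {}),
            })
    return alerts, counts


def repeated_bypasses(events, threshold=2):
    """Actors whose approval-policy bypasses reach the threshold; break-glass use should be rare."""
    per_actor = Counter(
        ev.get("author_name", "?") for ev in events
        if ev.get("event_type") == "merge_request_branch_bypassed_by_security_policy"
    )
    return {actor: n for actor, n in per_actor.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_stream(SAMPLE_STREAM)
    found_alerts, per_type = triage(parsed)
    for alert in found_alerts:
        print(alert["severity"].upper(), alert["event"], alert["project"], alert["actor"])
    print("bypass counts:", repeated_bypasses(parsed))
```

Two design choices worth keeping when adapting this: unknown event names and unparseable lines are alerted rather than dropped, because a silent gap in an audit feed is itself a finding, and the bypass counter is per actor so that a service account exercising its exception several times in a short window stands out from a one-off emergency.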
Jenkins
Your Jenkins experience is being enhanced with an update to version 2.516.2, delivering a more modern and secure environment for your pipelines. This update focuses on improving your daily interaction with the tool and strengthening its security posture. For you, this means a more intuitive and visually appealing interface, along with the peace of mind that comes with enhanced security. The refreshed UI/UX makes navigating and managing your jobs easier and more efficient than ever before. Furthermore, critical security vulnerabilities related to bcrypt have been resolved, ensuring your builds and artifacts are better protected.
The method for filtering files in user content areas, such as workspaces and artifacts, has been improved for a faster experience. The filter box now uses modern JavaScript instead of older URL parameters (?path, ?pattern) to show your results.
- For most users: You won't notice much difference, other than a quicker filtering response. If you have bookmarked a filtered view, simply re-create the bookmark by searching again.
- For script/API users: Support for ?path and ?pattern in GET requests has been discontinued. Please adjust your scripts to use the final URL that Jenkins redirects to, as this URL format will continue to be supported.
To enhance security, Jenkins is now standardizing password requirements. New passwords will be limited to a maximum length of 72 characters to ensure compatibility with our security protocols. If you currently have a password longer than 72 characters, please update it to ensure you can log in without any issues in the future.
Your Jenkins experience is about to become significantly more intuitive, efficient, and visually appealing. The latest update introduces a host of UI/UX enhancements designed to streamline your workflow, improve navigation, and make managing your pipelines easier than ever. Let's explore what's new for you.
A Fresh Look: Redesigned Header and Navigation
The first thing you'll notice is the completely redesigned header and navigation bar. This modernization effort declutters the interface, making it easier for you to find what you need, when you need it. The new layout provides a cleaner, more consistent experience across all pages.
Polished and Consistent Design Across the Board
Beyond the header, you'll discover thoughtful updates to various UI elements that create a more cohesive feel.
- Refined Dialogs: Dialog boxes and the Command Palette now have a refined, modern appearance, making interactions clearer and more pleasant.
- Standardized Layout: The "Manage Jenkins" pages now have a standardized size, eliminating inconsistent layouts and improving readability.
- Consistent Coloring: Critical information, like test results and code in the CodeMirror editor, now uses the official Jenkins color palette, enhancing visual recognition at a glance.
Simplified Management and Configuration
Managing your Jenkins instance is now more straightforward with these key improvements:
- Refreshed API Token UI: The user API Token page has been refreshed, offering a clearer and more user-friendly way to manage your personal access tokens.
- Improved Secret and Password Entry: Inputting sensitive information is now more secure and intuitive, thanks to an improved UI for secret and password fields.
- Clearer Plugin Status: The Appearance configuration page will now display a helpful "No plugins installed" notice, preventing confusion when no appearance-related plugins are active.
Enhanced User Experience and Customization
This update puts more control in your hands and adds several quality-of-life features:
- Personalized Views: You can now configure the Views tab bar to suit your personal preferences, keeping your most important project views just a click away.
- Easy Error Reporting: When you encounter an error, a new "copy to clipboard" button on the error page makes it simple to copy the full stack trace for support tickets or debugging.
- At-a-Glance Action Alerts: A new badge will appear on the navigation menu's "hamburger" icon whenever there are active alerts in the "Actions" section, ensuring you never miss important system notifications.
- Dropdown for Default View: Your default view is now conveniently displayed as a dropdown menu, making it easier to switch between your primary dashboards.
Finally, for system administrators, a new /health endpoint is available to programmatically determine whether your Jenkins instance is healthy, simplifying monitoring and automation. We are confident these changes will make your daily work in Jenkins more productive and enjoyable.
JFrog Artifactory
Your Artifactory instance is being upgraded to version 7.117.5, which modernizes how repositories are synchronized. This release introduces a necessary breaking change to the Artifactory Federation service to build a more stable and high-performing foundation for the future. For your teams, this means that while the underlying system becomes more robust, you will need to review and potentially adjust your existing federation configurations to align with the new model. This updated framework provides a more resilient and scalable method for synchronizing artifacts, ensuring faster and more consistent access for your distributed teams. Ultimately, this essential change paves the way for a more dependable and efficient development lifecycle across all your federated instances.
The updated Artifactory release introduces a critical change to the Artifactory Federation Service (RTFS) context path, shifting it from /artifactory/service/rtfs to /rtfs. This alteration significantly impacts users with multiple sites (JPDs) utilizing RTFS. Users operating RTFS on a single site or those still employing the legacy Federation service remain unaffected.
A backward-compatible URL remains in place so that no compatibility issues arise; it will be deprecated at a later date.
For all Hugging Face repositories created prior to Artifactory 7.111.1, the legacy Hugging Face repository layout will be deprecated in September 2025, and all repositories using the legacy layout will be automatically upgraded to the Machine Learning layout.
The process is automated and no steps need to be taken by Artifactory users.
The JFrog Platform now supports getting a paginated list of projects where a specific global role is used. Learn more here.
Create Release Bundle v2 version from multiple sources
Release Bundle v2 now allows the creation of versions from diverse sources, including artifacts, builds, and existing Release Bundles. Learn more here.
Create a Release Bundle v2 version from packages
Release Bundle v2 now allows users to define and include one or more packages, of any type supported by Artifactory, when creating a Release Bundle. Learn more here.
Create a Release Bundle v2 version using items in remote-cache repositories
Release Bundle v2 now supports packages and artifacts from remote-cache repositories.
SBOMs containing remote-cache dependencies
When creating Release Bundles from build-info, you can now include build dependencies found in remote-cache repositories. This is contingent on activating the option to include dependencies in the Release Bundle. If this option is not selected, remote-cache dependencies will be excluded from the Release Bundle, though their metadata will still be present in the SBOM utilized by Xray.
Release Bundle v2 – support for SBOMs with remote dependencies
In previous versions, Release Bundle v2 lacked information on dependencies from remote repositories, preventing Xray from generating a complete Software Bill of Materials (SBOM). This limitation has been addressed. Now, Release Bundle v2 includes this dependency information, enabling Xray (version 3.121.7 and above) to scan them and produce a comprehensive SBOM. This enhancement significantly boosts transparency and security by offering full insight into all components within the Release Bundle, which in turn aids auditing and compliance efforts.
Source environment of Release Bundle v2 promotions
The API response for a Release Bundle v2 promotion now includes the source environment. This enhancement helps users easily identify the beginning and end of a promotion. Learn more here.
Adding properties to Release Bundle v2 versions
Release Bundle v2 versions now support the addition of user-defined properties and property sets. These properties are key-value pairs that are incorporated into the Release Bundle v2 version's manifest file. Learn more here.
New search and filtering options for Release Lifecycle Management kanban board
The Release Lifecycle Management kanban board now includes search and filter capabilities for Release Bundle versions. These new options allow you to easily pinpoint and prioritize the versions most relevant to your needs. Learn more here.
Release Bundle v2 promotion rollback
Artifactory introduces the ability to roll back the most recent promotion of a Release Bundle v2 version via the REST API. This action effectively deletes all components of that latest promotion, such as artifacts, properties, and evidence. Consequently, the version is reverted to its prior environment, along with the properties and evidence it possessed at its initial creation.
Release Bundle v2 version supports plus sign character
To align with the SemVer 2.0.0 specification, Release Bundle v2 versions can now include a plus sign (+). Learn more here.
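Because a plus sign introduces SemVer 2.0.0 build metadata, which the specification says must be ignored when ordering versions, a pipeline that accepts such version strings needs to parse and compare them correctly. The following is an added example written for this post, not code from Artifactory or JFrog: it validates a version against the grammar published at semver.org, splits out the pre-release and build parts, and compares two versions by precedence. The sample version strings are constructed.

```python
import re

# Grammar from the SemVer 2.0.0 specification (semver.org). Build metadata is the
# optional "+..." suffix; pre-release is the optional "-..." suffix.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def parse(version: str) -> dict:
    """Split a version into its SemVer parts; raise ValueError on anything else."""
    m = SEMVER_RE.match(version)
    if m is None:
        raise ValueError(f"not a valid SemVer 2.0.0 version: {version!r}")
    return {
        "major": int(m["major"]),
        "minor": int(m["minor"]),
        "patch": int(m["patch"]),
        "prerelease": m["prerelease"].split(".") if m["prerelease"] else [],
        "build": m["build"].split(".") if m["build"] else [],
    }


def is_valid(version: str) -> bool:
    return SEMVER_RE.match(version) is not None


def _ident_key(ident: str):
    # Numeric pre-release identifiers compare numerically and rank below
    # alphanumeric ones, which compare in ASCII order.
    return (0, int(ident), "") if ident.isdigit() else (1, 0, ident)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 by SemVer precedence. Build metadata never affects the result."""
    va, vb = parse(a), parse(b)
    core_a = (va["major"], va["minor"], va["patch"])
    core_b = (vb["major"], vb["minor"], vb["patch"])
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    pa, pb = va["prerelease"], vb["prerelease"]
    if not pa and not pb:
        return 0            # e.g. 1.4.0+build.1 and 1.4.0+build.2 have equal precedence
    if not pa:
        return 1            # a release outranks any of its pre-releases
    if not pb:
        return -1
    for x, y in zip(pa, pb):
        kx, ky = _ident_key(x), _ident_key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    if len(pa) == len(pb):
        return 0
    return -1 if len(pa) < len(pb) else 1   # the longer pre-release list wins


if __name__ == "__main__":
    # Constructed sample versions: two valid, two rejected by the grammar.
    for v in ("1.4.0+build.2025.33124", "1.4.0-rc.1+sha.5114f85", "1.4", "1.4.0+"):
        print(f"{v:28} valid={is_valid(v)}")
```

The practical consequence for a release process is that two versions differing only in their build metadata are the same version for ordering purposes, so a build number or commit identifier can be embedded after the plus sign without producing a "newer" release.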
Assigning a tag when creating a Release Bundle v2 version
Enhanced Release Bundle Version Tagging:
We've improved the Release Bundle v2 REST API! You can now assign a unique tag when creating a new version, allowing for quicker identification. These tags, such as "nightly-build," "release-candidate," or "bugfix-2025-33124," will be prominently displayed on the Release Lifecycle kanban board for each Release Bundle version card.
Version counter on Release Lifecycle kanban board
The Release Lifecycle kanban board now displays a counter, providing an immediate overview of the number of existing versions for the selected Release Bundle.
Improved error codes during Release Bundle v2 creation
For Release Bundle v2 creation, Artifactory will now issue a 404 error if an artifact or package is not found in the specified list. Additionally, a 403 error will be returned if an artifact or package is filtered out due to insufficient user permissions.
Evidence provider logo displayed on kanban board
The Release Lifecycle kanban board now visually identifies the source of each evidence item with a prominent logo. This logo indicates whether the evidence originates from the JFrog platform or from other providers like GitHub or Sonar, and it is consistently displayed even when the evidence item's contents are viewed.
Support for Composer Packages in Cleanup Policies and Smart Archiving
Cleanup Policies and Smart Archiving now support Composer package type.
Support for Chef and Puppet Packages in Cleanup Policies
Cleanup Policies now support Chef and Puppet package types.
Support for N versions in Retention Policies
Cleanup Policies and Smart Archiving now support N versions for Docker, OCI and Helm OCI. For more information, see Cleanup Supported Packages and Smart Archiving Supported Packages.
API Run Summary Reports for Cleanup and Smart Archiving
Added new API endpoints for cleanup and smart archiving that provide detailed run summary reports in JSON format. For more details, refer to View Package Cleanup Policy Run Summary Report API and View Smart Archiving Policy Run Summary Report API.
Smart Archiving Packages: Evidence
Added support for the archival of evidence associated with any packages. This enhancement ensures that relevant evidence is preserved as part of your archiving strategy, streamlining your package management process. For more information, refer to Smart Archiving.
Property-based Policy Condition - Smart Archiving Packages
Enhanced package-archive functionality with the addition of a property-based policy condition. You can now include or exclude specific package versions from the archive by applying a property-based policy condition. This allows for more granular control over which packages are retained or archived during archive actions. For more information, see Create Smart Archiving Policy. Learn more here.
Default Socket Timeout for Federated Repositories
The default socket timeout for Federated repositories has been extended to 300,000 milliseconds (5 minutes). Should it be necessary, this setting can be modified via an Artifactory system property. Refer to "Increase the Predefined Socket Timeout for Larger Repositories" for further details.
CocoaPods Smart Repositories
The CocoaPods Settings section has been removed from the smart repository creation page. This is because smart repositories now automatically inherit their configuration from their source repository, eliminating the need for manual settings.
Cocoapods CDN Smart Repository Support
Added smart repositories support for CocoaPods CDN.
Improvement in Promoting Docker Images
With Artifactory version 7.117.1 and later, promoting a Docker image that overwrites an existing image tag in the target repository will no longer delete shared layers from other tags of the same image. This resolves an issue present in earlier versions where these shared layers could be inadvertently removed.
It is now possible for non-admin users to use the Get Projects List, Get Project Users, Get Repository Configuration, HA License Information, and Get Storage Summary Info endpoints using a scoped token. For more information, see Create Scoped Token.
We have introduced a new feature that allows you to supply cloud storage identity and credentials as a Kubernetes secret within your values.yaml file for Artifactory Helm deployments. This capability extends to:
- AWS S3V3: Securely provide your AWS S3V3 access keys and secret keys.
- Azure Blob Storage: Securely provide your Azure storage account name and access key.
The Builds table features two important enhancements:
- The maximum of 100 builds displayed in the table has been removed. The table can now display all the builds that exist in your Artifactory instance.
- A search window has been added to make it easier to focus on the builds of greatest importance to you. (This new search window works in coordination with the platform search window at the top of the UI.)
The JFrog Platform now supports filtering users and groups by role within a specific repository via REST API. For example, you can easily retrieve a list of admins for a specific repository to streamline permissions management.
The JFrog Platform now supports allowing users with manage permissions to grant manage and other permissions to other users in Permissions V2, although it is not recommended. Learn more here.
The JFrog Platform now supports setting intervals for email notifications about tokens that are about to expire, either once or daily during the notice period. Learn more here.
JFrog Xray
Your software supply chain security is getting a major boost with the update to JFrog Xray version 3.124.20. This release focuses on seamlessly connecting your security findings with your development workflows and improving the accuracy of vulnerability scanning. For your team, this means you can manage security vulnerabilities directly within Jira and trust your scan results to be more accurate with fewer false positives. The new Jira integration allows you to create tickets for security issues directly from Xray, while expanded package support ensures more of your software components are covered. Furthermore, this version resolves critical scanning and indexing bugs, including an issue that caused misidentification and false positives in Azure Linux images, making your security data more reliable than ever.
License Attribution Report: Added support for including copyright information and full license text in legal exports via a new API.
License Conclusion: Added support for automatically resolving multi-license cases in legal license exports and SBOM reports based on license category and priority.
Xray now supports a Skip Proxy option, enabling users to bypass global proxy settings when integrating with Jira.
Xray now supports pub packages (Dart and Flutter).
Catalog now supports Conda packages. Introducing the Labels Center in Catalog, a unified view to manage all labels used in your organization. Learn more here.
New REST APIs are available for managing and retrieving source code scan data, including endpoints to list repositories, branches, commits, and detailed scan results. These APIs enable precise visibility and filtering of scanned Git data across your projects.
The results of on-demand scans run using the CLI jf audit --secrets command are now displayed in the Scans List table.
You can now export Git repository scan data directly from the user interface via Platform > Xray > Scans List.
Introducing the new Exposures Report, which provides a visual representation of the actively invoked and potentially exploitable components within your code and binaries. By focusing on real-world security risks instead of theoretical vulnerabilities, you can prioritize effectively. Customize your report using advanced filters and scoped views to suit your specific needs and environments.
The Exposures Report is also accessible through the new REPORTS REST APIs, offering the following functionalities:
- Curation now supports Google Maven repositories.
- Enhancements to JFrog Curation Audit Capability:
  - Improved package search functionality for easier navigation and discovery.
  - Clearer distinctions between blocked, allowed, and dry-run packages.
  - Introduced a new PASSED package type for items that successfully passed curation without specific policy inspection, providing the user a full view of the Curation process.
SonarQube Community Build
Your code quality analysis capabilities are expanding with the arrival of SonarQube Community Build version 25.7. This update broadens language support to keep your code analysis on the cutting edge of modern development technologies. For you, this means your static code analysis will now cover a wider array of your projects, including those built with the latest languages. You can now take advantage of official Rust support to find bugs and security vulnerabilities in your Rust code, while also getting ready for the future with support for Java 24.
Furthermore, you will benefit from significant analysis improvements for your Java, Kubernetes, .NET, and Go projects, helping you write cleaner and more secure code across your entire technology stack.
The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.
The following Java and Kotlin rules are now deprecated:
- S6291 - Using unencrypted databases in mobile applications is security-sensitive
- S6300 - Using unencrypted files in mobile applications is security-sensitive
The precision of the Go analysis has been improved thanks to cross-file type resolution.
The following rules have been added to better identify performance issues.
- S4030 - Collection and array contents should be used
- S3063 - "StringBuilder" data should be used
- S3024 - Arguments to "append" should not be concatenated
- S3033 - ".length" should be used to test for the emptiness of StringBuffers
The following rule has been improved:
- S7158 - "String.isEmpty()" should be used to test for emptiness: the rule has been extended to cover all CharSequence implementations.
SonarQube can now analyze a Java 24 project.
Improved Python analysis on comprehensions and coroutines. Learn more here.
A Python tab is now available in SonarQube’s project analysis build tool.
The following rules have been improved:
- False positive correction: S2068, S3626
- False negative correction: S1168, S3878, S1871, S2068
SonarQube can detect secret leaks in hidden files and in files under hidden directories (names that begin with a dot).
As a Quality Gate administrator, you can now set a default Quality Gate that is not compliant with Clean as You Code. Learn more here.
Rust analysis is now supported. It offers:
- 85 rules
- Code Coverage import (LCOV and Cobertura formats)
- Cognitive Complexity metric
- Cyclomatic Complexity metric
- Import of Clippy output as external rules (JSON format)
Learn more here.
In addition to the mobile security improvement, the Java analyzer has been improved as follows:
- Java 23 analysis is now supported.
- The following rules targeting Java 22 code have been added:
  - S7467 - Unused exception parameter should use the unnamed variable pattern
  - S7466 - Use `var` instead of a type with unnamed variable _
  - S7475 - The type of an unused component should be removed from pattern matching
The Kubernetes analysis has been improved:
- It’s now possible to disable the analysis of Helm files.
- The sonar.kubernetes.file.suffixes property is now handled correctly.
The following rules have been improved:
- S2222 - Locks should be released on all paths: The locking via lock object primitives is now supported.
- S4158 - Empty collections should not be accessed or iterated: LinkedList is now supported.
SonarQube
Your code analysis is getting a significant upgrade with the introduction of SonarQube version 2025.4. This release is packed with features to keep your code analysis aligned with the latest Java standards while bolstering security and reporting. For your development teams, this means deeper code insights, proactive secret detection, and more powerful reporting to track your code quality over time.
You can now analyze Java 23 projects with a new set of rules and ensure your Java 24 code is parsed flawlessly, keeping you ahead of the curve. Furthermore, your security posture is enhanced with the addition of secrets detection, one of many new SonarQube Advanced Security features, alongside valuable improvements to reporting that will give you a clearer view of your project's health.
This SonarQube update significantly expands its language support and improves existing features.
- Rust Support: A major highlight is the introduction of initial support for Rust. This allows developers to analyze their Rust code with a solid set of 85 rules, import code coverage reports, measure code complexity, and even integrate analysis from the popular Clippy linter.
- PySpark Support: For data engineers, SonarQube now supports PySpark, the widely used Python API for Apache Spark. This helps identify potential issues in large-scale data processing workflows, ensuring more robust data pipelines.
- Java 22 & 23: The platform keeps pace with the Java ecosystem by adding full support for Java 22 and 23, ensuring developers can confidently analyze code written with the latest language features.
- Improved Python Issue Suppression: Python developers now have more precise control over code analysis. It's possible to suppress a specific rule on a single line of code (e.g., # NOSONAR(S1234)). Additionally, new rules help track the usage of # NOSONAR and # noqa comments to ensure they are used correctly and intentionally.
Improvements have been made to the efficiency of the computationally intensive symbolic execution engine, leading to faster C and C++ analysis on SonarQube Server. This is particularly noticeable when code changes have a limited logical impact, even if they affect widely included header files or large compilation units.
Provides support for Dart 3.8 in SonarQube, ensuring that existing rules are applied, and new constructs are handled appropriately without parsing errors.
Adds Java 23-specific rules to help developers properly use new Java 23 features.
Relevant rules:
- S125: Sections of code should not be commented out
- S1123: Deprecated elements should have both the annotation and the Javadoc tag
- S7474: Markdown, HTML and Javadoc tags should be consistent
- S7476: Comments should start with the appropriate number of slashes
Ensures that the Java analyzer successfully parses Java 24 source files without errors and correctly handles new Java 24 features. Adds Java 24-specific rules and updates existing rules to ensure they properly use new language constructs in Java 24.
Addresses performance issues in Java code by identifying potential performance bottlenecks, providing clear explanations, and offering automated quick-fixes.
Related rules:
- S4030: Collection contents should be used
- S3063: "StringBuilder" data should be used
- S3024: Arguments to "append" should not be concatenated
- S3033: ".isEmpty" should be used to test for the emptiness of StringBuffers/Builders
SonarQube's ability to find hard-coded secrets has been massively expanded, now covering over 400 unique secret patterns through 346 dedicated rules. This includes 89 brand-new rules that are active by default to immediately broaden your security coverage.
This powerful detection is no longer limited to just your primary codebase:
- Kotlin: Secrets detection is now enabled by default for all your Kotlin files.
- YAML & JSON: You can now opt-in to scan your configuration files for secrets by enabling analysis for YAML and JSON files.
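Two of the points above, opt-in scanning of configuration files and detection inside dot-directories (the Community Build note on hidden files, earlier on this page, makes the same point), are easiest to understand from a scanner's perspective. The block below is an added example written for this post, not SonarQube's engine or rules: it walks a constructed repository layout, applies a handful of constructed secret patterns, scans code files always and YAML/JSON/.env files only when `include_config` is set, and shows what is lost when hidden paths are skipped. The sample key value is the placeholder key from AWS's own documentation; every other value is made up.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns: a small stand-in for the hundreds of rules a real engine ships.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|pwd)[\"']?\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
CODE_SUFFIXES = {".kt", ".java", ".py", ".js", ".ts"}     # always scanned
CONFIG_SUFFIXES = {".yml", ".yaml", ".json"}               # scanned only on opt-in
CONFIG_NAMES = {".env"}                                    # dot-file with no suffix


def _is_hidden(rel: Path) -> bool:
    # Any path component starting with "." (dot-directories or dot-files).
    return any(part.startswith(".") for part in rel.parts)


def scan_tree(root, include_config=False, skip_hidden=False):
    """Return findings as dicts {path, line, rule}, sorted by path and line."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if skip_hidden and _is_hidden(rel):
            continue
        suffix = path.suffix.lower()
        is_config = suffix in CONFIG_SUFFIXES or path.name in CONFIG_NAMES
        if not (suffix in CODE_SUFFIXES or (include_config and is_config)):
            continue
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            for rule, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append({"path": rel.as_posix(), "line": lineno, "rule": rule})
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


def build_sample_tree() -> Path:
    """Write a constructed repository layout containing sample (non-real) secrets."""
    root = Path(tempfile.mkdtemp(prefix="secretscan-"))
    files = {
        # hidden directory: a CI workflow carrying the AWS documentation sample key
        ".github/workflows/deploy.yml": "env:\n  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n",
        ".env": 'DB_PASSWORD="plaintext-value-42"\n',
        "config/settings.json": '{"apiKey": "short", "password": "s3cret-value-123"}\n',
        "src/App.kt": 'val password = "correct-horse-battery"\n',
        # reads the secret from the environment instead: must not be flagged
        "src/Clean.kt": 'val password = System.getenv("DB_PASSWORD")\n',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for label, kwargs in (("code only", {}),
                          ("with config", {"include_config": True}),
                          ("with config, hidden skipped", {"include_config": True, "skip_hidden": True})):
        print(label)
        for f in scan_tree(sample, **kwargs):
            print(f"  {f['path']}:{f['line']}  {f['rule']}")
```

With only code files scanned, the Kotlin file is the sole hit; enabling configuration scanning surfaces the JSON settings file, the `.env` file and the workflow under `.github`, and the last of those disappears again if hidden paths are skipped, which is exactly the blind spot that scanning dot-directories closes.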
The platform's Static Application Security Testing (SAST) capabilities have been strengthened with the introduction of advanced taint analysis for several key languages. This feature tracks untrusted user input as it moves through your application to find critical injection vulnerabilities.
- JavaScript/TypeScript: A next-generation taint analysis engine is now available for JS/TS projects, offering more accurate and actionable security findings. Administrators can enable this feature in the general settings.
- Go: Taint analysis has been introduced for the Go programming language, tracking data flow across functions and files to uncover security weaknesses.
- VB.NET: Support for VB.NET now includes full SAST capabilities, bringing powerful taint analysis to your Visual Basic projects.
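To make the "tracks untrusted user input as it moves through your application" description concrete, here is an added, deliberately small taint analyser written for this post; it is not SonarQube's engine and the program it analyses is a constructed one. Code is represented as a tiny intermediate form (sources, assignments, string concatenation, sanitisation, calls and sinks); the analyser follows taint across function boundaries by summarising each callee for a given set of tainted parameters, and it reports a sink only when tainted data actually reaches it, so the call that passes a sanitised value produces no finding.

```python
from dataclasses import dataclass

# Tiny three-address IR. Each statement is a tuple:
#   ("source", dst)             dst receives untrusted input (e.g. an HTTP parameter)
#   ("const", dst)              dst = literal (never tainted)
#   ("assign", dst, src)        dst = src (taint copies)
#   ("concat", dst, a, b)       dst = a + b (tainted if either operand is)
#   ("sanitize", dst, src)      dst = escape(src) (taint removed)
#   ("call", dst, fn, [args])   dst = fn(*args) (followed into the callee)
#   ("sink", name, arg)         dangerous use such as db.query(arg)
#   ("return", var)


@dataclass
class Func:
    name: str
    file: str
    params: list
    body: list


class TaintAnalyzer:
    def __init__(self, funcs):
        self.funcs = {f.name: f for f in funcs}
        self.findings = []
        self._seen = set()        # (sink, function, variable) already reported
        self._summaries = {}      # (function, tainted params) -> return value tainted?

    def analyze(self, entry):
        self._run(self.funcs[entry], frozenset(), [])
        return self.findings

    def _run(self, fn, tainted_params, path):
        key = (fn.name, tainted_params)
        if key in self._summaries:
            return self._summaries[key]
        self._summaries[key] = False          # provisional; also guards recursion
        path = path + [fn.name]
        tainted = set(tainted_params)
        ret_tainted = False
        for stmt in fn.body:
            op = stmt[0]
            if op == "source":
                tainted.add(stmt[1])
            elif op in ("const", "sanitize"):
                tainted.discard(stmt[1])
            elif op == "assign":
                _, dst, src = stmt
                tainted.add(dst) if src in tainted else tainted.discard(dst)
            elif op == "concat":
                _, dst, a, b = stmt
                tainted.add(dst) if (a in tainted or b in tainted) else tainted.discard(dst)
            elif op == "call":
                _, dst, callee_name, args = stmt
                callee = self.funcs[callee_name]
                callee_taint = frozenset(p for p, a in zip(callee.params, args) if a in tainted)
                if self._run(callee, callee_taint, path):
                    tainted.add(dst)
                else:
                    tainted.discard(dst)
            elif op == "sink":
                _, name, arg = stmt
                loc = (name, fn.name, arg)
                if arg in tainted and loc not in self._seen:
                    self._seen.add(loc)
                    self.findings.append({"sink": name, "function": fn.name,
                                          "file": fn.file, "variable": arg, "path": path})
            elif op == "return":
                ret_tainted = stmt[1] in tainted
        self._summaries[key] = ret_tainted
        return ret_tainted


# Constructed two-file program: a request handler and a repository helper.
PROGRAM = [
    Func("handler", "routes.py", [], [
        ("source", "user_id"),                          # request parameter
        ("call", "rows", "find_user", ["user_id"]),     # tainted argument -> finding
        ("sanitize", "safe_id", "user_id"),
        ("call", "rows2", "find_user", ["safe_id"]),    # sanitised argument -> clean
        ("return", "rows"),
    ]),
    Func("find_user", "repo.py", ["uid"], [
        ("const", "prefix"),                            # "SELECT ... WHERE id = "
        ("concat", "sql", "prefix", "uid"),
        ("sink", "db.query", "sql"),
        ("return", "sql"),
    ]),
]

if __name__ == "__main__":
    for f in TaintAnalyzer(PROGRAM).analyze("handler"):
        print(f"{f['file']}:{f['function']} {f['sink']}({f['variable']}) via {' -> '.join(f['path'])}")
```

The summary cache keyed on the set of tainted parameters is what keeps an interprocedural analysis tractable: `find_user` is analysed once per distinct taint pattern of its arguments rather than once per call site, and the recorded path tells the developer which entry point feeds the sink.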
Sonatype Nexus Repository
Your repository management is becoming more flexible and reliable with the upgrade to Sonatype Nexus Repository version 3.83.2. This release introduces powerful new support for Docker registries and resolves a key issue for .NET developers. For your teams, this means more intuitive ways to organize Docker images and a smoother, error-free experience when working with NuGet packages.
You can now use path-based repository support to access different Docker repositories through a single, convenient port, greatly simplifying your container management. Additionally, this update fixes a critical bug that caused dotnet restore commands to fail, ensuring your NuGet v3 content requests now succeed without any 404 errors, and it also introduces a new Capabilities API to improve automation.
Sonatype Nexus Repository has introduced a new feature that provides egress information for on-premise instances. This data is accessible to administrators via the Usage tab, located under Settings > System > Licensing.
This enhancement is designed to offer insights into data transfer patterns, which is particularly beneficial for planning a potential migration to the cloud. By understanding egress data upfront, organizations can more accurately estimate the associated costs and resource requirements within a cloud environment.
It is important to note that the Total Egress is calculated at the application level. Consequently, this figure may differ from network transfer measurements provided by cloud providers. Our testing indicates that cloud environments typically show approximately 15% more traffic when estimating total egress. Learn more here.
Firewall now offers enhanced protection by integrating with Zscaler, a cloud-native cybersecurity platform. This new integration automatically prevents the download of actively verified malware components directly from public repositories. By blocking these malicious "shadow downloads," organizations gain an additional layer of defense against malware. Learn more here.
In this release, a new Capabilities API enhances administrative control by enabling programmatic management of system-level features.
Administrators can now use the API to view, create, update, and delete Capabilities within their Nexus Repository instances. This functionality streamlines setup processes, ensures consistent configurations across different environments, and facilitates integration with infrastructure-as-code workflows. The result is improved efficiency and a reduced risk of human error in administrative tasks. Learn more here.
Previously, Sonatype identified a regression in Nexus Repository 3.81.x, which resulted in quarantine messages not being displayed as expected when a component was blocked by Sonatype Repository Firewall. This new release addresses that issue, restoring the intended quarantine message behavior.
Additionally, this update introduces enhancements for improved clarity and automation. Users working with npm and NuGet formats will now receive more explicit quarantine messages directly within their CLI output when a component is blocked by Repository Firewall. These messages will clearly state the reason for the quarantine, enabling developers to quickly identify and resolve policy violations without extra troubleshooting.
Streamlined Docker Management with Sonatype Nexus Repository:
Sonatype Nexus Repository now features path-based routing for Docker repositories, simplifying Docker setup by removing the need for custom subdomains or intricate certificate management. This new approach offers enhanced security and a more efficient way to access Docker images, particularly vital in cloud environments with stringent security demands.
Path-based routing is mandatory for all Nexus Repository Cloud deployments. For self-hosted environments, while optional, its adoption is strongly recommended to boost security and streamline maintenance.
In Sonatype Nexus Repository, a new "Verify and Repair Data Consistency" task has been introduced. This task is designed to improve recovery in situations where the database and blob stores are out of sync. It replaces the older "Repair - Reconcile component database from blob store" task, offering enhanced precision, faster performance, and greater flexibility.
The primary use of this task is to recover missing component metadata for artifacts that exist in storage but are no longer referenced in the database. This can happen after restoring from backups or during failover events when the database and storage are finalized at different times. Additionally, it allows for the restoration of soft-deleted artifacts before their permanent removal from blob storage.
Administrators have the ability to scope this task by blob store, repository, and time window. A "Dry Run" option is also available, enabling users to preview changes before execution, which facilitates safer and more controlled recovery workflows.
Important Note: During the upgrade to Nexus Repository 3.83.0 or later, any scheduled "Repair - Reconcile component database from blob store" tasks will be automatically removed. This is because the legacy task is incompatible with the date-based blob store layout now used by default in Nexus Repository, and its removal prevents potential errors.
__________________________________________________________________________________
That’s all for October, next update comes in November!