v1.2.0

Release Date: May 6 2026


New Features

  • Vendor Security Review — Organizations can now conduct structured AI-powered vendor security reviews. Upload SOC 2 reports, penetration test reports, and other vendor security documentation; the AI evaluates each document against your configured security requirements, generates targeted follow-up questions, and produces an overall security posture summary with an approval recommendation. The review workflow includes a two-column Q&A interface with auto-save, bulk question export to clipboard, source document downloads, a full audit log of all finding and response changes, manually editable finding statuses (including a "Does Not Meet - Risk Accepted" option for formally acknowledging accepted risks), and support for custom AI instructions in Settings to tailor analysis to your organization's policies. Supports multi-round Q&A, re-review with updated documentation, re-evaluation reminders, and a full vendor status lifecycle. (Vendor Security Review docs)
  • Vendor Security Requirements Settings — Configure vendor security requirements in Settings. Admins can add, edit, and delete requirements with severity levels (Deal Breaker, Highly Desired, Preferred, Optional), import requirements from policy documents using AI extraction, and browse a curated library of recommended security controls. (Vendor Security Review docs)
  • Generic Zip Upload — Users can now upload any .zip archive of source code (not just browser extensions) for security, license, and code-quality analysis. (Submit ZIP docs)
  • Malicious Code Grade Override — The AI can now flag files containing intentionally malicious code (e.g., data exfiltration, backdoors, obfuscated payloads). When malicious content is detected, the final grade is automatically overridden to "F" regardless of the weighted score. (Risk Scoring docs)
  • Direct API Access via API Keys — Tier 3 organizations can now generate API keys in Settings to interact with RepoRisk programmatically — submit repositories, poll scan status, retrieve reports, and browse scan history without using the web UI. Keys support optional sub-org scoping for fine-grained access control. (API Reference docs)
  • Interactive API Explorer — The RepoRisk API is now documented with Swagger UI (at /api/docs) and ReDoc (at /api/redoc), providing a live, browser-based interface to explore and test all API endpoints. (API Reference docs)
  • API Reference Documentation — A new API Reference section in the docs covers authentication, all endpoints, curl/Python examples, and an error reference. (API Reference docs)

Bug Fixes

  • Security: cryptography CVE-2026-39892 — Updated the cryptography library to address a buffer overflow vulnerability (CVE-2026-39892).
  • Security: Pillow FITS decompression bomb — Upgraded Pillow to fix a GZIP decompression bomb vulnerability in FITS image decoding that could cause unbounded memory consumption.
  • Security: python-multipart DoS — Upgraded python-multipart to fix a denial-of-service vulnerability triggered by crafted multipart requests.
  • Security: follow-redirects auth header leak — Fixed a vulnerability where custom authentication headers could be forwarded verbatim to cross-domain redirect targets.
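The redirect behaviour in the last bullet, as an added illustration that is not code from RepoRisk or from follow-redirects: credential headers stay on a same-origin redirect and are dropped when the redirect target is a different origin (scheme, host or port). The URLs, header names and token value are constructed placeholders.

```javascript
// Added example (not follow-redirects' own code): decide which request headers
// may accompany a redirected request. Credential headers are dropped when the
// redirect target is a different origin, which is the class of leak the bug-fix
// bullet above describes.
const CREDENTIAL_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "cookie",
]);

// True when two absolute URLs share scheme, host and port. The URL parser
// normalises default ports, so "https://h/" and "https://h:443/" compare equal.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Builds the header set for the follow-up request. All headers are kept on a
// same-origin redirect; on a cross-origin redirect, built-in credential headers
// plus any caller-named custom auth headers (e.g. an API-key header) are removed,
// and the dropped names are returned so the caller can log the decision.
function headersForRedirect(originalUrl, redirectUrl, headers, customAuthHeaders = []) {
  const sensitive = new Set([...CREDENTIAL_HEADERS, ...customAuthHeaders.map((h) => h.toLowerCase())]);
  const crossOrigin = !sameOrigin(originalUrl, redirectUrl);
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && sensitive.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    kept[name] = value;
  }
  return { headers: kept, dropped };
}

// Constructed sample: an API call redirected to a different host.
const sample = headersForRedirect(
  "https://api.example.test/scan",
  "https://cdn.example.test/report",
  { Authorization: "Bearer placeholder-token", "X-Api-Key": "placeholder", Accept: "application/json" },
  ["X-Api-Key"]
);
console.log(sample.dropped); // ["Authorization", "X-Api-Key"]
```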