Changelog

All notable changes to Mayo ASPM are documented here. Releases follow semantic versioning.


v1.0.0 — April 2026

Mayo ASPM is generally available. This is the first production release, delivering a complete application security posture management platform.


Dashboard & Analytics

  • Real-time dashboard with five metric cards: Total Findings, Open Critical, Total Scans, Scan Success Rate, and Scanner Capacity.
  • Severity donut chart showing the distribution of open findings by severity. Click any segment to drill down into filtered findings.
  • Status bar chart showing finding distribution by triage status (Open, Confirmed, Accepted Risk, Resolved, False Positive). Clickable segments.
  • Top projects table ranking projects by open finding count, with Critical and High severity breakdowns.
  • Date range selector for filtering dashboard data: Last 7 days, Last 30 days, Last 90 days, and custom range.
  • All dashboard data updates in real time — no manual refresh needed.

Assets & Repository Management

  • GitHub App integration for connecting repositories. Install once, select repositories, and assets are created automatically.
  • Automatic asset creation when repositories are synced from GitHub. Includes branch loading, language detection, and webhook registration.
  • Public repository support — add any public GitHub repository by URL without installing the GitHub App.
  • Asset detail page showing branches, language breakdown, finding counts, scan history, and project assignments.
  • Asset management — rename, archive, delete, and reassign assets to projects.

Security Scanning

  • Ad-hoc scans — on-demand scans triggered from the UI or API. Choose scanner, branch, and rule set.
  • Scheduled scans — configure cron-based schedules for automated recurring scans.
  • PR scanning — automatic scanning on every pull request. Findings posted as PR comments with code-level annotations.
  • PR check statuses — pass/fail check runs on pull requests. Configurable to block merges based on severity thresholds.
  • Scan queue management — view running, queued, completed, and failed scans with real-time status updates.

Supported scanners

Scanner  | Type                        | Languages / Targets
---------|-----------------------------|--------------------------------------------------------------------------------------------
Semgrep  | SAST (static analysis)      | Python, JavaScript, TypeScript, Go, Java, Ruby, C, C++, Kotlin, Scala, Swift, PHP, and more
Bandit   | SAST (Python-specific)      | Python
Trivy    | SCA (dependency scanning)   | All languages via lockfiles and manifests; also scans Dockerfiles
Gitleaks | Secret detection            | Language-agnostic
Checkov  | IaC misconfiguration        | Terraform, CloudFormation, Kubernetes YAML, Dockerfile, Helm

Findings Management

  • Centralized findings list aggregating vulnerabilities from all scanners and all assets into a single view.
  • Finding detail page with title, severity, status, scanner, rule ID, CWE/CVE identifiers, file path, line number, code snippet with syntax highlighting, and remediation message.
  • Triage workflow with five statuses: Open, Confirmed, Accepted Risk, Resolved, False Positive.
  • Filtering by severity, status, scanner, file path, rule, CWE, CVE, date range, and asset.
  • Sorting by severity, first seen, last seen, file path, and status.
  • Bulk actions — select multiple findings and change status or generate Jira tickets in bulk.
  • Finding deduplication across scans using scanner + rule ID + file path + line range as the dedup key.
  • Auto-resolution — findings that disappear in a subsequent scan are automatically moved to Resolved.
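The deduplication key and auto-resolution rule above are easy to get subtly wrong in practice, so here is an added worked example of both (this is illustrative code written for this changelog entry, not Mayo ASPM's own implementation or schema). The Finding fields, the rule IDs in the sample data, and the decision to scope auto-resolution to the scanner that actually ran are all assumptions made for the example.

```python
"""Finding deduplication and auto-resolution across scans.

Dedup key: scanner + rule ID + file path + line range.
The Finding shape, field names, sample rule IDs and the scanner-scoped
reconciliation below are assumptions for this example, not the product's code.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule_id: str
    file_path: str
    start_line: int
    end_line: int
    severity: str
    status: str = "Open"  # Open, Confirmed, Accepted Risk, Resolved, False Positive


def dedup_key(f: Finding) -> tuple[str, str, str, int, int]:
    """Identity of a finding across scans: scanner + rule ID + file path + line range."""
    return (f.scanner, f.rule_id, f.file_path, f.start_line, f.end_line)


def reconcile(stored: Iterable[Finding], scan: Iterable[Finding], scanner: str) -> dict[str, list[Finding]]:
    """Merge one scanner's fresh results into the stored findings.

    Returns three lists:
      kept          - stored findings still present (triage status preserved),
                      already-Resolved ones, and findings from other scanners
      new           - results whose key has never been seen, stored as Open
      auto_resolved - stored findings from this scanner that disappeared
    Only findings produced by `scanner` are eligible for auto-resolution:
    a Bandit run says nothing about whether a Gitleaks finding still exists
    (assumption; the changelog does not state the scoping rule).
    """
    fresh: dict[tuple, Finding] = {}
    for f in scan:
        if f.scanner != scanner:
            raise ValueError(f"result from {f.scanner!r} inside a {scanner!r} scan")
        fresh.setdefault(dedup_key(f), f)  # also collapses duplicates within one scan

    kept: list[Finding] = []
    auto_resolved: list[Finding] = []
    for f in stored:
        if f.scanner != scanner:
            kept.append(f)  # out of scope for this scan; leave untouched
            continue
        key = dedup_key(f)
        if key in fresh:
            kept.append(f)  # existing record wins so status and history survive
            del fresh[key]
        elif f.status == "Resolved":
            kept.append(f)  # already closed; nothing to do
        else:
            auto_resolved.append(replace(f, status="Resolved"))

    return {"kept": kept, "new": list(fresh.values()), "auto_resolved": auto_resolved}


# Constructed sample data for the example (rule IDs and paths are made up).
STORED = [
    Finding("semgrep", "python.lang.security.audit.eval-detected", "app/views.py", 42, 42, "High", "Confirmed"),
    Finding("semgrep", "sql-string-concat", "app/db.py", 10, 12, "Critical", "Open"),
    Finding("gitleaks", "aws-access-token", "config/settings.py", 7, 7, "Critical", "Open"),
]
NEW_SEMGREP_SCAN = [
    Finding("semgrep", "python.lang.security.audit.eval-detected", "app/views.py", 42, 42, "High"),
    Finding("semgrep", "python.lang.security.audit.eval-detected", "app/views.py", 42, 42, "High"),  # duplicate
    Finding("semgrep", "subprocess-shell-true", "app/tasks.py", 88, 90, "High"),
]


def run_example() -> dict[str, list[Finding]]:
    """Reconcile the constructed Semgrep scan against the stored findings."""
    return reconcile(STORED, NEW_SEMGREP_SCAN, scanner="semgrep")


if __name__ == "__main__":
    for bucket, findings in run_example().items():
        print(bucket, [(f.file_path, f.status) for f in findings])
```

Two things the example makes visible: the stored record wins on a key match, so a finding triaged as Confirmed is not reset to Open by the next scan, and the Gitleaks finding is not auto-resolved by a Semgrep-only scan. A line-range key is also brittle by nature: an unrelated edit above a finding shifts its lines, which this logic reports as one auto-resolved finding plus one new one, so triage history does not carry over in that case.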

Projects

  • Auto-created projects — a project is automatically created for each newly synced repository.
  • Custom projects — create, rename, and organize projects to group assets by team, domain, or application.
  • Sub-projects — hierarchical project nesting for multi-level organizational structures.
  • Aggregated findings — view combined findings across all assets in a project from a single page.
  • Project-level metrics — finding counts, severity breakdowns, and scan history scoped to the project.

OPA Policy Engine

  • Policy-as-code using Open Policy Agent (OPA) and the Rego language.
  • Five policy kinds:
    • Triage policies — auto-set finding status based on criteria.
    • Priority policies — assign priority scores beyond scanner severity.
    • Ownership policies — assign findings to teams or individuals based on file path, project, or metadata.
    • Project policies — auto-map assets to projects based on naming patterns or repository topics.
    • PR scan policies — control whether PR scans block, warn, or allow based on finding attributes.
  • Policy Playground — test policies against real findings in a sandbox before deploying.
  • Policy scoping — assign policies to specific assets, projects, or organization-wide.
  • Version history — every policy edit is versioned. Roll back to any previous version.

Integrations

  • GitHub App — secure GitHub integration via GitHub App (not OAuth). Short-lived tokens, explicit repository selection, read-only code access.
  • Jira Cloud — connect Jira to generate tickets from findings. Configurable field mapping, project selection, and issue type.
  • REST API — full API access for automation. Manage assets, trigger scans, query findings, and configure policies programmatically.
  • API key management — create, rotate, and revoke API keys from Settings.
  • Apache Airflow — trigger and orchestrate scans using Airflow DAGs.

Search

  • Cmd+K / Ctrl+K shortcut to open search from anywhere.
  • Cross-entity search — search findings, assets, scans, projects, and policies from one input.
  • Instant results — results appear within 100ms as you type.
  • Magic side panel — hover or arrow-key to a result to see a full preview without navigating away.
  • Quick triage — change finding status directly from the search side panel.
  • Navigation shortcuts — type >dashboard, >assets, >findings, etc. to jump to any page.
  • Full keyboard navigation — arrow keys, Enter, Tab, and Escape for a keyboard-only workflow.

Account & Organization Management

  • Email-based sign-up with email verification.
  • Organization creation with name and description.
  • Team management — invite members with role-based access control: Owner, Admin, Member, Viewer.
  • Tier selection — Free, Pro, and Enterprise tiers with clear feature and limit boundaries.
  • Billing management — upgrade, downgrade, and manage payment methods from Settings.
  • Organization switcher — switch between multiple organizations without logging out.

Security & Infrastructure

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for all data at rest.
  • GitHub App private key stored encrypted, never exposed or logged.
  • Short-lived tokens — GitHub installation tokens expire after 1 hour and are scoped to selected repositories.
  • Rate limiting on all API endpoints to prevent abuse.
  • Audit logging for organization-level actions (coming in v1.1).

What's next

We are actively working on the next release. Upcoming features include Slack notifications, audit logging, SAML/SSO, custom scanner support, and SLA-based alerting. Stay tuned.


Mayo ASPM Changelog — Updated April 2026