We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Liquid Dynamic Content in Word and HTML reports
We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.
Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can! For example, the following will export into an Issue:
#[Description]#
Global:
{{ project.name }} for {{ team.name }} team
{{document_properties.available_properties}}
Tag Name:
{% for tag in issue.tags %} {{ tag.name}} {%endfor%}
CVSSv3 score:
{{ issue.fields['CVSSv3.BaseScore'] }}
Evidence:
{% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {%endfor%}
The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence
Evidence count per node:
{% for node in issue.affected %}
{{ node.label}} has {{node.evidence.size}} instances of evidence
{% endfor %}
It would give a result like the following:
Better filters in Word templates
We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.
Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".
Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.
DuoWeb and ServiceNow support in the Integration Manager
We have changed the way our integrations work, so you can now install DuoWeb and ServiceNow right in the Integration Manager. No need to use the command line to install 2FA! You can also configure Duo and ServiceNow, as well as integrations like Azure DevOps, right in the Integration Manager.
Release Notes
AccessTokens: allow the storage of per-user encrypted tokens
QA: Show state changes in activity feed
Sessions: Store :secret_key_base in encrypted configuration file
Tylium: Extend support for Liquid Dynamic Content
Upgraded gems:
bootstrap, popper_js, simple_form
Bugs fixes:
Issue Library: Prevent rendering navbar over top of the fullscreen editor
QA: Redirect to correct view when changing states on QA edit views
Users: Force logout for users with locked accounts
Integration enhancements:
Acunetix: Parse inline code, not just code blocks
Burp: Adds strong and code tags parsing
CSV: Fix CSV Upload for files with special characters
Nessus:
Parse code tags as inline code
Add plugin_type as an available Issue field
Nexpose:
Parse inline code, not just code blocks
Wrap ciphers in the ssl-weak-message-authentication-code-algorithms finding
Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
Azure DevOps: Switch authentication from PAT to OAuth2
Duo 2FA:
Migrate to UI-based configuration
Add to Integrations Manager
ServiceNow:
Migrate to UI-based configuration
Add to Integrations Manager
Reporting enhancements:
Word
Add support for filtering nodes by properties
Add support for the notextile tag
Allow multi-word fields/values in the content control filters with double quotes
Extend support for liquid dynamic content in Word reports
Warn of missing blank lines around a screenshot only when it’s not the first or last item in a field
I was fortunate enough to attend RailsConf Atlanta 2023, and in this post I share some of the thoughts that I gathered while reflecting upon the conference.
What is RailsConf?
RailsConf is a Ruby on Rails developer’s dream. It’s a place where some of the best Rails developers come together once a year to share knowledge and expertise, and meet like-minded individuals. You have the ability to attend workshops from Rails developers that have large YouTube followings, and attend talks that discuss in-depth technical topics. It was an action-packed 3 days, and the best part was how welcoming and diverse the Rails community is!
We’re a small organization, but we have a mighty team!
As the days went on, I began to reflect and compare my experience at Security Roots with what others were sharing about their own working lives. I met developers from all over the USA, Canada and Europe. As we were discussing the different ways that our companies operate, and I was sharing my experience about how we work at Security Roots, it was apparent that we’re doing something special here.
Working asynchronously is no easy feat, but our founder has figured out a formula for making this working model a success.
“How do you get work done if you don’t have meetings?” One developer asked me.
I laughed as this was a common question I was getting.
It was interesting to learn that we had just as many, if not more, releases than most other teams over the past 8 months.
“We have great documentation, and everybody takes ownership of their work. I said. “We find information ourselves, only asking others if we have looked extensively first. We get things done because we know that there isn’t anyone else who’s going to do it for us.”
I watched as they stared back at me with confusion, surprise, and undoubtedly one thousand questions running through their mind.
It was eye-opening to learn about other team structures, and what other developers’ day to day work lives look like.
Personal Growth
As a developer relatively early in my career, I am excited by the learning opportunities presented to me each day. Some of them include:
Learn the inner workings of virtual machines through debugging with users
Interact directly with users to determine what’s working and what’s not working for them, which informs my day-to-day work.
Work with a team of people from all over the world, everyone bringing a unique perspective to our work.
Take creative freedom in my solutions, and discuss them with my team.
Despite not having meetings, we are a very collaborative and close-knit team, and this is the greatest thing about working at Security Roots.
After coming back, I couldn’t wait to share what I gathered at the conference with my team. Most notably, that what we accomplish with a small team is remarkable. We produce and release more than many other larger teams, without sacrificing quality.
I felt inspired and excited to come back to my team and write beautiful Rails code!
I learned a lot at RailsConf, including:
How to contribute to the framework
How the inner workings of some of the most abstract parts of the framework function
How best to manage incoming Webhooks (from the master himself, Chris Oliver)
New command line tools that I can leverage every day
New ways of approaching problems.
It was great to be surrounded by so many Ruby on Rails developers who are just as passionate about their craft as I am.
I hope to take more members of the team with me next year!
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Quality Assurance
Review/approve Issues and Content Blocks before including them in reports.
The goal here was to give you a way to differentiate between “I’ve reviewed this issue” and “I haven’t reviewed this issue yet”.
You can use the new QA view to look at your “Ready for review” Issues and Content Blocks and review them before including them in reports.
Then, on the Export page, the default is to export just the Published records. But, you can also export All if that makes more sense for your team’s workflow.
Tester Administration
We’ve also added better in-app tester administration. If a user gets locked out of their account with too many incorrect login attempts, Admin users will now be able to unlock their account with 1 click.
Release Notes
Quality Assurance: Review/approve Issues and Content Blocks before including them in reports
Tester Administration: Add unlock button to UI for locked Testers
Integration enhancements:
JIRA: Add support for Jira Data Center v8.4+
Upgraded gems:
rack, rails, time
Bug fixes:
Kits: Enable import of kit with no project template
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Inline Code Support
We already supported code blocks, but now, you can use @ symbols to create in-line code inside of your Dradis project:
When you export this to a Word report that has a custom InlineCode character style, you’ll get that code styled automatically:
Custom Tag Management
Previously, you could create custom tags by editing the XML of the project template directly. That’s still an option if you happen to enjoy dealing with XML. Otherwise, you can now use the UI for that whole process. There’s even a color picker so that you can get just the right shade for your custom tags.
From the project level, you can also manage your tags and create, edit, or delete them as needed:
Opt-in Usage Analytics
Prior to v4.7, we had no way to receive usage data from your instance other than a ping to our licensing server when you first activate the instance. In v4.7, we have rolled out optional usage analytics that you can share with us. Yes, optional!
For full transparency, you can see exactly what you would be sending to us in the event log. It’s all anonymized data like “someone exported a Word report” or “someone logged in as a contributor” that is designed to help us understand how teams are using Dradis and should not reveal anything sensitive, not even your email address.
Of course, you can always opt out of sharing this data with us if you prefer. We’re excited to have a bit more information about how you’re currently using Dradis so that we can make the product even better for everyone in the future.
Release Notes
Configurations: Add usage tracking and sharing
Content Blocks:
Add auto-caching
Add image upload button to source view toolbar
Issues: Display the results from importers in a Datatable
Rubocop CI:
disable EnforcedShorthandSyntax rule under Style/HashSyntax cop
Tylium:
Add breadcrumbs to Revision History view
Add secondary sidebar toggling functionality
Remove Recent Activity tabs and add View History link to the dots menu
Tags: Add tag management
Nginx:
Remove support for TLSv1.0 and TLSv1.1
Add support for TLSv1.3
Integration enhancements:
Burp: Add support for large base64 response
Nessus: Clean up code tags in description fields
Netsparker: Add issue.classification_owasp2021 as a new avaiable field
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Integration and Tool Manager
Now you can install and upgrade integrations (such as DuoWeb and Jira) and tools (such as the Gateway and the Remediation Tracker) directly in the Dradis application – no need to use ssh or the command line! Simply browse to the Integration and Tool Manager in Dradis v4.6, Get the tool, and then Enable it. Then you should be good to go!
Instance Dashboard
Want a better overview of what is going on in your Dradis instance after login? The new Instance Dashboard gives you an at-a-glance overview of Projects, Tickets, and Tasks assigned to you; a list of the newest unread notifications; and and overview of what’s new in the latest version of Dradis.
As a new feature, please do let us know if there are other things you would like to see or change on the instance dashboard once you start using it.
Permanently delete items in Trash
As of v4.2 of Dradis, you could soft-delete projects and teams so they end up in an Instance Trash. However, to permanently delete items in trash, you needed to use the command line. Not anymore! Now you can permanently delete items in Trash straight from the UI.
New Kits
We have long had a few templates and kits available for download at the Dradis Users Portal. We have overhauled some of these kits and made them available directly from the Dradis UI. Simply go to Templates –> Kit Upload, and either upload a kit file as you normally would, or click the Upload button under your preferred preinstalled testing kit.
Release Notes
Dashboard: See active projects, notifications, assignments, and what’s new in one view
Integration and Tool Manager: Add UI for installing and managing integrations
Kits:
Add selection of kits to choose from
Enable import of kit with no templates
Mintcreek: Adjust element contrast ratios to be WCAG 2.1 compliant
Navbar:
Split the Addons menu into Integrations and Tools menus
Remove inaccessible addon’s menu items for contributors
Notes: Remove category selection from form UI
Projects: Update active projects empty state
Trash: Delete projects and teams permanently
Rubocop: lint changed files since previous commit
Upgraded gems:
nokogiri
Bugs fixes:
Comments: Align comment header content in Safari
Content Blocks: Fix revision history links
New integrations:
Core Impact
Veracode
Integration enhancements:
Implement enable/disable feature for Gateway, JIRA, Remediation Tracker, Scheduler, and VSTS
JIRA:
Add view for editing configuration
Hide link in addons menu for contributors
VSTS:
Add view for editing configuration
Issues: add WorkItem Status and Comment feed
REST/JSON API: new v2 released
Projects: undiscard and permanently delete from trash.
Teams:
Undiscard and permanently delete from trash.
Deprecate the “/clients” endpoint, use “/teams”
Deprecate the “client_since” attribute, use “team_since”
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
CSV Importer
Dradis can now import CSV files into projects! Some vulnerability scanners produce output in CSV format rather than e.g. XML or JSON. You can now import these (and other) CSV files into Dradis, and configure which column to assign to which field in your Dradis projects on a per-file basis. Simply go to “Upload”, select the CSV importer, upload a file, and you will be redirected to an interface to assign data to fields. As with other plugins, you can create Issue, Evidence, or Node data and fields.
This is v1 of the CSV importer, so we look forward to your feedback on what works for you and what you would like to see in the future from this feature!
Note that for the sake of internal naming consistency, we have renamed the CSV exporter plugin with this change, so if you have the CSV exporter installed, you will need to reinstall the plugin as dradis-csv_export.
JIRA bulk send
Do you use our JIRA integration? If so, you can now bulk-send issues to JIRA. Simply select multiple issues from your project in the “All Issues” view, and click “Send to JIRA”:
That will send all your selected issues to the Dradis-JIRA interface. Pick the destination project, issue type, and other required fields for each item, and you’re done!
Bug fixes and quality-of-life improvements
Another focus of the v4.5 release is working through some bug reports and lower-level requests we have accumulated over time.
Bug fixes include multiple items relating to attachment validation and export, Node labels linking to external resources (so e.g. clicking on a Node label of “www.google.com” will no longer redirect you to Google instead of the Node in Dradis), and the Rules Engine matching against IssueLibrary entries without trailing empty lines.
Quality-of-life improvements include adding Revision History for Content Blocks and improved error messages in the Output Console on Word report export. Check our release notes for more detail!
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Plugin Manager Validation
The Plugin Manager has new validation! Previously, you’d need a file like issue.txt to use when configuring the Plugin Manager. Now, you can simply associate the Plugin Manager with one of the report templates on your Dradis instance. You’ll see a validation check on the right that will tell you about any missing fields as you configure.
Rules Engine Population
Remember that after a tool file is uploaded, the data runs through the Plugin Manager, then hits the Rules Engine. So, we’ve also updated the Rules Engine so that when you build out new Rules, the Match Field trigger is populated with a dropdown of fields that matches what you configured in the Plugin Manager. No more double-checking field names, capitalization, or anything else like that.
Duplicate a Project
Want to start over with a copy of one of your existing projects? Previously, we had the project import/export feature that would work for this but the new Duplicate button streamlines the process significantly. For retests or just starting over with a copy of a project, just hit the Duplicate button and a new project will be automatically created that is identical to the old one.
Bulk Update Issues and Evidence fields
Have you ever run into a situation where you wished that you could edit multiple Issues or instances of Evidence at once? You can now! Just select multiple Issues or instances of Evidence:
Release Notes
Login View: Design update
Plugin Manager: Add ability to validate plugin templates with report templates
Projects: Add ability to clone projects
Tylium:
Implement bulk updating for issues/evidence fields
Improve mobile experience
Show the resource title in the header when viewing a resource
Upgraded gems:
nokogiri, rack, sinatra
Bugs fixes:
Cards: Prevent adding ‘card’ class to card comments
Login: Add button styles for 3rd party login addons
Integration enhancements:
Rules Engine: Matching fields are now based on the fields defined in the Plugin Manager
Reporting enhancements:
Word: Assign unique Word IDs to each element in the document.
So you’ve been using Dradis for a while (or maybe you’re a new user — welcome to the community 👋), and you’ve been avoiding the Plugin Manager because it’s been a little intimidating. Its purpose may not have been clear, and the relationship between the Plugin Manager, uploading files, the Rules Engine, and what ends up in a project may have been fuzzy. You uploaded some scanner results, dove into your project, and realized things didn’t appear as expected. Now you’re clicking around trying to figure out what went wrong. Sounds familiar? We’ll admit the Plugin Manager caused some confusion, but you’re in for a treat with Dradis Pro v4.4.0!
We took action to smooth out the friction
Since most of the mystery and confusion seems to be around how changes in the Plugin Manager affect projects and reports, we decided to add a way for users to validate their Plugin Manager configurations. This validation happens on a per-tool basis against any report template uploaded to Dradis. Let’s dive into some of the changes we made and the thought process behind some of those changes.
Improvements to the user interface
Before building out this new feature, we had to figure out where it would live. While deciding on that, we also determined it would be a great time to tidy up the Plugin Manager layout.
When users first landed on the Plugin Manager view, we presented them with some explainer text and an example of how tool output translates to a Dradis note. This wasn’t terrible, but it wasn’t exactly super helpful or welcoming.
Some of the issues we identified and set out to improve here were:
Parts of the copy were confusing
The example section wasn’t clear to first-time users
Users didn’t have a sense of direction (what do they need to do next?)
The plugins menu was not labelled or explained (users had to explore by clicking)
The layout wasn’t very consistent with other views in the app
We decided to shuffle the layout around a little to tackle these points and make it more consistent with other views. Most of our views have a page title, the main content area and a sidebar, so we wanted to implement that here as well. Here is an early mock-up with some changes added with a fat marker (Title, subheading, section headers, and a sidebar with some tips).
Overall, the plan was to:
update the copy and move it to a tips panel in the sidebar
change the example section to a vertical layout with some arrows added to show the flow of stages in the process
update the headings of the three stages in the example section to make them clear
add a header to the plugins menu
add some copy (not pictured above) to direct the user to select a plugin from the menu on the left
These changes would bring consistency to the view, enable the user to quickly understand the relation of the three stages in the example, and give the user some direction as to what to do next. This design addresses all five issues we wanted to improve, so we started implementing these changes, and this is the new view as a result:
Addition of Plugin Manager Validation
So far, the above changes are fine and dandy, but they still don’t help users bridge the gap between what they expect in their projects and what they get. This is where the shiny new validation feature comes in.
The idea was to allow users to edit their plugin manager configurations and show them how it will jive with their report template of choice. The validation feature would work by having users select a plugin and a report template. It would show which fields are mapped correctly and which fields are missing. We had internal discussions about the best approach and where we could incorporate validation into the Plugin Manager. Initially, we thought about adding the validation section to the main Plugin Manager view, but we quickly decided against that and thought about a new view dedicated to this new validation feature:
This is the first look at the validation feature design and components. We’ll get into the details a little farther down, but the overall idea is that users select a plugin, select a report template, and they see what’s mapped correctly and what’s not.
This view would show all things related to the validation of the selected plugin, and at first, it seemed like it would work in terms of layout. The view would be consistent with other related views, it would give users all the validation functionality, and it would allow users to edit the plugin’s configuration. However, after further design work and discussing with the team, we realized this implementation would be pretty annoying for users. It would require users to make an edit, come to this validation view, check their validation, realize they need to make further edits, go back to editing, then come back here to re-check their validation… you get the idea, way too much clicking around to get one thing done so back to the drawing board.
Rather than making users navigate away from the validation view to make the edits to the configuration, we figured why not bring the validation feature to the edit view? Another upside of having validation added to the edit view is that we would eliminate the need for users to select which plugin they want to validate. Here is a screenshot of the current edit view for reference:
It’d be pretty crowded if we just dropped that validation section into this view, so we knew we had to make further refinements to the design.
We also had to consider cases where there could be multiple exporters for the selected plugin (i.e. Qualys has Asset, Vuln, and WAS), and each of those exporters could have templates that map to Issues, Evidence, or Notes in Dradis Projects. It can be a bit of a guessing game to know which template maps to issues, notes, or evidence. Here is an example:
The image above shows that Nessus has Report host, Report item, and Evidence templates. Users can guess that Nessus Evidence maps to Evidence in Dradis projects, but what about Report Item or Report Host? We decided to get rid of the guesswork for users. Let’s jump into an early mock-up with some fat markered changes:
This design iteration would:
Remove those long prefixes in the plugins menu to give us some more real estate to work with
Add a selector for Issue, Evidence, and Note (where applicable). This selector makes it easier for users to determine where things will end up in Dradis Projects; no more guessing!
Add the validation feature to the sidebar. This is a more condensed version of what we designed initially, but all of the same info is there, just arranged in a way that would be more effective in a sidebar format.
It’s a good general direction, but dissecting this further, we didn’t like that the preview is now stacked under the editor. This is awkward and inconsistent with every other view where we show previews. This also makes for awkward placement of the save button.
Enter the final design iteration:
We really wanted the editor to be side by side with the preview, but we needed some more space to make the editor and preview usable. Ultimately, we decided to trade the plugin menu on the left for that extra space. Removing the plugin menu enabled us to have the side-by-side layout we wanted. The keen observer may have noticed that this design moves the exporter select menu out of the validation section and into the main content area. We made this change here because users not concerned with validation would still need to select the exporter if they wanted to make edits in the editor. The validation feature is only really concerned about which report template users wish to validate against.
After a few more minor tweaks, we implemented this design and got this final result:
Users are now able to:
Differentiate between Issue, Evidence, and Note templates
Differentiate between multiple exporters
Validate that all fields are mapped accordingly
How to validate your configuration
Now that we have this awesome new feature, let’s take it for a spin. Let’s say you have a report template with some issue/evidence fields defined and your plugin of choice is Burp.
Head over to the Plugin Manager and select Burp from the plugin menu:
Select the template you want to validate:
Then select the exporter (if there are options):
At this point, you will see the selected plugin’s template content and a preview of how it would appear based on some sample Burp output.
Now you can select a report template in the Report Template Validation panel:
A validation check will now be executed, and you will see if any fields are not mapped as expected by the report template you selected. From here, you can make edits in the editor to add those missing fields. As you type, you will see the validation panel update in real-time to show you if the configuration passes validation.
Once you see a green validation checkmark, your configuration is valid. You can start importing tool output into Dradis and exporting reports knowing that fields will appear as expected.
Pretty cool, right?
But wait, there’s more!
Earlier in this blog post, I mentioned that the Rules Engine is involved in all of this, but we haven’t touched on it yet. If you’re not familiar with the Rules Engine, it can be used to manipulate the plugin output before it imports everything into a project. For example, based on user-defined conditions, the Rules Engine can do things like:
Replace the description that comes from the plugin output with a custom description
Change the risk rating
Delete a finding
and much more.
Here is an example of a Rule being created in the Rules Engine:
We have the condition that has to be met on the left and the actions that will be executed on the right.
Up to now, when building conditions, users would have to manually enter the field that the condition would check, but this required knowledge of the plugin manager configuration. This was also prone to user errors as the field name had to exactly match a field in the plugin manager for the selected plugin. Considering that we already have these fields in Plugin Manager, there is no reason to put this burden on the user.
With the changes to Plugin Manager, this seemed like a great time to update the Rules Engine and do something about that pesky field input.
Another issue we tackled was the scalability of this view. With the 2-column setup (conditions on the left and the actions on the right), we found that the arrow in the center would often get misaligned. This arrow guides the user’s flow from one side to the next, but when it gets misaligned, it becomes hard to understand and sometimes, it may even add confusion.
Keeping the above in mind, we set out to design some changes. We wanted to ensure the view could scale well, accommodating both small and large numbers of conditions and actions for each rule. After some experimenting, we decided to flip the layout into a top-down orientation to give it more of a timeline or story-like feel that paints the complete picture for users.
The view would list all conditions at the top, and as users transition their attention down the page, they would flow into the actions. We added some copy to guide the users between the conditions and actions. This layout scales well because regardless of how many conditions and actions there are, nothing gets misaligned and everything stays grouped together. Users start with their attention at the top, then transition towards the bottom with everything they need in between. We gave this design the green light, and after some further tweaks to the design, this is the implementation:
During this updated layout implementation, we also updated the condition boxes. They now have an uploader select to differentiate between the different uploaders a plugin may have (similar to the exporters in Plugin Manager). In addition, the field input has been replaced by a field selector. This Field selector lists all the possible fields based on the corresponding plugin manager configuration. Now users can simply select available fields without knowing what they are ahead of time or ensuring they don’t mistype anything. The action boxes largely remained the same with just a minor tweak to the headers where we now number the actions to convey the order of the actions executing.
Give it a whirl
All of these changes combined make for an easier UI to follow and a less complex UX to upload scanner output, map the fields to Dradis in the Plugin Manager, process the data through the Rules Engine, and get the desired results in projects.
Give v4.4.0 a go and test out these new features yourself. Feel free to experiment with them and share your feedback with us. We’d love to know how you like this new validation feature in the Plugin Manager and the updates to the Rules Engine.
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Auto-update Charts in Word
Previously, to include charts in Word templates, VBA macros were necessary to be able to update the charts in exported reports. This was a problem for the Mac users among us, as the relevant VBA is not supported in Office for Mac. We have now tweaked the reporting engine so that the source Excel sheets for charts in Word can be filled in with filters so they will auto-update during the export process from Dradis. The supported filters support the majority of use cases we have seen, such as issue counts by CVSS score, severity, type, category, host, etc.
Gateway comments
Do you use the Dradis Gateway? We have now improved this collaboration feature! Comments are already supported within Dradis projects, but now comments have reached the Gateway as well. If you are an Admin or Author on a project, you can choose to make a comment public (available on Gateway) or not (only visible to your team members within the project). Gateway contributors are able to view your public comments and submit their own comments on issues and other content inside the Gateway.
Qualys Asset Scans
Dradis now supports Qualys Asset Scans! This expands our Qualys coverage to include:
Qualys Vulnerability Scans (Vuln)
Qualys Web Application Scans (WAS)
Qualys Asset Scans (ASSET)
Release Notes
Comments: Show public comments for issues in a project
Mintcreek: Add breadcrumb navigation
Uploads: Allow subsequent file uploads from the same scanner without needing to re-select the scanner
Upgraded gems:
nokogiri, rails
Bugs fixes:
Document Properties: Set focus to property name/value inputs when clicking the edit icon
Editor:
Add keyboard shortcut support for windows and linux
Allow comparing document property values with “==” operator
Allow text selection expansion using shift-click
Issues: Show correct links in the “Send To” menu
Subscriptions: Show correct Subscribe/Unsubscribe link after a new comment is posted
Tables: Prevent columns state from resetting after 2 hours
Teams: Prevent displaying trashed projects
Tylium: Remove extra left padding from the first line of content in a code block
Upload: Show pre upload validation for Qualys
Integration enhancements:
Openvas: Update Node label parsing. Include :hostname and :asset_id properties.
Qualys: Add Qualys Asset Scanner (ASSET) support
Reporting enhancements:
Word: Charts in Word can now be exported without the need for macros
Security Fixes:
Low: Password reset token can be reused in a 5-minute window
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal 📅 March 27, 15:30–17:50 SGT
Learn how our most recent updates—which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements—allow for the creation of reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
Project Soft-Delete and Instance Level Trash
Previously, once you deleted a project or a team, it was gone forever! We have now added soft-delete and an instance-level trash. So, if you delete a project or team, you can find it in your instance’s Trash, and you can recover it from there.
Choose Which Fields to Display by Default in Projects
In recent versions of Dradis, new projects will display all fields for Issues and Evidence in their respective tables by default. This can lead to a cluttered view. You can update which columns to display, but this is stored on a per-project basis. Now, you can select which Issue and Evidence fields to display by default in the Report Template Properties for your project’s associated report template in Templates –> Reports. Simply switch the toggle to “Show” to whichever fields you want to display by default, and that will apply instance-wide from then on. Of course, if you have project-specific preferences, or if you have multiple people working on the same project but with different preferences of which columns to display, each user can still manually set their preferences on a per-project basis as before.
Improved Evidence Creation from the Issue Level
Dradis lets you add Evidence directly from Issues by going to the Evidence tab of an Issue and hitting the “+ New Evidence” button. Previously that only allowed you to add a blank piece of Evidence or adding a Note template with no customised content. Now, you can customise the content right in the “Add New Evidence” form and choose where to put it, including in new nested Nodes.
Release Notes
Editor: Support fields with the same name in the Fields View
Increased table loading performance on Issues, Evidence, and Notes for
projects with a lot of issues, evidence, or notes
Issues:
Display evidence in a table
Load evidence tab content asynchronously
Multi-delete evidence at the issue level
Update evidence content while creating evidence records at the issue-level
Notifications Navbar Dropdown:
Improve font-sizes
Wrap long notifications links
Projects:
Generate default report content when updating the report template
Truncate long team name badges in active project cards
Report Templates: Add Show option to display certain evidence and issue fields by default in tables
Trash: Allow projects and teams to be soft deleted
Tylium:
Import CSS manifests from addons
Move ‘…’ (more actions) menu closer to the content affected by the actions of the menu
Move the ‘Edit’ action out of the ‘…’ (more actions) menu for issues, evidence, notes, etc.
Remove extra left padding from the first line of content in a code block
Remove height restriction from code blocks
Simplify issues table columns
Updates focus state outline color
Upgraded gems:
mini_racer, puma, rails
Bug fixes:
Comments: Show sticky toolbar when adding long comments
Issues: Send To menu updates when new plugins are installed
Fixes background services from not restarting after upgrades
Liquid drops: Allow author collection to be called in ProjectDrop
Methodology: Fix misformatted cards when saving a methodology as a template
Redirect back to issue when updating evidence from the issue level
Rules Engine: Allow authors with “update” permission to sort rules
Tables: Prevent the select all button from selecting filtered out rows when a filter is been applied
Subscriptions: Fixed a caching issue preventing users from subscribing or
unsubscribing after the first cache was stored
Integration enhancements:
Dradis Projects:
Fixes missing parent nodes during template and package imports
Fixes missing nodes for attachments during template and package imports
Gateway:
Bug fixes:
Fixes ‘authors’ call for the atlantia theme
Fixes missing attachments crashing Gateway
Select a default pane when Authors edit a Gateway project instead of
loading a mostly blank screen
Nexpose:
Add the Hostname Node property from the name rather than site-name tag
Nipper:
Add Nipperv1 fields to issues
PDF Export:
Add Thor task for console export
Add view hook for Export#index
Qualys:
Add ‘element.qualys_collection’ as issue field
Add Qualys Web Application Scanner (WAS) support
Remediation Tracker:
Bug fixes: Hide the tickets’ “edit” and “delete” buttons for unauthorized users
SAML:
Add PingIdentity support
Add SAML logo to Log in button
Increases log verbosity on errors
Scheduler
No longers shows disabled projects in the calendar
VSTS:
Format issue content when sending to VSTS
REST/JSON API enhancements:
Projects/Teams:
Discard Projects through the DELETE endpoint
Hide discarded projects/teams from endpoints
Security Fixes:
Low: Authenticated author broken access control: read access to screenshots
