Deepfactor Release Notes


Deepfactor 3.2.2 (March 17, 2023)


  • Deepfactor falls back to offline scans if the image/filesystem scan fails. The error causing the failure will be displayed in the UI


  • Updated instructions for integrating Deepfactor in your CI pipeline

Deepfactor 3.2.1 (March 14, 2023)


  • Deepfactor now supports reporting application SBOM in SPDX formats

  • Deepfactor now allows users to configure to raise an alert for vulnerabilities if the fix is available. When enabled, an alert for the vulnerability will be raised only if the CVSS score exceeds the threshold and the fix is available.

  • Improved portal performance by actively pruning Webapp Service Authentication events for inactive instances.

  • Added new API to de-provision portal users when OKTA integration is enabled on the portal

Deepfactor 3.2 (February 23, 2023)


  • Deepfactor now supports static scans of container images

  • Deepfactor now supports static scans of the application code using the filesystem path

  • Deepfactor now supports static scans of Kubernetes workload during deployment

  • Deepfactor now supports reporting application SBOM in CycloneDX format

  • Deepfactor introduces a new alert policy category for static scans

  • Ability to enable or disable static scan along with runtime instrumentation per namespaces

  • Correlation of runtime insights to prioritize static scan alerts based on package usage by the application


  • Jira integration workflows can now take mandatory fields like user id, fix versions that may be required for creating tickets.


  • Static scan reports can be downloaded in CSV and PDF formats.

  • Performance optimization in Deepfactoir runtime to avoid CPU spike during the launch of the instrumented application container.


  • Blackduck integration for Static Scan is currently not supported.


Deepfactor 3.1.1 (December 22, 2022)


  • Added support for users to specific headers that must be included while invoking notification webhook. This can be used by users to specify authentication headers for the webhook that require auththencation

  • UI enhancements to support paging for screens that may potentially contain large telemetry data

  • Upgrades of portal installed in Kubernetes cluster will be using helm command. UI option for portal upgrades will list a set of helm commands that can be executed to upgrade the portal


Notifications on sent to the configured webhook do not support the throttling or retry mechanism. Due to this limitation, there is a possibility that not all notifications will be received by the webhook.

Deepfactor 3.1 (December 7, 2022)


  • Configurable telemetry retention period for efficient disk usage based on customers' requirements

  • Monitoring of instrumented Kubernetes workloads for failure due to increased resource consumption and graceful bailout on pod restarts

  • Configure and centrally manage webhook config for multiple clusters running applications instrumented with Deepfactor

  • Deepfactor will bump up the pod initialDelaySeconds by configured value to account for Deepfactor’s CPU spike on container startup. This is to avoid pod restarts due to readiness probes failure due to Deepfactor runtime overhead

  • Portal performance improvements to support a higher number of instrumented applications for the default portal deployment

  • Deepfactor webhook & runtime now detect the application restarts, potentially due to additional overhead, and send an alert to the portal before launching the application without Deepfactor instrumentation

  • Jira integration support for projects configured with mandatory fields. Supported fields include

    • Sprint

    • Assignee

    • Category


Deepfactor 3.0.1 (September 26, 2022)


  • Improved Deefactor runtime performance by using deterministic startup sequence for event processing agent dfeventd

  • Adding images or pods to the exclusion list configuration in the Deepfactor webook config would render the exclusion list ineffective when multiple mutation requests were received at the same time. This issue is now fixed

  • High CPU consumption by portal BOM service is now fixed. New portal sizing guidelines published.

  • Dangling references to the alerts from before the portal upgrade is now fixed.


  • Applications generating telemetry at a high rate may see “memory limits exceeded" errors for some of the backend services. This is a temporary condition and should be resolved as soon as the load subsides.


Deepfactor 3.0.0 (September 18, 2022)


  • Deepfactor 3.0 release has completely rearchitected backend component to backend microservices horizontally scalable to handle high rate or telemetry from instrumented applications.

  • All backend components are deployed with default resource limits and horizontal pods autoscaling enabled and min and max replica sets

  • New UI to make user interaction and navigating workflow more intuitive

  • Bootstrap mechanism to detect application distro makes the application workflows simpler and less error-prone. This enables better handling and reporting of instrumentation errors. This also eliminates the need for the image analyzer to detect the libc flavor of the container image entry point programs

  • Disabling stackTraces will disable reporting of native stack traces as well.

  • Improved Deepfactor instrumentation error messages to report static or unknown libc programs.

  • Default webhook configuration will not instrument Kubernetes Jobs and Cronjobs. To enable instrumentation of Kubernetes jobs and cronjobs, you can add config excludeJobsPods and set it to false. For more information please refer to Configure Deepfactor Mutating Webhook 


  • Unified alerts policy for compiled and interpreted languages

Alerts Improvements

  • Deepfactor portal reports one alert per occurrence. In the previous releases, we used to correlate and report one alert for multiple occurrences in an instance.

  • Alert policies are now assigned to running instances of an instrumented application.

  • Redefined alert categories and sub-categories to enable new

  • New alerts rule engine and alert grammar to

Installation & Onboarding

  • Portal components are installed with default resource limits and HPA enabled for horizontal pods autoscaling

  • Deepfactor portal & webhook installation will default to using cert-managers to generate required certs.

  • Deepfactor portal can store the RunToken, DB and portal-password and portal-token in the vault if already installed and configured in the cluster.


  • License information for application dependency will also be fetched along with vulnerability information from the Blackduck server when Blackduck integration is enabled


  • OVA supports taking docker auths for provisioning the portal


  • The proxied ZAP scans will be disabled when installing or upgrading the portal to 3.0 version. This can be enabled using the portal override config during the upgrade.

  • Applications generating telemetry at a high rate may see memory limits exceed errors for some of the backend services. This is a temporary condition and should be resolved as soon as the load subsides.

  • The UI/APIs may see 502 responses temporarily as backend services scale up to process increasing volumes of raw telemetry data.

  • Enabling methodTracing on pods with set resource limits may encounter CrashLoopBackoff. It is advisable to disable or increase pod resource limits if methodTracing enabled in the webhook config.

  • Deepfactor portal & webhook installation using ArgoCD fails when ArgoCD is deployed from :latest tag.

  • Applications generating raw telemetry at a high rate may see the instance reported as not-running. This is a temporary condition and should be resolved as soon as the load subsides.

Deepfactor 2.4.6 (August 24, 2022)


  • Webhook now supports specifying node selectors to assign webhook pods to specific nodes in the cluster
  • Pod init containers used for application instrumentation with Deepfactor are now injected with resource limitations
  • Webhook now supports per namespace configs to disable package info queries. Users may use this configuration to avoid high initial CPU consumption after container launch. When disabled, Deepfactor runtime will not report OS packages
  • Webhook now supports per namespace configs to disable dependency info queries. Users may use this configuration to avoid high initial CPU consumption after container launch. When disabled, Deepfactor runtime will not report application dependencies. Following is a sample config for these controls:

dfRunToken: "<Your run token>"
- name: "my-namespace"
packageInfoEvents: false
dependencyCheckInfoEvents: false
  • Disabling stack traces disable collecting native stack frames along with application stack frames.

  • Fixed bug in reporting of OS packages for RedHat containers

Deepfactor 2.4.5 (July 28, 2022)


  • Updated package repository details for Clickhouse DB components

Deepfactor 2.4.4 (July 25, 2022)


  • Deepfactor mutating webhook deadlock causing deployed failure with “Context Deadline Exceeded” error fixed

  • Fixed regression in re-establishing DB connection after DB restarts

Deepfactor 2.4.3 (July 12, 2022)


  • Fixed regression in loading of CVE details for alerts after TTL telemetry period expiry.

  • NodeJS BOM will now include vulnerable .js files along with modules.

  • Fixed the failure in processing Dependency checks for NodeJS packages from private repositories.

  • Fixed the failure in the processing vulnerabilities for NodeJS apps when Blackduck integration is activated.


Deepfactor 2.4.2 (July 3, 2022)


  • DeepFactor Kubernetes mutating admission webhook will now be deployed with failure policy set to Ignore. This is to make sure that the application deployment with not fail due the unavailability or error in the webhook.

  • Fixed bugs in Kubernetes mutating admission webhook which were causing instrumentation to fail in some corner cases.

Alerts Improvements

  • Fixed missing alert “Connection Request to IP Address Not Previously Resolved” when the application issues DNS resolution request for an IP address before connecting to the same IP address.

Installation & Onboarding

  • Deepfactor Portal OVA can now be installed with static IP address configuration instead of DHCP

  • The Deepfactor mutating webhook will now be deployed with resource limits and horizontal pod auto-scaling. For more details, pls refer to the document Install Deepfactor Mutating Webhook.



Deepfactor 2.4.1 (June 25, 2022)


Alerts Improvements

  • Missing ”Attempt to create new executable files” alert when the application truncates files using write() API call with the optional flag to truncate the file is now fixed.

  • Missing “New executable created” alert, when the new executable is created using creat() API call with mode set to grant execute permission is now fixed


  • Achieved Deepfactor portal and runtime performance improvement with deduplication of events in application runtime and batch processing of vulnerabilities.

  • Optimized telemetry retention period for efficient disk usage


  • Application loading multiple versions of a dependency with one of them being vulnerable, may not result in an alert raised at times resulting in a false negative.


Deepfactor 2.4 (June 8, 2022)



  • Deepfactor runtime when used with default configuration uses language agents to collect stack traces. Users will have to launch the applications with --disable-stack-traces for dfctl or set stackTraces: false option in webhook config in order to disable these features.

  • Application instances can be filtered in the UI using the namespace attribute in which these applications are deployed

Alerts Improvements

  • Added support for reporting vulnerabilities for applications running on Centos:9, Ubuntu:22.04, and Alpine:3.16

  • Additional application instrumentation alerts when the application launches a process with non-OS libc.

  • Alerts will be raised if the application deletes a file configured as a sensitive path in the alert policy. This fix enables raising an alert even when the application used a relative path to delete the file.

  • The absolute path of the created file will be reported in alerts for “New Executable Created”

  • False Positive in “New executable created” alert due to directory create event is fixed.

  • False-positive alert “File opened with RD/WR” when a file from the configured sensitive path is open with read permission.

Installation & Onboarding

  • Deepfactor portal can now be deployed using ArgoCD

  • Deepfactor runtime admission controller can now be deployed using ArgoCD

  • Deepfactor portal can now be deployed using cert-manager which eliminates the need to run the script to generate self-signed certificates

  • Deepfactor runtime admission controller can now be deployed using cert-manager which eliminates the need to run the script to generate self-signed certificates

  • Deepfactor portal supports TLS termination on the external load balancer

  • Nginx ingress controller in Deepfactor portal stack will now be deployed as deployment instead of daemonset.

  • Added check for minimum supported Kubernetes version. The minimum supported Kubernetes version for the portal is 1.19 and for the webhook is 1.19.


  • Overall Portal and runtime performance improvement


  • Deepfactor runtime ensures all the telemetry is flushed and sent to the portal before exec. This may have some performance impact on applications with high process count during execution.

  • While upgrading pre 2.4 portal to 2.4 and later using helm charts, you must option use --set dfstartup.enabled=false for successful portal upgrades. Please refer to "Updating your Deepfactor portal" for more details.

Deepfactor 2.3.3 (May 12, 2022)


  • Deduping of Deepfactor runtime file, network, and DNS events to report only unique occurrences. This is to limit the volume of reported telemetry without losing alert fidelity.

  • Reduced Deepfactor runtime memory consumption due to events optimization

  • Performance improvements specifically in application & component dashboard.

  • Click-house DB init error fixed when portal instruments more than 600 active instrumented components

  • Added webhookconfig.monitorExec to enable monitoring processed run in monitored container via kubectl exec of docker exec.

  • “Suspicious process launched” alert fixed to trigger based on process launch event or process start event. This fixes the missing of alert when processes are launched using kubectl exec commands.

Bug Fix

  • UI link to Deepfactor instrumentation warnings KB article fixed

Deepfactor 2.3.2 (April 14, 2022)


  • Deepfactor UI migrated to a new brand logo and text

  • Deepfactor portal optimizations to improve UI and portal response times with 640 active applications monitored by Deepfactor.

  • Deefactor runtime optimizations to and deduplicate network and file telemetry.

  • Webhook config now supports the specifying runtime log file path per namespace webhookconfig.namespaces.logFile. This option enables log file generation to debug runtime issues. Alternately you can also set env DF_LOG_FILE in the pod spec for instrumented containers.

  • Webhook configuration now supports specifying image pull secret. This can also be used for the Deepfactor runtime image by those who wish to pull these images from authenticated container registries.

  • BOM API for packages and dependencies now includes vulnerability summary/details in the response

Bug Fix

  • The Download Report link from the application dashboard left panel is fixed

  • The Vulnerability Report for OS packages now contains “Fixed In” information

  • The Vulnerabilities Report for dependencies now contains dependencies information

  • Formatting errors in PDF reports are fixed


  • The default for webhook config webhookconfig.appNameSource in previous releases was "namespace". With the 2.3.2 upgrade, the default now changes to "podspec". While upgrading to 2.3.2 (and later) releases, the admins must set this config to “namespace" if they wish to retain the application name source to the defaults of 2.3.1 and previous releases.


Deepfactor 2.3.1 (March 28, 2022)


  • Configurable list of images or pods that must be excluded from mutation by the Admission Controller

    • The exclusion list can be specified as a prefix as well as regex matching for the pods and/or image names

  • Enabling of Runtime logs via environment variable configuration in webhook-config

Bug Fix

  • Fixed Admission Controller Failure to mutate Kubernetes workloads. The error reported with log 'failed to call webhook, context deadline exceeded' was fixed


Deepfactor 2.3 (March 21, 2022)


  • Deepfactor mutating admission controller webhook now supports instrumented namespaces. All Kubernetes workloads deployed in the configured namespace will be instrumented with Deepfactor runtime.

    • With this, the users are no longer required to add annotations to the pods to enable Deepfactor instrumentation.

    • Any error encountered during instrumentation with Deepfactor mutating webhook will result in the workloads being deployed without Deepfactor, and a summary of failure will be sent to the portal.

    • Improved handling of containers running mixed libc environments and better reporting

  • Deepfactor runtime makes the best effort to detect the language used to build the application. Identified language drives injection of agents to collect stack traces and/or method tracing if enabled in the config. A list of detected languages is also displayed in the UI.

  • The DF CLI tool dfctl now supports a test mode to validate if the standalone application can be instrumented to run with Deepfactor’s runtime intercepts.

  • Liveness/health-check probes and any process executed inside a container using kubectl exec or docker exec commands are no longer monitored by Deepfactor runtime.


  • Deepfactor runtime alert will be generated if an instrumented Java application is launched without Language-Specific Agent (LSA)

  • Deepfactor runtime alert will be generated if an instrumented Python application is launched without Language-Specific Agent (LSA)

  • Deepfactor webhook alert will be generated if it fails to instrument a distroless container.,

  • Fixed reporting of the license information for Alpine and CentOS packages

Alerts Improvements

  • Following new alerts were added.

    • Alert if application dependency or package uses an unwanted license (BM1)

    • Alert if the application is running on an operating system distro that is past its End of Life (EN2)

    • Use of chmod +x or creation of new binaries (FS8)

    • Unexpected UID promotion/change (PS10)

    • Unexpected GID promotion/change (PS11)

    • Weird params detection (FS14)

  • Fixed alert handler for sensitive information in environment variables

  • Fixed alert handler for files deleted/truncated from system directory (e.g /var)

  • Added API to get all vulnerabilities across all components of the application.

  • Alert policies now support a configurable list of suspicious paths in LD_LIBRARY_PATH and LD_PRELOAD environment variables.

  • OWASP Dependency-Check used in Deepfactor portal is now upgraded to version 6.5.3

Installation & Onboarding

  • Deepfactor’s mutating admission controller webhook is now supported on Kubernetes cluster version 1.18 and up.


  • Multiple runtime and backend optimizations to improve UI and API performance.

  • Faster OS alerts and dependency check alerts computation.

  • Runtime logs are disabled by default. To enable runtime logs, users will have to set the environment variable export DF_LOG_FILE=/tmp/deepfactor.log.


  • After upgrading to the 2.3 release, the vulnerability data for the applications run previously may not be seen in the UI. The user will have to rerun the applications to regenerate the vulnerability information for these applications.

  • Application container images built using Deepfactor’s Dockerfile for instrumentation, when deployed in a multi-container pod, may not report dependency info for all the container images in the pod. To mitigate this limitation, multi-container pods must be deployed using Deepfactor’s mutating admission controller.

  • Application container images built using Deepfactor’s Dockerfile for instrumentation, when deployed in cgroupsv2 enabled cluster may report each process as a separate application instance of the component. To mitigate this limitation, the application container must be deployed using Deepfactor’s mutating admission controller.


Deepfactor 2.2.1 (Feb 7, 2022)


  • The OS package and SBOM widgets failed to load sometimes for both existing and newly added apps. This widget loading issue is fixed.
  • A link in the Dependencies column of the application list that was navigating to a blank page is now navigating to the Dependencies tab from BOM.
  • The memory exceeded exception generated during NT10 alerts (connection requests to unresolved IP addresses) has been fixed. The clickhouse-server.err.log file no longer contains the memory-related exception.
  • For better performance, the API calls from the Portal UI for the OS packages have been reduced.


Deepfactor 2.2 (Jan 31, 2022)


  • Announcing Tech Preview of Deepfactor Instrumented Kubernetes Namespace support.

  • Graceful instrumentation of containers in K8s cluster: Compatibility checks are performed on containers in your K8s pods and if these checks fail, such containers are not instrumented with Deepfactor. They will continue to come up and a warning will be shown on the Deepfactor Portal UI with details of the failed checks and how to resolve them.

  • Deepfactor runtime now supports a mixed libc execution environment.


  • Deepfactor shows telemetry for each alert occurrence anchored at event occurrence time so your developers can know exactly what was happening in your application at the time of the alert.

  • Python Language Specific Agents (LSA): Deepfactor now provides an LSA for python. When enabled by setting the -l option, python stack trace frames will be shown for alerts.

  • Application warnings are shown on the portal UI when Deepfactor runtime detects mixed libc environments

  • Deepfactor reports license and source information of OS packages and dependencies from the application environment

  • Outgoing connections now report stack trace information

  • Fixed In version information is reported for OS packages vulnerabilities

Alerts Improvements

  • New alerts (NT17 and NT18) for applications making an inbound or outbound connection to an IP address not defined in CIDR allowlist.

  • New alert (PS28) if the process running in an instrumented application runs with elevated privileges

Installation & On-boarding

  • Bring your own certificate (BYOC): Deepfactor Portal can now be installed with your own certificate.

  • You can now set CPU and memory resource limits for each of the Deepfactor portal pods using helm override.yaml.
  • Deepfactor Portal can be installed with customer supplied passwords for DB via the config file

  • Helm chart to install and upgrade mutating admission controller webhook.


  • Integration with Synopsys Black Duck® to fetch vulnerability information for python dependencies

  • Integration with Synopsys Black Duck® to fetch package license information

  • Dockerfile provided by Deepfactor which runs a multi stage build to inject Deepfactor into your containers now supports all available dfctl options


  • Kubernetes workloads running with Deepfactor will report the pod and namespace information in the UI

  • Improved load times for the application list and the tile view

  • The default port used for running proxied ZAP scans has been changed from 8443 to 13443 to reduce the chances of conflict with other applications


  • Deepfactor Python LSA which collects stack trace information is not supported for Python 2.x versions and 3.11 version and up

  • Portal installation requires opening an incoming TCP connection to port 13443 for running ZAP scans


Deepfactor 2.1.1

  • Alerts policy for Interpreted Language will have the following settings disabled by default to suppress alerts raised by the interpreter

    • Insecure File System Usage

      • Alert, when an application uses the mknod API

      • Alert, when an application writes to files in /proc

      • Alert, when an application writes to files in /sys

    • Insecure Memory Usage

      • Alert, when a program forks (creates a child process) without clearing sensitive memory regions

  • LB1 and LB2 Alerts (Alerts for vulnerable packages) now uses CVSS v3 score to calculate the severity

  • Minor UI issues fixed


Deepfactor 2.1.0


  • Deepfactor UI will report application deployment mode along with deployment attributes like pod name, container repository, etc. for applications deployed in the Kubernetes cluster.


  • Deepfactor now supports dependency checks for python applications. The runtime collects python module-info and the platform raises an alert for vulnerable modules used by Python applications.

  • Containerized applications launched using dfctl run --docker-run will fail with an appropriate message on the Linux terminal when not supported by Deepfactor runtime.

  • Containerized applications launched in a Kubernetes cluster and instrumented using Deepfactor’s Mutation Admission Controller Webhook, will fail gracefully when not supported by Deepfactor runtime. This means that the application will be launched without Deepfactor runtime.

  • In either fail fast or fail gracefully conditions, an error or warning message will be sent to the portal describing the reasons for failing to launch the container with Deepfactor.

Alerts Improvements

  • Deepfactor platform now supports PCI 3.2 and SOC 2 framework for application compliance.

Installation & On-boarding

  • Deepfactor provides a single interactive shell to deploy the portal into your Kubernetes cluster.

  • If the Kubernetes cluster is set up with Vault, the DF portal can connect to store encrypted JWT tokens.

UI Enhancements

  • Option to switch between tile view and list view of instrumented applications.

  • A comprehensive dashboard with Compliance, Supply Chain, and Security views of instrumented applications.


  • Docker builds to add Deepfactor runtime visibility to your docker images now support options to specify alert policies, environment name, LSA, and other configuration parameters along with support for mixed libc environments. More details can be found at Adding Deepfactor to your container image


  • Integration with Synopsys Black Duck SCA to fetch vulnerability information. If Black Duck integration is active, the DF portal uses Black Duck to fetch vulnerability information for dependency check.
  • BOM APIs are added to API docs.


  • Deepfactor release version has migrated from maj.min-build to maj.min.patch-build format.


  • Vulnerability reports for Python dependencies are still fetched from NVD despite enabling Synopsys Black Duck integration. This will be resolved in a future release.


Deepfactor 2.0.1

  • Java app vulnerability dependencies now display methods and classes
  • Stack trace alerts now show unsafe API strings
  • Default Kubernetes component names now include a version tag when annotation application and components are not used


Deepfactor 2.0 


  • Improved runtime performance ensures Deepfactor’s telemetry collection will consume less CPU.
  • Improved Language Specific Agent (LSA) performance when collecting Java application method tracing insights.
  • Race condition between deploying webhook pod and enabling admission controller fixed. (The error condition caused pod deployment failures with the error “Connection refused.”)

ZAP Scan Improvements

  • Deepfactor portal 2.0 installed in K8s clusters can run multiple ZAP scans (default 10) simultaneously, resource permitting.


  • Deepfactor platform now reports all OS components installed in host/container images where the application is running.
  • Fixed deadlock in Java agent used for Language Specific insights when used to instrument JBoss.
  • SBOM will report all incoming URIs at the application and component level.

Installation & On-boarding

  • Deepfactor Portal can now be deployed in a Kubernetes cluster. Release 2.0 has been tested for deployment in EKS, AKS, and GKE.


  • Fixed files upload for symbol files greater than 100 MB.
  • Running docker images with dfctl run now validates dfctl version installed on the host with the version installed in docker volume. The container run will fail if the version differs.
  • Components/Instance details API now reports additional container information that includes image name and SHA.


Deepfactor 1.9.4 


  • Added clean restart of init containers used to initialize pods with Deepfactor.

  • Added reporting support for all OS packages installed on host/container image.

  • Fixed crash when instrumenting statically linked application with multilibc option set to “auto.”


Deepfactor 1.9.2 


  • Deepfactor’s Mutating WebHook Admission Controller for instrumenting Kubernetes application is now deployed as a non-root container. The application initialization process is also executed with non-root privileges.

  • Improved initialization of Deepfactor’s runtime to avoid deadlock when instrumenting Java applications in an Alpine image.

  • Deepfactor Jenkins Plugin 1.0.1 was released to add Deepfactor to a Docker image, initiate a DAST scan, generate reports, and review alerts in a DevOps pipeline.

Deepfactor 1.9.1


  • UI display options to select java agent for LSA.

  • The smoke test in Dockerfile downloaded from the Deepfactor portal platform to package application containers with Deepfactor instrumentation caused a build failure for Alpine applications. The smoke test in the Dockerfile is now fixed with 1.9.1 release.

  • Kubernetes Admission Controller, Mutating Webhook provided by Deepfactor was referencing an older version of the Deepfactor runtime container image. The smoke test is now fixed in 1.9.1 to avoid deployment failures.

Deepfactor 1.9


  • DF CLI (dfctl) supports options to select java-agent, or JVMTI, or both agents when instrumenting Java applications.
  • Deepfactor runtime reports dynamically assigned port when the application binds on port 0.
  • Application BOM reports well-known service names for listening ports.
  • Deepfactor removes duplicate URIs from the OWASP Zap scan reports.
  • Deepfactor generates an alert (PS28) if the application modifies the environment variable LD_LIBRARY_PATH.
  • Added an API to get all alerts occurrences at the application/component level with version and date filters.
  • Integration APIs now support taking the deployment environment name while running integration tests.
  • GertDockerfileEndpoint() now supports app-name and component-name.


  • Live events stream and stream API now report LSA events including Java classes loaded and methods invoked.
  • Improved methods to determine unique stack traces in Alert evidence.
  • Deepfactor platform maintains and reports audit trails per alert.
  • If Slack integration is enabled, Deepfactor will send a scan completion notification.

Deepfactor 1.8.1 Kubernetes Technology Preview

Installation and Onboarding

  • Deepfactor portal 1.8.1 can now be deployed in a Kubernetes cluster (EKS).
  • Previous Kubernetes cluster portal releases can be upgraded to 1.8.1 release.

  • To download ZAP scan logs, users do not need to disable DAST resource clean up as noted in the previous release.

Deepfactor 1.8.1

Improvements and Fixes


  • Fixed Java agent issue in 1.8 release in failure to report application usage metrics for application jars and fat jars.

    • For detailed application stack traces and usage information, users need to use the --lang java command-line option to dfctl,

  • Added support for Deepfactor runtime instrumentation of applications dependent on glibc runtime in the alpine container images.

Installation and Onboarding

  • Added support for Deepfactor mutating webhook for instrumenting applications deployed in Kubernetes clusters version 1.19

  • Added support for Deepfactor Portal installation on EC2 instances without a public hostname / IP address.

UI Enhancements

  • Application Bill Of Material is now displayed in a separate tile in the application dashboard.

  • Application Bill Of Material now includes an application dashboard list of listening ports.

  • Users can now apply build filters at the application level.

Deepfactor 1.8

Improvements and Fixes


  • Added Deepfactor Portal support for integration with on-prem Jira sever. This allows admins/AppSec engineers to raise tickets for Deepfactor Alert mitigation.


  • Added Java agent support to collect and report application’s method call usage metrics. These usage metrics are included in the Application’s BOM (Bill Of Material)

  • Added support for Deepfactor alerts generated from API scan reporting in the API Security alerts category and will be displayed in the API security tile on the dashboard.

  • Added Deepfactor runtime improvements for the reporting of module versions for NodeJS applications. This improves accuracy in running dependency checks on NodeJS applications.

  • Added Deepfactor runtime support for fat jar file processing while performing dependency checks. This improves accuracy while running dependency checks on java applications especially spring boot applications.

Alerts Improvements

  • Added support for the Alert, “Attempt to connect to IP address not previously resolved,” to now also report the FQDN, service name, and protocol for which the connection was attempted.

  • Added the ability for allowing users to configure thresholds for the rate of DNS. If the application's rate of DNS lookup calls exceeds configured value, Deepfactor will raise an alert.

  • Added a built-in alert policy for applications developed in interpreted languages (Java, Python, etc).

  • Added policy configuration support for configuring whitelist for geo-locations.

  • Added the ability for users to add comments when changing alerts severity while configuring alert policies.


  • Added support for downloadable Application BOM as CSV and PDF reports.

  • Added support for triaging an alert by marking it as “not an issue.”


  • Modifying the alert policy or changing the assigned alert policy to a component does not trigger alert re-computation. These changes will take effect on the next run of applications.

  • Java agent fails to load with instrumented JBoss/Wildfly servers.

  • The Deepfactor runtime has limited CVE reporting for applications running on SuSE, Fedora 34, and Alpine 3.14.X.

  • Java agent fails to report usage metrics for application jars and fat jars.

  • Using the Java agent requires adding addition a Java command-line option as follows:

    1-Xbootclasspath/a:/usr/lib/df-agent.jar -javaagent:/usr/lib/df-agent.jar


Deepfactor 1.7.2 K8s Technology Preview

Installation & Onboarding
The Deepfactor portal deployed in a Kubernetes cluster is installed with a prepopulated OS and dependencies vulnerability database. With this change, the Deepfactor platform will report vulnerabilities for instrumented applications without waiting for the database to be populated.


  • Users can upload applications' debug symbols for reporting detailed stack traces as alert evidence.
  • Deepfactor portal upgrades can be performed using helm commands.
  • Users can also download diagnostics using K8s commands.

ZAP Scan Improvements

  • Added capability allowing Deepfactor to run ZAP scans for multiple applications simultaneously.
  • Added ZAP scan log download capability using K8s commands.


  • Portal passwords are stored in plain text in config.
  • ZAP scan logs are auto cleaned as soon as the ZAP scan completes. This is true for successful as well as errored scans. To collect logs please follow instructions from Disable DAST Resource Clean Up When K8s Debugging – Deepfactor.
  • ZAP scans may get scheduled on Kubernetes nodes with limited resources. This resource limitation may cause a failure to launch a scan driver, while the web scan state is set to a running state after max retries.

Deepfactor 1.7.1

Improvements and Fixes

Alerts Improvements

  • Fixed UI filter for alerts that causes count mismatch for vulnerable OS Packages. This issue is seen when Deepfactor portal v1.6 is upgraded to v1.7.


  • Added Mutating Webhook support for instrumenting Opensuse-based workloads with Deepfactor.
  • Added Mutating Webhook support for specifying application language to collect additional telemetry.
  • Added support for Java applications.
  • Fixed error in loading language-specific agent (LSA) for apps deployed using the Mutating Webhook.

UI Enhancements

  • Added UI help for GitLab integration.

Deepfactor 1.7

Improvements and Fixes

Zap Scans

  • Fixed ZAP scans generating partial scan reports due to connections issue.
  • Improved scan management when a user deletes applications with scans in progress.
  • Fixed reporting of HTTP/HTTPS scheme in alerts generated by direct scans (ZAP scans for non-df-instrumented applications).


  • Improved DF runtime stability for applications that use scripts for app initialization.
  • DF CLI (dfctl) now supports using an agent (JVMTI) to collect Java app stack frame details for alert evidence. This can be specified using -l or --lang argument to dfctl with “java” set as the value.
  • DF CLI (dfctl) now supports specifying alert policy to be used for analyzing app telemetry. This can be specified using -p or --policy argument to dfctl with policy name passed as value.
  • DF CLI (dfctl) now supports the command verb to list all available alert policies. This enables users to choose a policy for subsequent calls. This can be specified using the command dfctl policy list.
  • DF now supports reporting the instrumented application’s Runtime Bill of Material (BOM) . This report includes dependent modules, OS packages, outgoing connections, usage information, and generated Deepfactor alerts.

Alerts Improvements

  • Deepfactor now processes IOCTL commands used by the instrumented application and generates relevant alerts with evidence.
  • Improved pattern matching for files accessed modified to reduce potential false positives in alerts. For example, alerts for files accessed/modified in /etc should be treated differently than files accessed/modified in /opt/deepfactor/etc.
  • Deepfactor now allows users to custom set alert rule severity while defining alert policies.
  • Vulnerable OS package and dependency alerts are generated per occurrence and reported in separate categories.
  • Vulnerable OS package alerts now also report the shared object used by the application as evidence.
  • Vulnerable OS packages/dependency alerts now honor CVSS v3/v2 score set in associated alert policies.

Installation & On-boarding

  • Fixed Deepfactor portal upgrade failure when deployed behind a proxy for internet access.
  • Deepfactor Kubernetes mutating webhook now supports using proxy required to access.
  • Deepfactor package repository. Access to the package repository is required to complete pod initialization.

UI Enhancements

  • Deepfactor now enables users to generate and download PDF reports of application runtime Bill of Material (BOM) and Alerts.
  • The alert summary page allows a multi-select/multi-action way to acknowledge multiple alerts at once.
  • Deepfactor dashboard now reports the count of active instances of an application component.


  • Application stats API now reports the count of processes launched by instance.
  • Added API to get alert list web services.


  • Heart Beat live stream now contains process names for identification and correlation of parameters.
  • DF CLI is able to instrument and launch the RHEL container using dfctl run --docker-run command.

Deepfactor 1.6.3


  • Added support to running DF instrumented application on SUSE Linux Distro.

Deepfactor 1.6.2


  • Fixed crash in Deepfactor Portal CVE service.

Deepfactor 1.6.1

Improvements and Fixes

ZAP Scan Improvements

  • Added ZAP scan diagnostics log downloading for all scans.

Instrumentation & Insights

  • Added the ability to delete cloned/custom alert policies.
  • Added the ability to live stream telemetry from the application creation timestamp.
  • Improved Deepfactor runtime performance using local caching and reusing TLS connections. Customers must upgrade the deepfactor-runtime package and re-instrument their applications to implement this improvement.
  • Fixed Deepfactor runtime deadlock in applications with complex initialization sequences requiring multiple initialization scripts. Customers must upgrade the deepfactor-runtime package and re-instrument their applications to implement this improvement.
  • Fixed regression introduced in 1.6 release regarding CVE alert reporting for vulnerable libraries loaded by the application.
  • Renamed Black/White lists to Allow/Deny lists.

Alerts Improvements

  • Improved alert details for MM6 “program forked without clearing sensitive memory regions.
  • Improved alert policy processing rules for AppSec policy Violations (PS8, LB4, LB &, LB8).
  • Added Deepfactor platform performance alert if applications have high rates of launching child processes.
  • LB4 Alert “Loading dynamic library from the uncommon path” disables by default in the alert policy. Users need to enable it based on their application composition.
  • Fixed reporting error in the rate of library load per second.


  • Added support for GitLab integration.
    • Deepfactor now supports the complete integration of Deepfactor alerts within the GitLab dashboard.

Installation & On-boarding

  • Added beta version support for Deepfactor portal deployments in Kubernetes clusters (EKS).
    • Note: This feature is currently limited to a maximum capacity of the worker node running the Deepfactor backend service (WebAppSvc).
    • Deepfactor portals deployed with Kubernetes supports launching ZAP scans simultaneously for Web Applications.
    • Deepfactor portal can be deployed in EKS clusters using Helm Charts.

UI Enhancements

  • Added application dashboard reporting across various categories.


  • The following are limitations for Deepfactor portals deployed in EKS clusters.:
    • Portal passwords are stored in plain text in config.
    • UI will display a set of commands to be executed by Kubernetes admins to upgrade DF portal.
    • UI will display a set of commands to download ZAP scan logs for DF portals deployed in Kubernetes.
    • The beta version of DF portal deployed in Kubernetes does not support the uploading of the application debug symbol.
    • Deepfactor portals deployed in Kubernetes clusters are not set up with the pre-populated vulnerability database. Hence, instrumented applications may not show vulnerabilities until the database is fully populated.


Deepfactor 1.6

Improvements and Fixes

ZAP Scan Improvements

  • Added support to launch ZAP scans from a portal deployed with proxy configuration.


  • Improved event push architecture to scale to billions of events from a single component instance. 

  • Improved evidence reporting to make alerts actionable. In addition, for OWASP alerts, you can now generate a curl command to replay the attack for debugging.

  • Fixed bug in CVE processing engine that resulted in false-positive reporting of vulnerable OS dependencies. 

Installation & On-boarding

  • Users can request a portal license upgrade from portal UI,

UI Enhancements

  • Live telemetry streaming with event summary reporting.


  • Old CVE alerts for vulnerable OS dependency may be false positives and must be ignored. Users must use correct build filters to eliminate old potentially False Positive old alert data.
  • Portals configured with proxy do not support Custom ZAP scans.
  • Stack traces for Alpine applications are not reported by DF runtime. However, Java application stack traces will be reported.
  • The agent to collect java application stack traces needs to be configured while launching Java applications. Currently, dfctl does not detect java applications to automatically inject java agents while launching.


Deepfactor 1.5.1

Improvements and Fixes

Installation and onboarding

  • DF Portal can now be deployed behind a proxy for internet access

ZAP Scan improvements

  • Fixed failure of first external ZAP scans 

Instrumentation Improvements

    • DF runtime install scripts now support installing a specific version of runtime packages that include setting up docker volumes 


    • DF portal deployed with a proxy configuration may have limited support for running ZAP scans on applications

Deepfactor 1.5

Improvements and Fixes

  • ZAP Scan improvements
    • Deepfactor now supports specifying authentication parameters for DAST scans
    • Users can save and reload their scan configurations
    • Users can also configure a list of URIs to be included or excluded during scans. These are configurable scan parameters.
    • Deepfactor can now launch DAST scans against non-instrumented web applications
    • All of the above functions can be exercised via APIs
  • Instrumentation Improvements
    • Deepfactor now supports launching Docker images with the DF runtime instrumentation of container images at launch time
  • Insights and Alerts
    • Improved evidence reporting in the Deepfactor alerts DF platform
    • Added APIs to report differences in alerts generated between application build versions
    • Added support for Java agents to collect application stack traces as evidence for alerts
  • Limitations
    • The agent to collect Java application stack traces needs to be configured while launching Java applications. Currently, dfctl does not detect the java applications to automatically inject the java agent while launching.

Deepfactor 1.4

Improvements and Fixes

  • ZAP Scan Improvements
    • Upgraded ZAP version from 2.9 to 2.10
    • Optimized ZAP plugin for HTTP request and response evidence collection and reporting
    • Added OWASP alert web confidence report  
    • Added WebApp scanning using Swagger (yaml or json) document 
  • Insights
    • Added reporting of CVE alerts at the occurrence level
    • Added stack trace alerting for Alpine applications
    • Added DF CLI help page
  • Miscellaneous Fixes
    • Added ability to add comments to alert at each occurrence level
    • Added API to create Jira tickets at the alert occurrence level
    • Added Web Scan repo in diagnostics logs
    • Added API to compare alerts difference between App versions
  • Known Limitations
    • Stack traces are currently not reported for Alpine applications

Deepfactor 1.3.1

Improvements and Fixes

  • Insights
    • Fixed Alert count mismatch in risk scenarios tile.
    • Disabled ZAP plugin to report HTTP requests and responses to address high memory consumption when scanning some web applications.
  • Instrumentation

    • Added Kubernetes admission webhook for DF instrumentation of applications
    • Added parsing json blob as an argument to application run using dfctl run.
      dfctl run now requires the absolute path of the command.
  • Integrations

    • Published Orb for integrating DF into CircleCI pipeline.  
    • Added OpenAPI document publishing on the portal for downloads

      Note: Deepfactor does not publish OVAs and AMIs for patch releases. Customers can upgrade to 1.3.1 using their portal instances.

Deepfactor 1.3

The Deepfactor 1.3 release contains the following improvements and fixes. 

Improvements and Fixes

  • ZAP scan improvements
    • Reporting HTTP requests and responses as evidence in ZAP alerts.
    • Added ability for users to exclude URI params in scan config.
    • Added ability for users to stop running ZAP scan and collect results.
  • Insights
    • Reporting of stack traces in alerts
    • Improved alert workflow
    • Alerts and Alert policy regrouping
    • Alert acknowledgment at occurrence level.
  • Integrations
    • Okta integration for the standard edition
    • Published REST APIs for third-party integration
    • Published Orb for integrating DF into CircleCI pipeline.  
  • Miscellaneous fixes
    • DF_API_TOKEN has been renamed to DF_RUN_TOKEN. DF runtime will support DF_API_TOKEN for one more release before deprecating it.
    • Fixed scripts to not upgrade all packages on the host.
    • Added support for “Scan Strength Config” while launching ZAP scans via API
    • Added ability for admins to change passwords for other users. This is also supported via API
    • Reporting of the name of the process as evidence for alerts on loading of the library that are not part of any package.
    • Added alert page summary info at the top.
    • Email verification is mandated for users signing up for accounts on DF resolute server.
    • Fixed forgot password flow on the resolute server.


  • The swagger document is not available as yet. This should be published soon.

Deepfactor 1.2

The Deepfactor 1.2 release contains the following improvements and fixes. 

Improvements and Fixes

  • Instrumentation
    • Added new application onboarding flow.
    • Transitioned from build-time instrumentation to runtime instrumentation by adding support for
      dfctl run instead of dfctl create and manifest-based sealed application launch.
  • ZAP Scan Improvements
    • Improved evidence in ZAP scans.
    • Increased handling of HTTP response by 3XX.
    • Enhanced reporting scan progress.
    • Added active scan policy support.
    • Added more evidence for SQL injection alerts.
  • Insights
    • Added stack trace alert reporting.
    • Fixed reporting CVEs for Alpine applications.
  • Installation and On-boarding
    • Users can now change data TTL from admin settings.
    • Added one-command installation of dfctl.
    • portalctl now supports the restart verb to restart portal services.
  • Integrations
    • Improved Slack Notifications.
    • Added API support for third-party integrations (Work in Progress).
  • General Fixes
    • Fixed error in reporting CVEs for some Ubuntu versions.
    • Fixed ZAP Scan proxy fills out the disk.


  • Stack trace for Alpine applications is not reported.
  • Deepfactor instrumented Chrome application running NodeJS has undefined behavior.
  • Jenkins plugin needs to upgrade after changes in supported API.
  • Launching of DF instrumented Postgres service on CentOS 7 fails.
  • MongoDB on CentOS7 VM does not send telemetry to the backend.
  • Deepfactor instrumented service telemetry will only be reported in the default runtime environment.
  • Deepfactor supports registering only one component per container image (more than one component executing inside one container image is not allowed).

Deepfactor 1.1

The Deepfactor 1.1 release contains the following new features and improvements. The build version is 1.1-482.

New Features

  • Added User Flow in the portal UI replacing Invite User to improve the user onboarding workflow.
  • Added alert reporting by sub-category.
  • Added support to revoke tokens using portalctl.
  • Added ZAP Scan performance improvements for web servers that do not set content-length or transfer encoding. (Requests that depended on connection close to terminate content previously took 60 seconds to time out.)
  • Added more evidence for ZAP Scan Alerts.
  • Added Jenkins CI Plugin for Deepfactor container build instrumentation.

Improvements and Fixes

  • Fixed issues with Dependency Check for applications using JAVA as well as NodeJS components.
  • Fixed issues in telemetry reporting for DF instrumented Redis service on CentOS7 platform.
  • Fixed issues in telemetry reporting for DF instrumented Httpd service on CentOS7 platform.
  • Fixed user token expiration issue.


  • Launching the Deepfactor instrumented postgres service on CentOS 7 fails with the following error:
Jun 09 08:22:49 localhost.localdomain postgresql-check-db-dir[22892] : sh: rpm: command not found
Jun 09 08:22:49 localhost.localdomain pg_ctl[22907]: sh: rpm: command not found
    • WebApp Scan may launch against old/dead instances.
    • Application instrumented using dfctl create, when launched, extracts an instance of libdf under /tmp. This may cause file system to fill up over a period of time.
    • Deepfactor Instrumented HAProxy Service may experience crashes.
    • Deepfactor supports registering only one component per container image. (The service cannot have more then one component executing inside one container image.)
    • Deepfactor instrumented service telemetry gets reported in default runtime environment.
    • MongoDB on CentOS7 VM does not send telemetry to the backend.
Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.