Product Update - 9/24/2025

We’ve focused on reducing risk from supply chain attacks, improving detection of risky configurations in Spring Boot apps, and going deep on dependency lineage. Here's what’s new in Heeler:

Added Protections for Supply Chain Attacks

Block dependencies before the ecosystem can vet them.

Heeler now includes a Minimum Age guardrail that blocks newly released dependency versions that haven’t had time to be analyzed by the security community.

Most supply chain attacks rely on freshly published package versions, and those malicious releases are typically discovered within 24 hours of publication.

Recommendation: Set a minimum age of 2 days to give time for threat intel and community detection to catch malicious packages.

Detect Unpinned Dependencies

Pinning dependencies is one of the most effective defenses against supply chain attacks. Heeler now makes it easy to filter for repositories with unpinned dependencies—so you can enforce better hygiene and proactively reduce your attack surface.
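The two guardrails above, Minimum Age and unpinned-dependency detection, are simple to express as checks over a manifest and a lockfile. The script below is an added example for an npm-style project, not Heeler's code: REGISTRY_PUBLISH_TIMES is a constructed stand-in for the per-version publish timestamps a registry exposes, and DEMO_MANIFEST, DEMO_LOCKFILE and DEMO_NOW are constructed inputs. A version the registry does not know about is treated as too new, so the check fails closed.

```python
"""Dependency hygiene checks: unpinned specifiers and too-new releases.

Added example, not Heeler's code. It models two guardrails for an npm-style
project. REGISTRY_PUBLISH_TIMES is a constructed stand-in for the per-version
publish timestamps a registry exposes.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: package -> version -> publish time (UTC).
REGISTRY_PUBLISH_TIMES = {
    "express": {"4.19.2": datetime(2024, 3, 25, tzinfo=timezone.utc)},
    "left-pad": {"1.3.0": datetime(2018, 3, 1, tzinfo=timezone.utc)},
    "fastjson-helper": {"2.0.1": datetime(2025, 9, 23, 12, 0, tzinfo=timezone.utc)},
}

# Exact semver, optionally with prerelease and build metadata. Anything else
# (^1.2.3, ~1.2, >=1.0, 1.x, *, latest, git URLs) is a floating range.
EXACT_SEMVER = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)

# Constructed manifest, lockfile and evaluation time for the demo and tests.
DEMO_MANIFEST = {
    "dependencies": {"express": "^4.19.2", "left-pad": "1.3.0",
                     "fastjson-helper": "2.0.1"},
    "devDependencies": {"jest": "*"},
}
DEMO_LOCKFILE = {"express": "4.19.2", "left-pad": "1.3.0", "fastjson-helper": "2.0.1"}
DEMO_NOW = datetime(2025, 9, 24, 9, 0, tzinfo=timezone.utc)


def is_pinned(spec: str) -> bool:
    """True only for an exact version string."""
    return EXACT_SEMVER.match(spec.strip()) is not None


def unpinned_dependencies(manifest: dict) -> list:
    """(name, spec) pairs from a package.json-style manifest that float."""
    found = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not is_pinned(spec):
                found.append((name, spec))
    return sorted(found)


def is_too_new(name: str, version: str, now: datetime,
               min_age_days: int = 2, registry: dict = REGISTRY_PUBLISH_TIMES) -> bool:
    """True if the release is younger than min_age_days at time `now`.
    A version the registry does not know about fails closed (treated as too new)."""
    published = registry.get(name, {}).get(version)
    if published is None:
        return True
    return now - published < timedelta(days=min_age_days)


def minimum_age_violations(lockfile: dict, now: datetime, min_age_days: int = 2) -> list:
    """lockfile: name -> resolved exact version, as a lockfile records it."""
    return sorted(n for n, v in lockfile.items()
                  if is_too_new(n, v, now, min_age_days))


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(DEMO_MANIFEST))
    print("too new :", minimum_age_violations(DEMO_LOCKFILE, DEMO_NOW))
```

Run against the constructed inputs, `express` and `jest` are reported as unpinned, and `fastjson-helper`, published about 21 hours before DEMO_NOW, is blocked by the 2-day minimum age while the older releases pass.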

Spring Boot Actuator Exposure Detection

Actuator endpoints now visible—along with their security posture. Spring Boot Actuator endpoints can unintentionally expose:

  • Environment variables

  • Secrets (like API keys and passwords)

  • Remote code execution vectors

Heeler now detects:

  • Which Actuator endpoints are enabled

  • Whether the endpoints are authenticated or publicly exposed

Use the repository filter to detect where actuator endpoints are enabled:

You can also view the authentication status for each endpoint, with results included in Heeler’s API export for broader automation and alerting.
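To see what the endpoint detection above has to reason about, here is an added example that reads Actuator exposure out of a Spring Boot `application.properties` file. It is not Heeler's detector. It uses the standard `management.*` property keys, models the default web exposure as `health` only (the Spring Boot 3 default) and covers only a subset of built-in endpoint ids; WEAK_CONFIG and HARDENED_CONFIG are constructed. Whether the exposed endpoints sit behind authentication depends on the Spring Security configuration and cannot be read from these properties, so that part of the detection is out of scope here.

```python
"""Read Spring Boot Actuator exposure out of application.properties text.

Added example, not Heeler's detector. Uses the standard management.* keys;
default web exposure is modelled as 'health' only (Spring Boot 3 default)
and the endpoint list is a subset. Authentication status is not derivable
from these properties and is not evaluated.
"""

# Built-in endpoint ids considered here (a subset of Actuator's endpoints).
KNOWN_ENDPOINTS = {"health", "info", "env", "beans", "configprops", "heapdump",
                   "threaddump", "loggers", "mappings", "metrics", "shutdown"}
# Why an exposed endpoint matters, for the report.
SENSITIVE = {
    "env": "environment variables and property sources",
    "configprops": "bound configuration values, often including secrets",
    "heapdump": "full JVM heap, may contain credentials in memory",
    "loggers": "log levels can be changed at runtime",
    "shutdown": "remote shutdown of the application",
}
# Spring Boot ships this endpoint disabled even when it is included in exposure.
DISABLED_BY_DEFAULT = {"shutdown"}
DEFAULT_INCLUDE = "health"


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value (or key: value) lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _selected(value: str) -> set:
    """Expand an include/exclude value: '*' means every known endpoint."""
    if value.strip() == "*":
        return set(KNOWN_ENDPOINTS)
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_endpoints(props: dict) -> set:
    """Endpoint ids that are both exposed over HTTP and enabled."""
    include = _selected(props.get("management.endpoints.web.exposure.include", DEFAULT_INCLUDE))
    exclude = _selected(props.get("management.endpoints.web.exposure.exclude", ""))
    default_enabled = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    result = set()
    for ep in (include - exclude) & KNOWN_ENDPOINTS:
        flag = props.get(f"management.endpoint.{ep}.enabled")
        if flag is not None:
            enabled = flag.lower() == "true"
        else:
            enabled = default_enabled and ep not in DISABLED_BY_DEFAULT
        if enabled:
            result.add(ep)
    return result


def sensitive_exposures(props: dict) -> dict:
    """Exposed endpoints that leak data or allow changes, with the reason."""
    return {ep: SENSITIVE[ep] for ep in sorted(exposed_endpoints(props)) if ep in SENSITIVE}


# Constructed configurations: a weak one and its hardened counterpart.
WEAK_CONFIG = """
# exposes every endpoint over HTTP
management.endpoints.web.exposure.include=*
"""
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoint.env.enabled=false
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        props = parse_properties(cfg)
        print(label, sorted(exposed_endpoints(props)), sensitive_exposures(props))
```

With the weak configuration every known endpoint except `shutdown` (disabled by default) is reachable, and `env`, `configprops`, `heapdump` and `loggers` are reported as sensitive; the hardened configuration exposes only `health` and `info`.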

SBOM + Deep Dependency Graph: First-Party, Transitive & Bundled Dependencies

Heeler now provides even deeper visibility into your application’s software supply chain with improved dependency classification and SBOM generation.

Visualize the Full Dependency Graph

Heeler’s enhanced dependency graph now clearly distinguishes between:

  • Root nodes (entry point for each codebase)

  • Direct dependencies

  • Transitive dependencies

  • First-party libraries

  • Bundled dependencies (especially common in JavaScript)

This makes it easier to trace how every dependency enters your codebase—and who’s responsible for it.

Quickly identify key context for dependencies such as classification and license:

Dependency graph for a transitive Java dependency brought in through a first-party library:

SBOM Generation at the Code Root

You can now generate a Software Bill of Materials (SBOM) from the Code Root level in CycloneDX format. Heeler’s SBOM includes:

  • Dependency relationships (direct, transitive, bundled)

  • First-party vs third-party classification

  • License information

This helps teams meet compliance requirements and improve visibility across the software lifecycle.
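The classification described above (root, direct, transitive, first-party, bundled) and the relationships an SBOM has to carry can be shown on a small graph. The following is an added example, not Heeler's SBOM generator: GRAPH and META are constructed, the purl ecosystem is assumed to be npm, and the relationship, party and "introduced by" facts are written as CycloneDX component `properties` under an assumed `example:` name prefix. The `dependencies` array is the standard CycloneDX way to record the graph itself.

```python
"""Emit a CycloneDX 1.5 JSON SBOM from a resolved dependency graph.

Added example, not Heeler's SBOM generator. GRAPH and META are constructed.
Relationship (direct/transitive/bundled), party (first-/third-party) and the
parent that introduced each dependency are recorded as component properties
under an assumed 'example:' prefix; the purl ecosystem is assumed to be npm.
"""
import json

# Constructed graph: parent -> children. "app" is the code root.
GRAPH = {
    "app": ["acme-auth-lib", "express"],
    "acme-auth-lib": ["jsonwebtoken"],   # first-party library with a transitive dep
    "express": ["body-parser"],
    "jsonwebtoken": [],
    "body-parser": ["bundled-qs"],       # constructed: a copy shipped inside the tarball
    "bundled-qs": [],
}
# Constructed metadata: name -> (version, license, first_party, bundled)
META = {
    "app": ("1.0.0", "LicenseRef-acme-internal", True, False),
    "acme-auth-lib": ("2.3.0", "LicenseRef-acme-internal", True, False),
    "express": ("4.19.2", "MIT", False, False),
    "jsonwebtoken": ("9.0.2", "MIT", False, False),
    "body-parser": ("1.20.2", "MIT", False, False),
    "bundled-qs": ("6.11.0", "BSD-3-Clause", False, True),
}


def ref(name: str) -> str:
    """Stable bom-ref / purl for a component."""
    return f"pkg:npm/{name}@{META[name][0]}"


def classify(graph: dict, root: str) -> dict:
    """BFS from the root: name -> (relationship, introduced_by).
    Depth 1 is a direct dependency, deeper is transitive; the first parent
    reached records how the dependency entered the codebase."""
    depth, parent, queue = {root: 0}, {}, [root]
    while queue:
        node = queue.pop(0)
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                parent[child] = node
                queue.append(child)
    out = {}
    for name, d in depth.items():
        if d == 0:
            continue
        kind = "bundled" if META[name][3] else ("direct" if d == 1 else "transitive")
        out[name] = (kind, parent[name])
    return out


def license_entry(lic: str) -> dict:
    # CycloneDX 'id' must be an SPDX list id; a custom LicenseRef-* goes in 'name'.
    key = "name" if lic.startswith("LicenseRef-") else "id"
    return {"license": {key: lic}}


def build_sbom(graph: dict = GRAPH, root: str = "app") -> dict:
    kinds = classify(graph, root)
    components = []
    for name in sorted(kinds):
        kind, introduced_by = kinds[name]
        version, lic, first_party, _ = META[name]
        components.append({
            "type": "library",
            "bom-ref": ref(name),
            "name": name,
            "version": version,
            "purl": ref(name),
            "licenses": [license_entry(lic)],
            "properties": [
                {"name": "example:relationship", "value": kind},
                {"name": "example:party", "value": "first-party" if first_party else "third-party"},
                {"name": "example:introduced-by", "value": introduced_by},
            ],
        })
    dependencies = [{"ref": ref(n), "dependsOn": [ref(c) for c in children]}
                    for n, children in graph.items()]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": ref(root),
                                   "name": root, "version": META[root][0]}},
        "components": components,
        "dependencies": dependencies,
    }


def component_property(sbom: dict, name: str, prop: str) -> str:
    """Look up one property value of a component by name."""
    for c in sbom["components"]:
        if c["name"] == name:
            return next(p["value"] for p in c["properties"] if p["name"] == prop)
    raise KeyError(name)


if __name__ == "__main__":
    print(json.dumps(build_sbom(), indent=2))
```

In the output, `jsonwebtoken` is a transitive dependency introduced by the first-party `acme-auth-lib`, which is exactly the lineage the dependency graph view above is meant to make visible; `bundled-qs` keeps its `bundled` relationship even though it sits at transitive depth.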

License Policy Enforcement

Manage license risk with confidence—especially in the age of AI-assisted development. As AI-generated code becomes more common, managing open source licenses has grown both more complex and more critical. Heeler now helps teams reduce license risk with:

  • A global license policy to define what’s allowed

  • Real-time detection of license violations in dependencies

  • A guardrail to automatically block risky license usage in pull requests

Customizable Global License Policy

A default license policy based on OSI-approved licenses is now available. Admins can customize this policy to align with your organization’s legal or compliance requirements. This policy powers Heeler’s detection and enforcement capabilities, including the Unapproved License guardrail.

License Violations in Dependency Listings

Heeler now flags any dependency—direct or transitive—that violates the license policy. This gives developers and security teams immediate visibility into license risk across the codebase.

Guardrail: Unapproved License Blocking

Use the Unapproved License guardrail to automatically prevent risky licenses from being introduced. This guardrail can block pull requests that attempt to add any dependency (direct or transitive) that violates your policy—stopping issues before they reach production.

Language Expansion: Ruby, PHP, Rust & Kotlin

Heeler now supports Ruby, PHP, Rust, and Kotlin, continuing our push to deliver deeper, broader language coverage.

Deep Analysis with Build Emulation

All newly supported languages use Heeler’s build emulation technology to analyze dependencies—even when lockfiles are missing. This allows Heeler to uncover both direct and transitive dependencies and display them in a clear dependency graph.

Ruby and PHP go a step further by providing additional metadata, including:

  • Language version

  • Dependency scope

These details improve prioritization and fixability insights.

We’ve also added API endpoint enumeration for the most widely used frameworks in each language—helping you discover attack surface and perform faster security reviews.

Agentic Remediation – Coming Soon!

Automated pull requests for safe, validated dependency upgrades. Heeler’s upcoming agentic remediation capability will automatically generate non-breaking, validated pull requests for eligible dependency upgrades.

As a preview, you’ll start seeing a new “Automatable” flag alongside fixability analysis—indicating which remediations Heeler can handle for you.

Agentic remediation helps eliminate years of accumulated dependency debt—saving security and engineering teams significant time while improving application resilience.
