Black Duck shipped its May 2026 update for the Polaris application security platform, packing the release with new CI evidence capabilities, AI-driven scanning improvements, expanded license governance, revamped reporting, and stronger static analysis. The update also delivers Bridge CLI versions 4.1.2 and 4.2.1, which bring streamlined software composition analysis (SCA) scans and tighter integration with CI/CD pipelines.

The Polaris SaaS platform has become a cornerstone for enterprises that need to manage open-source risk across thousands of applications. With this update, Black Duck directly addresses the friction that development teams face when trying to inject security into fast-moving pipelines. The headline additions are all about making AppSec results more actionable at the very point where developers work—inside their CI systems and source repositories.

What’s New in the Polaris May 2026 Update

The release touches nearly every major component of the platform. Here is a breakdown of the most significant additions:

  • CI Evidence: Scan results can now be persisted as native evidence inside CI/CD tools such as GitHub Actions, GitLab CI, Jenkins, and Azure DevOps. This means pipeline logs, pull request status checks, and audit trails carry a verifiable record of every SCA scan without requiring separate tooling.
  • AI Scanning Enhancements: The existing machine-learning models that power vulnerability detection have been retrained on a broader dataset. They now flag suspicious code patterns with higher confidence and fewer false positives. A new “AI Confidence Score” appears alongside each finding.
  • License Governance Overhaul: Policy management now supports custom license classification, automated approval workflows for permissive licenses, and an express risk-rating system that evaluates license compatibility across an entire dependency tree.
  • Static Analysis Upgrades: Polaris’s built-in static application security testing (SAST) engine gains support for additional languages—including Kotlin and Swift—and delivers faster scan times through incremental analysis.
  • Reporting & Dashboards: A redesigned reporting engine generates executive summaries, developer-friendly issue cards, and compliance snapshots. PDF and CSV exports can now be scheduled and sent automatically to distribution lists.
  • Bridge CLI 4.1.2 and 4.2.1: The command-line utility that connects on-premises scanners to the Polaris cloud now handles larger codebases more efficiently and supports scanning of container images directly from registries.

CI Evidence: Security Results Inside the Pipeline

For years, the security team’s mantra has been “shift left.” But developers often push back because scanning tools slow them down and produce results in separate consoles that nobody checks until the eve of release. The CI evidence feature tackles that head-on.

When a Jenkins pipeline triggers a Polaris scan, the results are now injected directly into the pipeline’s output. In GitHub Actions, the scan writes a signed attestation that can be referenced by branch protection rules. In Azure DevOps, the evidence appears as a build artifact that the release gate can evaluate automatically. This native integration means a failing policy check can block a pull request without any custom scripting on the developer’s side.

For Windows-centric teams, the Azure DevOps integration is especially important. Many enterprises running .NET and C++ workloads have standardized on Azure DevOps Server or Azure DevOps Services. Polaris can now output NuGet-oriented SCA results directly into the build summary, so a .NET developer sees immediately that a vulnerable version of Newtonsoft.Json needs bumping. The same flow applies to npm, Maven, and PyPI dependencies scanned inside Windows-hosted build agents.

Audit-Ready Artifacts

Each piece of CI evidence is cryptographically signed and includes the full bill of materials that Polaris generated. Compliance officers can later retrieve the attestations from the pipeline history and map them back to a specific build ID. In regulated industries—finance, healthcare, aerospace—that audit trail shaves days off the review process before a release goes out.

AI-Powered Vulnerability Detection

Black Duck has been layering machine learning on top of its vulnerability database for several releases, but the May 2026 update marks a step change. The AI models no longer just correlate package names and version numbers with the National Vulnerability Database. They now analyze the structure of open-source code at the function level to predict whether a vulnerable code path is actually reachable.

The platform surfaces an “AI Confidence Score” between 0 and 100 next to each finding. Findings scored 90 and above indicate a very high likelihood of exploitability; those below 30 are treated as informational and can be suppressed automatically. Early adopters in the preview program reported a 40 percent reduction in triage time because analysts could focus on the high-confidence items first.

For Windows shops, this capability is especially useful when dealing with legacy C++ libraries that may have been forked years ago. The AI engine can differentiate between the original vulnerable function and a patched variant even when the package metadata has not changed—a scenario that frequently trips up regex-based SCA tools.

License Governance Gets a Policy Engine

Open-source licensing has grown more complex, with dual-licensing, SSPL, and Business Source License variants appearing in popular libraries. Polaris’s new license governance module introduces a flexible policy engine that allows legal and security teams to define classification rules without writing code.

Teams can now:
- Classify licenses into custom tiers (Permissive, Reciprocal, Restricted, Banned).
- Set approval workflows: a developer can request an exception for a Reciprocal license, which triggers a review chain inside Polaris.
- View license compatibility matrices: the system computes the interaction of all licenses across a dependency graph and flags conflicts (e.g., GPLv3 linked with a proprietary module).
- Automate blocking: if a component with a Banned license is introduced, the CI evidence feature can halt the build immediately.

These policies tie into the CI evidence engine, so the same pipeline check that catches a critical vulnerability also enforces license rules. For a Windows ISV shipping a commercial desktop application, this eliminates the manual effort of running a separate licensing audit before signing the installer.

Reporting Overhaul: From PDF to Dashboard

The reporting module has been completely rebuilt. Previously, users had to manually export PDFs from the Polaris web console. Now, they can schedule reports—daily, weekly, or per-release—and have them land in email inboxes or team collaboration channels.

Key reporting improvements:
- Executive Summary: one-page view showing high-level risk trends, policy compliance, and open findings over time.
- Developer Issue Cards: each vulnerability is formatted as a scannable card that includes the CVE, severity, suggested fix, and any AI confidence data.
- Compliance Snapshots: generate on-demand SBOMs in SPDX or CycloneDX format, with license and copyright information included.
- Customizable Widgets: teams can build dashboard-like views inside the Polaris console, filtering by business unit, application, or technology stack.

For enterprise customers, these enhancements mean they can present AppSec posture to the board without relying on separate BI tools.

Bridge CLI: Faster, Leaner, and Container-Aware

Bridge CLI is the unsung workhorse of the Polaris ecosystem. It sits on a Jenkins node, an Azure DevOps agent, or a developer’s laptop and orchestrates the scanning process. Version 4.1.2, released early in May, focused on performance and stability. Large monorepos with thousands of dependencies now scan roughly 30% faster because the CLI caches intermediate results more intelligently.

Version 4.2.1, which dropped later in the month, introduces direct container-image scanning. Developers can point Bridge CLI at a Docker image tarball or a registry URL, and it will extract SCA, license, and AI-scanning data from the image layers. This is critical for Windows environments where teams are moving .NET Framework apps into Windows containers. The CLI handles the peculiarities of Windows base images and can differentiate between OS-level packages and .NET assemblies.

Additionally, Bridge CLI 4.2.1 adds support for scanning Python 3.12 and Swift 6 projects, and it improves its handling of Gradle 9 builds—a welcome fix for Android and Kotlin Multiplatform teams.

How It All Fits Together

The value of the May 2026 update is not any single feature but the combination. A developer pushes code to GitHub; a CI workflow triggers a Polaris scan via Bridge CLI; the AI model identifies reachable vulnerabilities and assigns confidence scores; the license governor checks for policy violations; the results are injected as CI evidence into the pull request; and if anything fails, the PR is blocked. Meanwhile, the security team receives an automated weekly executive summary that highlights the most critical risks across all projects.
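As an added illustration of the combined gate this paragraph describes (example code written for this page, not Polaris's or Bridge CLI's own code or output format): a small policy evaluator that applies the article's AI confidence thresholds (90 and above blocks, below 30 is informational) and its four license tiers to a constructed scan result, emits a CI evidence record for the pull request, and lets a later release gate check that the record was not altered in transit. The JSON layout, field names, which license lands in which tier, and the HMAC-SHA256 tag standing in for the platform's signature are all assumptions.

```python
import hmac
import json

SAMPLE_SCAN = json.dumps({  # constructed sample; the JSON shape and field names are assumptions
    "build_id": "build-4711",
    "findings": [
        {"cve": "CVE-EXAMPLE-0001", "component": "Newtonsoft.Json", "ai_confidence": 94},
        {"cve": "CVE-EXAMPLE-0002", "component": "left-pad", "ai_confidence": 55},
        {"cve": "CVE-EXAMPLE-0003", "component": "log-helper", "ai_confidence": 21},
    ],
    "licenses": [
        {"component": "Newtonsoft.Json", "license": "MIT"},
        {"component": "left-pad", "license": "LGPL-2.1-only"},
        {"component": "graph-db-client", "license": "SSPL-1.0"},
    ],
})
# The four tiers named in the article; which licence lands in which tier is an assumed policy choice.
LICENSE_TIERS = {"MIT": "Permissive", "Apache-2.0": "Permissive", "LGPL-2.1-only": "Reciprocal",
                 "MPL-2.0": "Reciprocal", "GPL-3.0-only": "Restricted", "SSPL-1.0": "Banned"}
CANON = {"sort_keys": True, "separators": (",", ":")}  # canonical JSON so the tag is reproducible

def triage_finding(finding):
    # Article thresholds: 90 and above is very likely exploitable, below 30 is informational.
    score = finding["ai_confidence"]
    return "block" if score >= 90 else ("suppressed" if score < 30 else "review")

def triage_license(entry, approved_exceptions=frozenset()):
    # Permissive passes, Banned halts the build, Reciprocal/Restricted need an approved exception.
    tier = LICENSE_TIERS.get(entry["license"], "Restricted")  # unknown licences fail closed
    if tier == "Banned":
        return "block"
    if tier == "Permissive" or entry["component"] in approved_exceptions:
        return "pass"
    return "exception-required"

def evaluate_scan(scan_json, signing_key, approved_exceptions=frozenset()):
    # Builds the evidence record attached to the PR; HMAC-SHA256 stands in for the platform's signature.
    scan = json.loads(scan_json)
    vulns = {f["cve"]: triage_finding(f) for f in scan["findings"]}
    lics = {lic["component"]: triage_license(lic, approved_exceptions) for lic in scan["licenses"]}
    blocked = "block" in vulns.values() or "block" in lics.values()
    evidence = {"build_id": scan["build_id"], "vulnerabilities": vulns, "licenses": lics,
                "decision": "block" if blocked else "pass"}
    evidence["hmac_sha256"] = hmac.new(signing_key, json.dumps(evidence, **CANON).encode(), "sha256").hexdigest()
    return evidence

def verify_evidence(evidence, signing_key):  # release-gate side: recompute the tag over the record minus the tag
    body = {k: v for k, v in evidence.items() if k != "hmac_sha256"}
    expected = hmac.new(signing_key, json.dumps(body, **CANON).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, evidence["hmac_sha256"])
```

In a real pipeline the key would come from the CI secret store and the platform's own signed attestation would replace the HMAC; the point is that the release gate verifies the record rather than trusting whatever the build step printed.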

For Windows .NET developers, the flow is now seamless. A typical scenario: a developer updates a NuGet package, the Bridge CLI scan runs on Azure DevOps, and within seconds the build summary shows whether the new version introduces a high-confidence vulnerability or a license conflict. The developer can fix it before asking for a code review, which dramatically shortens the feedback loop.

Windows-Specific Considerations

While Polaris is a cloud-based platform, its scanning capabilities extend deeply into Windows ecosystems. The Bridge CLI can be installed on Windows Server 2022 build agents and Windows 11 workstations. It supports MSBuild-based projects, .sln solutions, and C++ codebases that rely on vcpkg or Conan. With the new update, Polaris can also generate Windows-specific attestations that tie into Microsoft’s Secure Supply Chain Consumption Framework (S2C2F), helping Azure DevOps customers meet supply chain integrity requirements.

What This Means for AppSec Teams

The update reduces three common pain points:
- Friction: Developers no longer need to switch contexts to see scan results; they stay in the tools they already use.
- Noise: The AI confidence scoring cuts down on the flood of low-importance alerts that desensitize teams.
- Governance: License and vulnerability policies are enforced uniformly, leaving an audit trail that satisfies compliance without manual effort.

Early feedback from the community has been positive. In discussions on the WindowsForum, several users noted that the CI evidence integration with Azure DevOps “just worked” out of the box, and that the AI scoring helped their small teams prioritize effectively without hiring additional AppSec engineers.

Looking Ahead

Black Duck’s roadmap suggests more convergence between the Polaris static analysis engine and its SCA roots. A future update may bring runtime analysis through eBPF-based agents, though no timeline has been announced. For now, the May 2026 release delivers a cohesive platform where scanning, policy, and evidence flow together—a significant step toward making AppSec invisible to developers but invaluable to the business.

The release is available immediately for all Polaris subscribers. New users can request a trial through the Black Duck website. Detailed documentation for Bridge CLI 4.1.2 and 4.2.1 is up on the Polaris docs portal.