Some users received unexpected vulnerability findings in their SCA (Software Composition Analysis) reports related to Go runtime dependencies. The issue began on May 8, 2025 at 14:02 (UTC-5) and was identified proactively by our team 5.3 hours later through routine monitoring. The change was fully reverted in 3.8 minutes (TTF), resulting in a total window of exposure of 5.3 hours (WOE). No customer data was lost or compromised. The findings were informational in nature and did not reflect actual vulnerabilities in client systems. A total of 19 groups across 12 organizations were exposed to 154 spurious advisories in their reports.
A feature update to the SCA pipeline, adding detection of Go runtime and toolchain versions from dependency files, was released to production before the required internal review process had been completed. As a result, a set of Go standard library advisories was included in client SARIF reports via prebuilt SBOM outputs. The release process lacked an explicit gate to enforce sign-off before deployment.
The feature was fully reverted. Go runtime and toolchain package detection was removed, and the 154 affected advisories were suppressed from all client reports. Clients who received these findings can disregard them; they do not reflect real vulnerabilities in their systems.
This incident reinforces that any feature affecting client-visible vulnerability reports must receive documented product team approval as a mandatory gate before merging to production. Going forward, this sign-off will be required and recorded in the corresponding issue prior to any deployment to the SCA pipeline.
COMMUNICATION_FAILURE < INCOMPLETE_PERSPECTIVE