WAS: Scan Report Format Update
The scan report format for the Web Application Scanning v2 API endpoint GET /was/v2/scans/{scan_id}/report has been updated from version 1.0 to version 1.1. Previously, in scan report format version 1.0, all cross-references were returned within the xrefs object. In scan report format version 1.1, all cross-references are returned as structured references to make parsing easier for the user.
Tenable.io Maximum Scan Limit
Tenable.io Vulnerability Management now limits the number of scans you can create to 10,000 scans. If you're close to the maximum limit, Tenable recommends you re-use scheduled scans instead of creating new scans. An HTTP 403 error is returned if you attempt to create a scan after you have already reached the scan limit of 10,000.
Tenable.io Asset Age Out
Tenable.io now offers the option to automatically delete assets in a network after a specified number of days. The assets_ttl_days body parameter can be specified when creating or updating a network. Additionally, a new endpoint has been added that allows you to return the total number of assets in a network along with the number of assets that have not been seen for a specified number of days.
WAS: HTML and PDF Scan Exports
The Tenable.io Web Application Scanning v2 API now supports HTML and PDF scan exports. The HTML and PDF exports contain the list of targets, scan results, and scan notes.
WAS: Email Notifications Upon Scan Completion
The Tenable.io Web Application Scanning v2 API now supports email notifications upon scan completion. You can configure email notifications when you create a scan configuration. Email notifications are sent upon scan completion for both on-demand and scheduled scans.
Time-based Filters for Vulnerability Exports
The default behavior for vulnerability exports has changed. By default, vulnerability exports will now only include vulnerabilities found or fixed within the last 30 days if no time-based filters (last_fixed, last_found, or first_found) are submitted with the request. Previously, the default behavior was all vulnerabilities since Unix epoch time.
Tenable.io API User-Agent Header
Tenable recommends the use of a standard User-Agent string in request headers when building integrations with the Tenable.io API. A standard User-Agent string helps Tenable to identify your integrations and API calls, and it assists in debugging and troubleshooting if you have issues with the API, rate limits, or concurrency limits.
Web Application Scanning: New Model for Input Errors
The Web Application Scanning v2 API now returns more specific error messages when validating user input. The new error model helps users to quickly identify and correct input errors.
Tenable.io: New Filters Available for Asset Export Endpoints
Two new asset filters were added to the Tenable.io API to help filter deleted and terminated assets. The new filters are is_deleted and is_terminated. If these filters are set to true, the Tenable.io API will return all assets that have been deleted or terminated.
WAS: Deprecation Notice for settings.target and application_uri Parameters
The Web Application Scanning v2 API has been updated to make targets a primary entity. You can now define target in the main body of your request instead of within the settings object. This change allows users to create a scan configuration with no settings block if they wish to use the default settings. Tenable recommends that you use the target parameter in the main body instead. This change affects the POST /was/v2/configs and PUT /was/v2/configs/{config_id} endpoints.