agent-bom v0.75.0

What's Changed

• docs: Enterprise Deployment guide + demo tape v0.74.1 by @msaad00 in #1008
• chore(deps): batch dependency update (March 2026) by @msaad00 in #1017
• fix: P0/P1 hardening — multi-tenancy, quarantine, audit chain, confidence by @msaad00 in #1018
• feat: Phase 3 — dashboard UX (posture grade, attack paths, security graph) by @msaad00 in #1020
• feat: wire Jira + FP feedback end-to-end (dashboard → API → persistence) by @msaad00 in #1023
• feat: dashboard UX polish — pagination, search, filters, export by @msaad00 in #1024
• docs: architecture diagram + blog outline for community growth by @msaad00 in #1025
• feat: Phase 6+7 — CLI polish + CI/CD context awareness by @msaad00 in #1026
• fix: stop logging full URLs in validate_url() (CodeQL #1417) by @msaad00 in #1027
• feat: Phase 4 — compliance narratives + remediation dashboard by @msaad00 in #1029
• feat: Phase 5 — Vitest UI component tests (75 tests) by @msaad00 in #1030
• fix: full-stack alignment — serialization, router, fonts, skip dirs by @msaad00 in #1031
• fix: Codex P0/P1 — offline strict, AST FPs, doctor command, vitest by @msaad00 in #1032
• feat: count alignment + homepage rework + --posture summary by @msaad00 in #1033
• feat: close #530 #546 #523 #510 + skills restructure + compact diagram by @msaad00 in #1034
• release: v0.75.0 — dashboard UX, compliance narratives, cross-agent detection by @msaad00 in #1035

Full Changelog: v0...v0.75.0

agent-bom v0.74.1

What's Changed

• fix: MCP Registry description length (422 validation) by @msaad00 in #1002
• Use pyproject.toml as source of truth for version in publish workflow by @andres-linero in #1001
• Enterprise foundation: dev experience, scanner accuracy, bug fixes by @msaad00 in #1003
• fix: runtime security + compliance wiring audit fixes by @msaad00 in #1004
• feat: supply chain provenance + Go checksum DB + cloud timeout by @msaad00 in #1005
• release: v0.74.1 — security hardening, compliance wiring, README overhaul by @msaad00 in #1006
• chore: align Docker Hub + action.yml for v0.74.1 by @msaad00 in #1007

Full Changelog: v0...v0.74.1

agent-bom v0.74.0

What's Changed

• fix: update integration descriptions for v0.72.0 by @msaad00 in #966
• feat: 5-product CLI architecture + CycloneDX ML BOM + agent-shield deep defense by @msaad00 in #967
• fix: harden fleet min_trust filter for Python 3.14 compat by @msaad00 in #969
• fix: mock scan pipeline in API tests + graph-export and shield endpoints by @msaad00 in #970
• fix: suppress CVE-2026-33231 (nltk wordnet_app — not reachable) by @msaad00 in #971
• feat: v0.73.0 release prep — version bump, MCP graph tool, 27 E2E tests, docs by @msaad00 in #972
• feat: PII redaction + 110 security patterns for agent-shield by @msaad00 in #973
• feat: CLI architecture alignment — agents command, shield slim, clean command hierarchy by @msaad00 in #974
• docs: update all references from scan to agents command by @msaad00 in #975
• refactor: internal rename — cli/scan to cli/agents, aligned file names by @msaad00 in #976
• feat: 7 P0/P1 gap closures — AST scanner, Shield SDK, OCSF, secrets, red team by @msaad00 in #985
• docs: update README, descriptions, and integration metadata for v0.73.0 by @msaad00 in #986
• feat: PCI DSS 4.0 compliance + cloud-native SBOM pull by @msaad00 in #987
• fix: eliminate scanner false positives with version-range filtering by @msaad00 in #988
• fix: auto-detect ecosystem and scan both pypi+npm when ambiguous by @msaad00 in #989
• fix: scanner accuracy A+ — severity inference + actionable filtering by @msaad00 in #990
• feat: auto-run AST analysis + secret scanning in agents command by @msaad00 in #991
• fix: null safety across entire Next.js dashboard — 120 fixes by @msaad00 in #992
• feat: sidebar navigation + React Flow fix + HTML report redesign by @msaad00 in #993
• release: v0.74.0 — sidebar nav, CVE fixes, docs alignment by @msaad00 in #994
• fix: validate EPSS score range + KEV cache mypy fix by @msaad00 in #995
• fix: add SSRF + process spawn patterns — verified 112 count by @msaad00 in #996
• fix: align all docs and integrations to v0.74.0 by @msaad00 in #997
• feat: v0.74.0 demo GIF (high-res) by @msaad00 in #998
• fix: correct demo GIF + output format count (15 → 18) by @msaad00 in #999
• fix: demo shows full agent tree + blast radius (no --quiet) by @msaad00 in #1000

Full Changelog: v0...v0.74.0

agent-bom v0.72.0

What's Changed

• fix: upgrade Next.js 16.1.7 → 16.2.0 — fixes 3 HIGH GHSAs by @msaad00 in #951
• fix: handle Go pseudo-versions in vulnerability range comparison by @msaad00 in #952
• fix: suppress Scorecard-flagged GHSAs — all fixed at locked versions by @msaad00 in #954
• feat: expand Terraform IaC rules 20→50 (TF-SEC-021 through TF-SEC-050) by @msaad00 in #955
• feat: expand K8s rules 17→30 + Helm rules 8→15 by @msaad00 in #956
• fix: SARIF exclude-unfixable, Action scan-type, Scorecard hardening by @msaad00 in #957
• refactor: reorganize CLI — categorized help, command groups by @msaad00 in #958
• fix: rename OSV config for Scorecard auto-discovery (Vulnerabilities 0→10) by @msaad00 in #959
• chore: Docker Hub tag retention — keep last 10, auto-clean on release by @msaad00 in #960
• docs: update all command references to new CLI groups by @msaad00 in #961
• feat: CLI UX polish + input validation hardening by @msaad00 in #962
• feat: v0.72.0 — version accuracy, AI BOM tools, 30 MCP clients, compliance noise reduction by @msaad00 in #963
• docs: v0.72.0 architecture refresh — 30 clients, version bump, all surfaces updated by @msaad00 in #964
• docs: demo GIF for v0.72.0 by @msaad00 in #965

Full Changelog: v0...v0.72.0

agent-bom v0.71.4

What's Changed

• fix: self-scan gate blocks all publish jobs in release pipeline (#943) by @msaad00 in #944
• fix: SARIF relative paths + filter self-scan to HIGH+ only by @msaad00 in #945
• fix: skip git SHA fixed_versions — eliminates false positive CVE matches by @msaad00 in #946
• fix: upgrade pip in Docker images — fixes CVE-2025-8869 + CVE-2026-1703 by @msaad00 in #947
• release: v0.71.4 — SARIF fix, false positive elimination, Docker pip CVEs by @msaad00 in #948
• fix: filter SARIF to HIGH+ before GitHub Security upload by @msaad00 in #949
• fix: release gate severity back to critical (known HIGH deps) by @msaad00 in #950

Full Changelog: v0...v0.71.4

agent-bom v0.71.3

What's Changed

• chore(deps): bump next from 16.1.6 to 16.1.7 in /ui by @dependabot[bot] in #916
• fix: release hardening — Docker Hub sync, demo clean, HELM-003 Jinja, transitive log, docs flag by @msaad00 in #919
• fix: release hardening — Docker Hub auto-sync, demo clean paths, HELM-003 Jinja, transitive log, prod docs flag by @msaad00 in #918
• ci: mark Python 3.14 as experimental (pre-release, non-blocking) by @msaad00 in #920
• fix: update compliance framework count in SVG diagrams 11 → 14 by @msaad00 in #921
• fix: bump base images python 3.12.13-slim + enforce Trivy image gate by @msaad00 in #922
• fix: resolve GitHub code scanning — privileged checkout + token-permissions by @msaad00 in #923
• fix: close scanner coverage gap — osv-scanner uv.lock + real self-scan SBOM by @msaad00 in #924
• fix: patch OS CVEs in Docker images + add supply chain attestations by @msaad00 in #925
• Improve security, error handling, and deployment configuration by @andres-linero in #928
• fix: mask Docker Hub token + pin Alpine digest + Glama healthcheck by @msaad00 in #929
• fix: bound BFS queue in context graph to prevent OOM (#877) by @msaad00 in #930
• fix: close scanner self-scan gap — OS package scan in Docker CI by @msaad00 in #931
• fix: replace urllib callers with retry-capable httpx client (#878) by @msaad00 in #932
• fix: pre-release audit — empty version guard, CMMC API, action.yml by @msaad00 in #933
• release: v0.71.3 — scanner accuracy, HTTP reliability, Docker hardening by @msaad00 in #942

New Contributors

• @andres-linero made their first contribution in #928

Full Changelog: v0...v0.71.3

agent-bom v0.71.2

What's Changed

• fix: prevent false positive CVEs when installed version >= patched version by @msaad00 in #895
• fix: proxy hardening — credential detection in errors, rate limit enforcement, audit log rotation by @msaad00 in #896
• fix: parser symlink cycle dedup + transitive dep logging + doc alignment by @msaad00 in #897
• fix: scanner accuracy — GHSA multi-range OR logic, NVIDIA CSAF recursive depth, Go OSV v-prefix by @msaad00 in #899
• fix: proxy security — redact credentials from audit log + policy file size cap by @msaad00 in #900
• fix: wire IaC findings through AIBOMReport to JSON, SARIF, and --fail-on-severity (#851) by @msaad00 in #901
• fix: correct policy key blocked_tools → block_tools in docs and README by @msaad00 in #902
• fix: wire CMMC tags, AISVS benchmark, runtime_correlation end-to-end (#903) by @msaad00 in #903
• docs: simplify architecture diagrams (#904) by @msaad00 in #904
• chore: bump version to v0.71.2 by @msaad00 in #898
• fix: remediation plan no longer suggests package downgrades by @msaad00 in #905
• feat: auto-scan container images discovered from cloud providers by @msaad00 in #906
• fix: unparseable fixed versions no longer silently drop CVE findings by @msaad00 in #907
• chore: flask security pin — fix 11 OpenSSF Scorecard vulnerabilities by @msaad00 in #908
• fix: downgrade docker/non-OSV ecosystem log from WARNING to DEBUG by @msaad00 in #909
• fix: URL encode Cargo/Maven package names + SpecifierSet for GHSA ranges by @msaad00 in #910
• feat: Go module transitive dependency resolution by @msaad00 in #911
• fix: read action.yml with read_text() to avoid file handle isolation issue in test suite by @msaad00 in #912
• feat: native Helm chart security scanner (Chart.yaml + values.yaml) by @msaad00 in #913
• feat: wire native transitive dep resolution (npm/pypi/go) into scan pipeline by @msaad00 in #914
• chore(deps): bump pyasn1 from 0.6.2 to 0.6.3 by @dependabot[bot] in #915

Full Changelog: v0...v0.71.2

agent-bom v0.71.1

What's Changed

• chore: remove ToolHive integration by @msaad00 in #882
• chore: weekly uv.lock upgrade 2026-03-16 by @msaad00 in #883
• fix: ensure packaging installed in GitHub Action by @msaad00 in #888
• chore: MCP registry sync — 0 new, 15 versions, 0 CVE-enriched by @msaad00 in #884
• fix: skip CWD auto-detect when --sbom is provided by @msaad00 in #889
• feat: live OS package scanning — dpkg, rpm, apk by @msaad00 in #890
• feat: agent-bom run — launch MCP server through runtime proxy by @msaad00 in #891
• feat: ingest ToolHive catalog as MCP server discovery source by @msaad00 in #892
• chore: bump version to v0.71.1 by @msaad00 in #893
• fix: guard against empty server spec in agent-bom run by @msaad00 in #894

Full Changelog: v0...v0.71.1

agent-bom v0.71.0

What's Changed

• fix: repo alignment audit — GIF, proxy syntax, cloud descriptions by @msaad00 in #856
• feat: agent-bom mcp command group by @msaad00 in #857
• feat: focused scan commands — image, fs, iac, sbom by @msaad00 in #858
• feat: agent-bom cloud command group by @msaad00 in #859
• docs: align README + CLI help with new command structure by @msaad00 in #860
• feat: scan auto-detects lockfiles + IaC in current directory by @msaad00 in #862
• docs: update architecture diagram with new CLI structure by @msaad00 in #863
• chore: bump version to v0.71.0 by @msaad00 in #866
• docs: v0.71.0 full alignment — frameworks, README, cloud providers by @msaad00 in #868
• fix: eliminate false positives + scan UX + docs alignment by @msaad00 in #870
• fix: skip CWD auto-detect when scanning images by @msaad00 in #873
• fix: production hardening — OCI safety, policy logic, parser robustness by @msaad00 in #875

Full Changelog: v0...v0.71.0

agent-bom v0.70.12

What's Changed

• perf: 3x scan speed — fix DB query bottleneck by @msaad00 in #835
• chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by @dependabot[bot] in #837
• chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @dependabot[bot] in #838
• chore(deps): bump astral-sh/setup-uv from 7.3.1 to 7.5.0 by @dependabot[bot] in #839
• chore(deps): bump docker/setup-qemu-action from 3.6.0 to 4.0.0 by @dependabot[bot] in #840
• chore(deps): bump actions/cache from 4.3.0 to 5.0.3 by @dependabot[bot] in #841
• chore(deps-dev): bump @types/node from 20.19.33 to 25.5.0 in /ui by @dependabot[bot] in #842
• chore(deps-dev): bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /ui by @dependabot[bot] in #843
• docs: Trust & Transparency section in README by @msaad00 in #844
• feat: expand IaC rules 42 → 82 across 4 formats by @msaad00 in #845
• feat: CIS 100% coverage + CMMC 2.0 compliance module by @msaad00 in #847
• fix: scan guard accounts for all scan modes by @msaad00 in #850
• fix: compact output UX — framework tags + severity hint by @msaad00 in #853
• fix: severity on basic scans — capture CVSS from OSV by @msaad00 in #854
• chore: bump version to v0.70.12 by @msaad00 in #855

Full Changelog: v0...v0.70.12