This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: SSE-S3 encryption checks are now LOW severity, and SARIF spec compliance adds remediation help in GitHub Security.
Full changelog
What's changed
SARIF spec compliance:
- physicalLocation + logicalLocations — fixes GitHub Code Scanning compatibility
- help.markdown on rules — remediation (CLI + Terraform) now visible in GitHub Security tab
- semanticVersion on tool driver
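The three SARIF fields listed above are easiest to see in a concrete log. The Python below is an added example, not cloud-audit's own code: it builds a minimal SARIF 2.1.0 run whose tool driver carries semanticVersion, whose rule carries help.markdown with CLI and Terraform remediation, and whose result carries both a physicalLocation (file and line, which GitHub Code Scanning needs to place the alert) and a logicalLocations entry (the cloud resource ARN). The rule id, file path, bucket name, ARN and remediation snippets are constructed for illustration, and the function names are my own. sarif_issues() is a small pre-upload check for exactly those fields.

```python
import json

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"


def build_rule(rule_id: str, name: str, description: str,
               cli_fix: str, terraform_fix: str) -> dict:
    """reportingDescriptor with help.markdown; GitHub shows help.markdown
    in the alert's remediation panel and falls back to help.text."""
    markdown = (
        f"## Remediation\n\n**CLI**\n\n```sh\n{cli_fix}\n```\n\n"
        f"**Terraform**\n\n```hcl\n{terraform_fix}\n```\n"
    )
    return {
        "id": rule_id,
        "name": name,
        "shortDescription": {"text": description},
        "help": {"text": f"CLI: {cli_fix}\nTerraform: {terraform_fix}",
                 "markdown": markdown},
    }


def build_result(rule_id: str, message: str, uri: str, line: int,
                 resource_name: str, resource_arn: str) -> dict:
    """One finding: physicalLocation anchors it to a file/line so Code
    Scanning can display it; logicalLocations keeps the cloud resource."""
    return {
        "ruleId": rule_id,
        "level": "warning",
        "message": {"text": message},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line},
            },
            "logicalLocations": [{
                "name": resource_name,
                "fullyQualifiedName": resource_arn,
                "kind": "resource",
            }],
        }],
    }


def build_sarif(tool_name: str, version: str, rules: list, results: list) -> dict:
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": version,
                "semanticVersion": version,  # SemVer string on the driver
                "rules": rules,
            }},
            "results": results,
        }],
    }


def sarif_issues(log: dict) -> list:
    """Pre-upload check for the fields this release adds; returns [] if OK."""
    issues = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if "semanticVersion" not in driver:
            issues.append("tool.driver.semanticVersion missing")
        rule_ids = set()
        for rule in driver.get("rules", []):
            rule_ids.add(rule["id"])
            if "markdown" not in rule.get("help", {}):
                issues.append(f"rule {rule['id']}: help.markdown missing")
        for res in run.get("results", []):
            rid = res.get("ruleId")
            if rid not in rule_ids:
                issues.append(f"result references unknown rule {rid}")
            for loc in res.get("locations", []):
                if "physicalLocation" not in loc:
                    issues.append(f"result {rid}: physicalLocation missing")
                if not loc.get("logicalLocations"):
                    issues.append(f"result {rid}: logicalLocations missing")
    return issues


def example_log() -> dict:
    """Constructed sample: one hypothetical rule and one finding."""
    rule = build_rule(
        "S3_DEFAULT_ENCRYPTION", "S3 bucket uses SSE-S3 only",
        "Bucket default encryption is SSE-S3; use SSE-KMS for key control.",
        "aws s3api put-bucket-encryption --bucket example-bucket "
        "--server-side-encryption-configuration "
        "'{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":"
        "{\"SSEAlgorithm\":\"aws:kms\"}}]}'",
        'resource "aws_s3_bucket_server_side_encryption_configuration" "this" {\n'
        '  bucket = "example-bucket"\n  rule {\n'
        '    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }\n'
        '  }\n}',
    )
    result = build_result(
        "S3_DEFAULT_ENCRYPTION", "Bucket example-bucket relies on SSE-S3.",
        "terraform/s3.tf", 12, "example-bucket", "arn:aws:s3:::example-bucket",
    )
    return build_sarif("cloud-audit", "0.7.0", [rule], [result])


if __name__ == "__main__":
    print(json.dumps(example_log(), indent=2))
```

Running the module prints the log; feeding the same dict to sarif_issues() before upload catches a rule that lost its help.markdown or a result emitted without a physicalLocation, which are the two omissions that silently degrade what the GitHub Security tab shows.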
S3 encryption check pivot:
- SSE-S3 (AES-256) is now LOW severity (was MEDIUM) — AWS auto-encrypts all objects since January 2023
- SSE-KMS = PASS, DSSE-KMS = PASS
- Extracted _kms_encryption_remediation() helper
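To make the new verdict table concrete, here is an added Python example (not the project's implementation) that classifies the ServerSideEncryptionConfiguration dict returned by boto3's get_bucket_encryption: AES256 (SSE-S3) fails at LOW, aws:kms and aws:kms:dsse pass, and a failing finding carries CLI and Terraform remediation. The function names, the MEDIUM fallback for an algorithm the table does not know, and treating a bucket with no explicit default rule as SSE-S3 (since AWS applies SSE-S3 by default) are my own assumptions; kms_encryption_remediation() is a stand-in for the helper the changelog mentions, not its code.

```python
from typing import Optional

# Verdict per SSEAlgorithm value as boto3 reports it, per the v0.7.0 pivot:
# SSE-S3 is LOW (AWS has applied it to every object since January 2023),
# SSE-KMS and DSSE-KMS pass.
ALGORITHM_VERDICT = {
    "AES256": ("FAIL", "LOW"),
    "aws:kms": ("PASS", None),
    "aws:kms:dsse": ("PASS", None),
}
# Assumption: an algorithm outside the table is reported as MEDIUM so it is
# reviewed rather than silently passed.
UNKNOWN_VERDICT = ("FAIL", "MEDIUM")


def kms_encryption_remediation(bucket: str) -> dict:
    """Hypothetical stand-in for the extracted helper: snippets that move a
    bucket to SSE-KMS with the AWS-managed key (bucket name is interpolated)."""
    cli = (
        f"aws s3api put-bucket-encryption --bucket {bucket} "
        "--server-side-encryption-configuration "
        "'{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":"
        "{\"SSEAlgorithm\":\"aws:kms\"},\"BucketKeyEnabled\":true}]}'"
    )
    terraform = (
        'resource "aws_s3_bucket_server_side_encryption_configuration" "this" {\n'
        f'  bucket = "{bucket}"\n'
        "  rule {\n"
        '    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }\n'
        "    bucket_key_enabled = true\n"
        "  }\n}"
    )
    return {"cli": cli, "terraform": terraform}


def check_bucket_encryption(bucket: str, config: Optional[dict]) -> dict:
    """config is the ServerSideEncryptionConfiguration dict from
    get_bucket_encryption, or None when the API raised
    ServerSideEncryptionConfigurationNotFoundError."""
    rules = (config or {}).get("Rules", [])
    default = next(
        (r["ApplyServerSideEncryptionByDefault"] for r in rules
         if r.get("ApplyServerSideEncryptionByDefault")),
        None,
    )
    # Assumption: no explicit rule means the AWS default (SSE-S3) applies.
    algorithm = default.get("SSEAlgorithm", "AES256") if default else "AES256"
    status, severity = ALGORITHM_VERDICT.get(algorithm, UNKNOWN_VERDICT)
    finding = {
        "bucket": bucket,
        "algorithm": algorithm,
        "status": status,
        "severity": severity,
        "kms_key": (default or {}).get("KMSMasterKeyID"),
        "bucket_key_enabled": any(r.get("BucketKeyEnabled") for r in rules),
    }
    if status == "FAIL":
        finding["remediation"] = kms_encryption_remediation(bucket)
    return finding


if __name__ == "__main__":
    # Constructed sample configs, not captured from a real account.
    samples = {
        "sse-s3-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                      {"SSEAlgorithm": "AES256"}}]},
        "kms-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                   {"SSEAlgorithm": "aws:kms"},
                                   "BucketKeyEnabled": True}]},
        "no-config-bucket": None,
    }
    for name, cfg in samples.items():
        f = check_bucket_encryption(name, cfg)
        print(name, f["algorithm"], f["status"], f["severity"])
```

Note that aws:kms without a KMSMasterKeyID still passes: it means the AWS-managed aws/s3 key, which is what the table above treats as SSE-KMS.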
Report improvements:
- Markdown: escape pipes and newlines in all table columns, round duration
- HTML: ARIA attributes on score ring and severity badges, consistent duration formatting
- Imports cleaned up in HTML renderer
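The Markdown change above matters because a literal pipe inside a cell starts a new column and a newline ends the row, so a remediation string containing either silently corrupts the table. This added Python example (mine, not the renderer from the project) shows the escaping and the duration rounding applied to every cell of a small table; the header names and row values are constructed.

```python
def escape_cell(value) -> str:
    """Make any value safe inside a GitHub-flavoured Markdown table cell:
    '|' would open a new column and a newline would end the row."""
    text = str(value)
    return (text.replace("|", "\\|")
                .replace("\r\n", "<br>")
                .replace("\n", "<br>"))


def format_duration(seconds: float) -> str:
    """Round to two decimals so every report row uses the same width."""
    return f"{round(seconds, 2):.2f}s"


def render_table(headers, rows) -> str:
    """Header, separator, then one escaped line per row."""
    lines = [
        "| " + " | ".join(escape_cell(h) for h in headers) + " |",
        "|" + "|".join(" --- " for _ in headers) + "|",
    ]
    for row in rows:
        lines.append("| " + " | ".join(escape_cell(c) for c in row) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed rows: one remediation cell contains a pipe and a newline.
    rows = [
        ["S3 encryption", "LOW", "aws s3api ... | jq .\nsee Terraform", format_duration(0.4567)],
        ["IAM admin policy", "HIGH", "remove AdministratorAccess", format_duration(1.2)],
    ]
    print(render_table(["Check", "Severity", "Remediation", "Duration"], rows))
```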
Code quality:
- Ruff: enabled RUF, PIE, RET rule groups
- S101 (assert) now per-file ignored for tests only
Tests: 179 passing (+5 new covering SARIF features, DSSE-KMS, compliance refs)
Full Changelog: https://github.com/gebalamariusz/cloud-audit/compare/v0.6.0...v0.7.0
About gebalamariusz/cloud-audit
Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.
Earlier breaking changes
- v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.