kastelldev/kastell

v1.8.0 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 8 known CVEs

Topics

automation, cli, coolify, devops, digitalocean, docker, dokploy, hetzner, linode, mcp, security-audit, self-hosted, server-management, typescript, vps, vultr

Affected surfaces

auth rce_ssrf deps

Summary

AI summary

Added Fleet Visibility, Notification Module with multi-channel alerts, Guard integration, and Doctor --fix interactive remediation.

Full changelog

Added

  • Fleet Visibility (kastell fleet) — Parallel health check across all servers with status table (online/degraded/offline), audit scores, response times. --json for structured output
  • Notification Module (kastell notify) — Multi-channel alert dispatch: webhook, Slack, Discord, email (SMTP). kastell notify add-channel + kastell notify test
  • Guard Notification Integration — Guard breach alerts automatically dispatched via configured notification channels with severity categorization
  • Doctor --fix (kastell doctor --fix) — Interactive auto-remediation for doctor findings. Per-finding confirm gate, --force to skip prompts, --dry-run to preview. Whitelisted fix commands only
  • MCP server_fleet tool — Fleet visibility exposed via MCP
  • Shell completions updated — fleet, notify, audit, evidence commands and all v1.8 flags added to bash/zsh/fish generators

Security

  • OWASP review — 8 security fixes: evidence path traversal, evidence lines sanitize, webhook SSRF protection, guard stale comment fix, doctor fix whitelist, metrics file permission, audit history file permission, backup restore safe mode guard
  • 8 code quality improvements: notify DRY, Promise.all optimization, channel validation, guard version tracking, firewall platform messages, secure score DRY, default audit constants, IP validation consolidation

Changed

  • Layer violation fix — firewallSetup and secureSetup moved from commands/ to core/
  • Adapter deduplication — sharedCreateBackup and sharedRestoreBackup extracted to shared module
  • PostSetup decomposed into barePostSetup + platformPostSetup
  • Test count: 3,038 → 3,175 (+137 new tests)
  • MCP tools: 12 → 13 (server_fleet added)

Full Changelog: https://github.com/kastelldev/kastell/compare/v1.7.0...v1.8.0

Security Fixes

  • Fixed evidence path traversal
  • Sanitized evidence lines to prevent injection
  • Added webhook SSRF protection
  • Resolved guard stale comment issue
  • Corrected doctor fix whitelist handling
  • Enforced proper permissions for metrics file
  • Enforced proper permissions for audit history file
  • Implemented safe-mode guard for backup restore
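The "webhook SSRF protection" fix above is listed but not explained. The following is an added example, not kastell's own code, of the kind of destination guard a notify module needs before it sends a webhook: it accepts only https, rejects embedded credentials, and refuses IP literals in loopback, private, link-local (including the 169.254.169.254 metadata range) and IPv4-mapped IPv6 ranges. The function names validateWebhookUrl and isBlockedIp are assumptions.

```typescript
import { isIP } from "node:net";

export type WebhookVerdict = { ok: true; url: string } | { ok: false; reason: string };

const BLOCKED_V4: Array<[string, number]> = [ // ranges a server-side sender must never reach
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, includes the 169.254.169.254 cloud metadata endpoint
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True for loopback, private, link-local addresses and their IPv4-mapped IPv6 forms.
export function isBlockedIp(ip: string): boolean {
  const fam = isIP(ip);
  if (fam === 4) return BLOCKED_V4.some(([b, n]) => inCidr(ip, b, n));
  if (fam !== 6) return false;
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::") return true;                // loopback, unspecified
  if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return true;   // fc00::/7, fe80::/10
  // IPv4-mapped: ::ffff:7f00:1 as the URL parser serialises it, or ::ffff:a.b.c.d when called directly
  const m = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const n = (parseInt(m[1], 16) << 16) | parseInt(m[2], 16);
    return isBlockedIp([n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join("."));
  }
  const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return dotted ? isBlockedIp(dotted[1]) : false;
}

// Gate run before any outbound request. Hostnames that are not IP literals must be
// re-checked with isBlockedIp after DNS resolution, or rebinding bypasses this check.
export function validateWebhookUrl(raw: string): WebhookVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "malformed URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // URL keeps [] around IPv6 literals
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isBlockedIp(host)) return { ok: false, reason: `blocked address ${host}` };
  return { ok: true, url: url.toString() };
}
```

The WHATWG URL parser already normalises alternate IPv4 spellings (octal, decimal integer) to dotted form before the range check sees them, which is why the check is done on url.hostname rather than on the raw string.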

About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
