This release includes 3 security fixes for security teams reviewing exposed deployments.
Topics
+14 more
Affected surfaces
Summary
AI summaryZero‑trust authentication model makes SSO the default and eliminates stored passwords.
Full changelog
What's Changed
- feat: dynamic MITRE ATT&CK mapping via STIX + CWE bridge by @msaad00 in https://github.com/msaad00/agent-bom/pull/386
- docs: align all description surfaces to one canonical message by @msaad00 in https://github.com/msaad00/agent-bom/pull/393
- feat: agent identity (#388), semantic injection (#387), HF model hashes (#389) by @msaad00 in https://github.com/msaad00/agent-bom/pull/394
- ci: scope fuzz workflow to fuzz/** only by @msaad00 in https://github.com/msaad00/agent-bom/pull/395
- feat: zero-trust auth model — SSO default, no passwords stored by @msaad00 in https://github.com/msaad00/agent-bom/pull/396
- docs: promote proxy+scanner equally, fix roadmap accuracy by @msaad00 in https://github.com/msaad00/agent-bom/pull/397
- security: harden proxy message size + expand Trust section by @msaad00 in https://github.com/msaad00/agent-bom/pull/398
- chore: bump version to v0.63.2 by @msaad00 in https://github.com/msaad00/agent-bom/pull/399
- feat: JWKS signature verification + .agent-bom.yaml project config by @msaad00 in https://github.com/msaad00/agent-bom/pull/400
- chore: bump version to v0.63.3 by @msaad00 in https://github.com/msaad00/agent-bom/pull/401
- feat: standalone introspect command + WebSocket live metrics + protect_cmd config wiring by @msaad00 in https://github.com/msaad00/agent-bom/pull/402
- fix: WebSocket auth + O(1) deque ring buffer + AI enrichment call cap by @msaad00 in https://github.com/msaad00/agent-bom/pull/403
- fix: Next.js API proxy + JSON import + Streamlit treemap + demo agent_type by @msaad00 in https://github.com/msaad00/agent-bom/pull/410
- feat: Next.js Insights page — supply chain treemap, blast radius radial, pipeline flow by @msaad00 in https://github.com/msaad00/agent-bom/pull/411
- fix: validate + sanitize JSON report upload by @msaad00 in https://github.com/msaad00/agent-bom/pull/413
- feat: UI charts, retry buttons, treemap drill-down + OSS hardening by @msaad00 in https://github.com/msaad00/agent-bom/pull/414
- fix: pin transitive CVEs + slowloris hardening by @msaad00 in https://github.com/msaad00/agent-bom/pull/415
- feat: fullstack deploy guide + MCP tool titles by @msaad00 in https://github.com/msaad00/agent-bom/pull/416
- fix: MITRE offline fallback + obfuscated credential detection by @msaad00 in https://github.com/msaad00/agent-bom/pull/417
- feat: browser extension discovery (--browser-extensions) by @msaad00 in https://github.com/msaad00/agent-bom/pull/422
- chore: bump version to v0.64.0 by @msaad00 in https://github.com/msaad00/agent-bom/pull/423
Full Changelog: https://github.com/msaad00/agent-bom/compare/v0.63.1...v0.64.0
Breaking Changes
- Passwords are no longer stored; SSO becomes the default authentication method (zero‑trust auth model).
Security Fixes
- Proxy message size hardened and Trust section expanded (general hardening)
- Slowloris attack hardening implemented
- Transitive CVEs pinned during build
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About msaad00/agent-bom
AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.
Related context
Related tools
Beta — feedback welcome: [email protected]