This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+14 more
Summary
AI summaryMulti-hop blast radius tracking and OS-level package vulnerability scanning are introduced.
Full changelog
What's Changed
- feat: SDK shared patterns.json + cross-language test fixtures by @msaad00 in https://github.com/msaad00/agent-bom/pull/753
- fix: MCP Registry description <= 100 chars by @msaad00 in https://github.com/msaad00/agent-bom/pull/754
- fix: move railway.json to project root — fix SSE deploy by @msaad00 in https://github.com/msaad00/agent-bom/pull/755
- feat: TypeScript runtime SDK — 7 MCP traffic detectors by @msaad00 in https://github.com/msaad00/agent-bom/pull/756
- chore(deps): bump pyjwt from 2.11.0 to 2.12.0 by @dependabot[bot] in https://github.com/msaad00/agent-bom/pull/757
- fix: log warnings for skipped unknown/latest versions by @msaad00 in https://github.com/msaad00/agent-bom/pull/766
- fix: eliminate silent failures in scanner pipeline — comprehensive error logging by @msaad00 in https://github.com/msaad00/agent-bom/pull/767
- perf: batch DB lookups for local vulnerability scanning by @msaad00 in https://github.com/msaad00/agent-bom/pull/768
- fix: expand GHSA ingestion to all ecosystems by @msaad00 in https://github.com/msaad00/agent-bom/pull/769
- docs: add P0 issues section to CONTRIBUTING.md by @msaad00 in https://github.com/msaad00/agent-bom/pull/770
- feat: multi-hop blast radius with delegation chain tracking by @msaad00 in https://github.com/msaad00/agent-bom/pull/771
- feat: CWE enrichment from NVD weaknesses + skip optimization by @msaad00 in https://github.com/msaad00/agent-bom/pull/772
- feat: OS-level package vulnerability scanning — wire deb/rpm/apk into OSV by @msaad00 in https://github.com/msaad00/agent-bom/pull/773
- feat: NIST 800-53 Rev 5 + FedRAMP compliance frameworks by @msaad00 in https://github.com/msaad00/agent-bom/pull/774
- fix: address ClawHub security review — strengthen credential handling, remove cross-platform reads by @msaad00 in https://github.com/msaad00/agent-bom/pull/775
- fix: optimize deployment configs — Glama multi-stage build, Railway cold start by @msaad00 in https://github.com/msaad00/agent-bom/pull/776
- feat: IaC misconfiguration scanning — 37 rules across 4 formats by @msaad00 in https://github.com/msaad00/agent-bom/pull/777
- fix: clean --version output, update compliance count, fix demo tape by @msaad00 in https://github.com/msaad00/agent-bom/pull/778
- fix: update mcp-server help — list all 32 tools by @msaad00 in https://github.com/msaad00/agent-bom/pull/779
- fix: update stale counts across 25 files — compliance, cloud, tools by @msaad00 in https://github.com/msaad00/agent-bom/pull/780
- release: v0.70.8 — Ruby parser, GH Action inputs, ecosystem expansion by @msaad00 in https://github.com/msaad00/agent-bom/pull/781
Full Changelog: https://github.com/msaad00/agent-bom/compare/v0...v0.70.8
Security Fixes
- Address ClawHub security review — strengthen credential handling and remove cross-platform reads
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About msaad00/agent-bom
AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.
Related context
Related tools
Beta — feedback welcome: [email protected]