This release includes 3 security fixes for security teams reviewing exposed deployments.
Topics
+14 more
Affected surfaces
Summary
AI summaryAuto-scan container images discovered from cloud providers.
Full changelog
What's Changed
- fix: prevent false positive CVEs when installed version >= patched version by @msaad00 in https://github.com/msaad00/agent-bom/pull/895
- fix: proxy hardening — credential detection in errors, rate limit enforcement, audit log rotation by @msaad00 in https://github.com/msaad00/agent-bom/pull/896
- fix: parser symlink cycle dedup + transitive dep logging + doc alignment by @msaad00 in https://github.com/msaad00/agent-bom/pull/897
- fix: scanner accuracy — GHSA multi-range OR logic, NVIDIA CSAF recursive depth, Go OSV v-prefix by @msaad00 in https://github.com/msaad00/agent-bom/pull/899
- fix: proxy security — redact credentials from audit log + policy file size cap by @msaad00 in https://github.com/msaad00/agent-bom/pull/900
- fix: wire IaC findings through AIBOMReport to JSON, SARIF, and --fail-on-severity (#851) by @msaad00 in https://github.com/msaad00/agent-bom/pull/901
- fix: correct policy key blocked_tools → block_tools in docs and README by @msaad00 in https://github.com/msaad00/agent-bom/pull/902
- fix: wire CMMC tags, AISVS benchmark, runtime_correlation end-to-end (#903) by @msaad00 in https://github.com/msaad00/agent-bom/pull/903
- docs: simplify architecture diagrams (#904) by @msaad00 in https://github.com/msaad00/agent-bom/pull/904
- chore: bump version to v0.71.2 by @msaad00 in https://github.com/msaad00/agent-bom/pull/898
- fix: remediation plan no longer suggests package downgrades by @msaad00 in https://github.com/msaad00/agent-bom/pull/905
- feat: auto-scan container images discovered from cloud providers by @msaad00 in https://github.com/msaad00/agent-bom/pull/906
- fix: unparseable fixed versions no longer silently drop CVE findings by @msaad00 in https://github.com/msaad00/agent-bom/pull/907
- chore: flask security pin — fix 11 OpenSSF Scorecard vulnerabilities by @msaad00 in https://github.com/msaad00/agent-bom/pull/908
- fix: downgrade docker/non-OSV ecosystem log from WARNING to DEBUG by @msaad00 in https://github.com/msaad00/agent-bom/pull/909
- fix: URL encode Cargo/Maven package names + SpecifierSet for GHSA ranges by @msaad00 in https://github.com/msaad00/agent-bom/pull/910
- feat: Go module transitive dependency resolution by @msaad00 in https://github.com/msaad00/agent-bom/pull/911
- fix: read action.yml with read_text() to avoid file handle isolation issue in test suite by @msaad00 in https://github.com/msaad00/agent-bom/pull/912
- feat: native Helm chart security scanner (Chart.yaml + values.yaml) by @msaad00 in https://github.com/msaad00/agent-bom/pull/913
- feat: wire native transitive dep resolution (npm/pypi/go) into scan pipeline by @msaad00 in https://github.com/msaad00/agent-bom/pull/914
- chore(deps): bump pyasn1 from 0.6.2 to 0.6.3 by @dependabot[bot] in https://github.com/msaad00/agent-bom/pull/915
Full Changelog: https://github.com/msaad00/agent-bom/compare/v0...v0.71.2
Security Fixes
- Proxy hardening — credential detection in errors, rate limit enforcement, audit log rotation
- Proxy security — redact credentials from audit log and enforce policy file size cap
- Flask security pin – fix 11 OpenSSF Scorecard vulnerabilities
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About msaad00/agent-bom
AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.
Related context
Related tools
Beta — feedback welcome: [email protected]