This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+14 more
Affected surfaces
Summary
AI summaryFixed multiple pipeline and Docker image issues including a security upgrade addressing two CVEs.
Full changelog
What's Changed
- fix: self-scan gate blocks all publish jobs in release pipeline (#943) by @msaad00 in https://github.com/msaad00/agent-bom/pull/944
- fix: SARIF relative paths + filter self-scan to HIGH+ only by @msaad00 in https://github.com/msaad00/agent-bom/pull/945
- fix: skip git SHA fixed_versions — eliminates false positive CVE matches by @msaad00 in https://github.com/msaad00/agent-bom/pull/946
- fix: upgrade pip in Docker images — fixes CVE-2025-8869 + CVE-2026-1703 by @msaad00 in https://github.com/msaad00/agent-bom/pull/947
- release: v0.71.4 — SARIF fix, false positive elimination, Docker pip CVEs by @msaad00 in https://github.com/msaad00/agent-bom/pull/948
- fix: filter SARIF to HIGH+ before GitHub Security upload by @msaad00 in https://github.com/msaad00/agent-bom/pull/949
- fix: release gate severity back to critical (known HIGH deps) by @msaad00 in https://github.com/msaad00/agent-bom/pull/950
Full Changelog: https://github.com/msaad00/agent-bom/compare/v0...v0.71.4
Security Fixes
- CVE-2025-8869 — fixed by upgrading pip in Docker images
- CVE-2026-1703 — fixed by upgrading pip in Docker images
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About msaad00/agent-bom
AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.
Related context
Related tools
Beta — feedback welcome: [email protected]