msaad00/agent-bom

v0.88.3 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 5 known CVEs

Topics

ai-agents ai-security ai-supply-chain aibom blast-radius cloud-security compliance container-security cyclonedx security kubernetes llm-security mcp mcp-server owasp sarif sbom security-scanner supply-chain-security vulnerability-scanning

Affected surfaces

auth deps

Summary

AI summary

Updates across mcp, intel, sdk, api, connectors, action, vuln, graph, scim, plugins, and runtime modules.

Changes in this release

Security Medium

Enforce persistent HMAC in production audit.

Source: llm_adapter@2026-05-25

Confidence: high

Security Medium

Require authentication on proxy websockets API.

Source: llm_adapter@2026-05-25

Confidence: high

Security Medium

Require write scope for Shield write actions.

Source: llm_adapter@2026-05-25

Confidence: high

Feature Medium

Add Go control-plane client to SDK.

Source: llm_adapter@2026-05-25

Confidence: low

Feature Medium

Add bulk lifecycle endpoint to SCIM.

Source: llm_adapter@2026-05-25

Confidence: low

Feature Medium

Expose registry status in plugins.

Source: llm_adapter@2026-05-25

Confidence: low

Dependency Medium

Bump docker/build-push-action from 7.1.0 to 7.2.0.

Source: llm_adapter@2026-05-25

Confidence: low

Bugfix Medium

Sanitize identity error logs in runtime.

Source: llm_adapter@2026-05-25

Confidence: high

Bugfix Medium

Route graph events through durable outbox.

Source: llm_adapter@2026-05-25

Confidence: high

Bugfix Medium

Optimize delta alert scans in graph.

Source: llm_adapter@2026-05-25

Confidence: low

Full changelog

What's Changed

  • docs(plugins): add entrypoint examples by @msaad00 in https://github.com/msaad00/agent-bom/pull/2736
  • feat(mcp): add audited Shield write tools by @msaad00 in https://github.com/msaad00/agent-bom/pull/2735
  • fix(cli): stream agents json output by @msaad00 in https://github.com/msaad00/agent-bom/pull/2737
  • docs(sdk): add Python adoption smoke by @msaad00 in https://github.com/msaad00/agent-bom/pull/2738
  • chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 by @dependabot[bot] in https://github.com/msaad00/agent-bom/pull/2739
  • chore(deps): bump starlette advisory fix by @msaad00 in https://github.com/msaad00/agent-bom/pull/2740
  • fix(ci): compare pip-audit PR deltas by @msaad00 in https://github.com/msaad00/agent-bom/pull/2741
  • fix(runtime): sanitize identity error logs by @msaad00 in https://github.com/msaad00/agent-bom/pull/2742
  • feat(intel): add governed source brief metadata by @msaad00 in https://github.com/msaad00/agent-bom/pull/2743
  • feat(runtime): route graph events through durable outbox by @msaad00 in https://github.com/msaad00/agent-bom/pull/2744
  • fix(reports): support offline html exports by @msaad00 in https://github.com/msaad00/agent-bom/pull/2745
  • fix(mcp): scan direct package specs by @msaad00 in https://github.com/msaad00/agent-bom/pull/2746
  • docs(intel): document vendor advisory feed support by @msaad00 in https://github.com/msaad00/agent-bom/pull/2747
  • fix(api): enforce auth on proxy websockets by @msaad00 in https://github.com/msaad00/agent-bom/pull/2748
  • feat(sdk): add Go control-plane client by @msaad00 in https://github.com/msaad00/agent-bom/pull/2749
  • refactor(scan): share scan option contract by @msaad00 in https://github.com/msaad00/agent-bom/pull/2750
  • feat(intel): complete governed daily brief inputs by @msaad00 in https://github.com/msaad00/agent-bom/pull/2751
  • feat(connectors): define database evidence fallback lanes by @msaad00 in https://github.com/msaad00/agent-bom/pull/2752
  • feat(action): expose posture gate outputs by @msaad00 in https://github.com/msaad00/agent-bom/pull/2753
  • feat(mcp): map NSA hardening controls by @msaad00 in https://github.com/msaad00/agent-bom/pull/2754
  • fix(audit): require persistent HMAC in production by @msaad00 in https://github.com/msaad00/agent-bom/pull/2755
  • feat(graph): add code topology schema types by @msaad00 in https://github.com/msaad00/agent-bom/pull/2756
  • feat(action): emit finding annotations by @msaad00 in https://github.com/msaad00/agent-bom/pull/2757
  • feat(vuln): add firmware CPE candidates by @msaad00 in https://github.com/msaad00/agent-bom/pull/2758
  • fix(api): coordinate scan executor lifecycle by @msaad00 in https://github.com/msaad00/agent-bom/pull/2760
  • feat(integrations): persist issue mappings by @msaad00 in https://github.com/msaad00/agent-bom/pull/2759
  • fix(graph): optimize delta alert scans by @msaad00 in https://github.com/msaad00/agent-bom/pull/2761
  • fix(release): guard dashboard csp manifest by @msaad00 in https://github.com/msaad00/agent-bom/pull/2762
  • fix(api): scope docs csp relaxation by @msaad00 in https://github.com/msaad00/agent-bom/pull/2763
  • test(api): avoid tenant scan background work by @msaad00 in https://github.com/msaad00/agent-bom/pull/2764
  • fix(api): add fleet agents list alias by @msaad00 in https://github.com/msaad00/agent-bom/pull/2765
  • docs(product): align trust contract surfaces by @msaad00 in https://github.com/msaad00/agent-bom/pull/2766
  • fix(auth): allow modern OIDC signing algorithms by @msaad00 in https://github.com/msaad00/agent-bom/pull/2768
  • fix(snowflake): add tenant row access policy by @msaad00 in https://github.com/msaad00/agent-bom/pull/2769
  • test(api): cover auth rejection edges by @msaad00 in https://github.com/msaad00/agent-bom/pull/2770
  • feat(scim): add bulk lifecycle endpoint by @msaad00 in https://github.com/msaad00/agent-bom/pull/2771
  • feat(plugins): expose registry status by @msaad00 in https://github.com/msaad00/agent-bom/pull/2772
  • fix(sdk): accept positional client payloads by @msaad00 in https://github.com/msaad00/agent-bom/pull/2773
  • fix(shield): require write scope for write actions by @msaad00 in https://github.com/msaad00/agent-bom/pull/2774
  • fix(skills): chain scan audit events by @msaad00 in https://github.com/msaad00/agent-bom/pull/2775
  • chore(release): prepare v0.88.3 by @msaad00 in https://github.com/msaad00/agent-bom/pull/2776

Full Changelog: https://github.com/msaad00/agent-bom/compare/v0.88.1...v0.88.3

Security Fixes

  • Require persistent HMAC in production audit
  • Enforce auth on proxy websockets in api
  • Allow modern OIDC signing algorithms in auth
  • Add tenant row access policy in snowflake
  • Guard dashboard CSP manifest and scope docs CSP relaxation in release and api

About msaad00/agent-bom

AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.