
Releases: JulietSecurity/abom

v0.2.1


github-actions released this 24 Apr 13:24
949aae1

Changes

  • Advisory database is now fetched from https://advisories.juliet.sh/db/advisories.json (CDN-cached, served from a stable custom domain). It was previously fetched from raw.githubusercontent.com, which applies tighter rate limits under heavy CI use. No user-facing behavior change.

v0.2.0


github-actions released this 23 Apr 23:31
e328c89

Features

  • --verify-shas: verify SHA-pinned action refs are reachable from their upstream repo (#4)
  • --fail-on-warnings: exit non-zero when any warnings fire (#4)
  • --resolve-refs: optionally resolve tag and branch refs to commit SHAs at scan time (#7)
  • OSV 1.7.5 advisory format: advisories are now consumed in OSV format from abom-advisories (#6)

Fixes

  • SHA-pinned refs at fixed versions are no longer flagged as compromised (#8). Tags are resolved via git ls-remote so that a pinned SHA can be mapped back to its tag and compared against the advisory's version range. This runs automatically with --check; no extra flag is needed.
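The fix above depends on mapping a pinned commit SHA back to a tag so that the version can be compared against an advisory. The Python sketch below is an illustration added to these notes, not abom's own code, and runs entirely offline against a constructed `git ls-remote --tags` listing and a constructed OSV-style advisory (the repository name, SHAs, advisory id and the "GitHub Actions" ecosystem string are made up; how abom itself performs the lookup is not described on this page). It covers the edge case a practitioner hits first: an annotated tag appears twice in ls-remote output, once as the tag object and once as the peeled `^{}` commit, and only the peeled commit can ever match a workflow's SHA pin.

```python
"""Map a SHA-pinned `uses:` ref back to a tag via `git ls-remote` output, then
check that version against an OSV-style advisory. Illustrative example only;
not abom's code, and it does not invoke git itself."""
import re
from typing import Optional

# Constructed stand-in for `git ls-remote --tags https://github.com/example/action`.
# Annotated tags are listed twice: the tag object, then the peeled commit with a
# `^{}` suffix. Lightweight tags (v1 here) list the commit directly.
LS_REMOTE_OUTPUT = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.0.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.0.0^{}\n"
    "3333333333333333333333333333333333333333\trefs/tags/v1.1.0\n"
    "4444444444444444444444444444444444444444\trefs/tags/v1.1.0^{}\n"
    "5555555555555555555555555555555555555555\trefs/tags/v1.1.1\n"
    "5555555555555555555555555555555555555555\trefs/tags/v1\n"
)

# Constructed OSV-style advisory (id, package name and range are made up):
# versions in [1.1.0, 1.1.1) are affected; 1.1.1 carries the fix.
ADVISORY = {
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "GitHub Actions", "name": "example/action"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.1.0"}, {"fixed": "1.1.1"}]}],
    }],
}


def parse_ls_remote(output: str) -> dict:
    """Return {commit_sha: [tag, ...]}. For annotated tags the peeled `^{}`
    commit is used, because a SHA pin in a workflow names the commit, never
    the tag object."""
    tag_obj, peeled = {}, {}
    for line in output.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        tag = ref[len("refs/tags/"):]
        if tag.endswith("^{}"):
            peeled[tag[:-3]] = sha
        else:
            tag_obj[tag] = sha
    commits = {}
    for tag, sha in tag_obj.items():
        commits.setdefault(peeled.get(tag, sha), []).append(tag)
    return commits


def parse_version(tag: str) -> Optional[tuple]:
    """'v1.1.0' -> (1, 1, 0); floating tags like 'v1' -> (1,); else None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_in_range(version: tuple, events: list) -> bool:
    """Walk OSV range events in order: 'introduced' opens an affected
    interval, 'fixed' or 'last_affected' closes it."""
    affected = False
    for ev in events:
        if "introduced" in ev:
            v = ev["introduced"]
            if v == "0" or parse_version(v) <= version:
                affected = True
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= version:
                affected = False
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < version:
                affected = False
    return affected


def is_affected(advisory: dict, name: str, version: tuple) -> bool:
    """True if any ECOSYSTEM range for this package covers `version`."""
    for entry in advisory.get("affected", []):
        if entry.get("package", {}).get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng["events"]):
                return True
    return False


def check_pinned_uses(uses: str, ls_remote_output: str, advisory: dict):
    """Return (tag, affected) for an `owner/repo@<40-hex-sha>` ref.
    (None, None) means the SHA matches no version tag, so no comparison is
    possible; a scanner should surface that as a warning, not a pass."""
    m = re.fullmatch(r"([\w.-]+/[\w.-]+)@([0-9a-f]{40})", uses)
    if not m:
        raise ValueError(f"not a SHA-pinned ref: {uses}")
    name, sha = m.groups()
    tags = parse_ls_remote(ls_remote_output).get(sha, [])
    versions = [(parse_version(t), t) for t in tags if parse_version(t)]
    if not versions:
        return None, None
    version, tag = max(versions)  # most specific tag wins, e.g. v1.1.1 over v1
    return tag, is_affected(advisory, name, version)


if __name__ == "__main__":
    for sha in ("4444" * 10, "5555" * 10, "abcd" * 10):
        print(sha[:7], check_pinned_uses(f"example/action@{sha}", LS_REMOTE_OUTPUT, ADVISORY))
```

Two design points carry over to a real scanner: a pin that resolves to no version tag (the `(None, None)` case) is "unknown", not "clean", and the peeled-commit handling is what keeps a pin at a fixed release from being misread as the tag object's SHA and therefore unmatched.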

Thanks

v0.1.3


github-actions released this 26 Mar 15:09

Changelog