0.2.19 (2026-04-24)

0.2.18 (2026-04-24)

0.2.17 (2026-04-24)

0.2.16 (2026-04-24)

0.2.15 (2026-04-24)

0.2.14 (2026-04-24)

0.2.13 (2026-04-24)

0.2.12 (2026-04-24)

0.2.11 (2026-04-24)

🐛 Bug Fixes

  • conf: Trust sha pinned versions of plumber (090f8c7)

0.2.10 (2026-04-24)

0.2.9 (2026-04-23)

✨ Features

  • scoring: Change issues severities and dampen score loss (8af879a)

0.2.8 (2026-04-22)

🐛 Bug Fixes

  • gitlab: handle scalar include in GitlabCIConf unmarshalling (a5888cf)
  • tests: Add more exhaustive tests for unmarshaling error on inclusion (a3c0bf1)

0.2.7 (2026-04-21)

🐛 Bug Fixes

  • mr: Mr badge must take to doc (f99986b)

0.2.6 (2026-04-21)

✨ Features

0.2.5 (2026-04-20)

✨ Features

  • scoring: Update scoring badge url to point to our doc and update scoring doc to including letter descriptions (58bad14)

0.2.4 (2026-04-20)

✨ Features

  • release: Update release to use app + update default trustedUrls (00f97a2)

🐛 Bug Fixes

  • ci: Replace with app id (5f880b9)

0.2.3 (2026-04-20)

0.1.84 (2026-04-17)

✨ Features

  • score: Set scoring go v1 and update some severities (6402fd9)

0.1.83 (2026-04-17)

✨ Features

  • artifact: new scoring concept: (ab7d4b6)

0.1.82 (2026-04-13)

✨ Features

  • cmd: Add explain command that explains briefly issues (88f2b91)

🐛 Bug Fixes

  • ci: Update alpine image to 3.22 and only fail CI when issues have known fixes - no point otherwise (f5b9edc)
  • go: Update to go 1.26 (3960953)

0.1.81 (2026-04-03)

0.1.80 (2026-04-03)

0.1.79 (2026-04-03)

0.1.78 (2026-04-03)

0.1.77 (2026-04-02)

✨ Features

  • control: Add control to detect basic DinD and unsecure DinD (6a03424)

0.1.76 (2026-03-31)

✨ Features

  • control: Add control to detect overridden variables pipelineMustNotOverrideJobVariables (bd095da)

0.1.75 (2026-03-27)

0.2.0 (2026-03-27)

0.1.74 (2026-03-27)

✨ Features

  • cmd: Add new flag --ci-config-path to allow overriding .gitlab-ci.yml (150e230)

0.1.73 (2026-03-23)

🐛 Bug Fixes

  • ci: Enable attestation arrival in artifacts (8de06af)

0.1.72 (2026-03-20)

🐛 Bug Fixes

  • pipeline: Attach attestation to container (e465aa2)

0.1.71 (2026-03-20)

🐛 Bug Fixes

0.1.70 (2026-03-20)

0.1.69 (2026-03-18)

✨ Features

  • control: Add control to check unverified inline script execution (cbb416b)

0.1.68 (2026-03-17)

🐛 Bug Fixes

  • issues: Update issues link (bc42f2f)

0.1.67 (2026-03-16)

✨ Features

  • add structured error codes (PLB-XXXX) with documentation links (692f9d4), closes #92

🐛 Bug Fixes

  • issues: Update issues urls and prefix (7ced522)

0.1.66 (2026-03-13)

🐛 Bug Fixes

  • analysis: Fix output that --failing-warnings exits with code 2 (2a23489)

0.1.65 (2026-03-13)

✨ Features

  • cmd: differentiate exit codes for compliance vs runtime errors (closes #61) (b07f2f8)

0.1.64 (2026-03-13)

✨ Features

  • controls: Add securityJobsMustNotBeWeakened control: (6dbad42)

🐛 Bug Fixes

  • dockerfile: Update builder image to remove vulns (7d620c9)

0.1.63 (2026-03-11)

0.1.62 (2026-03-11)

0.1.61 (2026-03-10)

✨ Features

🐛 Bug Fixes

  • control: Add doc and fix edge cases: (13359f7)

0.1.60 (2026-03-06)

0.1.59 (2026-03-06)

✨ Features

  • ci: Add openssf best practices (c99cc15)

0.1.58 (2026-03-06)

✨ Features

  • ci: Add go vuln checks and ask dependabot to update go deps (3e588c7)

0.1.57 (2026-03-05)

🐛 Bug Fixes

  • ci: Improve scorecard score: (c784ba6)
  • ci: Pin builder image (d8b88f9)

0.1.56 (2026-03-05)

🐛 Bug Fixes

  • ci: Ensure slsa3 attestation is uploaded (29a33c0)

0.1.55 (2026-03-05)

🐛 Bug Fixes

  • ci: Bump semantic release and upload artifact versions (26d81f9)

0.1.54 (2026-03-05)

🐛 Bug Fixes

  • ci: Allow slsa3 stage to write (fea8113)
  • ci: Make salsa upload artifacts before release (bff7fcb)

0.1.53 (2026-03-05)

✨ Features

  • ci: add SLSA 3 provenance, OpenSSF Scorecard, and security hardening (5dad4a3)

🐛 Bug Fixes

  • ci: Update versions and creds handling: (cb3477a)

0.1.52 (2026-03-04)

✨ Features

  • controls: Add unsafe variable expansion control for user-filled predefined variables (0f7ec72)

0.1.51 (2026-03-03)

✨ Features

  • controls: Add debug trace detection control (5e08b97), closes #86

🐛 Bug Fixes

  • rebase: Rebase on main and add spinner (20e8c63)

0.1.50 (2026-03-03)

✨ Features

  • cmd: Add progress spinner during analysis (80b1bad), closes #64

0.1.49 (2026-03-03)

✨ Features

  • ci: Replace trivy with grype (984286f)

0.1.48 (2026-03-03)

✨ Features

  • ci: Add dependabot (3480a77)
  • ci: Start adding test, lint, scan and pin versions by digest (ec77e70)

🐛 Bug Fixes

0.1.47 (2026-02-25)

✨ Features

  • controls: Add overridden component and templates issue & integration into pbom and cyclonedx (e970c27)

0.1.46 (2026-02-25)

✨ Features

  • cmd: Add --fail-warnings on the analyze and config validate commands (fbc5839)
  • cmd: validating config file before analysis (a1dc4bd)

♻️ Refactoring

  • cmd: extract config validation logic (db02f52)

0.1.45 (2026-02-25)

✨ Features

  • cmd: notify user when a newer version of plumber is available (deca33f), closes #39
  • version: async update check with opt-out (a1ef745)

🐛 Bug Fixes

  • release: Persist creds throughout release cycle (4483cf0)

0.1.44 (2026-02-19)

✨ Features

  • analyze: add --controls and --skip-controls control filtering (9a9aca0)

🐛 Bug Fixes

  • controls: Fix bug in controls parsing and swap around some functions and files (cdf0507)

0.1.43 (2026-02-18)

✨ Features

  • config: Add ValidateKnownKeys to warn on unknown config keys (4c33ca3), closes #58

🐛 Bug Fixes

  • config: Fix compilation issues + make validation recursive to test subkeys (405abe4)

0.1.42 (2026-02-17)

✨ Features

  • analysis: Add --mr-comment to create mr comments during analysis. Add --badge to create/update Plumber compliance badge when running on default remote branch (4cba483)

0.1.41 (2026-02-12)

✨ Features

  • local: Enable lint, validation and analysis of local .gitlab-ci.yml as well as local resolution of include: local types. (5a2a3aa)

0.1.40 (2026-02-12)

✨ Features

  • UX: Integrate the control pinned by digest inside the immutable one (87bd450)

0.1.39 (2026-02-12)

✨ Features

  • UX: If a control is missing from .plumber.yaml simply skip it instead of returning an error (3eec388)

0.1.38 (2026-02-12)

✨ Features

  • controls: add image digest pinning control (ea538a9)

🐛 Bug Fixes

  • control: Disable sha pin by default and update readme (1d24837)

0.1.37 (2026-02-11)

✨ Features

  • artifact: Add new concept: Pipeline Bill Of Materials (PBOM) and add cyclonedx output format support (7097605)

0.1.36 (2026-02-11)

✨ Features

  • conf: Add reference to examples in test file for required includes (a8ec829)

0.1.35 (2026-02-11)

🐛 Bug Fixes

  • detection: support SSH URL and Git protocol formats in remote auto-detection (8e162aa), closes #36

0.1.34 (2026-02-10)

✨ Features

  • control: Support Natural Language in pipeline inclusion for templates and components (59c4edd)

0.1.33 (2026-02-10)

🐛 Bug Fixes

  • branch: use correct SHA for ciConfig query when --branch is specified (1729084)

0.1.32 (2026-02-04)

✨ Features

  • control: Make component collection compatible with gitlab built-in components (532f071)

0.1.31 (2026-02-04)

✨ Features

  • control: Add 3 new controls (591a850)

0.1.30 (2026-02-03)

✨ Features

  • analysis: Allow auto-detection for gitlab url and project during analysis + update banner (e7a20e6)

0.1.29 (2026-02-03)

✨ Features

  • conf: Add conf view and move generate under conf (8e549e9)

0.1.28 (2026-02-02)

✨ Features

0.1.27 (2026-01-30)

✨ Features

  • ci: Run on ubuntu 24.04 instead of latest (b5473d2)

0.1.26 (2026-01-30)

✨ Features

  • brew: Test release 0.1.26 (1848d52)

0.1.25 (2026-01-30)

🐛 Bug Fixes

0.1.24 (2026-01-30)

✨ Features

  • brew: Enable automatic updating of brew tap formula repo upon new release (ead9860)

0.1.23 (2026-01-30)

✨ Features

  • conf: Correct dockerfile and release file (34263ec)

0.1.22 (2026-01-30)

✨ Features

  • conf: Allow conf generation with command (7390e76)

0.1.21 (2026-01-29)

✨ Features

  • analyze: Make conf and threshold optional (bf6a4df)

0.1.20 (2026-01-28)

✨ Features

  • license: Update license in readme to MPL-2.0 (4cbab86)

0.1.19 (2026-01-23)

🐛 Bug Fixes

  • bug: Cleanup some dead code (fa7e1ae)

0.1.18 (2026-01-23)

✨ Features

  • conf: Introduce priority and automatic detection of conf files (91ef31b)

0.1.17 (2026-01-23)

✨ Features

  • analysis: Revert CI_JOB_TOKEN (6c12fb5)

0.1.16 (2026-01-23)

🐛 Bug Fixes

  • analysis: If no controls ran (e.g., data collection failed), compliance is 0% - we can't verify anything (7ec0e72)

0.1.15 (2026-01-23)

✨ Features

  • component: Allow verbosity in component (b59015a)

0.1.14 (2026-01-23)

✨ Features

  • controls: Rename control outputs and config to make them more human-readable & Start using CI_JOB_TOKEN if in the CI (6669707)

0.1.13 (2026-01-22)

✨ Features

  • log: Improve logging experience (426bcf8)

0.1.12 (2026-01-22)

✨ Features

  • UX: Define default output file, add output json example (3dbfa1c)

0.1.11 (2026-01-22)

✨ Features

  • naming: Rename components to plumber, no need for the analyze suffix (53a0816)

0.1.10 (2026-01-22)

✨ Features

  • output: Improve readability of printed results (97d708f)

0.1.9 (2026-01-21)

🐛 Bug Fixes

  • build: Move release creation to after asset upload (bc96e39)

0.1.8 (2026-01-21)

✨ Features

  • build: Add platforms binary releases (01d9bfa)

0.1.7 (2026-01-19)

🐛 Bug Fixes

  • analysis: Fix bug where analyzed branch was being mistaken for branches to protect (afdd5f8)

0.1.6 (2026-01-19)

🐛 Bug Fixes

  • comment: Add timeout comment to client (15df3f0)

0.1.5 (2026-01-19)

🐛 Bug Fixes

  • component: Add full docker path to plumber as trusted (d7732c8)

0.1.4 (2026-01-19)

🐛 Bug Fixes

  • doc: Add plumber to trusted images (2a80e1a)

0.1.3 (2026-01-19)

🐛 Bug Fixes

  • variables: Fix self referential variable (d5aa9a9)

0.1.2 (2026-01-19)

✨ Features

  • build: Move to alpine to make command customizable in CI (763bcf3)
  • release: Downgrade feat to patch (eb30e81)

0.2.0 (2026-01-19)

✨ Features

  • build: Move to alpine to make command customizable in CI (763bcf3)

0.1.1 (2026-01-19)

🐛 Bug Fixes

  • release: empty commit to trigger release and push (e8bd954)

0.0.1 (2026-01-19)

🐛 Bug Fixes

  • license: Update to use Elv2 license (01656d0)
  • naming: Fix further naming convention with plumber (3389f25)
  • naming: Rename to plumber and disable majors (f442113)