Releases: bomly-dev/bomly-cli
Release list
v0.16.0
What's Changed
- feat(cli): rename `plugin` command to `plugins` (keep `plugin` alias) by @bomly-guy in #224
- feat: rename `--container` scan flag to `--image` (keep `--container` alias) by @bomly-guy in #205
- ci: upload SLSA provenance by release ID, not via the generator's auto-upload by @bomly-guy in #225
Full Changelog: v0.15.4...v0.16.0
Release artifacts
- Full builtin `bomly` archives for Linux, macOS, and Windows.
- Alternate `bomly-lite` archives for users who prefer external Syft and Grype binaries.
- Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
- Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
- SHA256SUMS for release artifact verification, signed keylessly with cosign (SHA256SUMS.sigstore.json).
- SLSA Build Level 3 provenance (multiple.intoto.jsonl) generated by slsa-github-generator.
Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. See Verify release checksums for signature and provenance verification commands.
v0.15.3
What's Changed
- build(deps): bump github.com/anchore/syft from 1.45.1 to 1.46.0 by @dependabot[bot] in #210
- build(deps): bump golang.org/x/vuln from 1.4.0 to 1.5.0 by @dependabot[bot] in #211
- build(deps): bump github.com/mark3labs/mcp-go from 0.55.0 to 0.55.1 by @dependabot[bot] in #214
- build(deps): bump github.com/anchore/grype from 0.114.0 to 0.115.0 by @dependabot[bot] in #213
- docs: add GitHub release downloads badge to README by @bomly-guy in #215
- ci: harden workflows for OpenSSF Scorecard by @bomly-guy in #217
- Harden plugin path handling by @bomly-guy in #216
- test: update smoke golden files by @github-actions[bot] in #218
- Ignore testdata in broad scanner walks by @bomly-guy in #219
- ci: pin pip installs by hash to clear Scorecard Pinned-Dependencies by @bomly-guy in #220
- Export-ignore testdata for Scorecard archives by @bomly-guy in #221
- ci: sign releases with cosign and generate SLSA provenance by @bomly-guy in #222
Full Changelog: v0.15.2...v0.15.3
Release artifacts
- Full builtin `bomly` archives for Linux, macOS, and Windows.
- Alternate `bomly-lite` archives for users who prefer external Syft and Grype binaries.
- Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
- Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
- SHA256SUMS for release artifact verification, signed keylessly with cosign (SHA256SUMS.sigstore.json).
- SLSA Build Level 3 provenance (multiple.intoto.jsonl) generated by slsa-github-generator.
Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. See Verify release checksums for signature and provenance verification commands.
v0.15.2
What's Changed
- fix(plugin): retry GitHub release fetch anonymously on stale token by @bomly-guy in #207
- Show persisted findings in diff text output by @bomly-guy in #208
- Improve Java readiness checks for JVM scans by @bomly-guy in #209
Full Changelog: v0.15.1...v0.15.2
Release artifacts
- Full builtin `bomly` archives for Linux, macOS, and Windows.
- Alternate `bomly-lite` archives for users who prefer external Syft and Grype binaries.
- Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
- Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
- SHA256SUMS for release artifact verification.
Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. GitHub-native artifact attestations are planned for a future release.
v0.15.1
What's Changed
- Publish Bomly via Homebrew formula instead of cask by @bomly-guy in #206
Full Changelog: v0.15.0...v0.15.1
Release artifacts
- Full builtin `bomly` archives for Linux, macOS, and Windows.
- Alternate `bomly-lite` archives for users who prefer external Syft and Grype binaries.
- Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
- Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
- SHA256SUMS for release artifact verification.
Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. GitHub-native artifact attestations are planned for a future release.
v0.15.0
First public release
This release marks the first public, supported release of Bomly CLI.
Earlier pre-public releases and tags were used while the CLI’s packaging, installation, and distribution paths were being finalized. Those releases have been retired so the project can begin its public version history from a clean, intentional baseline.
From this release forward, Bomly CLI will follow a stable public versioning history across GitHub Releases and supported package/distribution channels. Users should install this release as the first supported public version and track future releases from here.
What's Changed
- feat: add bomly mcp serve — MCP server for AI agent integration by @bomly-guy in #10
- [codex] Add native NuGet, Cargo, pub, and CocoaPods detectors by @bomly-guy in #11
- [codex] Add native Mix, Conan, SwiftPM, and sbt detectors by @bomly-guy in #12
- test: update smoke golden files by @bomly-guy in #13
- Refactor CLI rendering and scan runtime packages by @bomly-guy in #14
- refactor: consolidate config loading into internal/config and reduce boilerplate by @bomly-guy in #20
- build(deps): bump github.com/mark3labs/mcp-go from 0.50.0 to 0.51.0 by @dependabot[bot] in #15
- build(deps): bump google.golang.org/grpc from 1.79.3 to 1.81.0 by @dependabot[bot] in #16
- build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 by @dependabot[bot] in #17
- build(deps): bump github.com/anchore/grype from 0.111.1 to 0.112.0 by @dependabot[bot] in #18
- feat: replace ComponentType with DetectorOrigin + DetectorTechnique by @bomly-guy in #21
- refactor: CLI command context and resolution by @bomly-guy in #22
- refactor: pipeline orchestration into engine packages by @bomly-guy in #23
- Remove unused pipeline process stage by @bomly-guy in #26
- cleaning up selector package by @bomly-guy in #27
- Shorten GitHub Actions artifact retention by @bomly-guy in #28
- test: update smoke golden files by @bomly-guy in #29
- Make auto version workflow manual by @bomly-guy in #31
- Upgrade Go and reduce CI validation minutes by @bomly-guy in #33
- [codex] Upgrade Go and golangci-lint by @bomly-guy in #34
- Add dependency graph QA workflow by @bomly-guy in #36
- build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in the go_modules group across 1 directory by @dependabot[bot] in #37
- Improve native detector QA baselines by @bomly-guy in #43
- build(deps): bump astral-sh/setup-uv from 5 to 7 by @dependabot[bot] in #38
- build(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @dependabot[bot] in #39
- build(deps): bump github.com/mark3labs/mcp-go from 0.51.0 to 0.52.0 by @dependabot[bot] in #40
- build(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 by @dependabot[bot] in #41
- Update smoke tests by @bomly-guy in #44
- build(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in #42
- test: update smoke golden files by @bomly-guy in #45
- Denormalize smoke tests outputs by @bomly-guy in #46
- test: update smoke golden files by @bomly-guy in #47
- Improve dependency graph resolution by @bomly-guy in #48
- test: update smoke golden files by @bomly-guy in #49
- Add user-facing component docs by @bomly-guy in #57
- Improve detector progress and debug logging by @bomly-guy in #58
- feat(sdk): add PackageLocation.Position + wire gomod and pip detectors by @bomly-guy in #56
- feat(output): emit PackageLocation.Position in SARIF physicalLocation.region by @bomly-guy in #60
- Expand interactive scan UI by @bomly-guy in #59
- feat: reachability — confirm vulnerable code is actually reachable from app source by @bomly-guy in #62
- Refine interactive filters and target labels by @bomly-guy in #63
- Improve dependency ID resolution for hoisted packages by @bomly-guy in #64
- Refactor workflows for improved artifact handling and permissions by @bomly-guy in #65
- test: update smoke golden files by @bomly-guy in #66
- feat: enhance help command with examples and exit codes section by @bomly-guy in #67
- Enhance vulnerability enrichment handling in scan and explain commands by @bomly-guy in #68
- test: update smoke golden files by @bomly-guy in #69
- fix(diff): match manifests on path even when kind drifts by @bomly-guy in #70
- redesign diff output and auditing by @bomly-guy in #72
- docs: rewrite Bomly CLI docs and add Veracode-style per-detector pages by @bomly-guy in #71
- docs: split installation into its own page by @bomly-guy in #73
- build(deps): bump github.com/github/go-spdx/v2 from 2.4.0 to 2.7.0 by @dependabot[bot] in #78
- build(deps): bump astral-sh/setup-uv from 5 to 7 by @dependabot[bot] in #74
- build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.10.0 to 0.11.0 by @dependabot[bot] in #75
- build(deps): bump github.com/mark3labs/mcp-go from 0.52.0 to 0.54.0 by @dependabot[bot] in #76
- build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @dependabot[bot] in #77
- feat(diff): redesign interactive TUI with shared skeleton and richer tabs by @bomly-guy in #82
- feat: per-step progress lines with bubbles bars and accurate phases by @bomly-guy in #80
- Add markdown outputs and unified output flag by @bomly-guy in #81
- build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 in the go_modules group across 1 directory by @dependabot[bot] in #79
- [codex] Dogfood Bomly review action by @bomly-guy in #83
- [codex] Enrich diff markdown and SARIF outputs by @bomly-guy in #84
- Fix bundled Grype matcher readiness by @bomly-guy in #86
- Focus diff Markdown policy findings by @bomly-guy in #87
- feat(plugin): add test and doctor health commands by @bomly-guy in #88
- Scope diff audits to changed dependencies by @bomly-guy in #90
- Enrich grype vulnerability details by @bomly-guy in #91
- fix(auditors): skip typosquat check for version-bumped packages by @bomly-guy in #92
- build(deps): bump github.com/containerd/containerd/v2 from 2.2.2 to 2.2.4 in the go_modules group across 1 directory by @dependabot[bot] in #89
- Expose reachability in report outputs by @bomly-guy in #93
- Fix plugin list smoke assertion by @bomly-guy in #94
- test: update smoke golden files by @bomly-guy in #95
- feat(matchers): add OpenSSF Scorecard matcher by @bomly-guy in #97
- feat(tui): tab 7 keybind, Enter-to-focus details, group Posture by check by @bomly-guy in #98
- [codex] Add shared HTTP proxy and plugin config support by @bomly-guy in #100
- Add json output shortcut by @bomly-guy in #99
- Redact proxy and plugin config secrets by @bomly-guy in #102
- Polish json shortcut docs by @bomly-guy in https://github.com/bomly-dev/bomly-...