Releases: google/osv-scalibr

v0.4.5

10 Mar 09:30

  • New secret detectors: Supabase credentials, Packagist credentials, Discord bot tokens, Bitwarden OAuth2 access tokens
  • New vulnerability detector: PAM misconfigurations
  • New software extractors: NuGet .csproj, Spack packages
  • Improved accuracy and test coverage of various secret detectors
  • GKE image-streaming support in the containerd extractor
  • Started migration of inventory locations to a more structured format
    • This release only includes proto changes. The next release will bump a major version and remove the old locations fields in favor of the new structured ones.

v0.4.4

23 Feb 12:43

  • New extractors: QEMU disk images, opam, Bazel Maven dependencies
  • New secret detectors: Square API creds, Salesforce creds, SendGrid API key, Deno PAT, Heroku Platform API Key, npmjs Registry Access Token, Cloudflare API token
  • Fixed the StoreAbsolutePath ScanConfig option to work with annotators + enrichers

v0.4.3

09 Feb 16:01

  • New secret scanners: OpenRouter key, base64-encoded GitHub PATs, PayStack secret, Telegram Bot API key, Cursor API key, Elastic Cloud API key, Salesforce OAuth2 Client Credential / Access Token / Refresh Token, Mistral API Key, CircleCI Personal Access Token and Project Access Token
  • New extractor: Mise tools
  • New detectors: NetScaler CVE-2025-7775, Cron job privesc vulns
  • New annotators: Homebrew source metadata
  • More comprehensive testing for secret detectors
  • Migrated extractors to use global proto for configuration
  • --unsafe flag for enabling potentially unsafe plugins

v0.4.2

12 Jan 12:59

  • New secret extractor for Bitbucket and Amazon CodeCommit git basic auth URLs
  • Rust reachability annotation migrated from OSV-Scanner
  • New extractor for Chocolatey packages (Windows)
  • Deps.dev API usage for pomxml dependency resolution

v0.4.1

15 Dec 12:57

  • New secret detectors: AWS access token, Recaptcha secret key, pyx v1/v2 user key, Amazon CodeCatalyst, generic JWT
  • Go source reachability enrichment using Govulncheck
  • Support for more assignment patterns in the .gemspec extractor
  • Support for BellSoft/Alpaquita OS packages
  • Fixes: Correct the COS os-duplicate annotator behavior, avoid duplicate inventories when traversing multiple ScanRoots
  • Include PackageVulns in output proto

v0.4.0

19 Nov 12:07

  • Global plugin config: Plugins can now be configured through a unified flag from the CLI and proto field from the library
    • Using e.g. --plugin-config=max_file_size_bytes:10000000 --plugin-config=go_binary:{version_from_content:true}
    • Migration for all plugins to use this setup is still in progress
    • This adds a new plugin config param to the list.go plugin initializers (list.FromNames()) and is thus a breaking change for current list.go API users
  • New secret scanners: MariaDB creds, MySQL mylogin.cnf creds, VAPID keys
  • Guided Remediation support for Python projects managed with Pipenv
  • Enricher that adds package deprecation information: -plugins=packagedeprecation/depsdev
  • Annotator for DPKG package sources: -plugins=misc/dpkg-source

v0.3.6

21 Oct 08:59

  • New extractors: K8s images, .node-version, pylock.toml, VirtualBox disk images, openEuler support in RPM extractor
  • New secret detectors: 1Password, Postgres pgpassfile, crates.io API token
  • Package licenses now surfaced in the SPDX output
  • Per-file error reporting in scan results

v0.3.5

08 Oct 11:05

  • New extractors: docker-compose images, nvm packages
  • New secret detectors: Stripe API keys, GCP OAuth2 access tokens, GitHub tokens, Slack tokens, Azure storage account access keys
  • Guided remediation: Support for pyproject.toml to relax strategy
  • --extractor-override flag which forces specific extractors to run on specific file patterns

v0.3.4

22 Sep 12:07

  • New secret detectors: DigitalOcean API keys, OpenAI project keys, Tink plaintext keysets, GitLab PAT, HashiCorp Vault+App tokens, GitHub app refresh tokens
    • See the docs for an overview of all currently supported secret types.
  • Luarocks software extractor
  • Secret detection+validation can now be enabled individually with e.g. --plugins=secrets/gcpsak,secrets/gcpsakvalidate
  • Support fetching Maven dependencies from Artifact Registry
  • Improvements to semantic version comparison

v0.3.3

08 Sep 12:45

  • Vulnerability matching on Extracted packages with OSV.dev: Enable in the CLI with --plugins=vulnmatch/osvdev
  • Secret extractors with validation: Anthropic API keys, Perplexity API keys, Grok xAI API keys, Docker Hub PAT, private keys
  • Inventory extractors: MacPorts, Winget, asdf package manager, Nimble
  • Vuln detectors: Docker Socket Exposure

Thanks to all Patch Reward Program participants for the new plugins!

If you're interested in contributing through the PRP yourself and earning rewards, check out https://bughunters.google.com/about/rules/open-source/6436351477940224/osv-scalibr-patch-rewards-program-rules