v1.1.4

What's Changed

• Reworked Refs Resolution by @SUSTAPLE117 in #423
• feat(config): discover .github/poutine.yml as a config path by @graelo in #424

New Contributors

• @graelo made their first contribution in #424

Full Changelog: v1.1.3...v1.1.4

v1.1.3

Changelog for poutine v1.1.3 🎉

This release focuses on core engine improvements, stability fixes, and modernization of the toolchain. The biggest shift is the move away from exec-based Git operations toward a fully in-memory model using go-git, along with improved resiliency and observability during analysis.

---

Major Improvements 🌟🌟

• ⚡ In-Memory Git with go-git v6: Replaced exec-based Git operations with go-git using in-memory storage. This significantly improves performance, portability, and reduces reliance on system binaries, by @SUSTAPLE117.
  (#400)

• 🛡️ Resilient Repository Batch Fetching: Improved robustness of repository batch fetching, reducing failures during large-scale analysis operations, by @SUSTAPLE117.
  (#399)

• 📊 Analysis Progress Monitoring Improvements: Enhanced visibility into analysis progress, making long-running operations easier to track and debug, by @SUSTAPLE117.
  (#419)

---

Improvements 🔧

• 🧪 Snapshot Testing Added: Introduced snapshot testing to improve regression detection and testing confidence, by @SUSTAPLE117.
  (#401)

• ⚙️ Go 1.26 Upgrade + Dependency Refresh: Upgraded to Go 1.26 and refreshed dependencies for improved performance and compatibility, by @SUSTAPLE117.
  (#412)

• 🔐 Improved Rule Handling for GitHub Actions: Configured skip actions to be ignored for the github_action_from_unverified_creator_used rule, improving rule accuracy, by @mbarbero.
  (#398)

• 📦 Goreleaser Configuration Updates: Updated release configuration and tooling for improved build and distribution workflows, by @SUSTAPLE117.
  (#417), (#418)

---

Bug Fixes 🐛

• 🐳 Docker Image Parsing Fixes: Fixed issues with Docker image parsing and purl generation, by @SUSTAPLE117.
  (#413)

• 📄 YAML Parsing Fixes: Resolved YAML parsing errors affecting analysis reliability, by @SUSTAPLE117.
  (#414)

• 🔑 GitHub Fine-Grained PAT Compatibility: Fixed organization repository listing failures when using fine-grained tokens without Issues:Read, by @fproulx-boostsecurity.
  (#415)

• 🧾 SARIF Taxonomy GUID Fix: Corrected SARIF taxonomy GUID issues to ensure proper report compatibility, by @SUSTAPLE117.
  (#416)

---

Dependency Updates ⬆️

GitHub Actions

• Updated github/codeql-action from 3.30.5 to 4.31.2. (#370)
• Updated ossf/scorecard-action from 2.4.2 to 2.4.3. (#371)
• Updated step-security/harden-runner from 2.13.0 to 2.13.1. (#375)
• Updated actions/upload-artifact from 4.6.2 to 5.0.0. (#376)
• Updated actions/setup-go from 5.5.0 to 6.4.0. (#403)
• Updated goreleaser/goreleaser-action from 6.4.0 to 7.0.0. (#411)
• Updated actions/deploy-pages from 4.0.5 to 5.0.0. (#410)
• Updated actions/checkout from 5.0.0 to 6.0.2. (#408)
• Updated sigstore/cosign-installer across versions 3.9.2 → 4.0.0 → 4.1.1. (#377), (#405)

Go Modules

• Updated gitlab.com/gitlab-org/api/client-go from 0.151.0 to 0.157.1. (#369)
• Updated github.com/open-policy-agent/opa from 1.9.0 to 1.10.0. (#372)
• Updated github.com/mark3labs/mcp-go from 0.41.1 to 0.42.0. (#373)
• Updated golang.org/x/oauth2 from 0.31.0 to 0.32.0. (#374)
• Updated golang.org/x/crypto from 0.42.0 to 0.45.0. (#380)

---

Full Changelog 📜

For a detailed view of all changes, see the full changelog.

v1.1.2

What's Changed

• build(deps): bump gitlab.com/gitlab-org/api/client-go from 0.151.0 to 0.157.1 by @dependabot[bot] in #369
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #370
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #371
• build(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.0 by @dependabot[bot] in #372
• build(deps): bump github.com/mark3labs/mcp-go from 0.41.1 to 0.42.0 by @dependabot[bot] in #373
• build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #375
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #376
• build(deps): bump sigstore/cosign-installer from 3.9.2 to 4.0.0 by @dependabot[bot] in #377
• build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #374
• build(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 in the go_modules group across 1 directory by @dependabot[bot] in #380
• Add Resiliency to Repo Batch Fetch by @SUSTAPLE117 in #399
• Configured 'skip' actions for rule 'github_action_from_unverified_creator_used' are ignored by @mbarbero in #398
• Add Snapshot Testing by @SUSTAPLE117 in #401
• build(deps): bump actions/setup-go from 5.5.0 to 6.4.0 by @dependabot[bot] in #403
• build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 by @dependabot[bot] in #405
• build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by @dependabot[bot] in #411
• build(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 by @dependabot[bot] in #410
• feat: replace exec-based git with go-git v6 in-memory storage by @SUSTAPLE117 in #400
• Go 1.26 + Deps Upgrade by @SUSTAPLE117 in #412
• fix docker image parsing and purls by @SUSTAPLE117 in #413
• Fix Yaml Parse Errors by @SUSTAPLE117 in #414
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @dependabot[bot] in #408
• fix(github): org repo listing fails with fine-grained PATs lacking Issues:Read by @fproulx-boostsecurity in #415
• Fix SARIF Taxonomy GUID by @SUSTAPLE117 in #416
• Updated Goreleaser Config by @SUSTAPLE117 in #417
• updated goreleaser version by @SUSTAPLE117 in #418

Full Changelog: v1.0.8...v1.1.2

v1.0.8

What's Changed

• Use case-insensitive matching for Git error "Not a valid object name" by @mdferdousalam in #389
• Add --fail-on-violation flag to exit non-zero when violations are detected by @mbarbero in #392
• Fix SARIF formatter silently dropping findings from build dependencies by @mbarbero in #393

New Contributors

• @mdferdousalam made their first contribution in #389
• @mbarbero made their first contribution in #392

Full Changelog: v1.0.7...v1.0.8

v1.0.7

What's Changed

• Add more structured metadata fields for programmatic access of LOTP targets by @fproulx-boostsecurity in #386

Full Changelog: v1.0.6...v1.0.7

v1.0.6

What's Changed

• Add structured metadata fields to findings for programmatic access by @fproulx-boostsecurity in #385

Full Changelog: v1.0.5...v1.0.6

v1.0.5

What's Changed

• Add GHSA-pwf7-47c3-mfhx to OSV advisories database by @kawsarahmedbhuiyan in #381
• Add ubuntu-slim as built-in GitHub Actions runner by @Copilot in #383
• Fix SARIF validation errors for GitHub CodeQL upload by @Copilot in #384

New Contributors

• @kawsarahmedbhuiyan made their first contribution in #381

Full Changelog: v1.0.4...v1.0.5

v1.0.4

What's Changed

• Add Boost Sarif Metadata by @SUSTAPLE117 in #367

Full Changelog: v1.0.3...v1.0.4

v1.0.2

What's Changed

• Add support for embedding custom Rego rules (library and CLI) by @fproulx-boostsecurity in #355
• Support --allowed-rules filtering with MCP server by @Copilot in #358
• Add documentation for custom Rego rules by @Copilot in #363
• Fix Sarif Output Git URL by @SUSTAPLE117 in #365
• Add test coverage for GitHub Actions YAML 1.2 anchor support by @fproulx-boostsecurity in #362
• Document skip configuration for acknowledging findings by @Copilot in #364

New Contributors

• @Copilot made their first contribution in #358

Full Changelog: v1.0.1...v1.0.2

v1.0.1

Changelog for poutine v1.0.1 🎉

We’re thrilled to announce the release of poutine v1.0.1 — marking a major milestone in the project’s evolution! This version introduces powerful new MCP capabilities, enhanced developer experience, and several dependency updates to keep everything running smoothly.

Major New Features 🌟🌟

• 🧠 Model Context Protocol (MCP) Integration: Introduced full MCP support, including a new Poutine MCP Server, local analysis capabilities, and comprehensive setup instructions. This integration enables seamless interoperability with external tools and automation workflows. Implemented by @SUSTAPLE117.

  • [#346 – Add Poutine MCP Server](#346)
  • [#352 – Add Analyze Local to MCP](#352)
  • [#354 – Add MCP Instructions](#354)

Improvements 🔧

• 🪶 Pretty Print Summary Table: Improved summary table formatting to display neatly even when no results are found, ensuring a cleaner CLI experience, by @SUSTAPLE117. ([#316](#316))
• 🚀 Upgraded to Go 1.25 + Dependency Bumps: Updated to Go 1.25 and refreshed several Go module dependencies for better stability and performance, by @SUSTAPLE117. ([#353](#353))
• 🧰 Batch Go Dependency Updates: Modernized core dependencies across the project for enhanced compatibility and security, by @fproulx-boostsecurity. ([#332](#332))

Dependency Updates ⬆️

GitHub Actions

• Updated ossf/scorecard-action from 2.4.1 to 2.4.2. ([#312](#312))
• Updated step-security/harden-runner from 2.11.0 to 2.13.0. ([#311](#311)), ([#331](#331))
• Updated github/codeql-action from 3.28.16 to 3.30.5. ([#310](#310)), ([#330](#330)), ([#351](#351))
• Updated actions/dependency-review-action from 4.6.0 to 4.8.0. ([#309](#309)), ([#350](#350))
• Updated actions/setup-go from 5.4.0 to 5.5.0. ([#308](#308))
• Updated actions/checkout from 4.2.2 to 5.0.0. ([#342](#342))
• Updated actions/upload-pages-artifact from 3.0.1 to 4.0.0. ([#341](#341))
• Updated goreleaser/goreleaser-action from 6.3.0 to 6.4.0. ([#340](#340))
• Updated sigstore/cosign-installer from 3.8.2 to 3.9.2. ([#329](#329))
• Updated golangci/golangci-lint-action from 7.0.0 to 8.0.0. ([#320](#320))

Go Modules

• Updated gitlab.com/gitlab-org/api/client-go from 0.128.0 to 0.129.0. ([#306](#306))
• Updated github.com/open-policy-agent/opa from 1.4.2 to 1.5.0. ([#307](#307))
• Updated github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0. ([#334](#334))

Full Changelog 📜

For a detailed view of all changes, see the [full changelog](v0.18.0...v1.0.0).