Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.2.45 (2026-05-03)

Bug Fixes

0.2.44 (2026-05-03)

Bug Fixes

Performance Improvements

Documentation

0.2.43 (2026-05-01)

Bug Fixes

Documentation

Bug Fixes

  • detect nested brace-format lookups that reach tracked defaultdict factories
  • avoid str.format picklescan false positives when a ChainMap shadows a defaultdict
  • block statistics.quantiles call-iterator consumption in picklescan call-graph analysis
  • block additional eager statistics consumers in picklescan call-graph analysis
  • avoid picklescan false positives for inert metadata under dangerous dotted globals
  • preserve path-sensitive scan results while hashing duplicate directory contents
  • correct analysis suspiciousness scoring and alias-aware semantic risk handling
  • harden detector heuristics against comment padding, byte-backed credentials, unmarked Python blobs, and spoofed network context
  • fail closed when bounded scanner windows leave relevant model content uninspected
  • fail closed when TorchServe MAR limits leave manifest-referenced payloads unscanned
  • recurse into nested ZIP members inside PyTorch archives and fail closed when compression-ratio guards leave members unscanned
  • preserve large Office-like ZIPs when prefilter inspection is incomplete
  • fail closed when directory scans stop at the total-size budget
  • restrict Hugging Face bookkeeping filename skips to recognized cache layouts
  • preserve unsuccessful child results after scan-result merges
  • preserve supported payloads hidden behind default directory-skip names
  • use bounded raw Jinja fallback windows and fail closed when PyYAML is unavailable for YAML template configs
  • let extensionless file scanners participate in local file selection so supported extensionless Llamafiles do not fall through to clean unknown results
  • fail closed when PyTorch ZIP tensor-metadata validation can only inspect a bounded pickle prefix or cannot complete member analysis
  • preserve and scan concatenated compressed-wrapper member boundaries so a benign first member cannot hide later malicious payloads

0.2.42 (2026-04-27)

Bug Fixes

  • require latest picklescan release (a0237a7)

0.2.41 (2026-04-27)

Bug Fixes

  • ci: skip POSIX proof cases on Windows (#1072) (bfa17a3)
  • docker: add apt-get clean and pinned pip constraints to Dockerfile.tensorflow (#1079) (8d9f9b7)
  • harden picklescan call graph RCE detection (#1061) (19c4fc4)
  • harden picklescan stdlib callable detection (f0f57b4)
  • improve test isolation, reduce duplication, and fix command injection risk in test suite (#1078) (3867c83)
  • picklescan: avoid call-graph false positives for PyTorch storage IDs (#1069) (e75ed24)
  • silence stale CodeQL generated import alerts (#1080) (9530740)
  • telemetry: stabilize modelaudit identity (#1071) (592a656)

Documentation

0.2.40 (2026-04-17)

Bug Fixes

  • add manual release recovery path (aeea2da)
  • avoid duplicate manylinux compatibility tag (412677f)
  • persist manylinux picklescan artifacts (346bb3f)

0.2.39 (2026-04-17)

Bug Fixes

0.2.38 (2026-04-17)

Features

Bug Fixes

Performance Improvements

Documentation

Added

  • security: inspect non-canonical SavedModel root siblings for suspicious executable-like content
  • security: detect bare-string Lua require "module" loads in Torch7 artifacts
  • security: keep trusted NeMo namespaces from suppressing suspicious Hydra _target_ leaf names
  • security: fail closed when NeMo archives contain no analyzable config files
  • security: analyze GGUF-embedded chat templates through the Jinja scanner while preserving GGUF scanner ownership
  • security: run JAX checkpoint analysis for JAX-like pickle payloads that stay on the primary pickle scanner path
  • security: detect mailcap.findmatch pickle call targets that can execute attacker-controlled mailcap test commands on Python versions that still provide mailcap
  • security: detect setuptools._distutils.spawn.spawn pickle call targets that can execute attacker-controlled subprocess command lists when setuptools is installed
  • security: detect pipes.Template pickle call targets that can execute attacker-controlled shell pipelines on Python versions that still provide pipes
  • security: resolve module-level bound-method aliases and same-module constructor call paths in pickle call-graph analysis so process-dispatch wrappers are blocked
  • security: resolve dangerous six.moves compatibility aliases, including vendored six copies, in pickle call-graph analysis so subprocess, pickle deserializer, and builtin execution wrappers are blocked
  • security: resolve constructor-default sink aliases assigned to instance attributes in pickle call-graph analysis so wrappers like Botocore credential process providers are blocked
  • security: resolve sink defaults forwarded through super().__init__ in pickle call-graph analysis so async credential process wrappers are blocked
  • security: resolve parameter-fed function-local class instance aliases in pickle call-graph analysis so wrapper functions like click.edit are blocked
  • security: resolve function-local import aliases in pickle call-graph analysis so wrappers that import RCE sinks inside function bodies are blocked
  • security: preserve callable invocation aliases when import-reference metadata is crowded, while ignoring uninvoked nested function and lambda bodies during pickle call-graph analysis
  • security: detect typing._eval_type pickle call targets that can evaluate attacker-controlled ForwardRef expressions
  • security: detect dataclasses._create_fn pickle call targets that can execute attacker-controlled generated Python source
  • security: detect typing.get_type_hints pickle call targets that can evaluate attacker-controlled annotation strings
  • security: detect public operator.call pickle call targets that can invoke attacker-controlled callables
  • security: detect builtins.map pickle call targets that can lazily invoke attacker-controlled callables when iterated
  • security: detect itertools.starmap pickle call targets that can lazily invoke attacker-controlled callables when iterated
  • security: detect builtins.filter pickle call targets that can lazily invoke attacker-controlled callables when iterated
  • security: detect types.MethodType pickle call targets that can synthesize attacker-controlled bound methods for later invocation
  • security: detect types.DynamicClassAttribute.__get__ pickle call targets that can invoke attacker-controlled descriptor getters
  • security: detect functools.cached_property.__get__ pickle call targets that can invoke attacker-controlled cached-property getters
  • security: detect functools.cmp_to_key pickle call targets that can invoke attacker-controlled comparators during rich comparison
  • security: detect logging.Filterer.filter pickle call targets that can invoke attacker-controlled logging filter callbacks
  • security: detect inspect.getmembers pickle call targets that can invoke attacker-controlled descriptors during introspection
  • security: detect builtins.hasattr pickle call targets that can invoke attacker-controlled descriptors during attribute-existence checks
  • security: detect __del__ finalizer string seeds that can execute attacker-controlled methods when pickle-built objects are dropped
  • security: detect __eq__ rich-comparison string seeds that can execute attacker-controlled methods during equality checks
  • security: detect __lt__, __le__, __gt__, __ge__, and __ne__ rich-comparison string seeds that can execute attacker-controlled methods during ordering checks
  • security: detect __contains__ membership string seeds that can execute attacker-controlled methods during containment checks
  • security: detect __setitem__ item-assignment string seeds that can execute attacker-controlled methods during item mutation
  • security: detect __getitem__ and __delitem__ item-protocol string seeds that can execute attacker-controlled methods during item access
  • security: detect binary arithmetic and bitwise dunder string seeds that can execute attacker-controlled methods during operator dispatch
  • security: detect reflected and in-place binary operator dunder string seeds that can execute attacker-controlled methods during operator dispatch
  • security: detect unary operator dunder string seeds that can execute attacker-controlled methods during operator dispatch
  • security: detect context-manager entry dunder string seeds and contextlib.ExitStack.enter_context pickle call targets that can invoke attacker-controlled __enter__ methods
  • security: detect iteration protocol dunder string seeds that can execute attacker-controlled methods during builtin iteration dispatch
  • security: detect numeric rounding protocol dunder string seeds that can execute attacker-controlled methods during rounding helper dispatch
  • security: detect descriptor setup and numeric coercion dunder string seeds that can execute attacker-controlled methods during class creation
  • security: detect presentation and size protocol dunder string seeds that can execute attacker-controlled methods during common builtin dispatch
  • security: detect PathLike __fspath__ dunder string seeds that can route attacker-controlled paths into file APIs during pickle loading
  • security: detect direct pickle calls to stdlib file-write sinks such as pathlib.Path.write_text, io.open, and _io.FileIO
  • security: detect pickle calls to logging file handlers and emit/handle dispatch methods that can write attacker-controlled startup hooks
  • security: detect pickle calls to argparse.FileType and high-level logging stream dispatch methods that can write attacker-controlled startup hooks
  • security: detect pickle calls to NumPy text writers that can write attacker-controlled startup hooks
  • security: detect pickle calls to python-dotenv key writers that can write attacker-controlled startup hooks
  • security: detect pickle globals whose Python call graph reaches known RCE-capable source primitives such as os.execvpe
  • security: detect pickle globals whose Python call graph pairs file-open and file-write wrappers that can create executable startup hooks
  • security: resolve pickle-imported Python class globals through bounded constructor and object-method call graph entrypoints
  • security: detect public io.FileIO and io.TextIOWrapper.write aliases for blocked _io file-writing primitives
  • security: detect builtin namespace dictionary access that can recover blocked primitives through mapping lookups
  • security: detect dotted pickle global aliases that resolve to blocked source primitives such as os.system
  • security: detect concrete pathlib path writer aliases and module namespace dictionary recovery for modules with blocked globals
  • security: detect module namespace and __builtins__ access used for dynamic builtin recovery
  • security: detect string.Formatter.get_field pickle call targets that can traverse attacker-controlled field expressions into callable objects
  • security: detect unittest.mock._get_target pickle call targets that can manufacture delayed pkgutil.resolve_name resolver partials
  • security: detect descriptor getter pickle call targets that can bind recovered function descriptors and expose builtin namespaces
  • security: detect wrapper and method descriptor getter pickle call targets that can bind recovered slot wrappers for dynamic attribute access
  • security: detect global references to attribute-access and function namespace source methods used for dynamic builtin recovery
  • security: detect object subclass enumeration globals that can recover loaded process capabilities without direct imports
  • security: detect garbage collector object-graph globals that can recover hidden namespaces and loaded process capabilities
  • security: detect frame-introspection globals and frame namespace descriptor getters used for dynamic builtin recovery
  • security: detect callable __call__ aliases of blocked pickle globals used to invoke hidden RCE source primitives
  • security: detect wrapper __get__ and __self__ aliases of blocked pickle globals used to recover hidden RCE source primitives
  • security: detect attribute aliases under blocked pickle global prefixes used to recover hidden RCE source primitives
  • security: detect pickle calls to PyYAML unsafe loaders that can execute attacker-controlled Python constructors
  • security: detect pickle calls to codecs.open and codec stream writes that can write attacker-controlled startup hooks
  • security: detect pickle calls to durable tempfile creation and CSV DictWriter row dispatch that can write attacker-controlled startup hooks
  • security: detect pickle calls to mailbox single-file add dispatch methods that can write attacker-controlled startup hooks
  • security: detect pickle calls to _tkinter Tcl interpreter dispatch methods that can execute local commands
  • security: detect high-level tkinter.Misc pickle call targets that can forward attacker-controlled commands into Tcl interpreter dispatch
  • security: detect pickle calls to _xxsubinterpreters.run_string that can execute attacker-controlled Python source
  • security: detect builtins.staticmethod pickle call targets that can synthesize callable descriptors for later invocation
  • security: detect builtins.property.__get__ pickle call targets that can invoke attacker-controlled property getters during descriptor access
  • security: detect builtins.classmethod.__get__ pickle call targets that can synthesize attacker-controlled bound methods during descriptor access
  • security: detect _functools.partial pickle call targets that can synthesize private-alias partial callables for later invocation
  • security: detect _functools.reduce pickle call targets that can invoke attacker-controlled reducer callables through the private CPython alias
  • security: detect functools.cache, functools.lru_cache, and functools.singledispatch pickle call targets that can synthesize callable wrappers around attacker-controlled functions for later invocation
  • cli: add scanner selection with --scanners, --exclude-scanner, and --list-scanners wired into core routing, nested dispatch, remote prefilters, and scan metadata; selection-suppressed preferred scanners emit a stderr warning and populate scanner_selection.suppressed_preferred_scanner_ids, and unknown scanner names suggest the closest match
  • pickle: replace the standalone pickle scanner's package-engine selector with the Rust-only runtime and explicit native-extension errors
  • pickle: scan PyTorch ZIP checkpoint pickle members directly in the standalone pickle scanner
  • pickle: bundle the standalone modelaudit_picklescan API in the root modelaudit wheel and add source-tree coverage for the package boundary
  • tests: enable existing PaddlePaddle scanner tests in CI by adding test_paddle_scanner.py to the allowed test files list (Python 3.10/3.12/3.13)
  • security: detect CVE-2026-1669 Keras HDF5 external weight references in standalone .h5 and embedded .keras weights
  • security: detect CVE-2026-24747 PyTorch weights_only=True bypass via SETITEM/SETITEMS abuse and tensor metadata mismatch detection
  • security: detect CVE-2022-45907 PyTorch torch.jit.annotations.parse_type_line unsafe eval() injection (CVSS 9.8)
  • keras: detect CVE-2025-12058 StringLookup external vocabulary path loading in .keras configs (local file read / SSRF)

Changed

  • telemetry: persist ModelAudit distinct IDs in Promptfoo's global config format (creating ~/.promptfoo/promptfoo.yaml if absent and migrating any legacy ~/.modelaudit/user_config.json ID) and include isRunningInCi on analytics payloads, with presence-based detection for marker-style providers (TeamCity, CodeBuild, Bitbucket, Jenkins)
  • docs: align public README and compatibility guidance with supported Python 3.10-3.13, TensorFlow extra requirements, supported formats, and telemetry sanitization behavior
  • security: credit @mosebit for privately reporting a TensorRT native-code detection gap that helped harden native-code scanner coverage
  • security-policy: clarify when low-impact scanner coverage gaps may be closed without publishing a public advisory while still crediting reporters
  • pickle: increase Rust stream read chunks to reduce scan overhead on large file and archive-member inputs
  • pickle: store Rust byte stack operands as source spans instead of copied previews to reduce large-pickle scan overhead
  • pickle: skip no-seed raw-text and CVE fallback passes on clean Rust-complete pickle scans, tightening benign state-dict CLI performance while preserving targeted raw-detector positives
  • pickle: document and pin parse-incomplete tail suppression to trusted pickle boundaries without dangerous import references; parse failures with security findings or dangerous imports still fail closed
  • security: bump the optional ONNX dependency to 1.21.0rc3, which removes the vulnerable onnx.hub module flagged by CVE-2026-28500.

Rule Codes

  • pickle: preserve and document Rust pickle scanner mappings for SETITEM abuse (S209), copyreg extensions (S211), persistent IDs (S212), nested or encoded pickle payloads (S213), base64/hex/obfuscated encoded payloads (S601/S602/S604), structural tamper and incomplete analysis (S902), and the new pickle expansion denial-of-service rule (S214).
  • pickle: keep internal Rust finding codes such as STRUCTURAL_TAMPER and PICKLE_EXPANSION in pickle_rule_code details while exposing stable ModelAudit rule codes for dashboards, SARIF, suppression, and severity configuration.

Fixed

  • llamafile: stream marker detection across executable bodies so .exe wrappers with middle-only llamafile markers still route to the scanner
  • flax: keep explicit Flax/JAX checkpoint suffixes routed to the scanner when msgpack is unavailable so missing parser coverage fails closed
  • llamafile: fail closed when bounded embedded-payload scanning stops before covering the full executable
  • skops: require exploit-shaped structured loader nodes for CVE-2025-54412 and CVE-2025-54413 checks so inert prose, filenames, and valid loader nodes do not become critical findings
  • routing: require recognized ZIP signatures before classifying files or streaming previews as archives, so benign PK* near-matches stay unclassified
  • xgboost: avoid flagging inert feature_names metadata as executable JSON content.
  • pmml: avoid flagging benign ecosystem() prose as a system(...) call.
  • jax: avoid routing ajax near-matches as JAX checkpoint indicators.
  • security: fail closed on malformed nested XGBoost JSON structures that would otherwise skip booster or tree validation.
  • security: require the legacy XGBoost binary signature instead of accepting marker-shaped text payloads as valid .bst models.
  • security: validate late XGBoost trees instead of sampling only the first ten tree structures.
  • security: detect PaddlePaddle suspicious tokens that span the scanner's 1 MiB read boundaries.
  • routing: align manifest scanner routing with the manifest filenames and dedicated manifest-style suffixes declared by the registry.
  • security: detect strong executable headers in generic archive members even when the payload has no executable-looking suffix.
  • routing: preserve renamed OpenVINO and PMML XML models with long benign prologs during content-based directory filtering.
  • security: resolve compile-time string concatenation in archive-member getattr calls so high-risk targets like os.system cannot hide behind split literals
  • security: fail closed when routing recognizes a model format but no scanner is available to analyze it
  • security: fail closed when streaming scans only fall back to heuristic header checks, even if the remote file bytes were fully read
  • docs: narrow public scan-coverage wording so unsupported or merely discovered formats are not over-promised
  • analysis: keep exact dangerous literals visible even when surrounding bytes look like ML weights
  • analysis: stop attacker-controlled file and directory names from suppressing dangerous framework-pattern findings
  • security: detect dangerous marker-free Python source blobs through the public JIT path so disguised archive members are still analyzed
  • security: mark ONNX scans inconclusive when raw JIT/script or network detector analysis cannot complete instead of treating detector failures as clean passes.
  • security: run Jinja template analysis for manifest-owned configs that carry embedded chat-template fields.
  • pickle: detect stdlib filesystem probe and process-state callables such as pathlib metadata methods, decimal.setcontext, and gc.disable during pickle scans, while keeping local container mutations clean and covering public operator.setitem registry poisoning plus target-aware operator.imul warning-filter mutation.
  • pickle: detect public operator.setitem pickle calls, keep callable invocation aliases ahead of import-reference budget exhaustion, dedupe repeated invocation metadata before the reporting cap, preserve literal mapping-key shadowing through ChainMap, block deeply wrapped defaultdict factories, and avoid outer-function call-graph false positives from nested function and lambda bodies.
  • security: prevent HuggingFace whitelist provenance from downgrading active payload, CVE, traversal, executable, operational-error, or incomplete-coverage findings. Exemptions now cover S1xx code-execution primitives (S101-S115) and HIGH-severity S3xx network primitives (S301/S304/S305/S310), and the keyword fallback uses word-boundary matching so substrings like "executable" inside "ExecuTorch" no longer over-suppress legitimate downgrades.
  • security: scan generic ZIP/TAR/NPZ Python members and ZIP/TAR/NPZ executable members, including wildcard imports and callable rebindings while failing closed on malformed Python source. Findings carry accurate rule codes per risk category (S101 for os.system/os.popen, S103 for subprocess.*, S104 for eval/exec, S106 for __import__, S107 for importlib.import_module, S213 for pickle.load/pickle.loads) instead of a single catch-all, the ZIP path now honors max_mar_python_analysis_bytes for non-MAR Python members, and source bytes are parsed directly so PEP 263 encoding declarations are respected.
  • security: bound PyTorch ZIP JIT/network member reads (default 32 MiB per-member cap, configurable via max_jit_scan_member_bytes) and mark oversized or unreadable member coverage inconclusive. Oversize and read-failure events are aggregated into a single summary INFO check per kind (with per-member detail in details["entries"]) so adversarial archives cannot flood the checks list, duplicate-name entries are de-duplicated by ZipInfo identity rather than filename so the second of two same-name members is still analyzed, directory entries are skipped explicitly, and pickle members continue through the bounded JIT/network pass so padded payloads remain covered beyond the pickle scanner raw window.
  • security: detect hidden PyTorch ZIP pickle members even when a benign data.pkl is already present. The bounded-prefix sniff now always runs across unselected members (including extensionless payloads and files under data/<n>), fails closed with one aggregated INFO check if probe reads raise (was one check per failed member), and is mirrored in the standalone modelaudit-picklescan package so both code paths discover the same hidden payloads.
  • security: mark PyTorch ZIP scan timeouts inconclusive and unsuccessful instead of reporting complete coverage.
  • security: detect extensionless protocol-0/1 pickle members during 7-Zip nested archive probes.
  • pickle: restore ModelAudit nested-pickle findings from Rust standalone notices and keep network raw-detector coverage after native pickle findings
  • xgboost: route UBJSON-backed .bst models when version or booster markers appear after a large learner object, and route extensionless XGBoost UBJSON models via content sniffing (requires both the learner marker and a booster/model-param strong marker within the probe window).
  • telemetry: strip query strings, fragments, and URL userinfo from cloud model names and file-extension metadata
  • preserve S999 unknown-opcode mapping in generic rule fallback
  • docker: run the full parser image as a non-root appuser
  • onnx: mark weight-distribution analysis inconclusive when dependencies are missing or eligible tensors are external, oversized, or fail extraction
  • zip: enforce an aggregate uncompressed-size budget before extracting ZIP entries so split archive bombs cannot bypass per-entry limits
  • security: flag NeMo Hydra _target_ values that invoke ML deserialization loaders such as torch.load, joblib.load, Keras load-model APIs, and related pickle-backed helpers.
  • telemetry: replace free-form issue messages in telemetry issue fields with stable rule/CVE/type identifiers
  • security: route renamed TFLite FlatBuffers by magic bytes, enforce scanner file-size limits before model reads, and fail closed instead of propagating malformed structure traversal exceptions
  • onnx: fail closed on CRITICAL findings, detect PyFunc operators and Windows absolute external-data paths, validate external tensor slices with the current ONNX dtype API, and avoid Python-op substring false positives
  • tensorrt: route .trt engines, detect case-variant and UTF-16 suspicious strings, and avoid substring false positives in benign engine metadata
  • coreml: detect Python 3 command metadata, Windows and bundle-macro linked-model escapes, malformed custom-code protobuf blocks, and custom layers nested under pipeline wrappers while preserving safe-key metadata URL inspection
  • pmml: enforce max-file-size limits, inspect namespaced Extension/script tags, ignore DOCTYPE/ENTITY text inside XML comments/CDATA, avoid recursive text-walk crashes on deeply nested Extension trees, and fail closed when CRITICAL PMML findings are present
  • gguf: fall back to the GGUF spec default tensor-data alignment after rejecting invalid general.alignment metadata values
  • security: detect protocol 0/1 pickle streams hidden behind long separator gaps after an initial safe pickle stream
  • security: preserve failed status for malicious Skops CVE detections and avoid CVE-2025-54886 false positives on benign README/model-card text such as "download"
  • security: validate HuggingFace repo path components before cache path construction, revalidate HuggingFace cache freshness through the provider SDK, bound XGBoost JSON routing sniffing, redact signed cloud URLs from cache metadata, and default full-file scanner reads to bounded fail-closed limits
  • security: enforce Flax msgpack scanner file-size limits before full reads, scan trailing msgpack stream objects with a bounded object-count cap, downgrade benign container-like trailing-object findings to INFO, and preserve failed status when CRITICAL findings are reported
  • security: route .joblib files through the Joblib scanner, scan raw protocol-0/1 payloads directly, support gzip/bzip2/lzma/zlib wrappers with bounded output and trailing-data checks, preserve embedded Pickle finding locations, and fail closed on undecodable/trailing-wrapper errors
  • security: route ONNX protobuf payloads saved with a .pb suffix by content before TensorFlow protobuf extension fallback
  • security: detect direct getattr(module, "dangerous") handler calls in TorchServe MAR archives, parse conflicting duplicate manifests without silently downgrading hidden handlers, and suppress collision warnings for byte-identical duplicate manifests
  • security: recognize RAR archives and fail closed as unsupported coverage instead of skipping .rar files during directory scans
  • skops: fail closed when Skops archive limits, malformed archives, or bounded metadata reads leave CVE coverage incomplete, while preserving benign numeric-array payload scans
  • xgboost: fail closed on incomplete JSON, UBJ, binary-structure, pickle-spoof, and enabled-loader analyses while preserving core exit-code and cache semantics
  • security: route disguised ZIP and TAR members inside 7-Zip archives by bounded header probes while stopping probe reads at the per-member budget
  • security: reduce NeMo Hydra _target_ false positives by matching suspicious identifiers on token boundaries, preserve CVE-2025-23304 details on suspicious-target findings, and reject oversized YAML members before parsing
  • security: preserve skipped-suffix ZIP containers when Keras config-only structure or embedded model-like .bin members indicate scannable content
  • security: fail closed when oversized NeMo YAML prevents Hydra target analysis and scan malformed Jinja2 config fallbacks beyond the initial prefix window
  • security: detect protocol 0/1 pickle streams with trivial opcode prefixes even when STOP is followed by trailing junk, while preserving plain-text near-match rejection
  • security: detect protocol 0/1 pickle streams whose dangerous opcode appears after large trivial padding or after a non-trivial probe-boundary prelude, reject all-trivial no-STOP probe prefixes, and preserve rule codes across cached scan-result round trips
  • pickle: propagate standalone fallback parse and stream-read failures into merged scan success, preserve truncated .bin fail-closed behavior, reuse non-seekable stream spools for the legacy parity pass, clamp negative stream sizes, and reset post-budget scan state between reused scanner runs
  • pickle: align Rust pickle suspicious-string matching, protocol-0 text decoding, EOF-before-STOP handling, malformed argument diagnostics, parse-incomplete reports, warning dangerous-call adaptation, negative stream sizes, and compatibility finding promotion with Python parity
  • pickle: harden Rust opcode parity for protocol 5 buffers, copyreg extensions, follow-on streams, protocol-0 encoded nested payloads, and __main__ call escalation while bounding Python raw-detector hot paths
  • pickle: preserve root raw-detector coverage for Slack tokens, mongodb+srv:// secrets, bare IPs, domains, and network-library/function indicators behind large-file compatibility prefilters
  • pickle: detect modern STACK_GLOBAL, INST, and copyreg extension references in post-budget pickle tails, avoid a second Rust-boundary copy of Python byte payloads, and skip expensive raw detectors for realistic benign PyTorch state-dict key streams
  • pickle: route crafted protocol-1 binary pickle headers and nested protocol-1 payload prefixes through the same scanner paths as newer binary protocols
  • pickle: enforce PyTorch ZIP entry limits with a bounded EOCD preflight before opening over-cap archives
  • pickle: resolve memoized GET/BINGET/LONG_BINGET operands in post-budget STACK_GLOBAL tails so pre-memoized dangerous globals cannot bypass the Rust scanner
  • pickle: detect no-PROTO binary-opcode nested payloads in raw/base64/hex fields, fail closed when nested probe candidates exceed the bounded budget, and flag process-termination/resource primitives such as builtins.exit, faulthandler._sigsegv, and resource.setrlimit
  • numpy: propagate incomplete embedded-pickle scan status from object-dtype .npy payloads so partial recursive pickle coverage fails closed
  • license: bound binary header scans and reuse compiled patterns to avoid full-file regex passes on large model archives
  • security: stop iterating malformed TFLite models after excessive subgraph counts are detected
  • openvino: route forbidden-DOCTYPE IR XML into the OpenVINO scanner, fail closed on XML parse errors, and suppress warning-level format-validation noise for benign .xml models with no distinctive magic bytes
  • security: fail closed on conflicting duplicate or alias Keras root members so benign trailing config.json entries cannot hide malicious earlier configs, while accepting byte-identical duplicates without warning noise
  • security: detect PyTorch binary code and blacklist patterns that straddle chunk boundaries, avoid duplicate overlap reports, and return success=False when CRITICAL findings are present
  • fail closed on bare scanner success=False results across object, dict, streaming, and cached scan paths instead of allowing clean aggregate success
  • security: harden PyTorch ZIP pickle import classification without downgrading dangerous builtins or known benign rebuild aliases
  • security: scan every duplicate PyTorch ZIP member by physical archive entry and report conflicting duplicate names at INFO severity so benign trailing data.pkl entries cannot shadow malicious earlier payloads without making benign-but-conflicting duplicates warning-fail by themselves
  • security: route metadata-stripped PyTorch ZIP archives by numeric tensor storage members only, preserving generic ZIP routing for data-directory near-matches
  • security: route misnamed Skops ZIPs by bounded schema sniffing, treat encrypted Skops-like schema members as non-matches instead of crashing routing, recurse into embedded members while preserving Skops-specific CVE checks, avoid tiny nested .bin false positives on clean archive members, preserve nested-member byte accounting, and preserve CLI scanner_names in aggregated JSON output
  • pickle: bound post-budget global fallback state, retained findings, and deadline checks to prevent crafted pickle tails from exhausting scanner memory or flooding logs
  • pickle: mark timeout-, budget-, recursion-, and resource-limited pickle scans as inconclusive so clean-looking partial analysis returns exit code 2 unless real security findings were reported
  • route misnamed ZIP, HDF5, and 7z files through content-aware scanner selection
  • security: recursively scan all members of content-routed .keras ZIP archives with bounded per-member extraction, prefer canonical root members over normalized aliases, and fail closed on ambiguous duplicate aliases so embedded payloads and ./config.json entries are not skipped
  • keras: fail closed when embedded .keras weights exceed inspection limits, constrain fully-qualified H5/ZIP Lambda CVE attribution to Keras/TensorFlow namespaces, and avoid CVE noise for documentation URLs that mention get_file
  • security: scan duplicate ZIP entries by physical archive member instead of resolving repeated names to the final entry, preventing shadowed payloads from being skipped during recursive archive analysis
  • bound Keras config.json and metadata.json member reads before JSON parsing
  • openvino: parse XML roots for long-prolog routing, enforce size limits before parsing, scan nested layer attributes for external library references, and avoid importlib substring false positives
  • zip: propagate nested critical findings and incomplete archive traversal to success=False, and bound symlink-target reads before path validation
  • tar: propagate nested critical findings and partial archive traversal to success=False, continue after per-entry extraction errors, and normalize malformed archive-limit configs to safe defaults
  • route oversized config-only Keras ZIP archives by bounded config-prefix sniffing instead of falling back to the generic ZIP scanner
  • preserve disguised model files during directory prefiltering without promoting document ZIPs
  • fail closed on duplicate 7z entries, nested critical findings, probe-limit truncation, and malformed 7z safety-limit configs
  • oci: fail closed on nested findings and partial layer traversal, content-sniff misnamed layer members, normalize cosmetic layer-ref suffix changes, and reject oversized members before temp extraction
  • oci: ignore non-layer metadata strings ending in .tar.gz when collecting manifest layer refs so benign URLs do not become false missing-layer failures
  • recurse into nested 7z members even when their filenames use misleading extensions
  • fail closed on extreme-size files when a scanner lacks bounded large-file analysis
  • harden scan-cache invalidation and skip caching operational scan failures
  • propagate CLI cache settings into MLflow and JFrog downloads
  • avoid materializing streaming directory iterators in memory
  • fail closed when JFrog folder downloads return only partial results
  • keras: anchor safe Lambda normalization regexes in H5 scanning so appended statements (for example ; __import__(...)) cannot bypass dangerous-code analysis
  • keras: harden Keras H5 scanning by propagating CRITICAL findings to success=False, scanning wrapper-owned nested layers, parsing prerelease fix-boundary versions correctly, and matching suspicious module/config tokens without benign substring false positives
  • complete primary header-format routing in core.py so all registered model formats map to scanner IDs (including OpenVINO/PMML/CNTK/LightGBM/Torch7/CatBoost/RKNN/MXNet/NeMo/Llamafile/TFLite/CoreML/Paddle/TensorRT/Flax/R/ExecuTorch/7z/compressed/skops/joblib/xgboost/jax_checkpoint), add .skops extension detection coverage without spurious ZIP mismatch noise, and route ZIP-backed PyTorch .ckpt/.pkl containers through the PyTorch ZIP path
  • security: track pickle BUILD-driven __setstate__ mutation on non-safe globals and block tree-model opcode-threshold escalation when dangerous globals are present in-stream
  • safetensors: include BOOL, BF16, F8_E4M3, and F8_E5M2 dtypes in tensor-size validation so malformed offsets are no longer skipped
  • harden pickle symbolic stack simulation by ignoring stack-neutral opcodes and using unknown sentinels for unhandled stack pushes
  • security: scan TensorFlow SavedModel assets/ and assets.extra/ directories for executable-like content (shebang scripts, ELF/Mach-O binaries, pickle magic, and embedded Python source patterns)
  • security: make TensorFlow SavedModel scans fail closed on CRITICAL findings, avoid substring false positives in PyFunc function references, and treat blacklist_patterns=None as disabled instead of emitting DEBUG read errors
  • security: enforce SafeTensors MAX_HEADER_BYTES during scan() and skip regex-heavy metadata-content analysis when headers exceed the configured limit to reduce header-based DoS risk
  • emit a one-time warning when the HuggingFace whitelist snapshot is older than 90 days while preserving existing whitelist severity downgrades
  • treat pickle scan timeouts as unsuccessful while preserving post-budget tail scans after opcode truncation
  • harden pickle CVE-2026-24747 SETITEM detection against stack-neutral padding
  • keras: harden CVE-2025-9906 detection against documentation-padding bypasses in .keras config.json
  • count successful stream:// scans in files_scanned so clean streaming scans return exit code 0 instead of 2
  • harden 7z nested archive scanning and pre-extraction size checks
  • scan follow-on pickle streams after large padding blocks
  • security: add a budget-independent post-truncation GLOBAL/INST/STACK_GLOBAL byte scan (100 MB capped) so dangerous imports hidden past opcode limits are still detected
  • security: detect nested pickle payloads in BINBYTES8 and BYTEARRAY8 opcodes
  • security: scan bounded sliding windows for padded nested pickles hidden beyond the first 1 KB in raw, legacy BINSTRING, and base64/hex-encoded payloads
  • onnx: treat official ai.onnx.ml and ai.onnx.preview.training domains as standard so only truly custom domains are flagged
  • reject local streaming symlink traversal outside the scan root
  • require explicit remote Hugging Face provenance for whitelist downgrades
  • preserve scannable archives, hidden model files, hidden DVC pointers, and local .metadata files in directory scans
  • tighten Hugging Face cache-root matching so only real .cache/huggingface/hub layouts get cache-specific filtering and provenance handling
  • preserve validated PE detections in pickle binary ML-context filtering
  • security: fail closed on pickle opcode parse errors for .pkl / .pickle / .joblib / .dill files instead of returning a successful INFO-only scan
  • security: surface an explicit INFO limitation when large pickle raw byte-pattern heuristics cover only the first 10 MB of the file
  • security: preserve full scanner execution for large files when scanners do not implement chunk analyzers
  • harden manifest URL trust checks and enforce metadata/manifest scan limits
  • harden metadata scanner URL handling so shorteners/tunnels hidden in userinfo are flagged without treating ordinary authenticated URLs as suspicious
  • trust legitimate AWS S3 virtual-hosted regional and legacy manifest URLs without broadening other amazonaws.com hosts
  • treat all-uppercase pickle module segments as plausible imports
  • recurse into extensionless nested ZIP members by content
  • preserve mixed ZIP/TAR/MAR archive depth limits
  • security: keep Hugging Face model downloads fail-closed when repo listing errors/timeouts prevent exact file allowlists, and run disk-space preflight against the default HF cache even without an explicit cache_dir
  • security: bound embedded .keras weight extraction before temporary-file inspection to reduce zip-bomb denial-of-service risk
  • security: prevent ExecuTorch binary ZIP polyglots from bypassing archive scanning
  • security: keep spoofed built-in Keras registered_name values from hiding non-allowlisted custom modules in .keras ZIP scans
  • keras: suppress duplicate custom-object warnings for allowlisted registered objects when module metadata is absent
  • security: analyze TorchServe MAR requirements.txt files for supply-chain attack indicators such as non-PyPI indexes, editable/git installs, direct remote URL installs, external requirement includes, insecure HTTP URLs, remote find-links, and typosquatting package names while ignoring inline comments
  • security: stop auto-applying local .modelaudit.toml and pyproject.toml rule config during scans unless a human explicitly trusts that config in an interactive scan; remembered trust is stored securely under the local ModelAudit cache and invalidated when the config changes
  • telemetry: preserve secret-scrubbed model references in telemetry payloads while omitting raw credentials, query strings, and local directory paths
  • cli: preserve original local files during --stream directory scans instead of unlinking them after analysis
  • security: reduce benign pickle scanner noise by suppressing placeholder __reduce__ findings, narrowing generic base64-like string heuristics, and applying default suppression for the JWT.io example token
  • security: recurse into object-dtype .npy payloads and .npz object members with the pickle scanner while preserving CVE-2019-6446 attribution and archive-member context
  • eliminate false positives for valid ExecuTorch FlatBuffers binaries and file-type validation on public .pte models
  • eliminate Keras ZIP false positives for safe built-in and allowlisted serialized objects such as Add and NotEqual
  • security: remove dill.load / dill.loads from the pickle safe-global allowlist so recursive dill deserializers stay flagged as dangerous loader entry points
  • security: add exact dangerous helper coverage for validated torch and NumPy refs such as numpy.f2py.crackfortran.getlincoef, torch._dynamo.guards.GuardBuilder.get, and torch.utils.collect_env.run
  • security: add exact dangerous-global coverage for numpy.load, site.main, _io.FileIO, test.support.script_helper.assert_python_ok, _osx_support._read_output, _aix_support._read_cmd_output, _pyrepl.pager.pipe_pager, torch.serialization.load, and torch._inductor.codecache.compile_file (9 PickleScan-only loader and execution primitives)
  • security: treat legacy httplib pickle globals the same as http.client, including import-only and REDUCE findings in standalone and archived payloads
  • security: detect import-only pickle GLOBAL/STACK_GLOBAL references while preserving safe constructor imports and avoiding mislabeling executed call chains as import-only
  • security: fail closed on malformed STACK_GLOBAL operands when memo lookups are missing or operand types are non-string, while keeping simple truncation-only context informational
  • security: remove builtins.hasattr / __builtin__.hasattr from the pickle safe-global allowlist so attribute-access primitives stay flagged as dangerous builtins
  • security: harden pickle blocklist enforcement by removing _pickle.Unpickler/_pickle.Pickler from safe globals, adding copyreg.add_extension/copyreg.remove_extension to suspicious globals, and limiting functools warning downgrades to partial/partialmethod so functools.reduce findings stay CRITICAL
  • security: harden TensorFlow weight extraction limits to bound actual tensor payload materialization, including malformed tensor_content and string-backed tensors, and continue scanning past oversized Const nodes
  • security: stream TAR members to temp files under size limits instead of buffering whole entries in memory during scan
  • security: inspect TensorFlow SavedModel function definitions when scanning for dangerous ops and protobuf string abuse, with function-aware finding locations
  • security: route oversized TensorFlow MetaGraph files to fail-closed parse-budget scans, inspect AttrValue.func.name references in executable ops, and restore oversized-attribute anomaly detection after bounded string decoding
  • cli: include streamed artifacts as SBOM components when scan --stream --sbom is used
  • cli: exclude HuggingFace download cache bookkeeping files from remote SBOMs and asset lists
  • cli: add --no-whitelist and --strict whitelist/caching hardening so CI scans can disable HF severity downgrades and force uncached analysis
  • security: require official or explicitly allowlisted JFrog hosts before treating /artifactory/ URLs as authenticated JFrog endpoints
  • security: detect CVE-2024-5480 PyTorch torch.distributed.rpc arbitrary function execution via PythonUDF (CVSS 10.0)
  • security: detect CVE-2024-48063 PyTorch torch.distributed.rpc.RemoteModule deserialization RCE via pickle (CVSS 9.8)
  • security: detect CVE-2019-6446 in NumPy scanner when object-dtype arrays are found, with informational attribution (CVSS 9.8) due to potential pickle deserialization via allow_pickle=True
  • security: new NeMo scanner detecting CVE-2025-23304 Hydra _target_ injection in .nemo model files (CVSS 7.6), with recursive config inspection and dangerous callable blocklist
  • security: detect CVE-2025-51480 ONNX save_external_data arbitrary file overwrite via external_data path traversal (CVSS 8.8)
  • security: detect CVE-2025-49655 TorchModuleWrapper deserialization RCE (CVSS 9.8)
  • security: add CatBoost .cbm scanner with strict CBM1 format validation, bounded parsing, and suspicious command/network/script indicator checks
  • security: add dedicated scanner support for R serialized artifacts (.rds, .rda, .rdata) with bounded decompression and static detection of executable symbol/payload indicators
  • security: add CNTK .dnn/.cmf scanner with strict signature validation, bounded reads, and multi-signal suspicious content correlation
  • feat: add standalone compressed-wrapper scanner support for .gz, .bz2, .xz, .lz4, and .zlib with strict signature validation, decompression size/ratio safeguards, and inner-payload scanner routing
  • security: add RKNN .rknn scanner with strict RKNN signature detection, bounded metadata parsing, and contextual command/network/obfuscation checks
  • security: add Torch7 (.t7, .th, .net) scanner with strict signature heuristics plus Lua execution primitive and dynamic module-loading detection
  • security: add native LightGBM scanner for .lgb/.lightgbm and signature-validated .model artifacts with strict XGBoost collision disambiguation and static command/network/path indicator checks
  • feat: add Llamafile executable scanner with bounded runtime-string analysis and embedded GGUF payload carving/forwarding
  • feat: add CoreML .mlmodel scanner with strict protobuf structure validation, custom layer/custom model detection, metadata abuse checks, and linked-model path safety checks
  • feat: add MXNet scanner support for paired *-symbol.json and *-NNNN.params artifacts with strict contract validation, companion-file checks, and suspicious reference/payload detection
  • security: add TensorFlow MetaGraph (.meta) scanner support with strict protobuf can_handle(), bounded MetaGraph parsing, unsafe op detection (PyFunc/PyCall/LoadLibrary), executable-context string checks, and payload-stuffing anomaly controls
  • security: add dedicated TorchServe .mar scanner with strict archive validation, bounded manifest/member reads, manifest policy checks, and recursive embedded payload scanning
  • security: detect CVE-2025-1716 pickle bypass via pip.main() as dangerous callable (CVSS 9.8)
  • keras: detect CVE-2025-9906 enable_unsafe_deserialization config bypass in .keras archives (CVSS 8.6, safe_mode bypass)
  • security: detect CVE-2025-8747 Keras get_file gadget safe_mode bypass
  • keras: detect CVE-2025-9905 H5 safe_mode bypass for Lambda layers (CVSS 7.3)
  • keras: add CVE-2024-3660 attribution to Lambda layer detection in .keras and .h5 scanners (CVSS 9.8)
  • keras: recursively inspect H5 training_config and .keras compile_config for custom losses and metrics, while allowlisting standard aliases and built-in preprocessing layers to reduce false positives
  • security: detect CVE-2025-10155 pickle protocol 0/1 payloads disguised as .bin files by extending detect_file_format() to recognize GLOBAL opcode patterns and adding posix/nt internal module names to binary code pattern blocklist
  • security: detect CVE-2022-25882 ONNX external_data path traversal with CVE attribution, CVSS score, and CWE classification in scan results
  • security: detect CVE-2024-27318 ONNX nested external_data path traversal bypass via path segment sanitization evasion
  • security: restore ZIP scanner fallback for invalid .mar archives so malicious ZIP payloads renamed to .mar cannot bypass archive checks
  • security: flag risky import-only pickle references for torch.jit, torch._dynamo, torch._inductor, torch.compile, torch.storage._load_from_bytes, numpy.f2py, and numpy.distutils while preserving safe state-dict reconstruction paths
  • security: add low-severity pickle structural tamper findings for duplicate or misplaced PROTO opcodes while avoiding benign binary-tail false positives
  • security: stop treating mixed-case valid pickle module names as implausible, so import and reduce checks no longer bypass on names like PIL or attacker-chosen EvilPkg
  • security: scan OCI layer members based on registered file extensions so embedded ONNX, Keras H5, and other real-path scanners are no longer skipped inside tar layers
  • security: resolve bare-module TorchServe handler references like custom_handler to concrete archive members so malicious handler source is no longer skipped by static analysis
  • security: compare archive entry paths against the intended extraction root without following base-directory symlinks
  • security: stop loading .env files implicitly during JFrog helper import so untrusted working directories cannot rewrite proxy or auth-related environment variables
  • rules: preserve rule_code metadata through direct result aggregation and ensure dangerous advanced pickle globals emit explicit rule codes (with regression coverage)
  • rules: ignore unknown rule IDs in config files with warning logs, normalize rule-code casing in config parsing, and prevent invalid severity entries from being applied
  • security: harden shared auth config storage and archive path sanitization to avoid insecure temp fallbacks, symlink overwrite abuse, and temp-root symlink traversal bypasses
  • security: stop archive path sanitization from resolving attacker-controlled extraction-root symlinks, preventing symlinked temp directories from weakening traversal checks
  • telemetry: refresh the cached telemetry client when runtime context changes and lazily initialize PostHog when telemetry is re-enabled in-process
  • tests: add scanner literal rule_code registry-consistency coverage to catch unknown rule identifiers early
  • cloud: harden cache path handling to prevent sibling-prefix bypasses from escaping cache boundaries, avoid deleting out-of-cache metadata paths during cleanup, and clean temporary cloud download directories on failure
  • tests: unskip and restore cloud disk-space failure coverage; add regressions for cache boundary enforcement and temp-directory cleanup on download errors
  • security: harden pickle scanner stack resolution to correctly track STACK_GLOBAL and memoized REDUCE call targets, preventing decoy-string and BINGET bypasses
  • security: flag pickle EXT1/EXT2/EXT4 extension-registry call targets in REDUCE analysis to close EXT opcode bypasses
  • security: detect protocol 0/1 ASCII pickle signatures in generic file-format detection to prevent ZIP entry extension bypasses (e.g., malicious payload.txt)
  • security: harden protocol 0/1 pickle format detection with bounded opcode parsing to catch prefixed payloads (e.g., MARK/LIST before GLOBAL) while reducing plain-text false positives in ZIP entry scanning
  • security: keep opcode-level pickle analysis active when malformed streams trigger unicode/text parse errors after partial opcode extraction
  • security: tighten safetensors magic-byte detection to require valid framed headers, preventing JSON and protocol 0 pickle misrouting
  • security: analyze all Python files in TorchServe .mar archives (including non-handler modules and __init__.py) for risky calls, import-time execution, and handler-to-utility import relationships
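Several of the pickle entries above describe one underlying technique: simulate the opcode stream with a symbolic stack and memo so that STACK_GLOBAL operands fetched through GET/BINGET/LONG_BINGET resolve to the strings that were memoized earlier, report dangerous globals whether they are called (REDUCE/NEWOBJ/INST) or only imported, fail closed on malformed operands or truncated streams, and keep scanning follow-on streams after STOP. The block below is an added example written for this changelog, not ModelAudit's scanner; its blocklist, the sample payloads and the `scan_pickle` helper are constructed for illustration and nothing in it ever unpickles a byte.

```python
"""Toy opcode-level pickle scanner. Added example, not ModelAudit's own scanner.

It walks opcodes with pickletools, keeps a symbolic stack and memo so STACK_GLOBAL
operands fetched via BINGET are resolved instead of lost, reports dangerous globals
that are called (REDUCE/NEWOBJ/INST) or merely imported, fails closed on malformed
streams, and continues into a follow-on stream after STOP.
DANGEROUS_GLOBALS is a constructed blocklist for the example."""
import pickle
import pickletools
from typing import NamedTuple

DANGEROUS_GLOBALS = {
    "os.system", "posix.system", "nt.system", "subprocess.Popen",
    "builtins.eval", "builtins.exec", "builtins.__import__", "pip.main",
}
MARK = object()      # sentinel for the MARK opcode
UNKNOWN = object()   # sentinel for values the simulator does not model
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
Finding = tuple[str, str, int]   # (dotted global or marker, CALL|IMPORT_ONLY|MALFORMED, offset)


class Global(NamedTuple):
    module: str
    name: str

    @property
    def dotted(self) -> str:
        return f"{self.module}.{self.name}"


def scan_pickle(data: bytes, base: int = 0) -> list[Finding]:
    """Return findings for one stream and anything after its STOP; [] means clean."""
    stack, memo, findings = [], {}, []
    imported, called, stop_at = {}, set(), -1

    def pop():
        return stack.pop() if stack else UNKNOWN

    def pop_to_mark(at):
        while stack:
            if stack.pop() is MARK:
                return
        findings.append(("<stack>", "MALFORMED", at))   # underflow: opcodes lie about structure

    def note_call(obj, at):
        if isinstance(obj, Global):
            called.add(obj.dotted)
            if obj.dotted in DANGEROUS_GLOBALS:
                findings.append((obj.dotted, "CALL", at))

    try:
        for op, arg, pos in pickletools.genops(data):
            at, name = base + pos, op.name
            if name == "MARK":
                stack.append(MARK)
            elif name in STRING_OPS:
                stack.append(arg)
            elif name in PUT_OPS:
                memo[arg] = stack[-1] if stack else UNKNOWN
            elif name == "MEMOIZE":
                memo[len(memo)] = stack[-1] if stack else UNKNOWN
            elif name in GET_OPS:
                stack.append(memo.get(arg, UNKNOWN))   # pre-memoized operand comes back intact
            elif name == "GLOBAL":
                mod, _, attr = arg.partition(" ")
                imported.setdefault(f"{mod}.{attr}", at)
                stack.append(Global(mod, attr))
            elif name == "STACK_GLOBAL":
                attr, mod = pop(), pop()
                if isinstance(attr, str) and isinstance(mod, str):
                    imported.setdefault(f"{mod}.{attr}", at)
                    stack.append(Global(mod, attr))
                else:   # unresolvable operands: fail closed rather than assume benign
                    findings.append(("<stack_global>", "MALFORMED", at))
                    stack.append(UNKNOWN)
            elif name in ("REDUCE", "NEWOBJ"):
                pop()                    # argument tuple
                note_call(pop(), at)     # callable
                stack.append(UNKNOWN)
            elif name == "INST":
                pop_to_mark(at)
                mod, _, attr = arg.partition(" ")
                note_call(Global(mod, attr), at)
                stack.append(UNKNOWN)
            elif name == "STOP":
                stop_at = pos
            else:   # generic stack effect taken from pickletools' own opcode metadata
                before = op.stack_before
                if pickletools.markobject in before:
                    pop_to_mark(at)
                    before = [s for s in before
                              if s not in (pickletools.markobject, pickletools.stackslice)]
                for _ in before:
                    pop()
                stack.extend([UNKNOWN] * len(op.stack_after))
    except ValueError:   # truncated stream, unknown opcode, bad UTF-8: never report clean
        findings.append(("<parse>", "MALFORMED", base))
    for dotted, at in imported.items():
        if dotted in DANGEROUS_GLOBALS and dotted not in called:
            findings.append((dotted, "IMPORT_ONLY", at))
    if 0 <= stop_at < len(data) - 1:   # bytes after STOP: scan the follow-on stream as well
        findings.extend(scan_pickle(data[stop_at + 1:], base + stop_at + 1))
    return findings


# Constructed sample streams; nothing here is ever unpickled, only parsed.
BENIGN = pickle.dumps({"weights": [1.0, 2.0], "name": "layer1"}, protocol=4)
PROTO0 = b"cos\nsystem\n(S'id'\ntR."                                          # GLOBAL ... REDUCE
PROTO4 = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x8c\x02id\x94\x85R."   # STACK_GLOBAL ... REDUCE
# Operands are memoized (BINPUT), popped ("0"), then fetched back with BINGET right before
# STACK_GLOBAL, so a scanner that only reads the string opcodes next to it sees a decoy.
MEMOIZED = (b"\x80\x02X\x02\x00\x00\x00osq\x000X\x06\x00\x00\x00systemq\x010"
            b"X\x05\x00\x00\x00decoyq\x020h\x00h\x01\x93X\x02\x00\x00\x00id\x85R.")
IMPORT_ONLY = b"\x80\x04\x8c\x03pip\x94\x8c\x04main\x94\x93N."                 # pushed, never called
TRUNCATED = PROTO4[:-3]                                                          # cut before REDUCE/STOP
```

A real pickle produced by `pickle.dumps` of an object whose `__reduce__` returns `os.system` is written as `posix.system` on Linux and `nt.system` on Windows, which is why those internal module names appear in the blocklist. The toy has no opcode budget, memo cap or deadline, so a crafted tail can still make it allocate without limit; the entries above about bounding post-budget state and marking budget-limited scans inconclusive are what a production scanner adds on top of this logic.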

Security

  • keras: detect CVE-2025-1550 arbitrary module references in .keras config.json (CVSS 9.8, safe_mode bypass)
  • security: treat joblib.load as always dangerous and remove it from pickle ML allowlist to block loader trampoline bypasses
  • security: tighten manifest trusted-domain matching to validate URL hostnames instead of substring matches
  • security: make .keras suspicious file extension checks case-insensitive to catch uppercase executable/script payloads
  • security: block unsafe in-process torch.load in WeightDistributionScanner by default unless explicitly opted in
  • fix: tighten metadata scanner suspicious URL matching to use exact hostname/subdomain checks and add focused regression coverage
  • fix: treat .nemo files as tar-compatible during file-type validation to avoid false extension/magic mismatch alerts
  • fix: pass XGBoost load-test file paths via subprocess argv instead of interpolating shell-quoted paths into python -c, preventing backslash escape corruption on Windows-style paths
  • security: reject absolute OCI layer references so .manifest files cannot scan host tarballs outside the OCI layout

Documentation

  • update README and user docs for the modelaudit metadata command, metadata safety guidance (--trust-loaders), and new NeMo format coverage
  • align maintainer/agent docs with current architecture and release workflow (metadata extractor component, dependency extras, and release-please + changelog guidance)
  • align repository documentation around current scanner coverage, rule codes, package boundaries, and supported CI workflows

0.2.37 (2026-04-12)

Bug Fixes

  • add CVE scanner coverage (01dec02)
  • add size floor for zip compression ratio (#949) (5e66eeb)
  • align SARIF scan metadata with CLI results (#934) (1a90415)
  • allow generated TorchScript source files (#948) (53d0cdc)
  • archives: honor nested header routing (fccdb91)
  • avoid archive bin pickle routing (#962) (446df6b)
  • avoid safetensors unicode metadata false positive (#945) (d595fde)
  • bound standalone pickle stream reads (4d0cb84)
  • catboost: redact finding urls (c65334c)
  • cli: honor streaming file skips (49291ac)
  • cli: redact cloud urls in output (#964) (0ee82ca)
  • default unknown severities to info (#963) (9b27b9a)
  • deps: update dependency tensorflow to >=2.21,<2.22 (#985) (2e3ac65)
  • detectors: redact network urls in findings (7e28a46)
  • dvc: restrict target paths (3bd9b68)
  • flag pickle persistent ids (#938) (2cfba40)
  • gguf: detect tensor bounds overflow (a4358ff)
  • honor header-routed scanners (#941) (6740260)
  • huggingface: redact source urls (73b538e)
  • ignore pmml documentation urls (506aa75)
  • jfrog: redact url secrets (4546eee)
  • keras: redact archive urls (e532b0d)
  • lightgbm: redact finding urls (d4f1fe2)
  • manifest: redact url secrets (c831733)
  • mark missing numpy format as operational (#958) (6d271d6)
  • mark pickle parse failures inconclusive (8a0e3fd)
  • metadata: redact suspicious urls (7af0d4d)
  • metadata: reject symlink escapes (3869cf0)
  • narrow flax suspicious key criticals (#957) (9276d24)
  • narrow network c2 metadata patterns (fd9cc41)
  • narrow openvino external library checks (#959) (e895872)
  • narrow safetensors path metadata checks (#955) (4241780)
  • narrow suspicious dunder string detection (#947) (e866760)
  • nemo: scan referenced non-checkpoint suffixes (3ba4ff7)
  • openvino: flag sidecar symlink escapes (772e796)
  • openvino: redact library urls (241a667)
  • preserve informational network findings (b39d312)
  • reduce benign Keras Lambda bytecode noise (8cb5c29)
  • require nested pickle execution evidence (d2ad631)
  • route nested compressed archive members (e217b29)
  • route nested compressed members (#944) (d839fe7)
  • r: redact serialized urls (013bcf0)
  • scanners: redact evidence secrets (3ae1383)
  • skip prose-only network references (773eb88)
  • skip protocol-only streaming pickle warning (#961) (dba3ebe)
  • tighten pytorch zip pickle discovery (#953) (bfd9663)
  • torchserve: redact manifest urls (4626a02)
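The size floor for the ZIP compression-ratio check above, together with the newer entries about scanning duplicate ZIP members by physical archive entry rather than by name, rest on two properties of ZIP handling that are easy to get wrong: a name table keeps only one entry per name, and a ratio check without a floor flags every tiny all-zero member. The block below is an added example, not ModelAudit's code; the thresholds, the `build_fixture` archive and the record layout are constructed for illustration.

```python
"""Scanning ZIP members by physical entry. Added example, not ModelAudit's code.

zipfile's name table keeps only the last central-directory entry for a repeated
name, so zf.read("data.pkl") returns whichever entry was written last and a
scanner that iterates names never sees the earlier payload. Walking infolist()
and opening each ZipInfo visits every physical entry, reports names whose
duplicates differ, and applies a compression-ratio guard with a size floor.
Thresholds are example values, not the project's defaults."""
import io
import warnings
import zipfile

MAX_RATIO = 100                 # uncompressed/compressed above this is suspicious ...
RATIO_SIZE_FLOOR = 64 * 1024    # ... but only once the member is big enough to matter
MAX_MEMBER_BYTES = 16 * 1024 * 1024


def physical_members(zip_bytes: bytes) -> list[dict]:
    """One record per physical entry, in archive order; flagged entries are not read."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for index, info in enumerate(zf.infolist()):
            rec = {"index": index, "name": info.filename, "declared": info.file_size,
                   "compressed": info.compress_size, "flags": [], "data": b""}
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > RATIO_SIZE_FLOOR and ratio > MAX_RATIO:
                rec["flags"].append("compression_ratio")
            if info.file_size > MAX_MEMBER_BYTES:
                rec["flags"].append("oversized")
            if not rec["flags"]:
                with zf.open(info) as fh:              # ZipInfo, not name: this exact entry
                    rec["data"] = fh.read(MAX_MEMBER_BYTES)
            records.append(rec)
    return records


def duplicate_conflicts(records: list[dict]) -> list[str]:
    """Names that occur more than once with differing bytes; identical repeats are not noise."""
    first_seen, conflicts = {}, []
    for rec in records:
        if rec["flags"]:
            continue
        prior = first_seen.setdefault(rec["name"], rec["data"])
        if prior != rec["data"] and rec["name"] not in conflicts:
            conflicts.append(rec["name"])
    return conflicts


def name_lookup(zip_bytes: bytes, name: str) -> bytes:
    """What a scanner gets when it resolves a member by name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_fixture() -> bytes:
    """Constructed archive: a malicious data.pkl shadowed by a benign one with the same
    name, a 1 MiB zero-filled member (ratio ~1000:1) and a tiny one that compresses as well."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns about duplicate names but writes them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("data.pkl", b"cos\nsystem\n(S'id'\ntR.")   # protocol-0 pickle, os.system
            zf.writestr("data.pkl", b"\x80\x04}\x94.")             # protocol-4 pickle of {}
            zf.writestr("weights.bin", bytes(1 << 20))
            zf.writestr("small.bin", bytes(2048))
    return buf.getvalue()
```

`name_lookup` returns the benign second entry, which is exactly what a scanner keyed on `namelist()` would analyse; `physical_members` returns both entries and `duplicate_conflicts` reports the name, while two byte-identical copies of a file produce no report. The 2 KiB member compresses as well as the 1 MiB one but stays under the floor, so only the large one is skipped and flagged.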

Documentation

  • add scanner CVE coverage notes (73d6e8e)
  • allow promptfoo telemetry approval (1fbe64c)

0.2.36 (2026-04-11)

Documentation

  • disable telemetry during agent validation (#928) (69a1986)

0.2.35 (2026-04-11)

Bug Fixes

  • clean up oversized zip entry temps (#911) (66b4871)
  • flag Paddle code patterns as warnings (#925) (32fa0b7)
  • harden manifest parse boundaries (#922) (6f5b516)
  • harden standalone pickle scanner (#901) (31f7dd3)
  • mark corrupt NumPy object payloads inconclusive (#912) (ecba19d)
  • mark incomplete MXNet scans inconclusive (#923) (a928ed7)
  • mark incomplete sharded scans inconclusive (#909) (510d0fb)
  • mark malformed GGUF scans inconclusive (#914) (9b3e216)
  • mark malformed Keras H5 configs inconclusive (#917) (23671c3)
  • mark malformed Keras ZIP configs inconclusive (#918) (d4ad8d8)
  • mark malformed SafeTensors scans inconclusive (#913) (43913d6)
  • mark malformed tflite scans inconclusive (#916) (07c871a)
  • mark partial archive scans inconclusive (#907) (c8eb918)
  • mark partial streaming scans inconclusive (#908) (3d47a10)
  • mark unknown ONNX tensor dtypes inconclusive (#915) (35661b6)
  • preserve picklescan stack state (#910) (fabac5c)
  • recover malformed Jinja template configs (#920) (d619c8f)
  • route corrupt catboost scans fail closed (#924) (052bb5f)
  • traverse nemo yaml list configs (#919) (0d8d4fd)
  • zip: fail closed on MAR handler parse errors (#896) (a06a620)

Documentation

  • improve scanner correctness documentation (#921) (06be0b6)

0.2.34 (2026-04-10)

Bug Fixes

  • flag Paddle code patterns as warnings instead of failing benign scans
  • route corrupt CatBoost scans to fail closed outcomes
  • mark incomplete MXNet scans inconclusive instead of clean
  • harden manifest parse boundaries around malformed metadata
  • recover malformed Jinja template configs as inconclusive scan outcomes
  • traverse NeMo YAML list configs when checking suspicious targets
  • mark malformed Keras ZIP configs inconclusive instead of clean
  • mark malformed Keras H5 scans inconclusive instead of clean
  • mark malformed TFLite scans inconclusive instead of clean
  • mark malformed GGUF scans inconclusive instead of clean
  • mark malformed SafeTensors scans inconclusive instead of clean
  • preserve picklescan stack state across reused scanner runs
  • mark partial streaming scans inconclusive when large-file streaming coverage is incomplete
  • harden native code detection in model scanners (#897) (f4f661a)

0.2.33 (2026-04-09)

Features

  • extract standalone pickle scanner package with parity harness (#832) (e2986cd)

Bug Fixes

  • harden helper routing for zip-backed pickle checkpoints (#870) (3ebe0c0)
  • make return paths explicit (#884) (e31c254)
  • skip extraction for suspicious ZIP entries (358aa44)

Documentation

  • clarify detection bypass severity policy (d8117a1)

0.2.32 (2026-04-05)

Bug Fixes

  • detect punctuated TensorRT tmp paths (#867) (9607530)
  • fail closed on OpenVINO DOCTYPE parse errors (#864) (f5b19c4)
  • ignore OCI metadata URLs during layer discovery (#866) (0b24e3f)
  • reduce PMML subprocess extension false positives (#869) (5e6f79d)
  • tolerate bounded CoreML custom block truncation (#868) (34df06d)

0.2.31 (2026-04-04)

Bug Fixes

Documentation

0.2.30 (2026-03-30)

Bug Fixes

  • always run binary fallback for parse-failed .bin files (#814) (f5f3c90)
  • harden nested pickle detection against padded payloads (#812) (c15f53e)
  • mark incomplete pickle scans as inconclusive (#810) (ade9296)
  • normalize archive locations and route .skops ZIPs (#805) (f7c8277)
  • preserve fail-closed pickle fallback semantics (#817) (e8a6db7)
  • restore post-budget pickle opcode parity (#811) (d321309)
  • use symbolic STACK_GLOBAL refs for pickle ML context (#813) (eb48c52)
  • utils: recurse into cloud directories with size metadata (#819) (2d9852d)

0.2.29 (2026-03-29)

Features

  • cli: add --no-whitelist and --strict flags for CI pipelines (636b813)
  • detect pickle expansion attack heuristics (8e074fd)
  • whitelist: warn when HuggingFace whitelist snapshot is stale (5a60871)

Bug Fixes

  • add guarded CRC fallback for PyTorch ZIP scanning (5db1e71)
  • cache: harden invalidation and skip operational failures (6492598)
  • cli: propagate cache settings to registry downloads (d6cf508)
  • core: count stream scans in files_scanned (#749) (50326bb)
  • core: route misnamed archives by trusted file structure (cad90c3)
  • deps: include py7zr in all extras (#759) (16cfae1)
  • detection: tighten safetensors magic detection to prevent misrouting (109bca2)
  • fail closed on pickle unknown opcode parse errors (#747) (a63979a)
  • filtering: preserve disguised model files during directory scans (27058f5)
  • generate release sbom from uv lock (#733) (a1019a8)
  • harden pickle setitem target detection (#756) (877669c)
  • huggingface: fail closed on listing errors and timeouts (f22ebbe)
  • jfrog: fail closed on partial folder downloads (14e2ddd)
  • keep json stdout clean for skipped files (#768) (0857b98)
  • keras-zip: harden documentation padding bypass for CVE-2025-9906 (6e73043)
  • keras: anchor safe Lambda pattern regexes to prevent code injection bypass (73fa571)
  • keras: prevent spoofed built-in registered_name from hiding non-allowlisted modules (#736) (6d8350e)
  • large-files: fail closed without bounded scanner coverage (a2317eb)
  • make pickle operational errors explicit (2d75778)
  • manifest: trust regional S3 manifest URLs (#763) (f43af54)
  • mar: analyze all Python files in TorchServe MAR archives (dd2cf32)
  • mar: analyze requirements.txt for supply chain attacks (5365583)
  • metadata: harden metadata scanner userinfo URLs (#767) (07bf5a5)
  • normalize streamed source path reporting (#765) (09431e0)
  • onnx: add ai.onnx.ml to standard domain allowlist (c94f804)
  • pickle: add budget-independent global/import byte scanner for large files (512dd18)
  • pickle: add catch-all for unhandled opcodes in stack simulator (445b204)
  • pickle: allow uppercase module segments in import checks (#757) (c1aeb55)
  • pickle: detect nested pickle BINBYTES8 and BYTEARRAY8 payloads (#754) (814c7f2)
  • pickle: harden blocklist — copyreg, _pickle.Unpickler, functools.reduce (fe04d9a)
  • pickle: surface large-file raw pattern coverage limits (#769) (d9904f2)
  • pickle: track BUILD opcode setstate exploitation (7e8c370)
  • pickle: treat scan timeouts as unsuccessful without regressing tail scans (075adcd)
  • preserve exit code 1 for zero-file findings (#764) (34d25e7)
  • preserve scanner execution for chunked large files (#745) (8d93f1d)
  • preserve validated PE detections in pickle scans (#746) (017202c)
  • prevent ExecuTorch polyglot ZIP bypass (#743) (e06d0e8)
  • route zip-backed pytorch containers in pickle scanner (0390a00)
  • routing: complete format_to_scanner primary routing map (de69f71)
  • safetensors: add missing BF16/BOOL/FP8 dtypes for size validation (f2f2574)
  • safetensors: apply MAX_HEADER_BYTES limit in scan() to prevent DoS (7a847a7)
  • savedmodel: scan assets/ directory for executable content (04d2a0c)
  • scan padded follow-on pickle streams (#755) (8727d03)
  • security: block streamed symlink traversal outside scan roots (#751) (aee6656)
  • security: bound embedded .keras weight extraction to prevent zip-bomb DoS (#737) (1cc0e46)
  • security: bound MAR fallback python handler reads (#735) (88e42b9)
  • security: harden manifest URL trust checks and timeout handling (#760) (9ccc5f3)
  • security: preserve scannable artifacts in directory filtering (#758) (7666930)
  • security: preserve shared depth across nested archive types (#753) (607b506)
  • security: recurse into extensionless nested ZIP members (#752) (a2dfea9)
  • security: recurse into nested sevenzip archives by content (#761) (3b0e3dc)
  • security: require explicit HuggingFace provenance for whitelist downgrades (#750) (582e361)
  • security: route nested sevenzip members through core scanning (#762) (92ffdf7)
  • sevenzip: recurse into misnamed nested archives (2cc5423)
  • streaming: avoid materializing file iterators (7a9ae37)
  • tflite: stop after excessive subgraph counts (64b08fa)
  • whitelist: preserve explicit HF download provenance (#766) (7e187cb)

Documentation

  • agents: tighten validation and routing guidance (335b656)
  • normalize unreleased changelog section (#741) (5e66490)

0.2.28 (2026-03-20)

Features

  • add rule codes to all security checks (#255) (330e7df)
  • keras: detect StringLookup external vocabulary paths (#727) (20e9852)
  • security: detect Keras HDF5 external weight references (#729) (6db8e27)

Bug Fixes

  • accept valid ExecuTorch FlatBuffers binaries (93caa97)
  • add torch and numpy helper primitive coverage (#706) (b0a6a11)
  • block dill recursive loader globals (#695) (0d88a4b)
  • block legacy httplib pickle aliases (#703) (24b789a)
  • bound advanced pickle global extraction (#700) (d9fe283)
  • bound skops zip entry reads and enforce uncompressed size limit (#702) (a91577d)
  • bound XZ decompression memory in r_serialized scanner (26d5b44)
  • bound zlib wrapper decompression output (#681) (8bb9cc2)
  • ci: reorder provenance job steps to prevent SBOM generation failure (#646) (d4ab381)
  • deps: move optional onnx extra to 1.21.0rc3 for CVE-2026-28500 mitigation (#726) (01b5f4f)
  • deps: update dependency numpy to >=2.4.3,<2.5 (#669) (9d81218)
  • detect pickle proto structural tampering (#697) (0a8a737)
  • detect risky import-only pickle ML surfaces (#696) (a272307)
  • enforce decompression limits for compressed tar wrappers (841cc5e)
  • expand dangerous pickle primitive coverage (#705) (40e45ac)
  • fail closed on malformed STACK_GLOBAL operands (#704) (9a1b9a1)
  • handle Windows backslashes in XGBoost subprocess loader (#656) (ba30b81)
  • harden archive path sanitization (#666) (9d77d50)
  • harden cloud download async/cache safety and cleanup (#655) (e14ea61)
  • harden import-only pickle global detection (#691) (d27d90d)
  • harden keras custom object detection (#694) (7651298)
  • harden rule config parsing and debug path privacy (#648) (a073187)
  • harden shared config writes and archive path sanitization (#660) (60de400)
  • harden xgboost subprocess import isolation (#701) (2df2d78)
  • include streamed artifacts in SBOM output for --stream scans (#672) (48d8d54)
  • keras attack-vector fixes for coverage gaps in h5 and keras zip scanning (#689) (863c884)
  • keras: derive safe layer inventory from exports (#718) (9b8d143)
  • mark flaky timing test as performance to skip in CI (#670) (9c47f7e)
  • numpy: downgrade benign object-dtype CVE attribution to info (#723) (b7cc190)
  • preserve duplicate paths with spaces (#690) (ea7c6d9)
  • preserve Hugging Face artifacts in SBOM output (#673) (49c7eca)
  • preserve rule codes through scan aggregation (#650) (d71a219)
  • prevent jfrog folder download path traversal (#679) (6f226a4)
  • prevent unbounded tensor proto allocations in TF weight extraction (#685) (ae2b01c)
  • recurse into NumPy object pickle payloads (9893c0c)
  • reduce Keras ZIP custom-object false positives (#716) (165b238)
  • refresh telemetry client state (#658) (7b6ea2f)
  • reject absolute OCI layer references (#659) (722131a)
  • remove pickle hasattr allowlist entries (#692) (4d64cc8)
  • resolve bare torchserve handler modules (#664) (3ae3535)
  • restore raw telemetry fields and harden model_name extraction (#649) (275f087)
  • restrict trusted jfrog hosts for auth (#661) (d959a0d)
  • route compound tar wrappers to tar scanner (#707) (79c0772)
  • route oci layer members via extracted paths (#663) (1395af0)
  • scan TensorFlow SavedModel function definitions for dangerous ops (#677) (31f4715)
  • security: avoid torch import-hijack in PyTorch ZIP CVE checks (#728) (badd611)
  • security: bound pickle metadata reads in metadata extraction (f1d0698)
  • security: detect nested kwargs URLs in CVE-2025-8747 check (#682) (9431fae)
  • security: reduce benign pickle scanner noise (#724) (237db31)
  • security: require explicit trust for local scan config (#714) (25c6936)
  • security: restore ZIP fallback scanning for invalid .mar archives (#711) (55de730)
  • security: use conservative PyTorch version selection for CVE checks (#684) (ef5c5e6)
  • stop double-scanning PyTorch ZIP archives (e4d36d4)
  • stop importing dotenv in jfrog helper (#662) (d20fda3)
  • stop suppressing mixed-case pickle modules (18cdd31)
  • stream tar member extraction during scan (#665) (3de3048)
  • telemetry: preserve model refs while stripping secrets (#717) (d19d6fd)
  • tighten dill MemoryError downgrade gating (5eefa15)
  • tighten llamafile runtime allowlist matching (#683) (8592a80)
  • use major GitHub Action refs (#680) (7965314)

0.2.27 (2026-03-05)

Features

  • add CatBoost .cbm scanner support (#627) (9138066)
  • add CNTK scanner support (#629) (74a60b9)
  • add CoreML .mlmodel scanner support (#635) (4e24291)
  • add llamafile executable scanner support (#634) (8d2c37d)
  • add Model Metadata Extractor feature (#383) (ff66f33)
  • add native LightGBM scanner support (#633) (d3aca64)
  • add R serialized scanner support (#628) (e27667c)
  • add RKNN scanner support (#631) (f1bbfb7)
  • add standalone compressed wrapper scanner (#630) (c5f0dba)
  • add TensorFlow MetaGraph scanner support (#637) (7c3c25d)
  • add Torch7 scanner support (#632) (2e6f2c4)
  • security: add CVE-2019-6446 attribution for NumPy object dtype RCE (#610) (5d707b5)
  • security: add CVE-2022-25882 attribution to ONNX external_data path traversal (#606) (4d69e83)
  • security: add CVE-2024-3660 Lambda code injection attribution (#604) (60ca40f)
  • security: add NeMo scanner for CVE-2025-23304 Hydra target injection (#609) (6d2dee3)
  • security: detect 3 PyTorch CVEs (JIT eval, RPC injection, RemoteModule RCE) (#611) (98f2af6)
  • security: detect 4 PyTorch CVEs via static scanning (#595) (024f583)
  • security: detect CVE-2024-27318 ONNX nested path traversal bypass (#607) (fe8837c)
  • security: detect CVE-2025-10155 pickle protocol 0/1 bypass via .bin extension (#605) (88a5901)
  • security: detect CVE-2025-1550 Keras safe_mode bypass (#599) (432c383)
  • security: detect CVE-2025-1716 pickle bypass via pip.main() (#598) (2f2ae20)
  • security: detect CVE-2025-49655 TorchModuleWrapper RCE (#600) (0c12d2d)
  • security: detect CVE-2025-51480 ONNX save_external_data file overwrite (#608) (fe04271)
  • security: detect CVE-2025-8747 get_file gadget bypass (#602) (16308d0)
  • security: detect CVE-2025-9905 H5 safe_mode bypass (#603) (1676693)
  • security: detect CVE-2025-9906 Keras enable_unsafe_deserialization config bypass (#601) (b493806)

Bug Fixes

  • block joblib.load pickle trampoline (#626) (966c223)
  • ci: resolve 4 release pipeline failures (#572) (7e2e7ed)
  • ci: resolve Ruff failures on main (#621) (bd186f0)
  • cli: surface operational scan error status in text output (#578) (ddbbec6)
  • close pickle EXT opcode bypass (#623) (ffb5ec1)
  • deps: promote msgpack to core dependency for Flax scanner (#583) (ebba6b2)
  • detect proto0/1 pickles inside zip entries (#624) (2bce49d)
  • downgrade non-traversal ONNX external data refs to WARNING (#642) (44eb3ab)
  • eliminate false positive in skops Unsafe Joblib Fallback Detection (#584) (c1dd2a6)
  • handle MemoryError gracefully for joblib/sklearn pickle files (#645) (f8599fe)
  • pickle-scanner: three targeted false-positive reductions (#591) (7a5567e)
  • preserve opcode analysis on malformed pickle tails (#625) (4fe4dee)
  • prevent false positives in TF SavedModel scanner (#588) (89282e2)
  • report actual file size in scan summary when scanner exits early (#587) (7d066fb)
  • resolve false positive for .keras ZIP files (Keras 3.x) (#582) (f575769)
  • resolve ONNX weight extraction failure (#589) (3f54602)
  • security: close scanner RCE bypasses and add regressions (#518) (e736ebb)
  • security: harden pickle scanner blocklist and multi-stream analysis (#581) (f0c7246)
  • stabilize nightly performance CI and optimize pickle opcode analysis (#619) (e5dcec5)
  • suppress false positives in PaddlePaddle scanner (#586) (ec7fc48)
  • tests: prevent multiple_stream_attack fixture rewrites (#580) (0eb47c9)
  • tests: resolve 3 nightly CI failures across Linux and Windows (#576) (dd115d1)
  • tests: resolve nightly CI failures on Linux and Windows (#597) (7f88c52)
  • tflite: recognize .tflite format without tflite package installed (#585) (8276184)
  • tighten metadata URL hostname matching (#617) (c2af8c1)

Documentation

  • add CVE detection checklist from 13 CVE implementation learnings (#612) (7ea1869)
  • audit and refresh README, user docs, and maintainer guides (#643) (015acdc)
  • rewrite SECURITY.md with comprehensive vulnerability policy (#594) (968a2c2)
  • update scanner architecture example (#579) (20de35d)

0.2.26 (2026-02-24)

Bug Fixes

  • ci: pin protoc version for vendored proto reproducibility (#548) (03e9d35)
  • cli: add --cache-dir and simplify defaults wording (#550) (b8701dd)
  • cli: fail fast when glob patterns match nothing (#519) (404104b)
  • deps: update dependency xgboost to >=3.2,<3.3 (#507) (4489e97)
  • enforce consistent scanner patterns across all scanners (#564) (dd6b8d2)
  • improve test suite reliability and safety (#565) (4bd04a7)
  • remove security anti-patterns from scanning infrastructure (#562) (d02cd0b)
  • security: close critical scanner and CI gating gaps (#553) (807a8aa)
  • security: resolve CodeQL alerts for workflow permissions and sensitive logging (#570) (d2dfc79)
  • security: resolve remaining audit findings (#4-#8) (#556) (7430436)
  • security: use URL hostname parsing instead of substring matching (#571) (b4d3696)
  • test: relax benchmark timing assertions for Windows CI (#569) (b06faac)

Documentation

  • clarify README exit codes (#568) (e57a0de)
  • fix accuracy issues across AGENTS.md, README, and CONTRIBUTING (#566) (880e7a4)
  • open-source: add user trust docs batch (#534) (dd5e676)
  • readme: add cache management flag (#521) (33d74bd)
  • ship next-phase open-source readiness docs (#532) (c88035d)
  • trim README to essentials, fix inaccuracies (#517) (59c056c)

0.2.25 - 2026-02-12

Features

  • add binary patterns for native code loading (#499) (ef638f1)
  • add comprehensive Windows compatibility support (#474) (d62574e)
  • add detection for dangerous TensorFlow operations (#494) (6c4c0c9)
  • add detection for memo-based and extension registry pickle opcodes (#493) (72509f7)
  • add getattr-based evasion detection patterns (#500) (87ba295)
  • add Git LFS pointer detection (#488) (6413ae3)
  • add Keras subclassed model detection (#503) (d9e5663)
  • add lambda variadic argument validation (#501) (52a6622)
  • add PyTorch ZIP archive security controls (#502) (09ab087)
  • eliminate TensorFlow dependency with vendored protobuf stubs (#485) (56cec5e)
  • expand SUSPICIOUS_GLOBALS with process and memory modules (#495) (8637d2b)

Bug Fixes

  • add content-based CVE detection to SkopsScanner (#498) (89895cb)
  • add logging to critical exception handlers in pickle scanner (#492) (b6b06cb)
  • add logging to silent exception handlers in secrets detector (#491) (b59f8a4)
  • add security keywords to QueueEnqueueV2 TF op explanation (#511) (1d93483)
  • ci: ensure numpy compatibility job runs (#478) (7266160)
  • deps: bump pillow 12.1.0→12.1.1 and cryptography 46.0.4→46.0.5 (#513) (5b18d49)
  • deps: update dependency fickling to v0.1.7 [security] (#479) (292eb23)
  • improve Python version requirement UX (#508) (a44d8bb)
  • reduce false positive scan warnings for HuggingFace models (#514) (b545c11)
  • reduce pickle scanner false positives for BERT and standalone REDUCE opcodes (#510) (94c22d6)
  • remove duplicate whitelist downgrading in add_check() (#490) (a8c52bc)
  • remove variable shadowing for skip_file_types parameter (#489) (bcf99ea)
  • use deterministic data patterns in anomaly detector tests (#477) (df11759)

0.2.24 - 2025-12-23

Bug Fixes

  • deps: update dependency contourpy to <1.3.4 (#463) (16fb916)
  • deps: update dependency fickling to v0.1.6 [security] (#462) (9413ddc)
  • deps: update dependency xgboost to v3 (#469) (97adbbc)
  • resolve release-please CHANGELOG formatting race condition (#457) (4347b83)

0.2.23 - 2025-12-12

Documentation

  • consolidate agent guidance (#453) (a01ceff)
  • restructure AGENTS.md and CLAUDE.md following 2025 best practices (#451) (e87de51)

0.2.22 - 2025-12-10

Added

  • feat: add modelaudit debug command for troubleshooting - outputs comprehensive diagnostic information including version, platform, environment variables, authentication status, scanner availability, NumPy compatibility, cache status, and configuration in JSON or pretty-printed format; useful for bug reports and support interactions

0.2.21 - 2025-12-09

Fixed

  • fix: resolve UnicodeDecodeError when scanning PyTorch .pkl files saved with default ZIP serialization - torch.save() uses ZIP format by default since PyTorch 1.6 (_use_new_zipfile_serialization=True), but ModelAudit was incorrectly routing these files to PickleScanner which failed to parse the ZIP header. Now correctly routes ZIP-format .pkl files to PyTorchZipScanner.

0.2.20 - 2025-12-01

Added

  • feat: detect cloud storage URLs in model configs (AWS S3, GCS, Azure Blob, HuggingFace Hub) - identifies external resource references that could indicate supply chain risks or data exfiltration vectors
  • feat: add URL allowlist security scanning to manifest scanner - uses 164 trusted domains to flag untrusted URLs in model configs as potential supply chain risks
  • feat: detect weak hash algorithms (MD5, SHA1) in model config files - scans manifest files for hash/checksum fields using cryptographically broken algorithms and reports WARNING with CWE-328 reference; SHA256/SHA512 usage is confirmed as strong
  • feat: add comprehensive analytics system with Promptfoo integration - opt-out telemetry for usage insights, respects PROMPTFOO_DISABLE_TELEMETRY and NO_ANALYTICS environment variables
  • feat: auto-enable progress display when output goes to file - shows spinner/progress when stdout is redirected to a file

Fixed

  • fix: resolve false positives in pickle and TFLite scanners - improved detection accuracy
  • fix: clean up tests for CI reliability - removed flaky tests and improved test isolation

0.2.19 - 2025-11-24

Fixed

  • fix: resolve Jinja2 SSTI false positives from bracket notation - refined obfuscation pattern to only match dunder attributes (["__class__"]) instead of legitimate dict access (["role"]), and fixed regex bug where |format\( matched any pipe character
  • fix: remove overly broad secret detection pattern - replaced generic [A-Za-z0-9]{20,} pattern with specific well-known token formats (GitHub, OpenAI, AWS, Slack) to eliminate false positives on URLs and model IDs
  • fix: resolve msgpack file type validation false positive - unified format name inconsistency where functions returned different values ("msgpack" vs "flax_msgpack"), causing validation failures on legitimate MessagePack files
  • fix: add HuggingFace training utilities to pickle safe globals - added safe Transformers, Accelerate, and TRL classes (HubStrategy, SchedulerType, DistributedType, DeepSpeedPlugin, DPOConfig, etc.) to reduce false positives on training checkpoints

0.2.18 - 2025-11-20

Fixed

  • fix: exclude INFO/DEBUG checks from success rate calculation - success rate now only includes security-relevant checks (WARNING/CRITICAL), with informational checks (INFO/DEBUG) shown separately in "Failed Checks (non-critical)" section
  • fix: missing whitelist logic in validation checks - whitelist downgrading now correctly applies to validation result instantiations
  • fix: resolve PyTorch ZIP scanner hang on large models - improved memory-mapped file handling and timeout configuration
  • fix: additional severity downgrades - further reduced false positives across multiple scanners

Changed

  • chore: standardize on add_check() API - internal code now uses the modern add_check() method for structured check reporting with explicit pass/fail status

0.2.17 - 2025-11-19

Fixed

  • fix: eliminate false positive WARNINGs on sklearn/joblib models (removed overly broad pattern matching)
    • Removed b"sklearn", b"NumpyArrayWrapper", and b"numpy_pickle" from binary pattern detection
    • These patterns flagged ALL legitimate sklearn/joblib models (100% false positive rate)
    • Regex CVE patterns still detect actual exploits requiring dangerous combinations
    • Reduces false positive WARNING rate by 77% (10 out of 13 WARNINGs eliminated)
  • fix: NEWOBJ/OBJ/INST opcodes now recognize safe ML classes (eliminates sklearn model false positives)
    • Applied same safety logic as REDUCE opcode: check if class is in ML_SAFE_GLOBALS allowlist
    • sklearn models like LogisticRegression now correctly identified as INFO instead of WARNING
    • Added support for nested sklearn modules (e.g., sklearn.linear_model._logistic)
    • Added joblib.numpy_pickle.NumpyArrayWrapper and dtype.dtype to safe class list
  • fix: handle joblib protocol mismatches gracefully (protocol 4 files using protocol 5 opcodes)
    • joblib files may declare protocol 4 but use protocol 5 opcodes like READONLY_BUFFER (0x0f)
    • Scanner now parses as much as possible before unknown opcodes, logs INFO instead of failing
    • Eliminates false positive "Invalid pickle format - unrecognized opcode" WARNING on joblib files
  • fix: accept ZIP magic bytes for .npz files (NumPy compressed format is ZIP by design)
    • .npz files ARE ZIP archives containing multiple .npy files (numpy.savez format)
    • Now accepts both "zip" and "numpy" header formats for .npz extension
    • Fixed case-sensitivity bug: MODEL.NPZ, model.Npz now handled correctly
  • fix: handle XML namespaces in PMML root element validation
    • PMML 4.x files with namespaces like {http://www.dmg.org/PMML-4_4}PMML now recognized
    • Strips namespace prefix before comparing tag name
  • fix: add validation to prevent TFLite scanner crashes on malformed files
    • Pre-validates magic bytes ("TFL3") before parsing
    • Prevents buffer overflow crashes: "unpack_from requires a buffer of at least X bytes"
    • Added security rationale ("why" field) to magic bytes check

0.2.16 - 2025-11-04

Added

  • feat: content hash generation for regular scan mode - all scans (not just streaming) now generate content_hash field for model deduplication and verification

Changed

  • refactor: rename --scan-and-delete flag to --stream for clarity - streaming mode is now invoked with the more intuitive --stream flag

0.2.15 - 2025-10-31

Added

  • feat: universal streaming scan-and-delete mode for all sources to minimize disk usage
    • New --scan-and-delete CLI flag works with ALL sources (not just HuggingFace):
      • HuggingFace models (hf:// or https://huggingface.co/)
      • Cloud storage (S3, GCS: s3://, gs://)
      • PyTorch Hub (https://pytorch.org/hub/)
      • Local directories
    • Files are downloaded/scanned one-by-one, then deleted immediately
    • Computes SHA256 hash for each file and aggregate content hash for deduplication
    • Adds content_hash field to scan results for identifying identical models
    • Ideal for CI/CD or constrained disk environments where downloading entire models (100GB+) isn't feasible

Changed

  • chore: move cloud storage dependencies (fsspec, s3fs, gcsfs) to default install - S3, GCS, and cloud storage now work without [cloud] extra

Fixed

  • fix: centralize MODEL_EXTENSIONS to ensure all scannable formats are downloaded from HuggingFace
    • Created single source of truth for model extensions (62+ formats including GGUF)
    • Previously: GGUF files relied on fallback download (inefficient, downloads all files)
    • Now: GGUF, JAX, Flax, NumPy and other formats are properly detected and selectively downloaded
    • Dynamically extracts extensions from scanner registry to stay in sync
  • fix: restore fallback behavior in streaming downloads to maintain parity with non-streaming mode

0.2.14 - 2025-10-23

Fixed

  • fix: eliminate false positives across URL detection, CVE checks, GGUF parsing, and secret detection (#412)
  • fix: improve shebang detection, fix fsspec usage, and resolve UnboundLocalError (#411)

0.2.13 - 2025-10-23

Added

  • feat: huggingface model whitelist (#409)

Fixed

  • fix: eliminate CVE-2025-32434 false positives for legitimate PyTorch models (#408)

0.2.12 - 2025-10-22

Fixed

  • fix: remove non-security format validation checks across scanners (#406)
  • fix: eliminate false positives in stack depth, GGUF limits, and builtins detection (#405)

0.2.11 - 2025-10-22

Fixed

  • fix: INFO and DEBUG severity checks no longer count as failures in success rate calculations

0.2.10 - 2025-10-22

Fixed

  • fix: eliminate false positive REDUCE warnings for safe ML framework operations (#398)
  • fix: eliminate ONNX custom domain and PyTorch pickle false positives (#400)
  • fix: eliminate false positive JIT/Script warnings on ONNX files (#399)

0.2.9 - 2025-10-21

Added

  • feat: add context-aware severity for PyTorch pickle models (#395)
    • Implement SafeTensors detection utility to identify safer format alternatives
    • Add import analysis to distinguish legitimate vs malicious pickle imports
    • Consolidate opcode warnings into single check with evidence counts
    • Add import_reference field to pickle scanner GLOBAL checks for analysis
    • Provide actionable recommendations (use SafeTensors format)

Changed

  • feat: rewrite PyTorch pickle severity logic with context-awareness (#395)
    • CRITICAL: malicious imports detected (os.system, subprocess, eval)
    • WARNING: legitimate imports + SafeTensors alternative available
    • INFO: legitimate imports + no SafeTensors alternative
    • Reduces false positives while maintaining security detection accuracy
    • Example: sentence-transformers/all-MiniLM-L6-v2 now shows WARNING (was CRITICAL)

0.2.8 - 2025-10-21

Added

  • feat: add skops scanner for CVE-2025-54412/54413/54886 detection (#392)
    • Implement dedicated skops scanner for .skops model files
    • Detect CVE-2025-54412 (OperatorFuncNode RCE vulnerability)
    • Detect CVE-2025-54413 (MethodNode dangerous attribute access)
    • Detect CVE-2025-54886 (Card.get_model silent joblib fallback)
    • Add ZIP format validation and archive bomb detection

Changed

  • refactor: remove non-security checks prone to false positives (#391)
    • Remove blacklist checks from manifest scanner
    • Remove model name policy checks from manifest scanner
    • Streamline XGBoost scanner by removing non-security validation checks
    • Reduce false positives in metadata scanner

Fixed

  • fix: resolve XGBoost UBJ crash and network scanner false positives (#392)
    • Fix UBJ format JSON serialization crash by sanitizing bytes objects to hex strings
    • Eliminate network scanner false positives for pickle/joblib ML models by adding ML context awareness
    • Add comprehensive XGBoost testing documentation with 25-model test corpus

0.2.7 - 2025-10-20

Fixed

  • fix: improve XGBoost scanner severity levels and reduce false positives (#389)
    • Handle string-encoded numeric values in XGBoost JSON models
    • Add deterministic JSON validation to prevent claiming non-XGBoost files
    • Implement tiered file size thresholds (INFO → WARNING) for large models
    • Downgrade metadata scanner generic secret patterns from WARNING to INFO
    • Reduce false positives for BibTeX citations and code examples in README files
  • fix: prevent ML confidence bypass and hash collision security exploits (#388)
    • Enable --verbose flag and accurate HuggingFace file sizes
    • Remove CoreML scanner and coremltools dependency
  • fix: enable advanced TorchScript vulnerability detection (#384)
    • Enable comprehensive detection for serialization injection, module manipulation, and bytecode injection patterns

Changed

  • refactor: reorganize codebase into logical module structure (#387)
    • Create detectors/ module for security detection logic
    • Improve maintainability and reduce import complexity
  • chore(deps): bump tj-actions/changed-files from v46 to v47 (#386)

0.2.6 - 2025-09-10

Added

  • feat: add comprehensive JFrog folder scanning support (#380)
  • feat: add comprehensive XGBoost model scanner with security analysis (#378)
  • feat: consolidate duplicate caching logic into unified decorator (#347)
  • test: improve test architecture with dependency mocking (#374)

Fixed

  • fix: exclude Python 3.13 from NumPy 1.x compatibility tests (#375)

0.2.5 - 2025-09-05

Added

  • feat: upgrade to CycloneDX v1.6 (ECMA-424) with enhanced ML-BOM support (#364)
  • feat: add 7-Zip archive scanning support (#344)
  • feat: re-enable check consolidation system (#353)
  • feat: integrate ty type checker and enhance type safety (#372)

Changed

  • BREAKING: drop Python 3.9 support, require Python 3.10+ minimum
  • feat: add Python 3.13 support
  • feat: consolidate CLI from 25 to 12 flags using smart detection (#359)
  • feat: enhance pickle static analysis with ML context awareness (#358)
  • feat: enhance check consolidation system with PII sanitization and performance improvements (#356)
  • docs: update AGENTS.md with exact CI compliance instructions (#357)
  • docs: rewrite README with professional technical content (#370)
  • feat: improve logging standards and consistency (#355)
  • chore(deps): bump the github-actions group with 2 updates (#362)
  • chore: update dependencies and modernize type annotations (#360)
  • chore: remove unnecessary files from root directory (#369)

Fixed

  • fix: handle GGUF tensor dictionaries in SBOM asset creation (#363)
  • fix: correct release dates in CHANGELOG.md (#354)
  • fix: resolve SBOM generation FileNotFoundError with URLs (#373)

0.2.4 - 2025-08-28

Added

  • feat: improve CVE-2025-32434 detection with density-based analysis (#351)
  • feat: implement graceful degradation and enhanced error handling (#343)
  • feat: improve PyTorch ZIP scanner maintainability by splitting scan() into smaller functions (#346)
  • feat: add SARIF output format support for integration with security tools and CI/CD pipelines (#349)
  • feat: optimize cache performance by reducing file system calls (#338)
  • feat: comprehensive task list update and critical CLI usability audit (#340)
  • feat: add cache management CLI commands mirroring promptfoo's pattern (#331)
  • feat: add comprehensive metadata security scanner and enhanced HuggingFace support (#335)
  • feat: add comprehensive CVE detection for pickle/joblib vulnerabilities (#326)
  • feat: add Jinja2 template injection scanner (#323)
  • feat: comprehensive deep Pydantic integration with advanced type safety (#322)
  • feat: optimize CI for faster feedback (#320)
  • feat: skip SafeTensors in WeightDistributionScanner for performance (#317)
  • feat: add Pydantic models for JSON export with type safety (#315)
  • feat: add support for multi-part archive suffixes (#307)
  • docs: add comprehensive CI optimization guide (#319)
  • docs: add Non-Interactive Commands guidance to AGENTS.md (#318)
  • docs: add comprehensive publishing instructions (#302)
  • test: speed up tests and CI runtime (#316)
  • test: cover Windows path extraction scenarios (#313)
  • feat: detect dangerous TensorFlow operations (#329)
  • feat: enhance pickle scanner with STACK_GLOBAL and memo tracking (#330)
  • feat: detect Windows and Unix OS module aliases to prevent system command execution via nt and posix

Changed

  • chore: organize root directory structure (#341)
  • chore: make ctrl+c immediately terminate if pressed twice (#314)

Fixed

  • fix: aggregate security checks per file instead of per chunk (#352)
  • fix: eliminate circular import between base.py and core.py (#342)
  • fix: default bytes_scanned in streaming operations (#312)
  • fix: validate directory file list before filtering (#311)
  • fix: tighten ONNX preview signature validation (#310)
  • fix: recurse cloud object size calculations (#309)
  • fix: handle missing author in HuggingFace model info (#308)
  • fix: handle PyTorch Hub URLs with multi-part extensions (#306)
  • fix: avoid duplicated sharded file paths (#305)
  • fix: handle None values in Keras H5 scanner to prevent TypeError (#303)

0.2.3 - 2025-08-21

Added

  • feat: increase default max_entry_size from 10GB to 100GB for large language models (#298)
  • feat: add support for 1TB+ model scanning (#293)
  • docs: improve models.md formatting and organization (#297)

Fixed

  • fix: improve cache file skip reporting to not count as failed checks (#300)
  • fix: eliminate ZIP entry read failures with robust null checking and streaming (#299)

0.2.2 - 2025-08-21

Added

  • feat: increase default scan timeout to 1 hour (#292)
  • feat: improve CLI output user experience with verbose summary (#290)
  • feat: add promptfoo authentication delegation system (#287)
  • feat: expand malicious model test corpus with 42+ new models (#286)
  • feat: streamline file format detection I/O (#285)
  • feat: add comprehensive progress tracking for large model scans (#281)
  • feat: raise large model thresholds to 10GB (#280)
  • feat: enable scanner-driven streaming analysis (#278)
  • feat: safely parse PyTorch ZIP weights (#268)
  • feat: add comprehensive authentication system with semgrep-inspired UX (#50)
  • docs: document security features and CLI options in README (#279)

Changed

  • perf: cache port regex patterns for network detector (#269)
  • refactor: reduce file handle usage in format detection (#283)

Fixed

  • fix: eliminate SafeTensors recursion errors with high default recursion limit (#295)
  • fix: add interrupt handling to ONNX scanner for graceful shutdown (#294)
  • fix: eliminate duplicate checks through content deduplication (#289)
  • fix: implement ML-context-aware stack depth limits to eliminate false positives (#284)
  • fix: optimize directory detection (#282)
  • fix: include license files in metadata scan (#277)
  • fix: validate cloud metadata before download (#276)
  • fix: handle async event loop in cloud download (#273)
  • fix: add pdiparams extension to cloud storage filter (#272)
  • fix: streamline magic byte detection (#271)
  • fix: close cloud storage filesystems (#267)
  • fix: flag critical scan errors (#266)
  • fix: finalize early scan file exits (#265)
  • fix: isolate network detector custom patterns (#264)
  • fix: warn when JFrog auth missing (#263)
  • fix: refine dangerous pattern detection check (#262)
  • fix: handle deeply nested SafeTensors headers (#244)
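The two SafeTensors entries above (#295, #244) concern headers nested deeply enough to exhaust the JSON parser's recursion budget. The following is an added example of the bounded header check a scanner can apply before parsing; it is not the project's own SafeTensors scanner. It assumes the documented layout (an 8-byte little-endian header length, then a JSON object mapping tensor names to dtype, shape and data_offsets, plus an optional string-to-string __metadata__ map). MAX_HEADER_BYTES, MAX_JSON_DEPTH and the sample files are constructed for illustration.

```python
"""Bounded SafeTensors header check: length-prefixed JSON, depth-capped before parsing, offsets validated."""
import json
import math
import struct
from typing import Optional

MAX_HEADER_BYTES = 100 * 1024 * 1024   # assumption: illustrative cap on the JSON header
MAX_JSON_DEPTH = 64                    # a well-formed header nests three levels (root, tensor, shape/offsets)
DTYPE_SIZES = {"F64": 8, "I64": 8, "U64": 8, "F32": 4, "I32": 4, "U32": 4,
               "F16": 2, "BF16": 2, "I16": 2, "U16": 2,
               "F8_E4M3": 1, "F8_E5M2": 1, "I8": 1, "U8": 1, "BOOL": 1}


def json_nesting_depth(buf: bytes, limit: int) -> int:
    """Deepest bracket nesting in JSON bytes; stops early once `limit` is exceeded.
    Brackets inside string literals are skipped. Linear time, no recursion."""
    depth = deepest = 0
    in_string = escaped = False
    for b in buf:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:                # backslash starts an escape
                escaped = True
            elif b == 0x22:                # closing quote
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x7B, 0x5B):            # { or [
            depth += 1
            if depth > deepest:
                deepest = depth
                if deepest > limit:
                    return deepest
        elif b in (0x7D, 0x5D):            # } or ]
            depth -= 1
    return deepest


def check_safetensors(blob: bytes) -> "tuple[Optional[dict], list[str]]":
    """Return (header, issues); header is None when the file is rejected before parsing."""
    if len(blob) < 8:
        return None, ["truncated: missing 8-byte header length"]
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES:
        return None, [f"header length {n} exceeds the {MAX_HEADER_BYTES}-byte cap"]
    if 8 + n > len(blob):
        return None, [f"header length {n} runs past the end of the file"]
    raw = blob[8:8 + n]
    if json_nesting_depth(raw, MAX_JSON_DEPTH) > MAX_JSON_DEPTH:
        return None, [f"header JSON nested deeper than {MAX_JSON_DEPTH} levels: refusing to parse"]
    try:
        header = json.loads(raw)
    except ValueError as exc:
        return None, [f"header is not valid JSON: {exc}"]
    if not isinstance(header, dict):
        return None, ["header root is not a JSON object"]

    issues, spans = [], []
    data_len = len(blob) - 8 - n
    for name, entry in header.items():
        if name == "__metadata__":
            if not (isinstance(entry, dict) and all(isinstance(k, str) and isinstance(v, str) for k, v in entry.items())):
                issues.append("__metadata__ must be a flat string-to-string map")
            continue
        if not isinstance(entry, dict) or set(entry) != {"dtype", "shape", "data_offsets"}:
            issues.append(f"{name}: tensor entry must have exactly dtype, shape and data_offsets")
            continue
        width = DTYPE_SIZES.get(entry["dtype"])
        shape, offs = entry["shape"], entry["data_offsets"]
        if width is None:
            issues.append(f"{name}: unknown dtype {entry['dtype']!r}")
            continue
        if not (isinstance(shape, list) and all(isinstance(d, int) and d >= 0 for d in shape)):
            issues.append(f"{name}: shape must be a list of non-negative integers")
            continue
        if not (isinstance(offs, list) and len(offs) == 2 and all(isinstance(o, int) for o in offs)):
            issues.append(f"{name}: data_offsets must be [begin, end]")
            continue
        begin, end = offs
        if not 0 <= begin <= end <= data_len:
            issues.append(f"{name}: data_offsets {offs} fall outside the {data_len}-byte data section")
            continue
        expected = math.prod(shape) * width
        if end - begin != expected:
            issues.append(f"{name}: offsets span {end - begin} bytes but shape*dtype is {expected}")
        spans.append((begin, end, name))

    # Tensors must tile the data section exactly: no gaps, overlaps or trailing bytes.
    cursor = 0
    for begin, end, name in sorted(spans):
        if begin != cursor:
            issues.append(f"{name}: data begins at {begin}, expected {cursor} (gap or overlap)")
        cursor = max(cursor, end)
    if cursor != data_len:
        issues.append(f"{data_len - cursor} trailing bytes after the last tensor")
    return header, issues


def build_safetensors(tensors: dict, metadata: Optional[dict] = None) -> bytes:
    """Constructed sample writer: tensors maps name -> (dtype, shape, raw bytes)."""
    header, body, off = {}, bytearray(), 0
    if metadata is not None:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [off, off + len(raw)]}
        body += raw
        off += len(raw)
    hj = json.dumps(header).encode()
    hj += b" " * (-len(hj) % 8)            # pad header to an 8-byte boundary
    return struct.pack("<Q", len(hj)) + hj + bytes(body)


# Constructed samples: a valid file, a shape that does not match its byte span,
# bytes appended after the last tensor, offsets past the data section, and a 20000-deep header.
SAMPLE_OK = build_safetensors({"w": ("F32", [2, 2], b"\x00" * 16), "b": ("F16", [2], b"\x00" * 4)}, {"format": "pt"})
SAMPLE_SHAPE_MISMATCH = build_safetensors({"w": ("F32", [1024, 1024], b"\x00" * 16)})
SAMPLE_TRAILING = SAMPLE_OK + b"\x90" * 100
_h = json.dumps({"w": {"dtype": "U8", "shape": [64], "data_offsets": [0, 64]}}).encode()
SAMPLE_OOB = struct.pack("<Q", len(_h)) + _h + b"\x00" * 8
SAMPLE_NESTED = struct.pack("<Q", 40000) + b"[" * 20000 + b"]" * 20000

if __name__ == "__main__":
    for label in ("SAMPLE_OK", "SAMPLE_SHAPE_MISMATCH", "SAMPLE_TRAILING", "SAMPLE_OOB", "SAMPLE_NESTED"):
        print(label, check_safetensors(globals()[label])[1])
```

The depth pass runs before json.loads, so a hostile header is rejected with a finding instead of a RecursionError, and the process never needs a raised interpreter recursion limit to survive it. Trailing bytes and offset gaps are reported too, since space the tensors do not account for is where an appended payload would sit.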

Removed

  • chore: remove outdated markdown documentation files (#296)

0.2.1 - 2025-08-15

Added

  • feat: enhance timeout configuration for progressive scanning (#252)
  • feat: add Keras ZIP scanner for new .keras format (#251)
  • feat: add enhanced TensorFlow SavedModel scanner for Lambda layer detection (#250)
  • feat: add compile() and eval() variants detection (#249)
  • feat: improve os/subprocess detection for command execution patterns (#247)
  • feat: add runpy module detection as critical security risk (#246)
  • feat: add importlib and runpy module detection as CRITICAL security issues (#245)
  • feat: add webbrowser module detection as CRITICAL security issue (#243)
  • feat: add record path and size validation checks (#242)
  • feat: enhance detection of dangerous builtin operators (#241)
  • feat: add network communication detection (#238)
  • feat: add JIT/Script code execution detection (#237)
  • feat: add embedded secrets detection (#236)
  • feat: add comprehensive security check tracking and reporting (#235)
  • feat: add JFrog integration helper (#230)
  • feat: add PyTorch Hub URL scanning (#228)
  • feat: add tar archive scanning (#227)
  • feat: add SPDX license checks (#223)
  • feat: add RAIL and BigScience license patterns (#221)
  • feat: expand DVC targets during directory scan (#215)
  • feat: adjust SBOM risk scoring (#212)
  • feat: add py_compile validation to reduce false positives (#206)
  • feat: add disk space checking before model downloads (#201)
  • feat: add interrupt handling for graceful scan termination (#196)
  • feat: add CI-friendly output mode with automatic TTY detection (#195)

Changed

  • perf: use bytearray for chunked file reads (#217)
  • chore: improve code professionalism and remove casual language (#258)
  • refactor: remove unreachable branches (#222)
  • refactor: remove type ignore comments (#211)

Fixed

  • fix: improve detection of evasive malicious models and optimize large file handling (#256)
  • fix: eliminate false positives and false negatives in model scanning (#253)
  • fix: improve PyTorch ZIP scanner detection for .bin files (#248)
  • fix: add dangerous pattern detection to embedded pickles in PyTorch models (#240)
  • fix: reduce false positives in multiple scanners (#229)
  • fix: cast sbom output string (#220)
  • fix: stream zip entries to temp file (#218)
  • fix: handle broken symlinks safely (#214)
  • fix: enforce UTF-8 file writes (#213)
  • fix: update PyTorch minimum version to address CVE-2025-32434 (#205)
  • fix: add main.py module and improve interrupt test reliability (#204)
  • fix: resolve linting and formatting issues (#203)
  • fix: return non-zero exit code when no files are scanned (#200)
  • fix: improve directory scanning with multiple enhancements (#194)
  • fix: add missing type annotations to scanner registry (#191)
  • fix: resolve CI timeout by running only explicitly marked slow/integration tests (#190)
  • fix: change false positive messages from INFO to DEBUG level (#189)

Security

  • fix: resolve PyTorch scanner pickle path context and version bump to 0.2.1 (#257)

0.2.0 - 2025-07-17

Added

  • feat: add scan command as default - improved UX with scan as the default command (#180)
  • feat: add TensorRT engine scanner - support for NVIDIA TensorRT optimized models (#174)
  • feat: add Core ML model scanner - support for Apple's Core ML .mlmodel format (#173)
  • feat: add PaddlePaddle model scanner - support for Baidu's PaddlePaddle framework models (#172)
  • feat: add ExecuTorch scanner - support for Meta's ExecuTorch mobile inference format (#171)
  • feat: add TensorFlow SavedModel weight analysis - deep analysis of TensorFlow model weights (#138)
  • ci: add GitHub Actions dependency caching - optimized CI pipeline performance (#183)

Fixed

  • fix: optimize CI test performance for large blob detection (#184)
  • fix: properly handle HuggingFace cache symlinks to avoid path traversal warnings (#178)

0.1.5 - 2025-06-20

Added

  • feat: add cloud storage support - Direct scanning from S3, GCS, and other cloud storage (#168)
  • feat: add JFrog Artifactory integration - Download and scan models from JFrog repositories (#167)
  • feat: add JAX/Flax model scanner - Enhanced support for JAX/Flax model formats (#166)
  • feat: add NumPy 2.x compatibility - Graceful fallback and compatibility layer (#163)
  • feat: add MLflow model integration - Native support for MLflow model registry scanning (#160)
  • feat: add DVC pointer support - Automatic resolution and scanning of DVC-tracked models (#159)
  • feat: add nested pickle payload detection - Advanced analysis for deeply embedded malicious code (#153)
  • feat: enhance SafeTensors scanner - Suspicious metadata and anomaly detection (#152)
  • feat: add HuggingFace Hub integration - Direct model scanning from HuggingFace Hub URLs (#144, #158)
  • feat: improve output formatting for better user experience (#143)
  • feat: add PythonOp detection in ONNX - Critical security check for custom Python operations (#140)
  • feat: add dangerous symlink detection - Identify malicious symbolic links in ZIP archives (#137)
  • feat: add TFLite model scanner - Support for TensorFlow Lite mobile models (#103)
  • feat: add asset inventory reporting - Comprehensive model asset discovery and cataloging (#102)
  • feat: add Flax msgpack scanner - Support for Flax models using MessagePack serialization (#99)
  • feat: add PMML model scanner - Support for Predictive Model Markup Language files (#98)
  • feat: add header-based format detection - Improved accuracy for model format identification (#72)
  • feat: add CycloneDX SBOM output - Generate Software Bill of Materials in standard format (#59)
  • feat: add OCI layer scanning - Security analysis of containerized model layers (#53)
  • test: add comprehensive test coverage for TFLite scanner (#165)
  • perf: achieve 2074x faster startup - Lazy loading optimization for scanner dependencies (#129)

Changed

  • perf: stop scanning when size limit reached for better performance (#139)

Fixed

  • fix: reduce HuggingFace model false positives (#164)
  • fix: reduce false positives for Windows executable detection in model files (#162)

0.1.4 - 2025-06-20

Added

  • feat: add binary pattern validation - Executable signature and pattern analysis (#134)
  • feat: refine import pattern detection - Enhanced detection of malicious imports (#133)
  • feat: centralize security patterns with validation system (#128)
  • feat: add unified scanner logging - Consistent logging across all scanner modules (#125)
  • feat: add magic byte-based file type validation - Improved format detection accuracy (#117)
  • feat: add centralized dangerous pattern definitions - Unified security rule management (#112)
  • feat: add scan configuration validation - Input validation and error handling (#107)
  • feat: add total size limit enforcement - Configurable scanning limits across all scanners (#106, #119)
  • feat: enhance dill and joblib serialization support - Advanced security scanning for scientific computing libraries (#55)
  • feat: add GGML format variants support for better compatibility (4c3d842)
  • test: organize comprehensive security test assets with CI optimization (#45)

0.1.3 - 2025-06-17

Added

  • feat: add security issue explanations - User-friendly 'why' explanations for detected threats (#92)
  • feat: add modern single-source version management - Streamlined release process (#91)
  • feat: add GGUF/GGML scanner - Support for llama.cpp and other quantized model formats (#66)
  • feat: add ONNX model scanner - Security analysis for Open Neural Network Exchange format (#62)
  • feat: add dill, joblib, and NumPy format support - Extended serialization format coverage (#60)
  • feat: add comprehensive GGUF/GGML security checks - Advanced threat detection for quantized models (#56)

Changed

  • chore: modernize pyproject configuration (#87)
  • chore: refine package build configuration (#82)

Fixed

  • fix: broaden ZIP signature detection (#95)
  • fix: synchronize version between pyproject.toml and __init__.py to 0.1.3 (#90)
  • fix: eliminate false positives in GPT-2 and HuggingFace models (#89)

0.1.2 - 2025-06-17

Added

  • feat: add Biome formatter integration - Code quality tooling for JSON and YAML files (#79)
  • feat: enable full scan for .bin files (#76)
  • feat: add zip-slip attack protection - Prevent directory traversal attacks in ZIP archives (#63)
  • feat: add SafeTensors scanner - Security analysis for Hugging Face's SafeTensors format (#61)
  • feat: add dill pickle support - Extended pickle format security scanning (#48)
  • feat: add CLI version command - Easy version identification for users (#44)
  • feat: add weight distribution anomaly detector - Advanced backdoor detection through statistical analysis (#32)
  • docs: optimize README and documentation for PyPI package distribution (#83)
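The zip-slip protection (#63) above and the dangerous symlink detection in ZIP archives (#137) in 0.1.5 are two sides of one archive check: an entry whose name, or whose symlink target, resolves outside the extraction root. The following is an added example of such a check, not the project's own ZIP scanner; it also applies the per-entry size and compression-ratio guards that the record size validation (#242) and total size limit (#106, #119) entries refer to. MAX_ENTRY_BYTES, MAX_RATIO, MAX_LINK_TARGET and the sample archive are constructed for illustration.

```python
"""Archive hygiene for ZIP-packaged models: zip-slip paths, symlink entries, size and ratio guards."""
import io
import posixpath
import stat
import zipfile

MAX_ENTRY_BYTES = 64 * 1024 * 1024   # assumption: illustrative per-entry cap
MAX_RATIO = 100.0                    # uncompressed:compressed ratio above which an entry looks like a bomb
MAX_LINK_TARGET = 4096               # a symlink target longer than this is not a path
_ORDER = {"INFO": 0, "WARNING": 1, "CRITICAL": 2}


def escapes_root(path: str) -> bool:
    """True when extracting `path` would land outside the extraction directory."""
    if path.startswith(("/", "\\")) or (len(path) > 1 and path[1] == ":"):
        return True                  # absolute POSIX/Windows path or drive letter
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)   # Unix mode bits live in the high 16 bits


def audit_zip(data: bytes) -> list:
    """Return (entry name, severity, message) triples. Only symlink targets are read; nothing is extracted."""
    issues = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                issues.append((name, "CRITICAL", "zip-slip: entry path escapes the extraction root"))
            if is_symlink(info):
                if info.file_size > MAX_LINK_TARGET:
                    issues.append((name, "CRITICAL", "symlink entry with an oversized target"))
                else:
                    target = zf.read(info).decode("utf-8", "replace")
                    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                    if escapes_root(target) or escapes_root(resolved):
                        issues.append((name, "CRITICAL", f"symlink points outside the archive: {target}"))
                    else:
                        issues.append((name, "INFO", f"symlink inside the archive: {target}"))
            if info.file_size > MAX_ENTRY_BYTES:
                issues.append((name, "WARNING", f"entry declares {info.file_size} bytes, above the cap"))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                ratio = info.file_size / info.compress_size
                issues.append((name, "WARNING", f"compression ratio {ratio:.0f}:1 looks like a decompression bomb"))
    return issues


def worst_severity(issues: list) -> str:
    return max((s for _, s, _ in issues), key=_ORDER.get, default="INFO")


def build_sample_zip() -> bytes:
    """Constructed archive: a normal weight file, an internal symlink, a zip-slip path,
    an absolute path, a symlink escaping the archive, and a zero-filled bomb-like entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.bin", b"\x01\x02\x03\x04")
        link = zipfile.ZipInfo("model/latest.bin")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "weights.bin")
        zf.writestr("../../.bashrc", b"# would be written outside the extraction dir\n")
        zf.writestr("/tmp/absolute.txt", b"x")
        evil = zipfile.ZipInfo("model/config.json")
        evil.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(evil, "../../../../etc/passwd")
        zf.writestr("model/zeros.bin", b"\x00" * (2 << 20), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_zip(build_sample_zip()):
        print(*entry, sep="  ")
```

Python's own zipfile.extractall writes a symlink entry's target text out as a regular file, so the symlink case only bites when the archive is later unpacked with unzip, 7z or a framework's custom extractor; a scanner cannot know which one the consumer will use, which is why the entry is flagged at scan time rather than left to extraction.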

Changed

  • chore: update biome configuration to v2.0.0 schema (#85)
  • chore: change errors → findings (#67)

Fixed

  • fix: reduce PyTorch pickle false positives (#78)
  • fix: log weight extraction failures (#75)
  • fix: log debug issues at debug level (#74)
  • fix: clarify missing data.pkl warning (#73)
  • fix: clarify missing dependency error messages (#71)
  • fix: change weight distribution warnings to info level (#69)
  • fix: correct duration calculation (#68)

0.1.1 - 2025-06-16

Added

  • feat: add multi-format .bin file support - Enhanced detection for various binary model formats (#57)
  • feat: add PR title validation - Development workflow improvements (#35)
  • feat: add manifest parser error handling - Better diagnostics for corrupted model metadata (#30)
  • feat: change output label of ERROR severity to CRITICAL (#25)

Changed

  • chore: replace Black, isort, flake8 with Ruff for faster linting and formatting (#24)

Fixed

  • fix: treat raw .pt files as unsupported (#40)
  • fix: avoid double counting bytes in zip scanner (#39)
  • fix: mark scan result unsuccessful on pickle open failure and test (#29)
  • fix: ignore debug issues in output status (#28)
  • fix: use supported color for debug output (#27)
  • fix: switch config keys to info and reduce false positives (#8)
  • fix: reduce false positives for ML model configurations (#3)

0.1.0 - 2025-03-08

Added

  • feat: add ZIP archive security analysis - Comprehensive scanning of compressed model packages (#15)
  • feat: add stack_global opcode detection - Critical security check for dangerous pickle operations (#7)
  • feat: add configurable exit codes - Standardized return codes for CI/CD integration (#6)
  • feat: add core pickle scanning engine - foundation for malicious code detection in Python pickles (f3b56a7)
  • docs: add AI development guidance - CLAUDE.md for AI-assisted development (#16)
  • ci: add GitHub Actions CI/CD - Automated testing and security validation (#4)
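The stack_global opcode detection (#7) and the core pickle scanning engine (f3b56a7) above name the technique the whole project rests on: walking the pickle opcode stream and resolving which module.name each GLOBAL or STACK_GLOBAL imports, without ever loading the file. The following is an added example of that technique, not the project's own scanner. DANGEROUS_GLOBALS is an illustrative deny-list (the runpy and importlib entries in 0.2.1, #245 and #246, show the kind of target it holds); the byte strings are constructed samples that are only disassembled, never unpickled.

```python
"""Static pickle opcode scan: resolve GLOBAL / STACK_GLOBAL import targets without unpickling."""
import pickle
import pickletools
from dataclasses import dataclass

# Illustrative deny-list of import targets that hand control to the payload.
# Assumption: the project's real ruleset is larger; this is an example list.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("posix", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("runpy", "run_path"), ("runpy", "run_module"), ("importlib", "import_module"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_MARK = object()   # stands in for the MARK opcode on the simulated stack


@dataclass(frozen=True)
class Finding:
    offset: int     # byte offset of the opcode in the stream
    opcode: str     # GLOBAL, INST or STACK_GLOBAL
    target: str     # "module.name", or "<unresolved>" when the operands were not literal strings
    severity: str   # CRITICAL or INFO


def _consume(op: pickletools.OpcodeInfo, stack: list) -> None:
    """Approximate the opcode's stack effect: pop what it consumes (down to the mark
    for MARK-delimited ops) and push opaque placeholders for what it produces."""
    before = op.stack_before
    if pickletools.stackslice in before:
        while stack and stack[-1] is not _MARK:
            stack.pop()
        if stack:
            stack.pop()                              # the mark itself
        extra = before.index(pickletools.markobject)  # operands that sit below the mark
    else:
        extra = len(before)
    for _ in range(extra):
        if stack:
            stack.pop()
    stack.extend([None] * len(op.stack_after))


def scan_pickle(data: bytes) -> list:
    """Walk the opcodes with pickletools.genops; the bytes are never loaded."""
    findings, stack, memo, memo_count = [], [], {}, 0

    def record(offset, opcode, module, name):
        if isinstance(module, str) and isinstance(name, str):
            sev = "CRITICAL" if (module, name) in DANGEROUS_GLOBALS else "INFO"
            findings.append(Finding(offset, opcode, f"{module}.{name}", sev))
        else:  # fail closed: a global that cannot be resolved statically is treated as dangerous
            findings.append(Finding(offset, opcode, "<unresolved>", "CRITICAL"))

    for op, arg, pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            stack.append(str(arg))                   # only literal strings are tracked precisely
        elif name == "MARK":
            stack.append(_MARK)
        elif name == "MEMOIZE":                       # memo index is the running count of MEMOIZEs
            memo[memo_count] = stack[-1] if stack else None
            memo_count += 1
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[int(arg)] = stack[-1] if stack else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(int(arg)))         # memoized strings survive a round trip
        elif name in ("GLOBAL", "INST"):              # arg is "module name"
            module, _, attr = str(arg).partition(" ")
            record(pos, name, module, attr)
            _consume(op, stack)
        elif name == "STACK_GLOBAL":                  # pops name then module
            attr = stack.pop() if stack else None
            module = stack.pop() if stack else None
            record(pos, name, module, attr)
            stack.append(None)
        else:
            _consume(op, stack)
    return findings


def dangerous_targets(data: bytes) -> set:
    return {f.target for f in scan_pickle(data) if f.severity == "CRITICAL"}


# Constructed samples (never loaded): a protocol-0 GLOBAL payload, a protocol-4 STACK_GLOBAL
# payload, the same payload with its operands memoized and fetched back via BINGET, and a harmless dict.
LEGACY = b"cos\nsystem\n(S'id'\ntR."
MALICIOUS = (pickle.PROTO + b"\x04"
             + pickle.SHORT_BINUNICODE + b"\x02os" + pickle.SHORT_BINUNICODE + b"\x06system"
             + pickle.STACK_GLOBAL + pickle.SHORT_BINUNICODE + b"\x02id"
             + pickle.TUPLE1 + pickle.REDUCE + pickle.STOP)
EVASIVE = (pickle.PROTO + b"\x04"
           + pickle.SHORT_BINUNICODE + b"\x02os" + pickle.MEMOIZE + pickle.POP
           + pickle.SHORT_BINUNICODE + b"\x06system" + pickle.MEMOIZE + pickle.POP
           + pickle.BINGET + b"\x00" + pickle.BINGET + b"\x01" + pickle.STACK_GLOBAL
           + pickle.SHORT_BINUNICODE + b"\x02id" + pickle.TUPLE1 + pickle.REDUCE + pickle.STOP)
BENIGN = pickle.dumps({"weights": [1.0, 2.0], "arch": "mlp"}, protocol=4)

if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY), ("malicious", MALICIOUS), ("evasive", EVASIVE), ("benign", BENIGN)):
        print(label, scan_pickle(blob))
```

The simulated stack is deliberately approximate (only literal strings are tracked, everything else is an opaque placeholder), which is why a STACK_GLOBAL whose operands cannot be resolved is reported as CRITICAL instead of skipped: an operand assembled at unpickle time is exactly the case a permissive scanner misses.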

Fixed

  • style: improve code formatting and documentation standards (#12, #23)
  • fix: improve core scanner functionality and comprehensive test coverage (#11)