What's Changed

• skip persisting with version check when running in ci by @SUSTAPLE117 in #439

Full Changelog: v1.1.5...v1.1.6

What's Changed

• Fix Default Branch Detection For Analysis by @SUSTAPLE117 in #437
• add version check call to poutine by @SUSTAPLE117 in #438

Full Changelog: v1.1.4...v1.1.5

What's Changed

• Reworked Refs Resolution by @SUSTAPLE117 in #423
• feat(config): discover .github/poutine.yml as a config path by @graelo in #424

New Contributors

• @graelo made their first contribution in #424

Full Changelog: v1.1.3...v1.1.4

Changelog for poutine v1.1.3 🎉

This release focuses on core engine improvements, stability fixes, and modernization of the toolchain. The biggest shift is the move away from exec-based Git operations toward a fully in-memory model using go-git, along with improved resiliency and observability during analysis.

Major Improvements 🌟🌟

• ⚡ In-Memory Git with go-git v6: Replaced exec-based Git operations with go-git using in-memory storage. This significantly improves performance, portability, and reduces reliance on system binaries, by @SUSTAPLE117.
  (#400)

• 🛡️ Resilient Repository Batch Fetching: Improved robustness of repository batch fetching, reducing failures during large-scale analysis operations, by @SUSTAPLE117.
  (#399)

• 📊 Analysis Progress Monitoring Improvements: Enhanced visibility into analysis progress, making long-running operations easier to track and debug, by @SUSTAPLE117.
  (#419)

Improvements 🔧

• 🧪 Snapshot Testing Added: Introduced snapshot testing to improve regression detection and testing confidence, by @SUSTAPLE117.
  (#401)

• ⚙️ Go 1.26 Upgrade + Dependency Refresh: Upgraded to Go 1.26 and refreshed dependencies for improved performance and compatibility, by @SUSTAPLE117.
  (#412)

• 🔐 Improved Rule Handling for GitHub Actions: Configured skip actions to be ignored for the github_action_from_unverified_creator_used rule, improving rule accuracy, by @mbarbero.
  (#398)

• 📦 Goreleaser Configuration Updates: Updated release configuration and tooling for improved build and distribution workflows, by @SUSTAPLE117.
  (#417), (#418)

Bug Fixes 🐛

• 🐳 Docker Image Parsing Fixes: Fixed issues with Docker image parsing and purl generation, by @SUSTAPLE117.
  (#413)

• 📄 YAML Parsing Fixes: Resolved YAML parsing errors affecting analysis reliability, by @SUSTAPLE117.
  (#414)

• 🔑 GitHub Fine-Grained PAT Compatibility: Fixed organization repository listing failures when using fine-grained tokens without Issues:Read, by @fproulx-boostsecurity.
  (#415)

• 🧾 SARIF Taxonomy GUID Fix: Corrected SARIF taxonomy GUID issues to ensure proper report compatibility, by @SUSTAPLE117.
  (#416)

Dependency Updates ⬆️

GitHub Actions

• Updated github/codeql-action from 3.30.5 to 4.31.2. (#370)
• Updated ossf/scorecard-action from 2.4.2 to 2.4.3. (#371)
• Updated step-security/harden-runner from 2.13.0 to 2.13.1. (#375)
• Updated actions/upload-artifact from 4.6.2 to 5.0.0. (#376)
• Updated actions/setup-go from 5.5.0 to 6.4.0. (#403)
• Updated goreleaser/goreleaser-action from 6.4.0 to 7.0.0. (#411)
• Updated actions/deploy-pages from 4.0.5 to 5.0.0. (#410)
• Updated actions/checkout from 5.0.0 to 6.0.2. (#408)
• Updated sigstore/cosign-installer across versions 3.9.2 → 4.0.0 → 4.1.1. (#377), (#405)

Go Modules

• Updated gitlab.com/gitlab-org/api/client-go from 0.151.0 to 0.157.1. (#369)
• Updated github.com/open-policy-agent/opa from 1.9.0 to 1.10.0. (#372)
• Updated github.com/mark3labs/mcp-go from 0.41.1 to 0.42.0. (#373)
• Updated golang.org/x/oauth2 from 0.31.0 to 0.32.0. (#374)
• Updated golang.org/x/crypto from 0.42.0 to 0.45.0. (#380)

Full Changelog 📜

For a detailed view of all changes, see the full changelog.

What's Changed

• build(deps): bump gitlab.com/gitlab-org/api/client-go from 0.151.0 to 0.157.1 by @dependabot[bot] in #369
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #370
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #371
• build(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.0 by @dependabot[bot] in #372
• build(deps): bump github.com/mark3labs/mcp-go from 0.41.1 to 0.42.0 by @dependabot[bot] in #373
• build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #375
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #376
• build(deps): bump sigstore/cosign-installer from 3.9.2 to 4.0.0 by @dependabot[bot] in #377
• build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #374
• build(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 in the go_modules group across 1 directory by @dependabot[bot] in #380
• Add Resiliency to Repo Batch Fetch by @SUSTAPLE117 in #399
• Configured 'skip' actions for rule 'github_action_from_unverified_creator_used' are ignored by @mbarbero in #398
• Add Snapshot Testing by @SUSTAPLE117 in #401
• build(deps): bump actions/setup-go from 5.5.0 to 6.4.0 by @dependabot[bot] in #403
• build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 by @dependabot[bot] in #405
• build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by @dependabot[bot] in #411
• build(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 by @dependabot[bot] in #410
• feat: replace exec-based git with go-git v6 in-memory storage by @SUSTAPLE117 in #400
• Go 1.26 + Deps Upgrade by @SUSTAPLE117 in #412
• fix docker image parsing and purls by @SUSTAPLE117 in #413
• Fix Yaml Parse Errors by @SUSTAPLE117 in #414
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @dependabot[bot] in #408
• fix(github): org repo listing fails with fine-grained PATs lacking Issues:Read by @fproulx-boostsecurity in #415
• Fix SARIF Taxonomy GUID by @SUSTAPLE117 in #416
• Updated Goreleaser Config by @SUSTAPLE117 in #417
• updated goreleaser version by @SUSTAPLE117 in #418

Full Changelog: v1.0.8...v1.1.2

What's Changed

• Use case-insensitive matching for Git error "Not a valid object name" by @mdferdousalam in #389
• Add --fail-on-violation flag to exit non-zero when violations are detected by @mbarbero in #392
• Fix SARIF formatter silently dropping findings from build dependencies by @mbarbero in #393

New Contributors

• @mdferdousalam made their first contribution in #389
• @mbarbero made their first contribution in #392

Full Changelog: v1.0.7...v1.0.8

What's Changed

• Add more structured metadata fields for programmatic access of LOTP targets by @fproulx-boostsecurity in #386

Full Changelog: v1.0.6...v1.0.7

What's Changed

• Add structured metadata fields to findings for programmatic access by @fproulx-boostsecurity in #385

Full Changelog: v1.0.5...v1.0.6

What's Changed

• Add GHSA-pwf7-47c3-mfhx to OSV advisories database by @kawsarahmedbhuiyan in #381
• Add ubuntu-slim as built-in GitHub Actions runner by @Copilot in #383
• Fix SARIF validation errors for GitHub CodeQL upload by @Copilot in #384

New Contributors

• @kawsarahmedbhuiyan made their first contribution in #381

Full Changelog: v1.0.4...v1.0.5

What's Changed

• Add Boost Sarif Metadata by @SUSTAPLE117 in #367

Full Changelog: v1.0.3...v1.0.4