Changelog Bomly CLIJune 26, 2026

v0.15.0

Add bomly mcp serve — MCP server for AI agent integration; [codex] Add native NuGet, Cargo, pub, and CocoaPods detectors; [codex] Add nat… — 172 changes.

First public release

This release marks the first public, supported release of Bomly CLI.

Earlier pre-public releases and tags were used while the CLI’s packaging, installation, and distribution paths were being finalized. Those releases have been retired so the project can begin its public version history from a clean, intentional baseline.

From this release forward, Bomly CLI will follow a stable public versioning history across GitHub Releases and supported package/distribution channels. Users should install this release as the first supported public version and track future releases from here.

What's Changed

feat: add bomly mcp serve — MCP server for AI agent integration by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/10
[codex] Add native NuGet, Cargo, pub, and CocoaPods detectors by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/11
[codex] Add native Mix, Conan, SwiftPM, and sbt detectors by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/12
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/13
Refactor CLI rendering and scan runtime packages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/14
refactor: consolidate config loading into internal/config and reduce boilerplate by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/20
build(deps): bump github.com/mark3labs/mcp-go from 0.50.0 to 0.51.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/15
build(deps): bump google.golang.org/grpc from 1.79.3 to 1.81.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/16
build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/17
build(deps): bump github.com/anchore/grype from 0.111.1 to 0.112.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/18
feat: replace ComponentType with DetectorOrigin + DetectorTechnique by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/21
refactor: CLI command context and resolution by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/22
refactor: pipeline orchestration into engine packages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/23
Remove unused pipeline process stage by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/26
cleaning up selector package by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/27
Shorten GitHub Actions artifact retention by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/28
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/29
Make auto version workflow manual by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/31
Upgrade Go and reduce CI validation minutes by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/33
[codex] Upgrade Go and golangci-lint by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/34
Add dependency graph QA workflow by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/36
build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in the go_modules group across 1 directory by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/37
Improve native detector QA baselines by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/43
build(deps): bump astral-sh/setup-uv from 5 to 7 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/38
build(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/39
build(deps): bump github.com/mark3labs/mcp-go from 0.51.0 to 0.52.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/40
build(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/41
Update smoke tests by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/44
build(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/42
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/45
Denormalize smoke tests outputs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/46
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/47
Improve dependency graph resolution by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/48
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/49
Add user-facing component docs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/57
Improve detector progress and debug logging by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/58
feat(sdk): add PackageLocation.Position + wire gomod and pip detectors by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/56
feat(output): emit PackageLocation.Position in SARIF physicalLocation.region by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/60
Expand interactive scan UI by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/59
feat: reachability — confirm vulnerable code is actually reachable from app source by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/62
Refine interactive filters and target labels by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/63
Improve dependency ID resolution for hoisted packages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/64
Refactor workflows for improved artifact handling and permissions by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/65
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/66
feat: enhance help command with examples and exit codes section by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/67
Enhance vulnerability enrichment handling in scan and explain commands by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/68
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/69
fix(diff): match manifests on path even when kind drifts by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/70
redesign diff output and auditing by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/72
docs: rewrite Bomly CLI docs and add Veracode-style per-detector pages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/71
docs: split installation into its own page by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/73
build(deps): bump github.com/github/go-spdx/v2 from 2.4.0 to 2.7.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/78
build(deps): bump astral-sh/setup-uv from 5 to 7 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/74
build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.10.0 to 0.11.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/75
build(deps): bump github.com/mark3labs/mcp-go from 0.52.0 to 0.54.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/76
build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/77
feat(diff): redesign interactive TUI with shared skeleton and richer tabs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/82
feat: per-step progress lines with bubbles bars and accurate phases by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/80
Add markdown outputs and unified output flag by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/81
build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 in the go_modules group across 1 directory by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/79
[codex] Dogfood Bomly review action by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/83
[codex] Enrich diff markdown and SARIF outputs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/84
Fix bundled Grype matcher readiness by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/86
Focus diff Markdown policy findings by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/87
feat(plugin): add test and doctor health commands by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/88
Scope diff audits to changed dependencies by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/90
Enrich grype vulnerability details by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/91
fix(auditors): skip typosquat check for version-bumped packages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/92
build(deps): bump github.com/containerd/containerd/v2 from 2.2.2 to 2.2.4 in the go_modules group across 1 directory by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/89
Expose reachability in report outputs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/93
Fix plugin list smoke assertion by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/94
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/95
feat(matchers): add OpenSSF Scorecard matcher by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/97
feat(tui): tab 7 keybind, Enter-to-focus details, group Posture by check by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/98
[codex] Add shared HTTP proxy and plugin config support by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/100
Add json output shortcut by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/99
Redact proxy and plugin config secrets by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/102
Polish json shortcut docs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/101
Fix empty SARIF rules array by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/103
Add nested YAML configuration schema by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/104
Add hidden local dependency benchmark command by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/105
feat: reinforce plugin security model with runtime warnings and docs overhaul by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/106
Add conditional interactive reachability filter by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/107
fix(logging): improve console logger configuration and enhance stderr handling in benchmark report by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/111
Add hierarchy-aware Tier-3 reachability by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/110
build(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/112
build(deps): bump github.com/mark3labs/mcp-go from 0.54.0 to 0.54.1 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/113
build(deps): bump github.com/anchore/syft from 1.44.0 to 1.45.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/114
Model standardization: detection/matching/audit separation + OSV by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/108
Implement model standardization follow-ups by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/116
refactor: remove TargetModeFullGraph references from various components by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/117
refactor: simplify pointer assignments in various components by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/118
Move scope filtering into detection by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/119
test: update smoke golden files by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/120
test: parallelize smoke leaf cases by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/121
Add parity between format and output flags by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/124
Improve TUI tree expansion defaults by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/125
Refresh managed plugin documentation by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/126
Externalize ClearlyDefined matcher and add private plugin examples by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/128
private plugin examples by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/130
fix(plugin): store entrypoint checksum instead of archive checksum by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/131
build(deps): bump github.com/anchore/syft from 1.45.0 to 1.45.1 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/132
build(deps): bump github.com/anchore/grype from 0.112.0 to 0.114.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/134
feat(output): align machine-readable formats with three-collection model by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/135
build(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/133
Language and Code Quality Fixes by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/136
fix(docs): correct ecosystem doc link depth to repo-root pages by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/138
fix(smoke): update embedded plugin fixture to current SDK by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/137
fix(smoke): expect 0.0.0-dev version for --dev plugin install by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/139
fix(smoke): update verify assertion and regenerate stale plugin goldens by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/141
test: update smoke golden files by @github-actions[bot] in https://github.com/bomly-dev/bomly-cli/pull/142
Add open-source readiness infrastructure and documentation by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/143
Update SVG and Add macOS system files to .gitignore by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/146
chore: rebrand the PR review action to Bomly Guard by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/145
Make SARIF output compatible with GitHub Code Scanning by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/144
docs: add dedicated Bomly Guard action page by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/147
Fix interactive pane bar clipping by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/148
Fix progress streamer stage updates by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/149
Fix TUI badge contrast and posture notes by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/151
Shorten unknown license finding ID by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/150
Fix TUI branding and unknown license IDs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/154
Restore progress child reports after stage completion by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/152
Publish docs manifest + landing-page sync triggers by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/153
Fix independent progress stage redraws by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/155
Use N/A severity for policy findings by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/156
Polish progress output formatting by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/157
Type finite SDK fields by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/158
feat: compact, colorful text output for scan, explain, diff, and mcp serve by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/159
Refresh README for usability by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/160
Inherit org community defaults by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/166
Annotate SARIF diff output and GitHub Actions locations by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/168
Fix Bomly Guard SARIF annotations by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/169
build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/161
build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/162
build(deps): bump actions/dependency-review-action from 4 to 5 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/163
test: update smoke golden files by @github-actions[bot] in https://github.com/bomly-dev/bomly-cli/pull/167
build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/164
build(deps): bump github.com/evanw/esbuild from 0.28.0 to 0.28.1 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/165
ci: notify landing page on release published, not draft creation by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/170
Expand release automation and distribution options by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/171
Keep release notes outside release checkout by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/172
Clean up GoReleaser release publishing config by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/174
Publish releases automatically with native notes by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/175
test(smoke): normalize volatile EPSS fields in golden comparison by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/176
Revise the release lifecycle yanking workflow by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/178
Add support section to README by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/179
fix(python): deterministic pip/poetry scans + move smoke fixtures to bomly-dev by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/177
test(detectors): fixture-based graph tests for gomod, gradle, maven, syft by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/181
test: update smoke golden files by @github-actions[bot] in https://github.com/bomly-dev/bomly-cli/pull/180
Skip unsupported deps.dev package systems by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/183
docs(guard): clarify that Bomly Guard installs CLI only, not package managers by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/182
Fix dogfood detector edge cases by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/184
docs: separate maintainer docs from public docs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/189
build(deps): bump actions/checkout from 5 to 7 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/185
build(deps): bump golang.org/x/vuln from 1.3.0 to 1.4.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/186
build(deps): bump github.com/mark3labs/mcp-go from 0.54.1 to 0.55.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/187
build(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2 in the go_modules group across 1 directory by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/188
test: update smoke golden files by @github-actions[bot] in https://github.com/bomly-dev/bomly-cli/pull/190
ci(release): publish release with app token so the docs-sync dispatch fires by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/191
docs(release): lead with What's Changed, demote artifacts to a footnote by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/192
Improve architecture documentation diagrams by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/193
feat(sdk): GitHub-aligned severities for non-CVSS findings + compact license IDs by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/195
feat(sarif): emit security-severity, map GitHub levels, format descriptions by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/196
fix(maven): raise TGF scanner buffer to handle large dependency trees by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/194
fix(diff): classify carried-over findings as persisted, not introduced+resolved by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/197
feat(diff): polish the markdown summary for PR reviews by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/198
fix(diff/sarif): restore fail-on gating for persisted findings, fix severity badges, decouple icons from severity by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/199
feat(cli/diff): emphasize invalid licenses + exit 5 when no targets resolve by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/200
Preserve diff line locations in SARIF output by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/201
Prefer Maven property version locations by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/202
Locate Maven managed dependency properties by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/203
Document command and SDK package surfaces by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/204

New Contributors

@dependabot[bot] made their first contribution in https://github.com/bomly-dev/bomly-cli/pull/15
@github-actions[bot] made their first contribution in https://github.com/bomly-dev/bomly-cli/pull/142

Full Changelog: https://github.com/bomly-dev/bomly-cli/commits/v0.15.0

Release artifacts

Full builtin bomly archives for Linux, macOS, and Windows.
Alternate bomly-lite archives for users who prefer external Syft and Grype binaries.
Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
SHA256SUMS for release artifact verification.

Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. GitHub-native artifact attestations are planned for a future release.

Back to all posts