Bomly CLI v0.15.3
Bomly CLI v0.15.3 release notes: Bump github.com/anchore/syft from 1.45.1 to 1.46.0; Bump golang.org/x/vuln from 1.4.0 to 1.5.0; Bump github.com/mark3labs/mcp-go from 0.5… — 12 changes.
What's Changed
- build(deps): bump github.com/anchore/syft from 1.45.1 to 1.46.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/210
- build(deps): bump golang.org/x/vuln from 1.4.0 to 1.5.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/211
- build(deps): bump github.com/mark3labs/mcp-go from 0.55.0 to 0.55.1 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/214
- build(deps): bump github.com/anchore/grype from 0.114.0 to 0.115.0 by @dependabot[bot] in https://github.com/bomly-dev/bomly-cli/pull/213
- docs: add GitHub release downloads badge to README by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/215
- ci: harden workflows for OpenSSF Scorecard by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/217
- Harden plugin path handling by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/216
- test: update smoke golden files by @github-actions[bot] in https://github.com/bomly-dev/bomly-cli/pull/218
- Ignore testdata in broad scanner walks by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/219
- ci: pin pip installs by hash to clear Scorecard Pinned-Dependencies by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/220
- Export-ignore testdata for Scorecard archives by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/221
- ci: sign releases with cosign and generate SLSA provenance by @bomly-guy in https://github.com/bomly-dev/bomly-cli/pull/222
Full Changelog: https://github.com/bomly-dev/bomly-cli/compare/v0.15.2...v0.15.3
Release artifacts
- Full builtin bomly archives for Linux, macOS, and Windows.
- Alternate bomly-lite archives for users who prefer external Syft and Grype binaries.
- Linux packages for Debian, RPM, Alpine, and Arch-compatible package managers.
- Homebrew, Scoop, and WinGet package-manager manifests or publishing pull requests.
- SHA256SUMS for release artifact verification, signed keylessly with cosign (SHA256SUMS.sigstore.json).
- SLSA Build Level 3 provenance (multiple.intoto.jsonl) generated by slsa-github-generator.
Each archive includes LICENSE, NOTICE, and a licenses/ directory with third-party license texts. See Verify release checksums for signature and provenance verification commands.