What we shipped, what we ship next
Honest snapshot of where the product stands. Done is in production. In progress is being built right now. Coming up is planned but not started — dates indicative.
Done — shipped
- ✓100 % standards coverage : 697/697 builtin rules mapped to CWE or WCAG (665 + 32)
- ✓DSL extended : multi-CWE per rule, CVE field, WCAG field — all propagated to JSON / SARIF / HTML
- ✓SARIF rule.properties.tags + JSON finding.compliance object — compatible GitHub code-scanning, DefectDojo, ASOC platforms
- ✓Out-of-band rule packs loader (rules-updates/) with SHA-256 verification and manifest.json spec frozen
- ✓D.2 Performance : rule cache + incremental analysis (3× faster on warm runs)
- ✓Taint engine : Python AST + JS/Java/C#/PHP lexical, multi-flow detection, kind compatibility check
In progress — being built
- ⚙CVE intelligence pipeline : daily ingestion of NVD / OSV / GitHub Advisory feeds, filtering by SCA-supported languages
- ⚙Operator authoring console : write a .sca rule, validate against fixtures in sandbox, stage for release
- ⚙Customer portal : authenticated download of rule packs (per subscription tier)
- ⚙Email notifications : alert active subscribers when a new pack is published
Coming — planned
- ◎DSL v2 : Ed25519 signature verification at load time (public key embedded in binary at build)
- ◎D.2.3 finalize : true parallelization (refactor executors for thread-safety)
- ◎Additional languages : Go, Ruby, Kotlin, Swift — based on customer demand
- ◎Taint engine : sanitizers cross-line / scope-level (currently RHS-only)
- ◎IDE plugins : VS Code + JetBrains (read-only finding viewer, runs against last audit JSON)
No commitments on dates. We ship when ready. Customer-driven priorities — tell us what matters most for you.
Version history
v1.4.0
New
May 2026
Dataflow taint engine Phase 7/8 (F1 = 1.000 on Python AND multilang JS/Java/C#/PHP) plus 3 supply-chain rules inspired by the TanStack/Mistral npm attack (May 2026, 170 packages compromised). Legacy taint engine removed (-3 519 LOC net). Total: 700+ rules across 8 categories.
Dataflow taint engine (Phase 7/8)
- ✓Clean-room implementation — CFG, IR 3-address, lattice and worklist with hybrid dotted + regex matching (~6 200 LOC code, 3 800 LOC tests)
- ✓F1 = 1.000 on the internal SCA fixture corpus — zero false negatives, zero false positives, on Python AND multilang (JS/Java/C#/PHP)
- ✓Profile loader (Flask, Django, Express, Spring, Laravel, .NET) auto-injected into taint rules by category — same precision as Snyk Code, without cloud or external dependency
Supply-chain coverage (TanStack/Mistral May 2026)
- ✓npm_git_dependency rule — detects dependencies pinned to a Git commit on GitHub/GitLab/Bitbucket, which bypass npm registry advisories
- ✓ide_config_exfil rules (JS + Python) — detect silent writes to .claude/settings.json, .vscode/tasks.json, .cursor/, .aider/, .codeium/ used as persistence vectors
- →Native preventive coverage — no telemetry, no cloud sandbox, every detection runs offline on the developer's machine
v1.3.0
New
May 2026
D.2 Performance — rule cache and incremental analysis make warm-cache runs up to 3× faster, ideal for CI/CD pipelines and pre-commit hooks.
Performance
- ✓Rule cache: parsed DSL rules cached across runs (no re-parsing)
- ✓Incremental analysis: only files changed since the last scan are re-analyzed (content hash)
- →Up to 3× faster on warm runs (subsequent scans of unchanged code)
v1.2.0
Improved
April 2026
+53 detection rules for non-security categories: Architecture, Maintenance, Accessibility/UX, Interface/UI. Based on axe-core (WCAG 2.2), Ruff, Pylint, PMD, PHPMD, SonarJS, eslint-plugin-jsx-a11y, HTMLHint, and SonarQube Cloud API.
New Rules — 8 Waves
- ✓+16 UX/accessibility rules (HTML + JSX): axe-core WCAG 2.0/2.1/2.2, aria-hidden, viewport zoom, video captions, jsx-a11y
- ✓+6 UI rules (HTML): deprecated tags, inline styles, missing viewport, button type, target blank, image dimensions
- ✓+24 Maintenance rules: Python (Ruff/Pylint), Java (PMD), PHP (PHPMD), JavaScript (SonarJS), C# (SonarQube)
- ✓+7 Architecture rules: Java, PHP, JavaScript, C# — coupling, utility classes, public fields
- →698 total detection rules (up from 645)
v1.1.0
Engine
2026 — Current
Detection & Coverage
- ✓698 detection rules across 7 categories
- ✓8 programming languages: Python, JavaScript/TypeScript, HTML, Java, C#, PHP, YAML
- ✓changelog.v2.detection.custom
--create-rule) with DSL and taint propagation - ✓changelog.v2.detection.fixtures
- ✓changelog.v2.detection.selftest
--self-test) validates all fixtures on demand
Security
- ✓changelog.v2.security.owasp
- ✓changelog.v2.security.iso27001
- ✓changelog.v2.security.asvs
- ✓changelog.v2.security.cicd
- ✓changelog.v2.security.suppress
# sca-ignore), config, or global disable
Exports & Integration
- ✓SARIF 2.1.0 export for GitHub Code Scanning and GitLab SAST
--sarif) — compatible with GitHub Code Scanning and GitLab SAST - ✓SBOM generation in CycloneDX 1.5 format
--sbom) — Software Bill of Materials - ✓changelog.v2.exports.gitblame
--git-blame) — committer per finding - ✓changelog.v2.exports.hook
--install-hook) — automatic audit before every commit - ✓changelog.v2.exports.failon
--fail-on-high) — exit code 1 on HIGH findings
Reports & Branding
- ✓4-language reports: English, French, Spanish, German
- ✓changelog.v2.reports.charts
- ✓changelog.v2.reports.health
- ✓changelog.v2.reports.glossary
- ✓White-label branding: custom tool name, company, logo, file prefix
- ✓Report retention with count, days, or combined modes
--retention-dry-run) - ✓changelog.v2.reports.keyboard
- ✓changelog.v2.reports.print
v1.0.0
Initial
2025 — Initial Release
Core
- ✓51 detection rules across 7 categories
- ✓4 languages: Python, JavaScript/TypeScript, HTML
- ✓changelog.v1.core.reports
- ✓Baseline comparison across audit snapshots
- ✓changelog.v1.core.zero
- ✓changelog.v1.core.offline
- ✓changelog.v1.core.uuid
--init)
Optional Categories
- ✓Dependencies audit via pip-audit and npm audit (CVE scanning)
- ✓changelog.v1.optional.db