Skip to content

v0.19.1

Latest

Choose a tag to compare

@github-actions github-actions released this 13 Jul 20:16
8782c8b

Docker images

Pull the matching ghcr.io tag:

docker pull ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1
docker pull ghcr.io/cloudfieldcz/scanner-bridge:0.19.1

Image pages:

shdg CLI

Push-from-CI client. Pre-built for Linux, macOS, and Windows:

OS Arch Archive
Linux x86_64 shdg-0.19.1-linux-amd64.tar.gz
Linux aarch64 shdg-0.19.1-linux-arm64.tar.gz
macOS Intel shdg-0.19.1-darwin-amd64.tar.gz
macOS Apple Silicon shdg-0.19.1-darwin-arm64.tar.gz
Windows x86_64 shdg-0.19.1-windows-amd64.zip

shdg version reports 0.19.1 to match the Docker tag.
Verify archive integrity with SHA256SUMS (also attached).

Supply-chain security

All artifacts are signed and carry SLSA build provenance (keyless, via GitHub OIDC + Sigstore).

  • Images — cosign signature + SLSA provenance + CycloneDX SBOM attached as OCI referrers:
    cosign verify ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1 \
      --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com
    gh attestation verify oci://ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1 --repo cloudfieldcz/shieldoo-gate
  • shdg binaries — SLSA provenance: gh attestation verify shdg-0.19.1-linux-amd64.tar.gz --repo cloudfieldcz/shieldoo-gate
  • Detached signatures — each archive and SHA256SUMS also ships a keyless *.sig + *.pem cert (recognised by OpenSSF Scorecard):
    cosign verify-blob \
      --signature shdg-0.19.1-linux-amd64.tar.gz.sig \
      --certificate shdg-0.19.1-linux-amd64.tar.gz.pem \
      --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com shdg-0.19.1-linux-amd64.tar.gz
    The same provenance is also attached as shdg-0.19.1.intoto.jsonl.
  • SBOMs — the CycloneDX SBOMs dogfooded through the gate are attached (*.cdx.json) with a detached cosign bundle (*.cdx.json.cosign.bundle):
    cosign verify-blob --bundle sbom-gate.cdx.json.cosign.bundle \
      --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com sbom-gate.cdx.json

Changes (v0.19.0…v0.19.1)

  • chore(deps): bump the gomod-minor-patch group across 1 directory with 5 updates (#122) (8782c8b)
  • build(ci): bump github/codeql-action init/autobuild/analyze to v4.37.0 (#121) (76ff00c)
  • chore(deps): bump scanner-bridge deps (guarddog 3.1.0, grpcio 1.82.1, openai 2.45.0) (#120) (9d2c814)
  • chore(docker): bump python:3.13.14-slim digest to 2026-06-28 rebuild (#119) (459f4fe)
  • chore(deps): bump the gomod-minor-patch group with 12 updates (#118) (0604332)
  • chore(deps): bump the npm-minor-patch group across 1 directory with 9 updates (#112) (49bd414)
  • build(ci): bump github/codeql-action/upload-sarif from 4.36.2 to 4.37.0 (#109) (80c7cc7)
  • chore(deps): bump trivy to 0.72.0 (image + shdg bundled binary) (#116) (b280a69)
  • build(ci): bump docker/setup-buildx-action from 4.1.0 to 4.2.0 (#101) (6b501ce)
  • build(ci): bump docker/metadata-action from 6.1.0 to 6.2.0 (#99) (4348955)
  • build(ci): bump docker/build-push-action from 7.2.0 to 7.3.0 (#97) (7d75230)
  • build(ci): bump docker/login-action from 4.2.0 to 4.4.0 (#96) (d4a59ed)
  • build: bump Go to 1.26.5 and govulncheck to v1.6.0 (#115) (9c074e0)