Releases: devSealWare/LightIPAM
Release list
Light IPAM v1.2.1
Light IPAM v1.2.1 is a backward-compatible patch release focused on security
hardening, auditability, API consistency, and a simpler published-image install.
Highlights
- Adds
compose.release.yamland a complete installation/upgrade guide for the
published amd64 and arm64 app and scanner images. - Hardens CSV exports against spreadsheet-formula injection and adds conditional
HSTS plus stricter CSP directives. - Restricts API-token creation to administrators and aligns webhook URL SSRF
validation with scanner-agent endpoint validation. - Improves mutation audit metadata and returns the JSON error envelope for
unsupported methods on registered/api/v1routes. - Fixes the API fallback startup panic and the intermittent sealed-secret test.
- Reorganizes the README around audience, product value, quick evaluation, and
technical documentation.
Upgrade notes
- No database migration; the schema remains at migration 23.
- No breaking
/api/v1or scanner-protocol change; the scanner protocol remains
v1. - Webhook create/update now requires
https://. Move any plain-HTTP webhook
endpoint behind TLS before editing and saving it again. - App and scanner images should be upgraded together to
1.2.1.
See the full changelog.
Light IPAM v1.2.0
[1.2.0] - 2026-07-06
A backward-compatible release: no breaking /api/v1 or scanner-protocol changes, and
the two new database migrations (22, 23) are additive. The headline is device
correlation for multi-homed hardware — link-not-merge suggestions, now upgraded to a
gold-confidence signal from SNMP-derived chassis serials.
Added
- SNMP hardware identity + gold-confidence device links (ADR 0030, migration 23):
snmp_inventory(andcombined) scans now read the device's ENTITY-MIB chassis
serial number andsysObjectID, persist them through the discovery queue onto
the imported device, and show the serial on the device page. An exact serial
match across disjoint subnets is a gold-confidence "Serial match" link
suggestion (independent of hostname/OS agreement), and a new
Settings → Discovery toggle (default off) opts in to auto-linking those
matches at import/sync time, audited asdevice.link.auto. Placeholder vendor
serials ("N/A", "To be filled by O.E.M.", …) are filtered agent-side; the
scanner protocol gains only optional observation fields and staysv1. - Same-physical-device links (ADR 0029, migration 22): a reversible link layer that
groups the multiple device records a multi-homed device (e.g. a router with one
IP and MAC per subnet) imports as. The device page suggests high-confidence
matches (identical hostname + same OS family + disjoint subnets — never an exact
OS-string match) for the operator to confirm or dismiss; nothing links
automatically. Linked siblings show their IPs, subnets, MACs, OS, and services on
the device page, records are never merged, and manual link/unlink always works.
Link actions are audited (device.link.confirmed/.removed/.dismissed).
Fixed
- Guarded the operator-supplied scanner-agent
endpoint_urlagainst SSRF: the app's
mTLS dispatcher connects to that URL (TCP connect + TLS ClientHello) before the
pinned-CA cert check runs, and the only prior validation was anhttps://prefix
check, so an endpoint likehttps://169.254.169.254turned the app into an internal
port-scan / metadata oracle. A newValidateAgentEndpointrequires anhttpsURL
with a host and rejects literal loopback/link-local/unspecified IPs (private
RFC-1918 ranges, where real agents live, stay allowed); it runs at save time and
defensively in the dispatcher itself (CodeQLgo/request-forgery). - Bounded the argon2 parameters (memory/iterations/parallelism) decoded from a stored
password hash before their narrowing conversion touint32/uint32/uint8—
an out-of-range value in a malformed or hostile hash string wrapped silently instead
of failing closed (CodeQLgo/incorrect-integer-conversion). - Range-checked the
AGENT_SNMP_PORT/AGENT_NETBIOS_PORT/AGENT_MDNS_PORT
scanner-agent environment variables (1–65535) before their narrowing conversion to
uint16— an out-of-range value (e.g.65537) previously wrapped silently to1
instead of falling back to the documented default (CodeQL
go/incorrect-integer-conversion).
Light IPAM v1.1.0
[1.1.0] - 2026-06-29
A backward-compatible release: no breaking /api/v1 or scanner-protocol changes,
and the one new database migration (21) is additive. The headline is routing-aware
scanner egress, which fixes a macvlan agent silently finding zero hosts on routed
subnets.
Added
- Routing-aware scanner egress:
AGENT_SCAN_PIN_MODE(defaultauto) pins nmap
probes to the macvlan source address only for L2-adjacent targets and lets routed
targets follow the default route, so a single macvlan agent handles both adjacent
and routed subnets with no per-scan configuration (always= the old unconditional
pin,off= never pin) (ADR 0027). - Agent network diagnostics: a
GET /diagnosticsendpoint and an/agents/{id}
detail panel surface the agent's interfaces, scan source/route, pin mode, nmap
version, and capabilities — plus any pin/route mismatch — without adocker exec
(ADR 0027). - A
scanner-agent --healthchecksubcommand and a Compose healthcheck for the
scanner-agent service (ADR 0027). - Save-time scan-scope validation on the scan and schedule forms: an invalid IPv4
CIDR/target, or a schedule whose allowed CIDRs fall outside the chosen agent's
allowlist, is now rejected inline instead of failing silently on every scheduler
tick (ADR 0028). - A "Last run" column on the schedules page showing each schedule's most recent
outcome (succeeded / failed / rejected) and failure reason (migration 21,
ADR 0028). - A device service-count column on the Devices table and per-subnet utilization on
the dashboard. - Light IPAM brand assets: logo lockups, favicons, an Apple touch icon, and a web
app manifest.
Changed
- Zero-host and pin/route-mismatch scans now return self-explaining notices, and
app-to-agent dispatch failures are classified by layer (DNS/TCP/TLS/HTTP) — for
example, a missing agent container reports "container not running" instead of a
rawlookup scanner-agent … no such host(ADR 0027).
Fixed
- A macvlan scanner agent no longer silently returns zero hosts when scanning a
routed subnet (ADR 0027). - A scan schedule saved with a configuration the agent rejects at dispatch (e.g. a
mistyped CIDR) no longer fails silently on every tick; it is caught at save time
and its last-run outcome is surfaced on the schedules page (ADR 0028).
Light IPAM v1.0.0
1.0.0 - 2026-06-23
First stable release. Light IPAM is a lightweight IP address management system with
a clean web UI and optional, tightly-scoped active network discovery. The web app
runs unprivileged (zero Linux capabilities); all privileged scanning is isolated to a
separate, optional scanner agent.
Manual IPAM
- First-admin bootstrap, local login/logout, Argon2id password hashing, sessions, and
CSRF protection with strict security headers. - Subnet CRUD with global overlap/containment blocking and optional VLAN metadata.
- Sparse IPv4 address records (
/31and/32supported), device CRUD, and MAC
tracking with private/rotating-MAC detection and best-effort OUI vendor lookup. - Devices grouped by subnet, global search across subnets/addresses/devices/MACs, and
per-table selectable columns. - Tags and operator-defined custom fields (text) on subnets, addresses, and devices.
- Multi-select bulk edit (status/VLAN/tag/clear-device/delete) and CSV import/export
with a validated dry-run preview and all-or-nothing apply, plus a NetBox-compatible
CSV format. - Immutable, append-only audit log with UI filters.
Identity, access & operations
- Login throttling and account lockout, idle and absolute session timeouts, and a
per-session origin record with active-session review and "log out everywhere". - Admin and read-only roles with central authorization.
- TOTP multi-factor authentication with recovery codes.
- OIDC single sign-on (authorization code + PKCE).
- Encrypted secrets at rest (AES-256-GCM).
pg_dump-based backup and restore.- An app-managed certificate authority that issues and rotates short-lived agent mTLS
certificates, which the agent hot-reloads. - A tabbed Settings page (Security, Users & Roles, Authentication, Agent certificates,
Backup & Restore, Custom fields, Policy, Notifications) with policy editable at
runtime, plus a per-user account page.
Network discovery (optional scanner agent)
- Isolated scanner agent communicating with the app over mTLS, with an allowlist of
permitted scan scopes and an immutable scan audit trail. - nmap-backed host discovery and service/OS detection, run in staged passes with
dynamic per-type timeouts.NET_RAWis granted to the agent only. - Unprivileged SNMP discovery: ARP-table harvesting, device inventory with 802.1Q
VLAN and interface mapping, and LLDP/CDP neighbor harvesting. - Unprivileged NetBIOS/mDNS name resolution, DNS forward/reverse enrichment, and DHCP
lease-file ingestion. - A combined scan that runs every backend and enriches the hosts nmap discovers,
merging findings per host. - A discovery review queue with conflict-aware reconciliation, per-agent auto-import,
and a structured per-host scan-result detail view. - Subnet auto-create on import and an "Import all" action for the pending,
non-conflicting discovery queue. - Manual and scheduled scans, with optional time-of-day/weekday scan windows in the
schedule's own timezone.
Automation & integration
- Policy / health checks: a read-only view flagging overlapping subnets, stale managed
records, and unmanaged/conflicting discovered services. - Change webhooks: HMAC-signed JSON notifications fanned out from the audit log to
subscribed endpoints. - Token-authenticated JSON API under
/api/v1for subnets, addresses, and devices. lightipam-cli, a stdlib-only command-line client for the API.
Deployment
- Docker Compose deployment with separate
app,scanner-agent, anddbimages. /healthzliveness and/readyzreadiness probes; the build version is stamped
into the binaries and reported on/healthz, in the startup log, and via
--version.