v0.54.0

Changelog

Engine and CLI

• ac455cf: feat(github): scan all commits across all refs via clone-based history mode (#203) (@HikaruEgashira)

Bug fixes

• 56d57b4: fix(detectors/github): show 4 token chars after prefix in redacted output (#202) (@HikaruEgashira)
• 07e6dd0: fix(git): add author/email/date/message attribution to git-mode findings (#199) (@HikaruEgashira)
• 68cb65b: fix(privatekey): extend PrivateKeyPEM to match PGP armor headers (#198) (@HikaruEgashira)
• 6437d9d: fix: PII language hint, Asana PAT format, Azure Storage key detector (#200) (@HikaruEgashira)

Other

• 4b5aa62: Add verified Slack webhook detector (#191) (@Photon101)
• 76d2922: Backfill changelog entries for v0.47.0-v0.52.0 (#192) (@Photon101)
• bdd6e95: chore: remove external Actions (anti-slop, contributor-report), now in metsuke (#197) (@HikaruEgashira)
• 8f4970b: ci: add anti-slop + contributor-report quality layers, vouch Photon101 (#195) (@HikaruEgashira)
• c6af93f: ci: add vouch trust gate for external contributors (#194) (@HikaruEgashira)
• a6d5f11: ci: remove external anti-slop and contributor-report Actions (#196) (@HikaruEgashira)
• 4918dda: docs(comparison): add real-world evaluation, pin numbers to released v0.53.0 (#174) (@HikaruEgashira)
• 305a750: docs: remove stale content, slim down detector-key-formats table (#193) (@HikaruEgashira)
• 05cb129: refactor(github): remove legacy tree scan mode, full-history only (#204) (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.53.0

Changelog

Engine and CLI

• 87870b6: feat(website): visual-first redesign using brand banner (#170) (@HikaruEgashira)
• 80e3ecd: feat: add project website deployed via GitHub Pages (#169) (@HikaruEgashira)

Bug fixes

• 1caa5ed: fix(pii): repair anonymize engine bootstrap; docs: add measured comparison vs trufflehog/gitleaks (#172) (@HikaruEgashira)
• 00c339b: fix(website): align demo output with real CLI format, untangle chips taxonomy (#171) (@HikaruEgashira)

Other

• 1b6b41b: add pii detection docs (#168) (@HikaruEgashira)
• 4a38050: chore: roll changelog for v0.53.0 (#173) (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.52.0

Changelog

Engine and CLI

• 1da8e5e: feat: support github app auth (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.51.0

Changelog

Engine and CLI

• 74339cf: feat: scan changed source objects incrementally (#166) (@HikaruEgashira)
• e4e7bce: feat: verify by default (#165) (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.50.0

Changelog

Engine and CLI

• c896b85: feat: scan changed s3 objects incrementally (@HikaruEgashira)

Other

• 27768c2: Merge pull request #164 from plenoai/codex/s3-object-incremental (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.49.0

Changelog

Engine and CLI

• a8cf5a2: feat: scan changed github resources incrementally (@HikaruEgashira)

Other

• 09f0b1e: Merge pull request #163 from plenoai/codex/github-granular-incremental (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.48.0

Changelog

Bug fixes

• 9f242ea: fix: emit github links in json output (@HikaruEgashira)

Other

• 151eeae: Merge pull request #162 from plenoai/codex/github-json-link (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.47.0

Changelog

New detectors

• 92615d5: feat(detectors): add context-extraction Verify to 10 Shai-Hulud-targeted detectors (#155) (@HikaruEgashira)

Engine and CLI

• 456189b: feat(connectors): add SIEM category — Datadog, Splunk, BigQuery, Redash (#157) (@HikaruEgashira)
• 44ad9d1: feat(piidb): add cross-finding PIIDB candidate detection and severity escalation (#156) (@HikaruEgashira)
• 0e5cc3a: feat: add S3 source connector (#158) (@HikaruEgashira)
• 8a01902: feat: add sqldump source connector for database dump scanning (#159) (@HikaruEgashira)
• cdbd51f: feat: add verified-only scan output (@HikaruEgashira)
• 50f97c0: feat: fingerprint github scans (@HikaruEgashira)
• 46537d6: feat: support github pat revoke (@HikaruEgashira)

Other

• 3e5fcb5: Merge pull request #161 from plenoai/codex/pleno-dlp-migration-foundation (@HikaruEgashira)
• 0b22ff4: ci: enable required status checks and build-provenance attestation (#160) (@HikaruEgashira)
• dbb776a: docs: add repository banner (@HikaruEgashira)
• 4c2c121: docs: simplify README entrypoints (@HikaruEgashira)
• f05c357: docs: trim PII section in README (@HikaruEgashira)
• 00e3f61: slim comment (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.46.0

Changelog

New detectors

• d01ffad: feat(detectors): add NearKeywords/NearPattern shared proximity helpers (@HikaruEgashira)

Engine and CLI

• 2b6552b: chore(ci,docs): weekly scheduled govulncheck + bring README in sync with shipped features (#128) (@HikaruEgashira)
• fa8b6f6: feat(cli): add protect command for pre-commit git diff scanning (#148) (@HikaruEgashira)

Bug fixes

• 415bcbb: Merge pull request #146 from plenoai/fix/govulncheck-go1.25.11 (@HikaruEgashira)
• a5b4554: docs(changelog): cut v0.46.0 — release-blocker fix wave (#153) (@HikaruEgashira)
• 6d7ace7: fix(deps): bump go-git/v5 to v5.19.1 to resolve 3 Dependabot alerts (@HikaruEgashira)
• f822054: fix(detectors): FP campaign batch 1 — research-driven hardening of 12 detectors (#130) (@HikaruEgashira)
• 6a95b24: fix(detectors): FP campaign batch 2 — research-driven hardening of 18 detectors (#131) (@HikaruEgashira)
• 4765197: fix(detectors): FP campaign batch 3 — research-driven hardening of 18 detectors (#132) (@HikaruEgashira)
• 46c4e06: fix(detectors): FP campaign batch 4 — research-driven hardening of 18 detectors (#133) (@HikaruEgashira)
• b4490c5: fix(detectors): FP campaign batch 5 — research-driven hardening of 18 detectors (#134) (@HikaruEgashira)
• b57dd79: fix(detectors): FP campaign batch 6 — research-driven hardening of 18 detectors (#135) (@HikaruEgashira)
• 75ea82a: fix(detectors): FP campaign batch 7 (final) — research-driven hardening of 19 detectors (#136) (@HikaruEgashira)
• a036d7e: fix(detectors): harden 7 FP-prone detectors with window+anchor+entropy gates (#121) (@HikaruEgashira)
• 9270631: fix(detectors,connectors): harden gladly FP + stop notion false-clean scans (#127) (@HikaruEgashira)
• 77965e3: fix(engine,connectors,cmd): propagate ctx cancellation, surface swallowed errors (#122) (@HikaruEgashira)
• 8a5e387: fix(protect): register --no-staged as explicit flag (@HikaruEgashira)
• d3d4b4c: fix(release): correct release-notes verify instructions while repo is private (#125) (@HikaruEgashira)
• de29838: fix(sarif): correct drifted detector descriptions (Twitch/Workato/Webex) (#143) (@HikaruEgashira)
• f358ecc: fix: bump toolchain to go1.25.11 to resolve GO-2026-5039 and GO-2026-5037 (@claude)
• 6de277f: fix: resolve release-blocking dedup/allowlist/notion/sarif/incremental issues (#151) (@HikaruEgashira)

Other

• 4dfab01: Add forge API comment sources (#150) (@HikaruEgashira)
• f2cdfe2: build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#145) (@dependabot[bot])
• 01a0928: build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#142) (@dependabot[bot])
• 7442c93: chore(hardening): re-audit batch — truthful release notes, mod verify, prefilter+revoke tests (#126) (@HikaruEgashira)
• 0266de9: chore(ops): periodic ops-hygiene cycle — govulncheck gate, dep CVEs, gomod dependabot (#120) (@HikaruEgashira)
• 62e3ccb: ci(release): add cosign keyless signing for checksums.txt (#144) (@HikaruEgashira)
• 4f90975: docs(detectors): seed the FP-hardening campaign key-format research record (#129) (@HikaruEgashira)
• 9a727d0: docs(protect): clarify --no-staged scans tracked files only (@HikaruEgashira)
• 7f161d7: docs(verify-coverage): reclassify 3 detectors (c)->(b) as fundamentally unverifiable (#124) (@HikaruEgashira)
• ab5eb95: docs: refresh project documentation (#149) (@HikaruEgashira)
• 455f1ab: docs: remove Private-key blast radius section (@HikaruEgashira)
• 8df848a: docs: remove git-diff pipe example; use protect instead (@HikaruEgashira)
• 40b82d8: docs: remove pre-commit hook setup block from README (@HikaruEgashira)
• e6cbfdf: docs: remove verbose intro paragraph (@HikaruEgashira)
• b5ffc7c: docs: trim README quickstart — fewer lines, protect first (@HikaruEgashira)
• cd353f4: push (@HikaruEgashira)
• 6691532: reclassify SalesforceRefresh from class (c) to class (b) (@HikaruEgashira)
• f1b0e7e: style: gofmt notion.go (bytes import ordering) (#152) (@HikaruEgashira)
• dbe20ea: test(connectors,sources): cover 7 verify funcs, the registry, and source routing (#123) (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.

v0.45.0

Changelog

New detectors

• 54efdf8: feat(detectors): add ClassifyVerifyHTTP helper; fix klu 5xx error semantics (#117) (@HikaruEgashira)
• 21260a4: feat(detectors): close 26 verify gaps; semantically harden 40 unverifiable detectors (#119) (@HikaruEgashira)

Engine and CLI

• 3c5ed81: feat(pii): integrate openai/privacy-filter as sibling PII engine (#110) (@HikaruEgashira)

Bug fixes

• 6a2820b: fix(detectors): drop unused tokenRe var in gitlabpipeline (staticcheck U1000) (@HikaruEgashira)
• dc38fef: fix(detectors): tighten drip/monday/make medium-priority FP patterns (#116) (@HikaruEgashira)
• d7ae852: fix(engine): close vicinity-dispatch detection gaps (PEM, paired secrets) (@HikaruEgashira)
• d893481: fix: production-ready hardening — correctness bugs, lint clean, CI gates (#118) (@HikaruEgashira)

Other

• d7fc062: build(deps): bump actions/attest-build-provenance from 1.4.4 to 4.1.0 (#114) (@dependabot[bot])
• ab95359: build(deps): bump actions/checkout from 4.2.2 to 6.0.2 (#111) (@dependabot[bot])
• fe8365b: build(deps): bump actions/setup-go from 5.1.0 to 6.4.0 (#113) (@dependabot[bot])
• b26dab1: build(deps): bump goreleaser/goreleaser-action from 6.3.0 to 7.2.2 (#115) (@dependabot[bot])
• 6001dd5: ci(workflows): set persist-credentials:false on checkout (artipacked) (@HikaruEgashira)
• 4aeb517: ci: add sisakulint workflow and dependabot config (@HikaruEgashira)
• dd5e0c6: ci: bump sisakulint-action to 8bfb339 (shlex args parsing) (@HikaruEgashira)
• 13d5626: docs(benchmarks): add cross-tool comparison vs trufflehog + gitleaks (#109) (@HikaruEgashira)
• 3be6e6a: docs(benchmarks): drop Engine shape today (not a snapshot) (@HikaruEgashira)
• 22c4ff4: docs(benchmarks): drop Next optimisation surface (not a snapshot) (@HikaruEgashira)
• a712eb6: docs(benchmarks): record full-chunk fallback cost honestly (@HikaruEgashira)
• 271b8b9: docs(benchmarks): rewrite as current-state snapshot, drop version-diff framing (@HikaruEgashira)
• d6f87a2: docs(benchmarks): rewrite to academic-rigour standard (@HikaruEgashira)
• b951f59: docs(changelog): cut v0.45.0 — verify coverage + FP hardening (@HikaruEgashira)
• 8eb6f60: docs(readme): document openai-pf engine in PII detection (opt-in) section (@HikaruEgashira)
• 9ef7394: docs: record v0.44.0 Aho-Corasick prefilter benchmark numbers (#108) (@HikaruEgashira)
• a0a1bb9: perf(engine): beat trufflehog on Workload B (8.4x) and D (1.51x) (@HikaruEgashira)
• c923fe4: perf(engine): keep only PrivateKeyPEM as FullChunkDetector (@HikaruEgashira)

---

Verify the release with:

gh attestation verify --owner plenoai pleno-dlp_{os}_{arch}.tar.gz