v0.46.0
Changelog
New detectors
- d01ffad: feat(detectors): add NearKeywords/NearPattern shared proximity helpers (@HikaruEgashira)
Engine and CLI
- 2b6552b: chore(ci,docs): weekly scheduled govulncheck + bring README in sync with shipped features (#128) (@HikaruEgashira)
- fa8b6f6: feat(cli): add protect command for pre-commit git diff scanning (#148) (@HikaruEgashira)
Bug fixes
- 415bcbb: Merge pull request #146 from plenoai/fix/govulncheck-go1.25.11 (@HikaruEgashira)
- a5b4554: docs(changelog): cut v0.46.0 — release-blocker fix wave (#153) (@HikaruEgashira)
- 6d7ace7: fix(deps): bump go-git/v5 to v5.19.1 to resolve 3 Dependabot alerts (@HikaruEgashira)
- f822054: fix(detectors): FP campaign batch 1 — research-driven hardening of 12 detectors (#130) (@HikaruEgashira)
- 6a95b24: fix(detectors): FP campaign batch 2 — research-driven hardening of 18 detectors (#131) (@HikaruEgashira)
- 4765197: fix(detectors): FP campaign batch 3 — research-driven hardening of 18 detectors (#132) (@HikaruEgashira)
- 46c4e06: fix(detectors): FP campaign batch 4 — research-driven hardening of 18 detectors (#133) (@HikaruEgashira)
- b4490c5: fix(detectors): FP campaign batch 5 — research-driven hardening of 18 detectors (#134) (@HikaruEgashira)
- b57dd79: fix(detectors): FP campaign batch 6 — research-driven hardening of 18 detectors (#135) (@HikaruEgashira)
- 75ea82a: fix(detectors): FP campaign batch 7 (final) — research-driven hardening of 19 detectors (#136) (@HikaruEgashira)
- a036d7e: fix(detectors): harden 7 FP-prone detectors with window+anchor+entropy gates (#121) (@HikaruEgashira)
- 9270631: fix(detectors,connectors): harden gladly FP + stop notion false-clean scans (#127) (@HikaruEgashira)
- 77965e3: fix(engine,connectors,cmd): propagate ctx cancellation, surface swallowed errors (#122) (@HikaruEgashira)
- 8a5e387: fix(protect): register --no-staged as explicit flag (@HikaruEgashira)
- d3d4b4c: fix(release): correct release-notes verify instructions while repo is private (#125) (@HikaruEgashira)
- de29838: fix(sarif): correct drifted detector descriptions (Twitch/Workato/Webex) (#143) (@HikaruEgashira)
- f358ecc: fix: bump toolchain to go1.25.11 to resolve GO-2026-5039 and GO-2026-5037 (@claude)
- 6de277f: fix: resolve release-blocking dedup/allowlist/notion/sarif/incremental issues (#151) (@HikaruEgashira)
Other
- 4dfab01: Add forge API comment sources (#150) (@HikaruEgashira)
- f2cdfe2: build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#145) (@dependabot[bot])
- 01a0928: build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#142) (@dependabot[bot])
- 7442c93: chore(hardening): re-audit batch — truthful release notes, mod verify, prefilter+revoke tests (#126) (@HikaruEgashira)
- 0266de9: chore(ops): periodic ops-hygiene cycle — govulncheck gate, dep CVEs, gomod dependabot (#120) (@HikaruEgashira)
- 62e3ccb: ci(release): add cosign keyless signing for checksums.txt (#144) (@HikaruEgashira)
- 4f90975: docs(detectors): seed the FP-hardening campaign key-format research record (#129) (@HikaruEgashira)
- 9a727d0: docs(protect): clarify --no-staged scans tracked files only (@HikaruEgashira)
- 7f161d7: docs(verify-coverage): reclassify 3 detectors (c)->(b) as fundamentally unverifiable (#124) (@HikaruEgashira)
- ab5eb95: docs: refresh project documentation (#149) (@HikaruEgashira)
- 455f1ab: docs: remove Private-key blast radius section (@HikaruEgashira)
- 8df848a: docs: remove git-diff pipe example; use protect instead (@HikaruEgashira)
- 40b82d8: docs: remove pre-commit hook setup block from README (@HikaruEgashira)
- e6cbfdf: docs: remove verbose intro paragraph (@HikaruEgashira)
- b5ffc7c: docs: trim README quickstart — fewer lines, protect first (@HikaruEgashira)
- cd353f4: push (@HikaruEgashira)
- 6691532: reclassify SalesforceRefresh from class (c) to class (b) (@HikaruEgashira)
- f1b0e7e: style: gofmt notion.go (bytes import ordering) (#152) (@HikaruEgashira)
- dbe20ea: test(connectors,sources): cover 7 verify funcs, the registry, and source routing (#123) (@HikaruEgashira)
checksums.txt is signed with Sigstore keyless (cosign). Verify with:
cosign verify-blob checksums.txt \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp \
'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Or verify checksums only (no cryptographic signing):
sha256sum -c checksums.txt
Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.