v0.54.0

Changelog

Engine and CLI

• ac455cf: feat(github): scan all commits across all refs via clone-based history mode (#203) (@HikaruEgashira)

Bug fixes

• 56d57b4: fix(detectors/github): show 4 token chars after prefix in redacted output (#202) (@HikaruEgashira)
• 07e6dd0: fix(git): add author/email/date/message attribution to git-mode findings (#199) (@HikaruEgashira)
• 68cb65b: fix(privatekey): extend PrivateKeyPEM to match PGP armor headers (#198) (@HikaruEgashira)
• 6437d9d: fix: PII language hint, Asana PAT format, Azure Storage key detector (#200) (@HikaruEgashira)

Other

• 4b5aa62: Add verified Slack webhook detector (#191) (@Photon101)
• 76d2922: Backfill changelog entries for v0.47.0-v0.52.0 (#192) (@Photon101)
• bdd6e95: chore: remove external Actions (anti-slop, contributor-report), now in metsuke (#197) (@HikaruEgashira)
• 8f4970b: ci: add anti-slop + contributor-report quality layers, vouch Photon101 (#195) (@HikaruEgashira)
• c6af93f: ci: add vouch trust gate for external contributors (#194) (@HikaruEgashira)
• a6d5f11: ci: remove external anti-slop and contributor-report Actions (#196) (@HikaruEgashira)
• 4918dda: docs(comparison): add real-world evaluation, pin numbers to released v0.53.0 (#174) (@HikaruEgashira)
• 305a750: docs: remove stale content, slim down detector-key-formats table (#193) (@HikaruEgashira)
• 05cb129: refactor(github): remove legacy tree scan mode, full-history only (#204) (@HikaruEgashira)

---

checksums.txt is signed with Sigstore keyless (cosign). Verify with:

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp \
    'https://github.com/plenoai/pleno-dlp/.github/workflows/release.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Or verify checksums only (no cryptographic signing):

sha256sum -c checksums.txt

Build-provenance attestations (gh attestation verify) require a
public repo or GHAS and are skipped while this repo is private.