Skip to content

Releases: ShieldNet-360/securevibe

Release list

v0.10.2

Choose a tag to compare

@github-actions github-actions released this 30 Jun 08:11
0debd38

Automated Skills Library release for tag v0.10.2.

⚠️ This release is a draft. The bundled manifest.json
still contains "signature": "TBD" and is not consumable by
securevibe update. The release manager must sign the
manifest offline per SIGNING.md, re-upload
it to the draft, and then run the Sign & publish workflow
(.github/workflows/sign-and-publish.yml) to mark this
release as published.

Assets:

  • securevibe-<goos>-<goarch>[.exe] — the single binary: CLI + MCP server (securevibe mcp), reproducible build. This is what install.sh and Homebrew download, and what go install .../cmd/securevibe@latest produces. Reads its library data from --path / $SKILLS_LIBRARY_PATH (it does not embed the data tree).
  • checksums-<goos>-<goarch>.txt — SHA-256 of the binary for that platform.
  • manifest.json — library manifest (signed out-of-band before publish).
  • skills-library-data.tar.gz — library payload (skills, vulnerabilities, dictionaries, dist, rules, compliance, profiles, manifest.json). This is what securevibe update downloads by default. The bundled vulnerabilities/osv/ tree is a small latest-first sample.
  • osv-cache.tar.gz — full upstream OSV catalogue (osv/<eco>/...). Consumed by securevibe dev fetch-vulns --from-release to populate the user cache with complete coverage without hitting osv.dev.
  • deltas.tar.gz — patch set against the previous release (best effort).
  • SHA256SUMS.txt — checksum of every asset above.

Verification (post-publish):

  • Verify the binary with the matching checksums-<goos>-<goarch>.txt file.
  • Verify manifest.json with securevibe dev manifest verify --path ..
  • The Sign & publish workflow runs the same verification in CI
    before flipping the draft to public.

v0.10.0

Choose a tag to compare

@github-actions github-actions released this 29 Jun 02:56
0fcb5e8

Automated Skills Library release for tag v0.10.0.

⚠️ This release is a draft. The bundled manifest.json
still contains "signature": "TBD" and is not consumable by
securevibe update. The release manager must sign the
manifest offline per SIGNING.md, re-upload
it to the draft, and then run the Sign & publish workflow
(.github/workflows/sign-and-publish.yml) to mark this
release as published.

Assets:

  • securevibe-<goos>-<goarch>[.exe] — the single binary: CLI + MCP server (securevibe mcp), reproducible build. This is what install.sh and Homebrew download, and what go install .../cmd/securevibe@latest produces. Reads its library data from --path / $SKILLS_LIBRARY_PATH (it does not embed the data tree).
  • checksums-<goos>-<goarch>.txt — SHA-256 of the binary for that platform.
  • manifest.json — library manifest (signed out-of-band before publish).
  • skills-library-data.tar.gz — library payload (skills, vulnerabilities, dictionaries, dist, rules, compliance, profiles, manifest.json). This is what securevibe update downloads by default. The bundled vulnerabilities/osv/ tree is a small latest-first sample.
  • osv-cache.tar.gz — full upstream OSV catalogue (osv/<eco>/...). Consumed by securevibe dev fetch-vulns --from-release to populate the user cache with complete coverage without hitting osv.dev.
  • deltas.tar.gz — patch set against the previous release (best effort).
  • SHA256SUMS.txt — checksum of every asset above.

Verification (post-publish):

  • Verify the binary with the matching checksums-<goos>-<goarch>.txt file.
  • Verify manifest.json with securevibe dev manifest verify --path ..
  • The Sign & publish workflow runs the same verification in CI
    before flipping the draft to public.