HashiCorp Vault 1.16 (Apr 2024) brings Key Management Secrets Engine GA, OIDC token exchange, and an event‑streaming audit backend for centralized secret rotation and encryption.
cert‑manager 1.15 (Feb 2025) adds Gateway API support and LiteralCertificateSubject, issuing ACME, Vault, or self‑signed certs per namespace.
Trivy 0.52 (Mar 2025) scans containers, SBOMs, IaC, and Git repos; `trivy kubernetes --helm` audits Helm releases and outputs CycloneDX SBOMs.
Grype 0.73 (May 2025) matches CVEs across 12 ecosystems using NVD 2.0 and Chainguard edb, providing a second layer of container vulnerability detection.
CrowdSec 1.6 (Feb 2025) bans malicious IPs via agents and shares block‑lists, enhancing runtime security across clusters.
Clair 4.8 (Jul 2024) ingests Ubuntu 24.04, Wolfi, and Red Hat feeds, offering alternate database coverage for defense‑in‑depth.
Dockle 0.5 (Apr 2024) checks Dockerfiles against CIS benchmarks, dangling setuid bits, and outdated base images.
Wolfi‑based images ship with zero known CVEs, are signed with Sigstore, and are continuously patched; they integrate with Cosign & Rekor for signature verification.
Syft 1.2 (Apr 2025) emits SPDX or CycloneDX SBOMs for images, directories, and Nix derivations, feeding Trivy/Grype.
Cosign 2.2 (Apr 2024) supports keyless signatures and SBOM attestations; signatures are verified against the Rekor transparency log.
Rekor 1.4 (Jan 2025) stores immutable metadata for signatures and attestations using Trillian‑v1 and TUF entries.
CodeQL 2.15 (Feb 2025) brings Python 3.13 support, GraphQL taint‑tracking, and parallel queries in GitHub Actions.
Semgrep 1.45 (Apr 2025) adds autofix, Go generics, and rule marketplace for fast multi‑language static analysis.
Bandit 1.8 (Mar 2025) checks Python code for insecure functions and leaked AWS keys, and outputs SARIF that integrates with GHAS.
gosec 2.18 (Apr 2025) flags unsafe reflection, hard‑coded creds, and SQL injection in Go modules.
ZAP 2.14 (Jun 2025) performs automated spidering, active scans, and GraphQL fuzzing; integrates with GitHub Actions and Cypress pipelines.
Nikto 3.1 (Jan 2024) scans webservers for 7 000+ dangerous files, outdated software, and misconfigs, complementing ZAP for DAST coverage.
Checkov 3.2 (Jun 2025) analyses Terraform, CloudFormation, Pulumi, & K8s manifests with graph detection and AI remediation.
tfsec 1.31 (Jun 2025) outputs SARIF and cross‑links to Checkov docs for Terraform misconfigs.
Kubescape 3.0 (Jul 2025) runs NSA & MITRE benchmarks, RBAC analysis, and risk graphs for clusters.
kube‑hunter 0.8 (Jan 2025) discovers exposed dashboards, unauthenticated Kubelets, and permissive RBAC rules.
Falco 0.40 (Jan 2025) inspects syscalls via eBPF to detect anomalous runtime behavior.
Kyverno validates and mutates manifests with JSON policies; verifies Cosign signatures.
Gatekeeper enforces Rego policies and mutation across clusters.
OPA 1.0 reaches GA with faster bundle evaluation and signed bundles.
Snyk aggregates OSS, SAST, IaC findings into SARIF reports.
Mend scans repos & images for vulnerable libraries and licenses.
Pull‑request comments deliver vulnerability details and suggested fixes.
The GHAS bot surfaces secret‑scanning alerts, dependency reviews, and CodeQL findings.
TUF/Notary v2 secures OCI artifact pulls with delegations and signed metadata.