Releases: cartography-cncf/cartography

0.136.0

02 May 16:46
8e265ba

What's Changed

  • feat(kube): Extend Kubernetes Module to have KubernetesNode and Container Architecture Info by @shyammukund in #2598
  • chore: bump types-requests from 2.33.0.20260327 to 2.33.0.20260402 by @dependabot[bot] in #2605
  • chore: bump the minor-and-patch group with 6 updates by @dependabot[bot] in #2604
  • chore: bump astral-sh/setup-uv from 7.6.0 to 8.0.0 by @dependabot[bot] in #2603
  • chore: bump docker/login-action from 4.0.0 to 4.1.0 in the minor-and-patch group across 1 directory by @dependabot[bot] in #2602
  • chore: bump python from 739e721 to eefe082 by @dependabot[bot] in #2601
  • chore: bump pytest from 9.0.2 to 9.0.3 by @dependabot[bot] in #2610
  • fix(googleworkspace): Handle Google Workspace memberships missing type by @kunaals in #2611
  • feat(gcp): Add Container Architecture Coverage for GCP Cloud Run by @shyammukund in #2600
  • feat(permissions): Add DynamoDB write and Secrets Manager permission mappings by @jychp in #2613
  • feat(kube): Add in HAS_IMAGE rel between KubernetesContainer and GCPArtifactRegistryImage by @shyammukund in #2608
  • feat(azure): Extend Azure Coverage so containers have architecture and digest info by @shyammukund in #2607
  • fix(ubuntu): add HTTP retry policy to avoid transient 503 failures by @serge-wq in #2609
  • feat(ontology): Add Analysis Job to compute RESOLVED_IMAGE rel between Container and Images by @shyammukund in #2617
  • feat(aws): Update HAS_IMAGE in ECS to extend to GAR and Gitlab Images by @shyammukund in #2618
  • fix(aws): reduce SageMaker regional retry tail by @kunaals in #2616
  • feat(gitlab): align code-to-cloud graph modeling by @jychp in #2612
  • feat(gcp): Update CloudRunJob and CloudRunRevision to have container ontology label by @shyammukund in #2619
  • feat(crowdstrike): enrich device ontology ownership by @kunaals in #2615
  • fix(rules): exclude inactive unmanaged accounts by @jychp in #2623
  • feat(kubernetes): map KubernetesCluster to its EKSCluster by @jychp in #2626
  • fix(github): defer global cleanup until all orgs sync by @jychp in #2621
  • feat(kubernetes): add IRSA service account role mapping by @jychp in #2627
  • feat(ontology): add SecurityIssue semantic label for non-CVE findings by @jychp in #2576
  • feat(jamf): sync device inventory and memberships by @kunaals in #2625
  • chore: bump types-requests from 2.33.0.20260402 to 2.33.0.20260408 by @dependabot[bot] in #2634
  • chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 by @dependabot[bot] in #2633
  • fix(jamf): map mobile display fields into device ontology by @kunaals in #2636
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2631
  • chore: bump python from eefe082 to d168b8d by @dependabot[bot] in #2630
  • fix(jamf): normalize mobile os before ontology mapping by @kunaals in #2638
  • fix(keycloak)/unsupported-pagination by @VeteaRes in #2516
  • fix(aws) use recommended function to fetch s3 bucket region by @aliahmed58 in #2509
  • chore: bump pyopenssl from 25.3.0 to 26.0.0 by @dependabot[bot] in #2637
  • chore(graph): bump default cleanup iterationsize to 10000 by @jychp in #2639
  • chore: bump the minor-and-patch group across 1 directory with 4 updates by @dependabot[bot] in #2632
  • fix(aws): honor configured profile even when only one is discovered by @jychp in #2641
  • fix(aws): skip permission relationships without resource arns by @jychp in #2644
  • fix(gcp): list Go modules via packages API in Artifact Registry by @jychp in #2649
  • feat(gcp): add GCPCloudRunService USES_SERVICE_ACCOUNT relationship by @jychp in #2651
  • feat(gcp): map CAN_READ from principals to GCPSecretManagerSecret by @jychp in #2652
  • feat(vercel): add Vercel ingestion module by @jychp in #2628
  • refactor(aws-iam): drop dead AccountAccessKey rel definitions by @jychp in #2654
  • feat(socketdev): add Socket.dev intel module for supply chain security by @jychp in #2629
  • feat: scope Container to individual containers; route Cloud Run + image-based Functions through Function by @jychp in #2653
  • fix(entra): Skip Group when a group gets deleted between listing and fetching by @shyammukund in #2624
  • feat(intune): stream detected apps transform to prevent OOM by @shyammukund in #2643
  • fix(gcp): skip default Apps Script project folders by @kunaals in #2656
  • feat(ontology): Jamf device emails should derive canonical ownership edges by @kunaals in #2661
  • feat(rules): add rule to detect unpinned GitHub Actions by @jychp in #2660
  • fix(aws): lower retry attempts and harden transient failures by @kunaals in #2553
  • feat(kubernetes): make list secrets and aws-auth configmap permissions optional by @jychp in #2663
  • fix(workos): migrate intel module to workos SDK v6 by @jychp in #2650
  • refactor: refine Container/Function ontology for Azure container groups and Cloud Run by @jychp in #2657
  • feat(tailscale): model grants and resolve effective access relationships by @jychp in #2647
  • fix(aws): preserve S3 buckets on head_bucket timeouts by @kunaals in #2666
  • fix(microsoft): migrate intune detected apps to report exports by @kunaals in #2664
  • fix(aws): filter unsupported service regions by @kunaals in #2662
  • fix(gcp): speed up vertex ai sync path by @kunaals in #2669
  • fix(cve): retry NIST NVD fetch on ChunkedEncodingError by @jychp in #2665
  • feat(cve_metadata): add CVE metadata enrichment intel module by @jychp in #2538
  • fix(kubernetes): process templated EKS aws-auth entries by @jychp in #2655
  • perf(gcp): batch permission relationship sync by @kunaals in #2673
  • refactor(ontology): remove OntologyRelMapping, migrate to analysis jobs and Python by @jychp in #2674
  • perf(gcp): speed up cloud run sync path by @kunaals in #2672
  • feat(ontology): promote DNSRecord to semantic label and add cross-provider DNS linking by @jychp in #2676
  • fix(gcp): Handle billing-disabled GCP KMS syncs gracefully by @kunaals in #2677
  • fix(gcp): Handle CAI policy binding rate limits in GCP sync by @kunaals in #2679
  • feat(scan): Add DEPLOYED rel between syft/trivy and images by @shyammukund in #2678
  • perf(aws): Add index on EC2Instance metadatahttptokens by @jychp in #2685
  • fix(gcp): speed up artifact registry sync by @kunaals in #2675
  • feat(ontology): map missing nodes and add FileStorage semantic ...

0.135.0

10 Apr 16:25
c0c78bc

What's Changed

  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2533
  • chore: bump cryptography from 45.0.7 to 46.0.6 by @dependabot[bot] in #2558
  • feat(rules): add NIST AI RMF aligned AI governance checks by @kunaals in #2435
  • fix(aws): handle SES list_email_identities without paginator by @kunaals in #2561
  • chore: add dependabot cooldowns by @jychp in #2560
  • fix(aws): use adaptive botocore retries by @kunaals in #2550
  • refactor(ontology): convert device hostname rels to conditional matchlinks by @jychp in #2546
  • chore: bump pygments from 2.19.2 to 2.20.0 by @dependabot[bot] in #2563
  • chore: bump the minor-and-patch group across 1 directory with 19 updates by @dependabot[bot] in #2562
  • refactor: cleanup redundant indexes and auto-index lastupdated on extra labels by @jychp in #2564
  • fix(ontology): clean up stale derived relationships by @jychp in #2565
  • fix(github): add retry logic to call_github_rest_api for transient errors by @jychp in #2566
  • fix(core): update CALL subquery to use Neo4j 5 syntax. Update docs. (#1500) by @achantavy in #2547
  • chore: bump sphinxcontrib-mermaid from 1.0.0 to 2.0.1 by @dependabot[bot] in #2556
  • fix(github): raise ValueError when organization data is None in fetch_all by @jychp in #2568
  • fix(gitlab): support additional dependency scanning job names by @kunaals in #2569
  • chore: bump kubernetes from 33.1.0 to 35.0.0 by @dependabot[bot] in #2557
  • feat(ontology): link Device to SentinelOne agents by @jychp in #2571
  • chore: bump packaging from 25.0 to 26.0 by @dependabot[bot] in #2555
  • chore: bump aiohttp from 3.13.2 to 3.13.4 by @dependabot[bot] in #2572
  • feat(intune): Add Coverage for Microsoft Intune by @shyammukund in #2537
  • fix(gcp): retry google api core server errors by @jychp in #2573
  • feat: add new intel module for WorkOS by @jychp in #2219
  • chore: add Python 3.13 support with deprecation warning for previous versions by @jychp in #2346
  • chore: bump aiohttp from 3.13.3 to 3.13.4 by @dependabot[bot] in #2574
  • docs(ci): align CNCF references and publish coverage evidence by @jychp in #2567
  • fix: change log level from warning to debug for expected Composite Node Pattern cases by @achantavy in #2549
  • fix(gcp): retry cleanup and graph job writes by @kunaals in #2540
  • feat(kubernetes): link pods to service accounts by @jychp in #2575
  • Pin azure-mgmt-resource below 25 by @kunaals in #2577
  • chore: bump actions/upload-artifact from 4.3.3 to 7.0.0 by @dependabot[bot] in #2579
  • chore: bump the minor-and-patch group with 23 updates by @dependabot[bot] in #2580
  • fix(s1): reduce SentinelOne site-scope fallback log noise by @kunaals in #2585
  • chore: bump cryptography from 45.0.7 to 46.0.5 by @dependabot[bot] in #2581
  • chore: remove redundant load/sync log statements from intel modules by @jychp in #2588
  • feat(tailscale): ingest and resolve device posture by @jychp in #2586
  • test: align legacy integration tests with AGENTS.md standards by @jychp in #2589
  • fix(test): resolve flaky test_sync_ecr caused by non-deterministic mock ordering by @jychp in #2592
  • refactor: migrate 5 legacy intel modules to data model by @jychp in #2590
  • chore: bump cryptography from 46.0.5 to 46.0.7 by @dependabot[bot] in #2593
  • refactor(github): migrate remaining repo sync to data model by @jychp in #2591
  • feat(ontology): add EncryptionKey semantic label for cross-cloud key queries by @jychp in #2594
  • fix(aws): Skip 503 error for single region in Cloudtrail_mgmt_events module sync by @shyammukund in #2596
  • refactor(microsoft): Move Entra and Intune modules under new Microsoft Module by @shyammukund in #2595
  • docs(kubernetes): document EKS permission requirements by @kunaals in #2599

Full Changelog: 0.134.0...0.135.0

0.134.0

27 Mar 08:17
1a22f7c

What's Changed

  • fix(gcp): retry artifact registry API requests by @kunaals in #2496
  • chore: bump black from 26.1.0 to 26.3.1 by @dependabot[bot] in #2495
  • feat(rules): expand EOL software rule for Kubernetes and EC2 by @kunaals in #2483
  • feat(docker_scout): Coverage for Docker Scout by @shyammukund in #2488
  • fix(gitlab): tolerate transient attestation registry failures by @kunaals in #2503
  • feat(gcp): Add unified label support for more GCP resources. by @shyammukund in #2504
  • chore: bump pyjwt from 2.10.1 to 2.12.0 by @dependabot[bot] in #2505
  • chore: bump astral-sh/setup-uv from 7.3.1 to 7.5.0 in the minor-and-patch group by @dependabot[bot] in #2498
  • chore: bump docker/setup-docker-action from 4.7.0 to 5.0.0 by @dependabot[bot] in #2499
  • chore: bump docker/metadata-action from 5.10.0 to 6.0.0 by @dependabot[bot] in #2500
  • chore: bump the minor-and-patch group with 5 updates by @dependabot[bot] in #2501
  • feat(rules): add SubImage coverage framework and rules by @jychp in #2485
  • feat(slack): create SlackBot node type for bot accounts by @jychp in #2493
  • fix: handle AWS sync edge cases and Docker Scout tag schema by @jychp in #2506
  • feat(gcp): implement classify_gcp_http_error utility and update error handling in DNS, GKE, and Vertex AI modules by @Denyme24 in #2502
  • feat(sentry): add Sentry intel module by @jychp in #2439
  • feat(ontology): add PermissionRole, NetworkAccessControl, and DNSZone semantic labels by @jychp in #2492
  • fix(github): continue repo sync when privileged query is forbidden by @kunaals in #2507
  • fix(openai): filter project keys from admin API keys endpoint by @jychp in #2511
  • chore: bump pyasn1 from 0.6.2 to 0.6.3 by @dependabot[bot] in #2514
  • fix(aws): tolerate transient cloudtrail and ecr failures by @kunaals in #2515
  • feat(semgrep: Secrets): Include secret findings from semgrep by @serge-wq in #2513
  • feat(aws): ingest EC2 IMDS metadata options by @kunaals in #2519
  • feat(ontology): switch Device ID from hostname to serial_number by @jychp in #2523
  • feat(config): Expose additional Neo4j driver options in run_with_config by @kunaals in #2524
  • Align AWS CIS v5 rule metadata and add EC2 IMDSv2 coverage by @kunaals in #2520
  • feat(aws): add SES email identity support by @raajheshkannaa in #2497
  • fix(graph): order matchlink cleanup index by scope first by @kunaals in #2529
  • fix(aws): tolerate transient child failures and parse SLSA v1 provenance by @kunaals in #2525
  • feat(aws): pass region parameter to get_sqs_queue_attributes by @kirkj-lightspeed in #2445
  • fix(entra): retry transient Graph API errors across all Entra syncs by @jychp in #2531
  • feat(sentinelone): support site-scoped MSSP tokens by @kunaals in #2527
  • feat(cve): add indexed cve_id property to CVE node by @jychp in #2536
  • fix(gitlab): batch large container image ingests by @kunaals in #2528
  • chore: bump the minor-and-patch group with 4 updates by @dependabot[bot] in #2534
  • chore: bump python from 4b0a8eb to 4ba18b0 by @dependabot[bot] in #2532
  • feat: add Jumpcloud intel module by @tr0mpa in #2480
  • fix(tailscale): request all fields from devices API to collect serial numbers by @jychp in #2545
  • fix(aws): handle account-instance IAM Identity Center permission set errors by @kunaals in #2543
  • fix(semgrep): match SAST/SCA findings to GitHubRepository via URL by @serge-wq in #2521
  • chore: bump requests from 2.32.5 to 2.33.0 by @dependabot[bot] in #2551
  • Tighten readme by @achantavy in #2544
  • chore: bump protobuf from 6.33.0 to 6.33.5 by @dependabot[bot] in #2552

Full Changelog: 0.133.0...0.134.0

0.133.0

12 Mar 20:24
d21233d

What's Changed

  • fix(gcp): harden config error handling and vertex model property serialization by @kunaals in #2460
  • Adding ubuntu intel module and tests by @AdiLyft in #2428
  • chore: bump python from 3.10.19-slim to 3.10.20-slim by @dependabot[bot] in #2464
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2465
  • chore: bump the minor-and-patch group with 5 updates by @dependabot[bot] in #2470
  • chore: bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #2466
  • chore: bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in #2467
  • chore: bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #2468
  • chore: bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in #2469
  • fix(gcp): handle KMS API disabled error to prevent project sync crash by @jychp in #2472
  • fix(tailscale): add HTTP retry with backoff for transient errors by @yashasviyadav30 in #2463
  • feat(gcp): Add GCP Labels Support for GCPInstances and GCPBuckets by @shyammukund in #2437
  • feat(gcp): Add Selective Sync for GCP by @shyammukund in #2462
  • feat(cli,config): add neo4j liveness check timeout option to prevent connection issues by @Denyme24 in #2471
  • fix(gcp): serialize Vertex AI endpoint labels to JSON by @jychp in #2482
  • feat(subimage): add SubImage intel module by @jychp in #2474
  • fix(gcp): reduce noisy expected error logs by @kunaals in #2490
  • fix(gcp): handle artifact registry os packages by @kunaals in #2491
  • feat(aibom): ingest AI BOM reports and link detections to canonical ECR images by @kunaals in #2443
  • feat(Semgrep/sast) Add Semgrep SAST findings with AI assistant info by @heryxpc in #2486
  • feat(ontology): expand ontology with serviceaccounts and certificates categories by @jychp in #2487

Full Changelog: 0.132.0...0.133.0

0.132.0

05 Mar 18:18
52891af

What's Changed

  • feat(eks,kubernetes): add cert parsing diagnostics and kube TLS posture metadata by @kunaals in #2393
  • feat(aws): add RDS permission relationships for IAM database access by @jychp in #2447
  • feat(rules): add CIS Kubernetes Benchmark v1.12 framework by @jychp in #2434
  • fix(github): extract dependency graph into per-repo paginated queries by @jychp in #2450
  • feat(aws/iam): add get_account_summary ingestion by @jychp in #2451
  • fix(aws): skip unsupported SageMaker regional operations by @kunaals in #2455
  • feat(ecs): normalize runtime container architecture by @kunaals in #2401
  • fix(aws): enforce extension-only EKS cert SKI/AKI metadata by @kunaals in #2449
  • fix(identitycenter): scope ALLOWED_BY matchlinks by identity_store_id by @jychp in #2448
  • fix(anthropic,openai): add HTTP retry with backoff for transient errors by @jychp in #2456
  • fix(aws): fix exposed_internet not set on ELB/ELBv2 nodes by @josema-xyz in #2454
  • feat(rules): add rule to detect AWS accounts not synced by @jychp in #2458
  • fix(aws): correct GuardDuty finding date fields by @kunaals in #2459

Full Changelog: 0.131.1...0.132.0

0.131.1

03 Mar 21:25
5da2616

What's Changed

  • feat(ontology): add Cluster semantic label by @jychp in #2421
  • fix(docs): fix View page source links pointing to .md.txt by @kunaals in #2436
  • fix(ci): unblock arm64 Docker publish and harden PyPI version check by @kunaals in #2438
  • fix(gcp): cleanup legacy project->role resource edges by @kunaals in #2440
  • fix(gcp): pass explicit creds to cloud run location discovery by @kunaals in #2441
  • fix(gcp): use authorized session for workbench notebooks API by @kunaals in #2442

Full Changelog: 0.131.0...0.131.1

0.131.0

02 Mar 22:50
c0393ae

What's Changed

  • docs(kubernetes): add required RBAC permissions by @kunaals in #2392
  • fix(gitlab): propagate org sync HTTP errors to caller by @kunaals in #2429
  • chore: bump the minor-and-patch group with 5 updates by @dependabot[bot] in #2432
  • chore: bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #2431
  • chore: bump python from e508a34 to 6a58611 by @dependabot[bot] in #2430
  • feat(ontology): add UserGroup semantic label for cross-platform group queries by @jychp in #2420
  • feat(gcp): add BigQuery resource ingestion by @jychp in #2433

Full Changelog: 0.130...0.131.0

0.130.1rc1

25 Feb 01:11
ec8c365

Pre-release

What's Changed

  • docs(kubernetes): add required RBAC permissions by @kunaals in #2392

Full Changelog: 0.130.0...0.130.1rc1

0.130.0

25 Feb 00:35
b76b92e

What's Changed

  • feat(azure): Azure Firewall Support by @ashton-suire in #2223
  • feat(AWS): Complete AWS Compute Internet Exposure Coverage by @shyammukund in #2391
  • fix(aws): split LBv2 sync to defer IP MatchLinks after network_interface by @jychp in #2395
  • fix(aws,gcp): isolate IP labels and migrate shared IP nodes by @kunaals in #2404
  • feat(ontology): add canonical Package node to ontology by @jychp in #2399
  • fix(aws): sync IAM user and group tags via IAM fallback by @kunaals in #2409
  • chore: bump the minor-and-patch group with 6 updates by @dependabot[bot] in #2408
  • chore: bump werkzeug from 3.1.5 to 3.1.6 by @dependabot[bot] in #2411
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2407
  • feat(azure): Azure Compute Exposure by @shyammukund in #2397
  • feat(k8s): Kubernetes Compute Internet Exposure by @shyammukund in #2405
  • fix(aws): Resourcegroupstagging cleanup batch by @heryxpc in #2400
  • feat(okta): add --okta-base-domain option for custom Okta domains by @jychp in #2416
  • fix(aws-iam): handle missing Group.tags/ListGroupTags without crashing sync by @kunaals in #2418
  • fix(aws): add internet exposed type to ecs containers by @shyammukund in #2419
  • feat(gcp): Add GCP Compute Exposure Coverage by @shyammukund in #2412
  • fix(rules): add GitLab to Module enum by @jychp in #2425
  • chore: bump cryptography from 45.0.7 to 46.0.5 by @dependabot[bot] in #2422
  • Fix syntax error in Cloudflare zone filtering by @kirkj-lightspeed in #2371
  • fix(aws): make ECR layer manifest access-denied errors non-fatal by @kunaals in #2415
  • feat(aws-ecs): add IS_INSTANCE relationship from ECSContainerInstance to EC2Instance by @jychp in #2426
  • fix(aws) Add batching to avoid threads hanging on s3 and ecr GetDetails by @heryxpc in #2423

Full Changelog: 0.129.0...0.130

0.129.0

17 Feb 16:58
8a79bd4

What's Changed

  • feat(github): parse workflow YAML for actions, secrets, and permissions by @jychp in #2370
  • feat(github): add GitHub App authentication support by @jychp in #2375
  • fix(github): harden repo sync for fine-grained PAT denials by @kunaals in #2373
  • test(integration): use testcontainers for Neo4j integration tests by @kunaals in #2377
  • feat: Add kubernetes ingress support by @ishaanverma in #2064
  • fix(github): retry transient connection resets during org sync by @kunaals in #2379
  • feat(trivy): load all packages, not just vulnerable ones by @kunaals in #2380
  • feat(kube): Add Kubernetes Ingress to AWS ALB relation by @ishaanverma in #2382
  • fix(identitycenter): scope RESOURCE edges to the IC owner account by @jychp in #2381
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2384
  • chore: bump the minor-and-patch group with 7 updates by @dependabot[bot] in #2385
  • chore: bump python from 218027a to e508a34 by @dependabot[bot] in #2383
  • fix(metrics): disambiguate relationship metrics with source/target labels by @jychp in #2386
  • feat(kubernetes): add region property to KubernetesContainer by @kunaals in #2387
  • feat(trivy): add normalized_id for cross-tool package matching by @kunaals in #2388
  • feat(syft): Add Syft module for dependency graph enrichment by @kunaals in #2345
  • fix(aws): skip CodeBuild unsupported/timeout regions by @kunaals in #2390

Full Changelog: 0.128.0...0.129.0